Blocking IP Range

[AnthonyArmato]

Is it possible to block a range of IPs without having to enter them one at a time via Firewall/Network Services Filter ?

 

[AnthonyArmato]

Guess that's a no ?

 

[wiz]

The Network Services filter blocks the LAN to WAN packet exchanges and restricts devices from using specific network services.

So that's not blocking Ip ranges, thats for denying local hosts access to specific ports / hosts you put in this list.

What you can do is figure out how you block a range with iptables and then put this in the script "firewall-start" on the jffs partition. I think that's the only way you would be able to get this going.

something like iptables INPUT -p all -s aaa.bbb.ccc.ddd/netmask -j DROP should work I think

 

[chamberc]

Is it possible to block a range of IPs without having to enter them one at a time via Firewall/Network Services Filter ?

Trying to do this to fix youtube by chance?

 

[sabot105mm]

Is it possible to block a range of IPs without having to enter them one at a time via Firewall/Network Services Filter ?

opendns allows you to filter ip addresses. It's what I used when I had a guest account, to filter adult websites and email.
http://www.dd-wrt.com/wiki/index.php/OpenDNS

 

[Mistermoonlight]

I am also using opendns (free service) and this is really good for web content filtering. Here is the procedure using merlin firmware:

1- Create an account on opendns, and create also a dnsomatic account:

see
http://dnsomatic.com/
https://store.opendns.com/get/home-free

You will use the dnsomatic account to update your server address provided by dyndns or any other dynamic ip service, usefull if you are running any kind of web/ftp server on your computer. The dnsomatic account will also be used to update your address to the opendns server (don't forget to link your opendns account with dnsomatic for this purpose) so specific web content filtering can be used according to your opendns account setting. So configure your dnsomatic account with all dynamic dns service you may want to update (dyndns, etc)

Specify the web content filtering level you want in your opendns account just created.

2- In the router wan ddns tab, enter your dnsomatic account information, so everytime the router log to internet, it will give your internet address info to opendns server so your own custom web filtering rules (in your opendns account) could be used when navigating internet with your router.

3- In the router wan internet connection tab, change the wan dns setting "Connect to DNS Server automatically" to no, and type opendns dns server addresses in DNS server1 and server2.

opendns dns servers
208.67.222.222
208.67.220.220

4- As a safety measure, you can create a jffs script "firewall-start" like this (check merlin firmware wiki to get info about how to create a jffs script):

-------------------------------
#!/bin/sh

#############
# Firewalling
#############
iptables -I FORWARD 1 -p udp -d 208.67.220.220 --dport 53 -j ACCEPT
iptables -I FORWARD 2 -p udp -d 208.67.222.222 --dport 53 -j ACCEPT
iptables -I FORWARD 5 -p udp --dport 53 -j DROP
iptables -I FORWARD 6 -p tcp -d 208.67.220.220 --dport 53 -j ACCEPT
iptables -I FORWARD 7 -p tcp -d 208.67.222.222 --dport 53 -j ACCEPT
iptables -I FORWARD 10 -p tcp --dport 53 -j DROP
-------------------------------

This script will prevent any user of any wireless/pc devices on your network to use a different dns server then the one from opendns. With this feature, there is no way to bypass your web content filtering rules by using another dns server by just changing for example the dns server in the NIC setup of your window computer. So the DNS setting is setup automatic (and would be provided by the router) when each device on the network is using dhcp to get an address from the router.

IMPORTANT: The reason i am using a jffs script to filter non authorize dns request is that there is a bug in the network service filter (from firewall router menu) and you cannot filter correctly and easily all other dns server (different from opendns ones you want to use) if you are using "parental control" feature of your router: parental control feature active will make your network filter rules (from the router gui menu) going wild with firmware 3.0.0.4.270.24 (merlin).


Final words:

The beauty of a setup like this, is that any devices connected to the router in your network will have web content filtering as your requierements, no matter if it is a WII, a PC, a playstation, web tv, etc... and is quite difficult to bypass for your childs...

 

[RMerlin]

IMPORTANT: The reason i am using a jffs script to filter non authorize dns request is that there is a bug in the network service filter (from firewall router menu) and you cannot filter correctly and easily all other dns server (different from opendns ones you want to use) if you are using "parental control" feature of your router: parental control feature active will make your network filter rules (from the router gui menu) going wild with firmware 3.0.0.4.270.24 (merlin).

If you want to take it one step forward, the following will force all DNS queries to go through your router (which will in turn go through OpenDNS). That way, a misconfigured client will still have Internet access, just that it will be forced to to through your configured DNS.

iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`

Repeat the same for TCP if you wish. I haven't tested it myself, this is just based on Tomato code that I looked at a few weeks ago.

Cleaner than just dropping connection to other DNS servers.

 

[Mistermoonlight]

Merlin said:

If you want to take it one step forward, the following will force all DNS queries to go through your router (which will in turn go through OpenDNS). That way, a misconfigured client will still have Internet access, just that it will be forced to to through your configured DNS.

Yes very good idea. That way it will silently force to use the opendns dns server instead of dropping the undesired dns attempt. I would try this improvement as soon as i have a chance to.

This modification has to be added to another script than "firewall-start" i guess?

Thanks

 

[RMerlin]

Merlin said:


Yes very good idea. That way it will silently force to use the opendns dns server instead of dropping the undesired dns attempt. I would try this improvement as soon as i have a chance to.

This modification has to be added to another script than "firewall-start" i guess?

Thanks

Use it instead of your current series of rules.

 

[AnthonyArmato]

Trying to do this to fix youtube by chance?

Yes, exactly. I entered them in Windows Firewall but I normally have this disabled. Plus I have quite a few devices on my network so being able to block them via the router would be much more effective.

Don't want to use OpenDNS. Get better performance on my current ones.

 

[AnthonyArmato]

The Network Services filter blocks the LAN to WAN packet exchanges and restricts devices from using specific network services.

So that's not blocking Ip ranges, thats for denying local hosts access to specific ports / hosts you put in this list.

What you can do is figure out how you block a range with iptables and then put this in the script "firewall-start" on the jffs partition. I think that's the only way you would be able to get this going.

something like iptables INPUT -p all -s aaa.bbb.ccc.ddd/netmask -j DROP should work I think

Absolutely no idea how to do that.

 

[AnthonyArmato]

Think I got it. Spoke to Asus. The guy had me block 3 IPs to block a whole subnet. Something about a broadcast address etc etc. But like I said to him, I didn't need the whole subnet blocked.

So I found something online that said to run the following commands. (I inserted the IP range I needed blocked)

Does this look correct ?

iptables -i eth1 -A INPUT -s 173.194.55.0/24 -j DROP
iptables -i eth1 -A INPUT -s 206.111.0.0/16 -j DROP

Running iptables -L shows this...
DROP all -- 173.194.55.0/24 anywhere
DROP all -- 206.111.0.0.ptr.us.xo.net/16 anywhere

 

[RMerlin]

Think I got it. Spoke to Asus. The guy had me block 3 IPs to block a whole subnet. Something about a broadcast address etc etc. But like I said to him, I didn't need the whole subnet blocked.

So I found something online that said to run the following commands. (I inserted the IP range I needed blocked)

Does this look correct ?

iptables -i eth1 -A INPUT -s 173.194.55.0/24 -j DROP
iptables -i eth1 -A INPUT -s 206.111.0.0/16 -j DROP

Running iptables -L shows this...
DROP all -- 173.194.55.0/24 anywhere
DROP all -- 206.111.0.0.ptr.us.xo.net/16 anywhere

eth1 is wifi 2.4G.

eth0 is WAN.
eth2 is Wifi 5 G
br0 is the whole LAN.

 

[AnthonyArmato]

Oh thanks ! How can I delete those two entries I added so I can change it to br0 ?

 

[AnthonyArmato]

Figured that out too.

Only thing I can't figure out is saving. Is it saved automatically or do I need to run a command to do that ?

 

[RMerlin]

Figured that out too.

Only thing I can't figure out is saving. Is it saved automatically or do I need to run a command to do that ?

You will need to create a user script to have these commands run at boot time. Probably best to use a firewall-start script for these.

 

[AnthonyArmato]

Any chance you can walk me through those steps ?

 

[Mistermoonlight]

Looks:

https://github.com/RMerl/asuswrt-merlin/wiki/JFFS
https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts


This will show you the process of creating a jffs script:
https://github.com/RMerl/asuswrt-merlin/wiki/WOL-Script-Wake-Up-Your-Webserver-On-Internet-Traffic

Apply a similar technic for all different possible kind of scripts as described in the links above.

 

[AnthonyArmato]

Great thanks. Will try that when I get home from work today.

 

[AnthonyArmato]

Eh still a bit confused. I downloaded the programs and got everything working. I know I need to create "firewall-start" and enter the iptable info I had posted earlier. Then what ?