Country blocking script

[sobored04]

i just wanted to say that i found this site after trying to find a solution to errors i encountered while trying to run "firewall-start" scripts from the Asus-Merlin Wiki.
i actually have almost 0 experience with the commandline interface so i pretty much got stuck on the first step after SSH'ing into the router. (how to create a script file. lol)

Model: RT-AC68R (ipset v6 / arm v7l)
Firmware: Asuswrt-Merlin v380.64

log into your routers web interface.
go to:
firewall -> general
enable firewall.
go to:
Administration -> System
Enable JFFS custom scripts and configs (YES)
Enable SSH (lan only)
--
download an SSH client. i used putty.

this is just for anyone else who doesn't know how to use the commandline interface.
to create the "firewall-start" script, you have to do the following:
log into the router using SSH. (username/password = it's the same as your login information to log into the routers web interface)
go to /jffs/scripts by typing this:

cd /jffs/scripts

create the script called "firewall-start by typing:

nano firewall-start

this script only blocks Russia, China, Brazil, India, Mexico, Columbia, and Poland.
to modify the countries, search for the comments that shows you how (comments in scripts have # at the beginning of the line)
copy& paste this into the nano text editor :
(i did keep getting errors when pasting this into Putty because my Putty window was apparently too small. for some reason putty would WORD-WRAP some of the longer lines and because i don't know anything about commandline interfaces, i thought it was perfectly fine. it isn't. you will get errors so make sure that your scripts don't word-wrap. )

#!/bin/sh

# Loading ipset modules
lsmod | grep "xt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
    do
    insmod $module
done

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR

# Block incoming traffic from some countries using IPDENY.com blocklist
if [ "$(ipset --swap BlockedCountries BlockedCountries 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]
then
    ipset -N BlockedCountries nethash
#step 1: See country codes(Example: MEXICO(mx) use mx to block mexico IP)at http://www.ipdeny.com/ipblocks/
#step 2: Insert the country codes after "for country in" (located below this line)
    for country in ru cn br in mx co pl
    do
        [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/countries/$country.zone
        for IP in $(cat $IPSET_LISTS_DIR/$country.lst)
        do
            ipset -A BlockedCountries $IP
        done
    done
fi
[ -z "$(iptables-save | grep BlockedCountries)" ] && iptables -I FORWARD -m set --match-set BlockedCountries src,dst -j DROP

save it (in putty you press "ctrl+x", then save by pressing "y" for yes, then name it (you already named it when you typed nano firewall-start); then press "Enter"

make it executable by typing:

chmod +x /jffs/scripts/firewall-start

then run the script by typing:

./firewall-start

just remember that there is a limit on how many IP addresses you can add. i think its 64k.
(i decided to add all third world countries but i kept going over the limit)
if you get errors running this, it's probably because i didn't use the compatibility checks that the other scripts use (arm or mips & ipset v4 or v6)
honestly, if you do encounter any errors, i will not be able to help you since i have no idea what any of those commands do. all i know is that it works.

 

[wallyg8r]

It seems to be working ok. Thanks for the script!

 

[Csection]

i just wanted to say that i found this site after trying to find a solution to errors i encountered while trying to run "firewall-start" scripts from the Asus-Merlin Wiki.
i actually have almost 0 experience with the commandline interface so i pretty much got stuck on the first step after SSH'ing into the router. (how to create a script file. lol)

Model: RT-AC68R (ipset v6 / arm v7l)
Firmware: Asuswrt-Merlin v380.64

log into your routers web interface.
go to:
firewall -> general
enable firewall.
go to:
Administration -> System
Enable JFFS custom scripts and configs (YES)
Enable SSH (lan only)
--
download an SSH client. i used putty.

this is just for anyone else who doesn't know how to use the commandline interface.
to create the "firewall-start" script, you have to do the following:
log into the router using SSH. (username/password = it's the same as your login information to log into the routers web interface)
go to /jffs/scripts by typing this:

cd /jffs/scripts

create the script called "firewall-start by typing:

nano firewall-start

this script only blocks Russia, China, Brazil, India, Mexico, Columbia, and Poland.
to modify the countries, search for the comments that shows you how (comments in scripts have # at the beginning of the line)
copy& paste this into the nano text editor :
(i did keep getting errors when pasting this into Putty because my Putty window was apparently too small. for some reason putty would WORD-WRAP some of the longer lines and because i don't know anything about commandline interfaces, i thought it was perfectly fine. it isn't. you will get errors so make sure that your scripts don't word-wrap. )

#!/bin/sh

# Loading ipset modules
lsmod | grep "xt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
    do
    insmod $module
done

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR

# Block incoming traffic from some countries using IPDENY.com blocklist
if [ "$(ipset --swap BlockedCountries BlockedCountries 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]
then
    ipset -N BlockedCountries nethash
#step 1: See country codes(Example: MEXICO(mx) use mx to block mexico IP)at http://www.ipdeny.com/ipblocks/
#step 2: Insert the country codes after "for country in" (located below this line)
    for country in ru cn br in mx co pl
    do
        [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/countries/$country.zone
        for IP in $(cat $IPSET_LISTS_DIR/$country.lst)
        do
            ipset -A BlockedCountries $IP
        done
    done
fi
[ -z "$(iptables-save | grep BlockedCountries)" ] && iptables -I FORWARD -m set --match-set BlockedCountries src,dst -j DROP

save it (in putty you press "ctrl+x", then save by pressing "y" for yes, then name it (you already named it when you typed nano firewall-start); then press "Enter"

make it executable by typing:

chmod +x /jffs/scripts/firewall-start

then run the script by typing:

./firewall-start

just remember that there is a limit on how many IP addresses you can add. i think its 64k.
(i decided to add all third world countries but i kept going over the limit)
if you get errors running this, it's probably because i didn't use the compatibility checks that the other scripts use (arm or mips & ipset v4 or v6)
honestly, if you do encounter any errors, i will not be able to help you since i have no idea what any of those commands do. all i know is that it works.

I wonder if this is processor dependent. It doesn't look like it, but then what the heck do I know.

 

[swetoast]

pretty much a copy paste from the wiki, if you want this to work with newer routers it needs a rework.

 

[Csection]

pretty much a copy paste from the wiki, if you want this to work with newer routers it needs a rework.

Thanks!
Just wondering as DD-Wrt had something like this yrs. ago with Frater's ad on to Optware.

 

[swetoast]

been thinking about updating the example on the wiki to support ipset 4 and 6 but im working soo much now and just maintaining privacy filter and malware filter is hard enough.

 

[wallyg8r]

been thinking about updating the example on the wiki to support ipset 4 and 6 but im working soo much now and just maintaining privacy filter and malware filter is hard enough.

It would be really awesome if you were able to do it though! And thanks for privacy filter, works great!

 

[swetoast]

wallyg8r ill take the time and really think about it, think it would be pretty easy to do but as usual i just dont wanna copy paste the old script and i really want my own touch on it more interactive then the old.

 

[wallyg8r]

wallyg8r ill take the time and really think about it, think it would be pretty easy to do but as usual i just dont wanna copy paste the old script and i really want my own touch on it more interactive then the old.

Again, that would be awesome!

 

[redhat27]

You might want to try out the script here. It should block IPv6 sources from the blocked countries if you have a arm router.

 

[swetoast]

@Shounak De i would go on ipset version instead of cpu architecture

 

[redhat27]

Fair enough: Here is the updated script:

#!/bin/sh

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR
# Check dependencies exist
[ -x "/usr/sbin/ip6tables-save" ] && LIST6TABLE="ip6tables-save" || LIST6TABLE="ip6tables -L"

# Different routers got different iptables and ipset syntax
case $(ipset -v | grep -o "v[4,6]") in
  v6)
    MATCH_SET='--match-set'; CREATE='create'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net family inet'; NETHASH6='hash:net family inet6'; SETNOTFOUND='name does not exist'
    # Loading ipset modules
    lsmod | grep -q "xt_set" || \
    for module in ip_set ip_set_nethash ip_set_iphash xt_set; do
      insmod $module
    done;;
  v4)
    MATCH_SET='--set'; CREATE='--create'; ADD='--add'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'; SETNOTFOUND='Unknown set'
    # Loading ipset modules
    lsmod | grep -q "ipt_set" || \
    for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
      insmod $module
    done;;
  *)
    logger -t Firewall "$0: Unknown ipset version: $(ipset -v). Exiting"
    exit 1;;
esac

# Block traffic from Tor nodes [IPv4 nodes only]
if $(ipset $SWAP TorNodes TorNodes 2>&1 | grep -q "$SETNOTFOUND"); then
  ipset $CREATE TorNodes $IPHASH
  [ -e $IPSET_LISTS_DIR/tor.lst ] || wget -q -O $IPSET_LISTS_DIR/tor.lst http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
  for IP in $(cat $IPSET_LISTS_DIR/tor.lst); do
    ipset $ADD TorNodes $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added TorNodes list ($entryCount entries)"
fi
iptables-save | grep -q TorNodes || iptables -I INPUT -m set $MATCH_SET TorNodes src -j DROP

# Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
country_list="au br cn kr pk ru sa sc tr tw ua vn"
if $(ipset $SWAP BlockedCountries BlockedCountries 2>&1 | grep -q "$SETNOTFOUND"); then
  ipset $CREATE BlockedCountries $NETHASH
  for country in ${country_list}; do
    entryCount=0
    [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
    for IP in $(cat $IPSET_LISTS_DIR/$country.lst); do
      ipset $ADD BlockedCountries $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added country [$country] to BlockedCountries list ($entryCount entries)"
  done
fi
iptables-save | grep -q BlockedCountries || iptables -I INPUT -m set $MATCH_SET BlockedCountries src -j DROP
if [ $(nvram get ipv6_fw_enable) -eq 1 -a -n "$NETHASH6" ]; then
  if $(ipset $SWAP BlockedCountries6 BlockedCountries6 2>&1 | grep -q "$SETNOTFOUND"); then
    ipset $CREATE BlockedCountries6 $NETHASH6
    for country in ${country_list}; do
      entryCount=0
      [ -e $IPSET_LISTS_DIR/${country}6.lst ] || wget -q -O $IPSET_LISTS_DIR/${country}6.lst http://www.ipdeny.com/ipv6/ipaddresses/aggregated/${country}-aggregated.zone
      for IP6 in $(cat $IPSET_LISTS_DIR/${country}6.lst); do
        ipset $ADD BlockedCountries6 $IP6
        [ $? -eq 0 ] && entryCount=$((entryCount+1))
      done
      logger -t Firewall "$0: Added country [$country] to BlockedCountries6 list ($entryCount entries)"
    done
  fi
  $LIST6TABLE | grep -q BlockedCountries6 || ip6tables -I INPUT -m set $MATCH_SET BlockedCountries6 src -j DROP
fi

# Block Microsoft telemetry spying servers [IPv4 only]
if $(ipset $SWAP MicrosoftSpyServers MicrosoftSpyServers 2>&1 | grep -q "$SETNOTFOUND"); then
  ipset $CREATE MicrosoftSpyServers $IPHASH
  [ $? -eq 0 ] && entryCount=0
  for IP in 23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 \
        65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 \
        65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71 \
        65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 \
        131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 \
        134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 \
        191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254; do
    ipset $ADD MicrosoftSpyServers $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added MicrosoftSpyServers list ($entryCount entries)"
fi
iptables-save | grep -q MicrosoftSpyServers || iptables -I FORWARD -m set $MATCH_SET MicrosoftSpyServers src,dst -j DROP

# Block traffic from custom block list
if [ -e $IPSET_LISTS_DIR/custom.lst ]; then
  if $(ipset $SWAP CustomBlock CustomBlock 2>&1 | grep -q "$SETNOTFOUND"); then
    ipset $CREATE CustomBlock $IPHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/custom.lst); do
      ipset $ADD CustomBlock $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
  fi
  logger -t Firewall "$0: Added CustomBlock list ($entryCount entries)"
  iptables-save | grep -q CustomBlock || iptables -I INPUT -m set $MATCH_SET CustomBlock src -j DROP
fi

# Allow traffic from Whitelist [IPv4 only] [$IPSET_LISTS_DIR/whitelist.lst can contain a combination of IPv4 IP or IPv4 netmask]
if [ -e $IPSET_LISTS_DIR/whitelist.lst ]; then
  if $(ipset $SWAP Whitelist Whitelist 2>&1 | grep -q "$SETNOTFOUND"); then
    ipset $CREATE Whitelist $NETHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/whitelist.lst); do
      [ "${IP##*/}" == "$IP" ] && ipset $ADD Whitelist $IP/31 || ipset $ADD Whitelist $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
  fi
  logger -t Firewall "$0: Added Whitelist ($entryCount entries)"
  iptables-save | grep -q Whitelist || iptables -I INPUT -m set $MATCH_SET Whitelist src -j ACCEPT
fi

Thanks to @wallyg8r for testing it in the v6 world

 

[swetoast]

Update the wiki with your example

 

[redhat27]

Updated wiki. Thanks.

 

[redhat27]

FYI: There was a bug in the script with checking the date and re-downloading cached lists. It should now be fixed.

 

[wallyg8r]

FYI: There was a bug in the script with checking the date and re-downloading cached lists. It should now be fixed.

I believe that the script may be broken now. No errors come up when running it but it is not populating in ipset_lists. I'm guessing that the updated script was the one from the wiki?

 

[redhat27]

Sorry I broke it for you When you say its not populating the lists, can you give me:

grep "Firewall" /tmp/syslog.log

It would be good you can get the code from the wiki as it exists now and then reboot your router first, and then send me those outputs. It is expected not to reload the lists when the lists are already loaded.

 

[wallyg8r]

Sorry I broke it for you When you say its not populating the lists, can you give me:

grep "Firewall" /tmp/syslog.log

It would be good you can get the code from the wiki as it exists now and then reboot your router first, and then send me those outputs. It is expected not to reload the lists when the lists are already loaded.

What I did was delete the lists, reboot the router, then run firewall-start (from the wiki).

admin@NETGEAR-87C8:/jffs/scripts# grep "Firewall" /tmp/syslog.log
Mar 2 19:27:18 Firewall: ./firewall-start: Added TorNodes list ( entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [au] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [jp] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [kr] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [pk] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [ru] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [sa] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [sc] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [ua] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [vn] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [cn] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [br] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [in] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [pl] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [tr] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [it] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [es] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [tw] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [ro] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [hu] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [cz] to BlockedCountries list (0 entries)
Mar 2 19:27:18 Firewall: ./firewall-start: Added country [au] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [jp] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [kr] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [pk] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [ru] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [sa] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [sc] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [ua] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [vn] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [cn] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [br] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [in] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [pl] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [tr] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [it] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [es] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [tw] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [ro] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [hu] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added country [cz] to BlockedCountries6 list (0 entries)
Mar 2 19:27:19 Firewall: ./firewall-start: Added MicrosoftSpyServers list (45 entries)

The lists were not created. With the old script they get created.

 

[redhat27]

You've uncovered a bug. I did not account for the fact that if the blocklist was missing, it should download. I was just checking if the date was older than a certain date it would re-download. I am unable to update that wiki anymore as I made some frequent updates, and my account is flagged and is now under review. @swetoast if I PM you the script, can you update it?

 

[wallyg8r]

You've uncovered a bug. I did not account for the fact that if the blocklist was missing, it should download. I was just checking if the date was older than a certain date it would re-download. I am unable to update that wiki anymore as I made some frequent updates, and my account is flagged and is now under review. @swetoast if I PM you the script, can you update it?

Good that you could figure it out so quickly. Can you post the new script here in this thread?