Country blocking script

Here it is:
Code:
#!/bin/sh

# Re-download blocklist if locally saved blocklist is older than this many days
BLOCKLISTS_SAVE_DAYS=15

# For the users of mips routers (kernel 2.x): You can now block sources with IPv6 with country blocklists
# Enable if you want to add huge country IPv6 netmask lists directly into ip6tables rules.
# Also, enabling this will add a *lot* of processing time!
# Note: This has no effect if you have ipset v6: It will always use ipset v6 for IPv6 country blocklists regardless of whether this is enabled or not.
USE_IP6TABLES_IF_IPSETV6_UNAVAILABLE=disabled # [enabled|disabled]

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR

# Check dependencies exist
[ -n "$(which ip6tables-save 2>/dev/null)" ] && LIST6TABLE="ip6tables-save" || LIST6TABLE="ip6tables -L"

# Different routers got different iptables and ipset syntax
case $(ipset -v | grep -o "v[4,6]") in
  v6)
    MATCH_SET='--match-set'; CREATE='create'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net family inet'; NETHASH6='hash:net family inet6'; SETNOTFOUND='name does not exist'
    # Loading ipset modules
    lsmod | grep -q "xt_set" || \
    for module in ip_set ip_set_nethash ip_set_iphash xt_set; do
      insmod $module
    done;;
  v4)
    MATCH_SET='--set'; CREATE='--create'; ADD='--add'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'; SETNOTFOUND='Unknown set'
    # Loading ipset modules
    lsmod | grep -q "ipt_set" || \
    for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
      insmod $module
    done;;
  *)
    logger -t Firewall "$0: Unknown ipset version: $(ipset -v). Exiting."
    exit 1;;
esac

# Block traffic from Tor nodes [IPv4 nodes only]
if ipset $SWAP TorNodes TorNodes 2>&1 | grep -q "$SETNOTFOUND"; then
  ipset $CREATE TorNodes $IPHASH
  entryCount=0
  [ ! -e "$IPSET_LISTS_DIR/tor.lst" -o -n "$(find $IPSET_LISTS_DIR/tor.lst -mtime +$BLOCKLISTS_SAVE_DAYS -print 2>/dev/null)" ] && wget -q -O $IPSET_LISTS_DIR/tor.lst http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
  for IP in $(cat $IPSET_LISTS_DIR/tor.lst); do
    ipset $ADD TorNodes $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added TorNodes list ($entryCount entries)"
fi
iptables-save | grep -q TorNodes || iptables -I INPUT -m set $MATCH_SET TorNodes src -j DROP

# Block incoming traffic from some countries. cn and pk are China and Pakistan. See the other country codes at http://www.ipdeny.com/ipblocks/
country_list="au br cn jp kr pk ru sa sc tr tw ua vn"
if ipset $SWAP BlockedCountries BlockedCountries 2>&1 | grep -q "$SETNOTFOUND"; then
  ipset $CREATE BlockedCountries $NETHASH
  for country in ${country_list}; do
    entryCount=0
    [ ! -e "$IPSET_LISTS_DIR/$country.lst" -o -n "$(find $IPSET_LISTS_DIR/$country.lst -mtime +$BLOCKLISTS_SAVE_DAYS -print 2>/dev/null)" ] && wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
    for IP in $(cat $IPSET_LISTS_DIR/$country.lst); do
      ipset $ADD BlockedCountries $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added country [$country] to BlockedCountries list ($entryCount entries)"
  done
fi
iptables-save | grep -q BlockedCountries || iptables -I INPUT -m set $MATCH_SET BlockedCountries src -j DROP
if [ "$(nvram get ipv6_fw_enable)" = "1" ]; then
  if ipset $SWAP BlockedCountries6 BlockedCountries6 2>&1 | grep -q "$SETNOTFOUND"; then
    [ -n "$NETHASH6" ] && ipset $CREATE BlockedCountries6 $NETHASH6
    for country in ${country_list}; do
      [ -e "/tmp/ipv6_country_blocks_loaded" ] && logger -t Firewall "$0: Country block rules have already been loaded into ip6tables... Skipping." && break
      entryCount=0
      [ ! -e "$IPSET_LISTS_DIR/${country}6.lst" -o -n "$(find $IPSET_LISTS_DIR/${country}6.lst -mtime +$BLOCKLISTS_SAVE_DAYS -print 2>/dev/null)" ] && wget -q -O $IPSET_LISTS_DIR/${country}6.lst http://www.ipdeny.com/ipv6/ipaddresses/aggregated/${country}-aggregated.zone
      for IP6 in $(cat $IPSET_LISTS_DIR/${country}6.lst); do
        # Count an entry only when the add (or the ip6tables rule) actually succeeded
        if [ -n "$NETHASH6" ]; then
          ipset $ADD BlockedCountries6 $IP6 && entryCount=$((entryCount+1))
        elif [ $USE_IP6TABLES_IF_IPSETV6_UNAVAILABLE = "enabled" ]; then
          ip6tables -A INPUT -s $IP6 -j DROP && entryCount=$((entryCount+1))
        fi
      done
      if [ -n "$NETHASH6" ]; then
        logger -t Firewall "$0: Added country [$country] to BlockedCountries6 list ($entryCount entries)"
      elif [ $USE_IP6TABLES_IF_IPSETV6_UNAVAILABLE = "enabled" ]; then
        logger -t Firewall "$0: Added country [$country] to ip6tables rules ($entryCount entries)"
      fi
    done
  fi
  if [ -n "$NETHASH6" ]; then
    $LIST6TABLE | grep -q BlockedCountries6 || ip6tables -I INPUT -m set $MATCH_SET BlockedCountries6 src -j DROP
  elif [ $USE_IP6TABLES_IF_IPSETV6_UNAVAILABLE = "enabled" -a ! -e "/tmp/ipv6_country_blocks_loaded" ]; then
    logger -t Firewall "$0: Creating [/tmp/ipv6_country_blocks_loaded] to prevent accidental reloading of country blocklists in ip6table rules."
    touch /tmp/ipv6_country_blocks_loaded
  fi
fi

# Block Microsoft telemetry spying servers [IPv4 only]
if ipset $SWAP MicrosoftSpyServers MicrosoftSpyServers 2>&1 | grep -q "$SETNOTFOUND"; then
  ipset $CREATE MicrosoftSpyServers $IPHASH
  [ $? -eq 0 ] && entryCount=0
  for IP in 23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 \
        65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 \
        65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71 \
        65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 \
        131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 \
        134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 \
        191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254; do
    ipset $ADD MicrosoftSpyServers $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added MicrosoftSpyServers list ($entryCount entries)"
fi
iptables-save | grep -q MicrosoftSpyServers || iptables -I FORWARD -m set $MATCH_SET MicrosoftSpyServers dst -j DROP

# Block traffic from custom block list
if [ -e $IPSET_LISTS_DIR/custom.lst ]; then
  if ipset $SWAP CustomBlock CustomBlock 2>&1 | grep -q "$SETNOTFOUND"; then
    ipset $CREATE CustomBlock $IPHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/custom.lst); do
      ipset $ADD CustomBlock $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added CustomBlock list ($entryCount entries)"
  fi
  iptables-save | grep -q CustomBlock || iptables -I INPUT -m set $MATCH_SET CustomBlock src -j DROP
fi

# Allow traffic from Whitelist [IPv4 only] [$IPSET_LISTS_DIR/whitelist.lst can contain a combination of IPv4 IP or IPv4 netmask]
if [ -e $IPSET_LISTS_DIR/whitelist.lst ]; then
  if ipset $SWAP Whitelist Whitelist 2>&1 | grep -q "$SETNOTFOUND"; then
    ipset $CREATE Whitelist $NETHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/whitelist.lst); do
      # A bare address gets a /31 mask because the old ipset v4 nethash type does not accept /32 entries; note that a /31 also admits the neighbouring address
      [ "${IP##*/}" = "$IP" ] && ipset $ADD Whitelist $IP/31 || ipset $ADD Whitelist $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added Whitelist ($entryCount entries)"
  fi
  # -I puts this rule at the head of INPUT. Because it is inserted after the DROP rules above, it is evaluated before them, and first match wins, so whitelisted sources bypass the block sets
  iptables-save | grep -q Whitelist || iptables -I INPUT -m set $MATCH_SET Whitelist src -j ACCEPT
fi

Please post:
Code:
grep "Firewall" /tmp/syslog.log
after you run it. Thanks for your help in testing it.
 
It's working again. Thanks for all your time and effort it is very much appreciated.

admin@NETGEAR-87C8:/tmp/home/root# grep "Firewall" /tmp/syslog.log
Mar 2 20:52:00 Firewall: /jffs/scripts/firewall-start: Added TorNodes list (7034 entries)
Mar 2 20:52:39 Firewall: /jffs/scripts/firewall-start: Added country [au] to BlockedCountries list (5066 entries)
Mar 2 20:52:56 Firewall: /jffs/scripts/firewall-start: Added country [br] to BlockedCountries list (2340 entries)
Mar 2 20:53:30 Firewall: /jffs/scripts/firewall-start: Added country [cn] to BlockedCountries list (4682 entries)
Mar 2 20:53:50 Firewall: /jffs/scripts/firewall-start: Added country [jp] to BlockedCountries list (2716 entries)
Mar 2 20:54:01 Firewall: /jffs/scripts/firewall-start: Added country [kr] to BlockedCountries list (890 entries)
Mar 2 20:54:04 Firewall: /jffs/scripts/firewall-start: Added country [pk] to BlockedCountries list (323 entries)
Mar 2 20:54:52 Firewall: /jffs/scripts/firewall-start: Added country [ru] to BlockedCountries list (6711 entries)
Mar 2 20:54:56 Firewall: /jffs/scripts/firewall-start: Added country [sa] to BlockedCountries list (344 entries)
Mar 2 20:54:57 Firewall: /jffs/scripts/firewall-start: Added country [sc] to BlockedCountries list (54 entries)
Mar 2 20:55:03 Firewall: /jffs/scripts/firewall-start: Added country [tr] to BlockedCountries list (806 entries)
Mar 2 20:55:07 Firewall: /jffs/scripts/firewall-start: Added country [tw] to BlockedCountries list (438 entries)
Mar 2 20:55:26 Firewall: /jffs/scripts/firewall-start: Added country [ua] to BlockedCountries list (2720 entries)
Mar 2 20:55:30 Firewall: /jffs/scripts/firewall-start: Added country [vn] to BlockedCountries list (444 entries)
Mar 2 20:55:41 Firewall: /jffs/scripts/firewall-start: Added country [au] to BlockedCountries6 list (994 entries)
Mar 2 20:56:25 Firewall: /jffs/scripts/firewall-start: Added country [br] to BlockedCountries6 list (3987 entries)
Mar 2 20:56:39 Firewall: /jffs/scripts/firewall-start: Added country [cn] to BlockedCountries6 list (1225 entries)
Mar 2 20:56:45 Firewall: /jffs/scripts/firewall-start: Added country [jp] to BlockedCountries6 list (405 entries)
Mar 2 20:56:46 Firewall: /jffs/scripts/firewall-start: Added country [kr] to BlockedCountries6 list (109 entries)
Mar 2 20:56:48 Firewall: /jffs/scripts/firewall-start: Added country [pk] to BlockedCountries6 list (77 entries)
Mar 2 20:57:02 Firewall: /jffs/scripts/firewall-start: Added country [ru] to BlockedCountries6 list (1309 entries)
Mar 2 20:57:03 Firewall: /jffs/scripts/firewall-start: Added country [sa] to BlockedCountries6 list (74 entries)
Mar 2 20:57:04 Firewall: /jffs/scripts/firewall-start: Added country [sc] to BlockedCountries6 list (9 entries)
Mar 2 20:57:07 Firewall: /jffs/scripts/firewall-start: Added country [tr] to BlockedCountries6 list (283 entries)
Mar 2 20:57:08 Firewall: /jffs/scripts/firewall-start: Added country [tw] to BlockedCountries6 list (84 entries)
Mar 2 20:57:12 Firewall: /jffs/scripts/firewall-start: Added country [ua] to BlockedCountries6 list (352 entries)
Mar 2 20:57:13 Firewall: /jffs/scripts/firewall-start: Added country [vn] to BlockedCountries6 list (77 entries)
Mar 2 20:57:13 Firewall: /jffs/scripts/firewall-start: Added MicrosoftSpyServers list (45 entries)
 
My account was unflagged and I updated the wiki with the working script.
I uploaded the script to my router, ran it manually, got no errors in the log, and .lst files were created. I then added a new country code to the "BLOCKED_COUNTRY_LIST=" part of the script, ran the script manually again, and it didn't create the appropriate .lst file for the newly chosen country in the ipset_list folder; the log didn't output anything further either.
 
Right, that's because this script is meant to run once at router boot. There are checks to prevent it from reloading the sets if the sets already exist. I figured that changing the list of blocked countries would not be very frequent.

Unfortunately, as it stands now, you'd need to reboot your router for the change to take effect. If there is much demand to run this repeatedly (or scheduled from cron), I can think about implementing that.

My take on it is that it would probably be overkill, as country netmasks do not change that frequently, unlike malware lists.
 
> Unfortunately, as it stands now, you'd need to reboot your router for the change to take effect. If there is much demand to run this repeatedly (or scheduled from cron), I can think about implementing that.
>
> My take on it is that it would probably be overkill, as country netmasks do not change that frequently, unlike malware lists.
Very good, thanks. I wondered if that were the case. Yes, I can't think of any real need to run the script frequently just to change countries.
 
I am not sure if checking "nvram get ipv6_fw_enable" for a value of 1 is an accurate test for whether IPv6 is enabled in the router. The test returns a value of 1 on my router, but IPv6 is definitely disabled.

UPDATE: Might "if [ "$(cat /proc/net/if_inet6 | wc -l)" -gt "0" ]" be a better test?
 
Both are acceptable since both return the same values. I was actually thinking about doing "nvram get ipv6_fw_enable" when I made the privacy filter but scratched that since I want other router distros to be able to use my scripts, or for that matter servers in general.

I think @Shounak De's approach is really good; the whole script looks nice and hopefully works nicely :)
 
> Both are acceptable since both return the same values. I was actually thinking about doing "nvram get ipv6_fw_enable" when I made the privacy filter but scratched that since I want other router distros to be able to use my scripts, or for that matter servers in general.
>
> I think @Shounak De's approach is really good; the whole script looks nice and hopefully works nicely :)
The two tests provide different results for me -- IPv6 is not enabled on my router:
# nvram get ipv6_fw_enable
1
# cat /proc/net/if_inet6 | wc -l
0
I believe that the second one provides correct results.
 
I tested this script just now... I think it's working... I have a question. So if I block country "au", that means no one from "au" can access my destination? What if I need one IP from a blocked country to have access to my destination? Is there a whitelist? Here is my log:
Code:
ASUSWRT-Merlin RT-AC3200 380.65-0 Fri Feb  3 05:20:08 UTC 2017
admin@RT-AC3200-0000:/tmp/home/root# cat /tmp/syslog.log | grep "Firewall"
Mar  5 13:56:51 Firewall: /jffs/scripts/create-ipset-lists.sh: Added TorNodes list ( entries)
Mar  5 13:57:37 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [au] to BlockedCountries list (5065 entries)
Mar  5 13:57:59 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [br] to BlockedCountries list (2355 entries)
Mar  5 13:58:41 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [cn] to BlockedCountries list (4688 entries)
Mar  5 13:59:05 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [jp] to BlockedCountries list (2716 entries)
Mar  5 13:59:14 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [kr] to BlockedCountries list (890 entries)
Mar  5 13:59:17 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [pk] to BlockedCountries list (323 entries)
Mar  5 14:00:17 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [ru] to BlockedCountries list (6711 entries)
Mar  5 14:00:21 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [sa] to BlockedCountries list (344 entries)
Mar  5 14:00:21 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [sc] to BlockedCountries list (54 entries)
Mar  5 14:00:29 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [tr] to BlockedCountries list (806 entries)
Mar  5 14:00:33 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [tw] to BlockedCountries list (438 entries)
Mar  5 14:00:58 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [ua] to BlockedCountries list (2721 entries)
Mar  5 14:01:03 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [vn] to BlockedCountries list (444 entries)
Mar  5 14:01:17 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [au] to BlockedCountries6 list (996 entries)
Mar  5 14:02:12 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [br] to BlockedCountries6 list (4009 entries)
Mar  5 14:02:29 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [cn] to BlockedCountries6 list (1241 entries)
Mar  5 14:02:35 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [jp] to BlockedCountries6 list (405 entries)
Mar  5 14:02:37 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [kr] to BlockedCountries6 list (109 entries)
Mar  5 14:02:38 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [pk] to BlockedCountries6 list (77 entries)
Mar  5 14:02:56 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [ru] to BlockedCountries6 list (1310 entries)
Mar  5 14:02:57 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [sa] to BlockedCountries6 list (74 entries)
Mar  5 14:02:58 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [sc] to BlockedCountries6 list (9 entries)
Mar  5 14:03:02 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [tr] to BlockedCountries6 list (283 entries)
Mar  5 14:03:03 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [tw] to BlockedCountries6 list (84 entries)
Mar  5 14:03:08 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [ua] to BlockedCountries6 list (352 entries)
Mar  5 14:03:10 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [vn] to BlockedCountries6 list (77 entries)
Mar  5 14:03:10 Firewall: /jffs/scripts/create-ipset-lists.sh: Added MicrosoftSpyServers list (45 entries)
 
There is no whitelist, and if you block a country it is blocked; that's what a BLOCK list does, it blocks stuff.

And to answer the second question: you can request a whitelist, but since it's ranges that you're blocking it's not that easy, so the simplest answer is don't block that much.
 
> I believe that the second one provides correct results.

I believe you are right. That nvram variable is toggled from the web UI: "Firewall" => "IPv6 Firewall (tab)" => "Enable IPv6 Firewall".
It may actually have no bearing on whether IPv6 is actually enabled. I'll modify the script.

> Mar 5 13:56:51 Firewall: /jffs/scripts/create-ipset-lists.sh: Added TorNodes list ( entries)

Your Tor list is not downloaded. (Maybe you use OpenDNS and blocked Proxy/Anonymizers?) You can verify by trying
Code:
wget http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
directly on the command line.

> What if I need one IP from a blocked country to have access to my destination? Is there a whitelist?

> There is no whitelist, and if you block a country it is blocked; that's what a BLOCK list does, it blocks stuff.

The script does have a provision for defining a whitelist.lst, but I cannot give a definitive answer here. I looked at iptables rule precedence (googled) and sources seem to indicate that if a matching rule for the IP being filtered appears first, it would go with that, even if a conflicting rule is defined later. I would love it if someone can verify that.
 
Ohh, missed that part, but yeah, I can check the code and see if I spot an error :) Don't have much better to do atm.
 
I don't know why you want to block countries; what if you are travelling and need to VPN into your network? Some traffic can be legitimate too (you could be using a torrent and losing some seeds to connect to).

The better option would be to block based on activity. For instance, if you get traffic initiated to your router that wasn't initiated by some computer inside which uses NAT/forwarding, then you can use that as a way to block. This method is very effective, but you will end up blocking popular services like Google and Facebook because they also track you, and Google is also used for hacking as well. It is very effective against port scans as well, and if you have a service running on the higher ports the host will be blocked before it detects that port.

Once you block traffic on input you can block the host on other chains as well, such as output and forwarding. Care must be taken to ensure that DNS, NTP and crucial services aren't blocked, so it requires a dynamic rule to allow input from hosts that the router first initiated contact with. You could make static rules instead, but it is 1 rule vs many rules.
 
> Both are acceptable since both return the same values. I was actually thinking about doing "nvram get ipv6_fw_enable"

Checking ipv6_fw_enable is checking the desired state of the IPv6 firewall when IPv6 is enabled.
If you want to check if IPv6 is enabled, do
nvram get ipv6_service
Any value other than 'disabled' means some type of IPv6 is active.
 
> I don't know why you want to block countries; what if you are travelling and need to VPN into your network? Some traffic can be legitimate too (you could be using a torrent and losing some seeds to connect to).

This has actually happened. I traveled to China, and took that out of my blocked countries before I went ;) Regarding torrents, yes, you get some peers blocked. The country blocking need is an old one, from the early days of dd-wrt and frater. Sometimes you just need a smaller window the world can 'see' you with.

> The better option would be to block based on activity

Absolutely, and that is why there is a custom.lst provision in the script. I have scheduled a script to regularly scan my syslog for activities I do not want, and then append to that custom.lst file and to the CustomBlock ipset list.

> If you want to check if IPv6 is enabled, do
> nvram get ipv6_service
> Any value other than 'disabled' means some type of IPv6 is active.

Awesome. I'll use that.
 
> The better option would be to block based on activity. For instance, if you get traffic initiated to your router that wasn't initiated by some computer inside which uses NAT/forwarding, then you can use that as a way to block. This method is very effective, but you will end up blocking popular services like Google and Facebook because they also track you, and Google is also used for hacking as well. It is very effective against port scans as well, and if you have a service running on the higher ports the host will be blocked before it detects that port.
>
> Once you block traffic on input you can block the host on other chains as well, such as output and forwarding. Care must be taken to ensure that DNS, NTP and crucial services aren't blocked, so it requires a dynamic rule to allow input from hosts that the router first initiated contact with. You could make static rules instead, but it is 1 rule vs many rules.
Re-reading your post, this is indeed a fine grained blocking approach. Country blocking is a crude alternative. I am still learning iptables, and haven't used dynamic rules yet.
 
> Re-reading your post, this is indeed a fine grained blocking approach. Country blocking is a crude alternative. I am still learning iptables, and haven't used dynamic rules yet.

I believe this was the 'original' useful script which allowed a static 'country' ban using IPSETs, but also implemented @System Error Message's suggestion for unsolicited 'activity' blocking:

https://www.snbforums.com/threads/h...ng-ipset-firewall-addition.16798/#post-115872

I recall that the -t filter INPUT Blacklist IPSET got quite large!
 
I have a similar approach of periodically (cru run script) scanning the syslog and adding the naughty IPs both to the current "CustomBlock" set and also to /jffs/ipset_lists/custom.lst (to be loaded after a reboot). The current country block script adds back the IPs in the custom.lst file to CustomBlock.
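An added example, not code from the thread, of the syslog-scanning companion described in the two posts above (System Error Message's activity-based blocking and the author's cru job that feeds custom.lst and the CustomBlock set). It assumes an iptables LOG rule whose lines carry a "DROP IN=" prefix and a SRC= field, reuses the main script's $IPSET_LISTS_DIR and $ADD names, and runs against a constructed syslog excerpt embedded inline.

```shell
#!/bin/sh
# Companion to the country blocking script: harvest repeat offenders from the
# router syslog, persist them in custom.lst and push them into CustomBlock.
# Assumed names: IPSET_LISTS_DIR and ADD as in the main script; "DROP IN=" LOG prefix.
IPSET_LISTS_DIR=${IPSET_LISTS_DIR:-/jffs/ipset_lists}
ADD=${ADD:-add}

# Constructed sample syslog excerpt (not real traffic): one source hits twice,
# two sources once, and one unrelated Firewall line that must be ignored.
SAMPLE_LOG='Mar  5 14:10:01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=22
Mar  5 14:10:03 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=23
Mar  5 14:10:09 kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=UDP DPT=5060
Mar  5 14:10:12 Firewall: /jffs/scripts/firewall-start: Added CustomBlock list (2 entries)
Mar  5 14:10:20 kernel: DROP IN=eth0 OUT= SRC=192.0.2.250 DST=198.51.100.2 PROTO=TCP DPT=3389'

# count_drops LOGFILE: one "<hits> <ip>" line per source seen in DROP log entries,
# busiest first. Only IPv4 literals are kept, because CustomBlock is an iphash set.
count_drops() {
  grep 'DROP IN=' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c \
    | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# new_offenders LOGFILE CUSTOMLIST THRESHOLD: sources with at least THRESHOLD drops
# that are not yet listed. Skipping listed IPs keeps repeated cru runs idempotent.
new_offenders() {
  count_drops "$1" | awk -v min="$3" '$1 >= min { print $2 }' | while read -r ip; do
    grep -qxF "$ip" "$2" 2>/dev/null || echo "$ip"
  done
}

# block_offenders LOGFILE THRESHOLD: append new offenders to custom.lst (so the main
# script reloads them into CustomBlock after a reboot) and add them to the live set.
block_offenders() {
  list="$IPSET_LISTS_DIR/custom.lst"
  [ -d "$IPSET_LISTS_DIR" ] || mkdir -p "$IPSET_LISTS_DIR"
  new_offenders "$1" "$list" "$2" | while read -r ip; do
    echo "$ip" >> "$list"
    # Only touch the kernel set where ipset exists (not on a workstation dry run)
    if command -v ipset >/dev/null 2>&1; then ipset $ADD CustomBlock "$ip"; fi
    if command -v logger >/dev/null 2>&1; then
      logger -t Firewall "$0: Added $ip to CustomBlock (custom.lst)"
    fi
  done
}

# Typical cru entry: sh /jffs/scripts/block_offenders.sh /tmp/syslog.log 3
if [ -n "${1:-}" ]; then block_offenders "$1" "${2:-3}"; fi
```

The threshold keeps a single stray SYN from a scanner sweep out of the permanent list; tune it to the noise level of your WAN.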
 