Country blocking script

I also had problems with the tor.lst and brute.lst. They were both always empty. The reason is that the internet connection is not made yet. I first let the script sleep for 120 seconds and then it works and all files are downloaded okay.

#!/bin/sh

sleep 120

# snbforums thread:
# https://www.snbforums.com/threads/country-blocking-script.36732/page-2#post-311407

# Re-download blocklist if locally saved blocklist is older than this many days
BLOCKLISTS_SAVE_DAYS=15

# For the users of mips routers (kernel 2.x): You can now block sources with IPv6 with country blocklists
# Enable if you want to add huge country IPv6 netmask lists directly into ip6tables rules.
# Also, enabling this will add a *lot* of processing time!
# Note: This has no effect *if* you have ipset v6: It will always use ipset v6 for IPv6 country blocklists regardless of whether this is enabled or not.
USE_IP6TABLES_IF_IPSETV6_UNAVAILABLE=disabled # [enabled|disabled]
.............
 
I added a wait loop for your case. You should not need that forced sleep 120 anymore.
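
Added example (not part of the thread and not redhat27's code): one way to replace a fixed sleep with a bounded wait loop, and to keep the previous blocklist when a download comes back empty or is not a list at all. The names PROBE_CMD, wait_for_network and install_list, the probe command, and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example. PROBE_CMD, wait_for_network and install_list are
# hypothetical names, not taken from the thread's script.

# Command that succeeds only once the WAN link is usable (assumed probe).
PROBE_CMD="${PROBE_CMD:-nslookup www.snbforums.com}"

# wait_for_network MAX_SECONDS [INTERVAL]
# Returns 0 as soon as the probe succeeds, 1 once MAX_SECONDS have passed.
wait_for_network() {
    max="$1"; interval="${2:-5}"; waited=0
    until $PROBE_CMD >/dev/null 2>&1; do
        [ "$waited" -ge "$max" ] && return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 0
}

# install_list NEW_FILE TARGET
# Replace TARGET only if NEW_FILE contains at least one IPv4 address or CIDR
# line (assumption: the lists are IPv4). An empty file or an HTML error page
# is discarded, so the previously saved list stays in place.
install_list() {
    new="$1"; target="$2"
    if [ -s "$new" ] &&
       grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$new"; then
        mv "$new" "$target"
        return 0
    fi
    rm -f "$new"
    return 1
}

# Usage inside a firewall-start style script (URL and paths are placeholders):
#   wait_for_network 120 || exit 1
#   wget -q -O /tmp/tor.lst.new "$TOR_LIST_URL"
#   install_list /tmp/tor.lst.new /jffs/tor.lst || logger "tor.lst not updated"
```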
 
or my privacy filter that already does all of this for almost every WRT distro, but it's possible to modify redhat's script and add my sources if you want an all-around script

@redhat27 might be time to rename that script to the great firewall :p dunno what your intentions are but i got a suggestion for it, enable and disable various functions might be a nice feature for it
 
It was your original script ;) I just modified for ipset v6 and ipv6 for countries. I think it is a good little first line of defense, and you deserve the full credit of putting up the initial write.

I have been monitoring the hits on the lists as time passes. I think that BruteForceLogins list may not have been a good addition (around 500 entries only) I may take it off later on, as it gets low hits (1-2 a day)

Regarding @MuppetSoul's question, he was only asking for a possible use of custom.lst that is used in the script.
I use a scheduled job to populate custom.lst with all attacking IPs I find in my syslog (there is a whole bunch of ways I scan for all IPs from various application logs, so I won't bother the forum with the details)
But really you can put pretty much anything in there.
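
Added example (not redhat27's job, whose details are not given in the thread): one way a scheduled job could turn failed SSH logins in syslog into custom.lst entries. The log lines are constructed in the style of dropbear messages; THRESHOLD and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Function names and THRESHOLD are hypothetical.
THRESHOLD="${THRESHOLD:-3}"   # failed logins before a source is listed

# Constructed sample in the style of dropbear's syslog messages.
sample_log() {
cat <<'EOF'
Mar  1 10:00:01 router dropbear[811]: Bad password attempt for 'admin' from 203.0.113.7:40122
Mar  1 10:00:03 router dropbear[811]: Bad password attempt for 'root' from 203.0.113.7:40123
Mar  1 10:00:04 router dropbear[812]: Bad password attempt for 'x from 10.9.9.9:1' from 203.0.113.7:40125
Mar  1 10:02:10 router dropbear[820]: Login attempt for nonexistent user from 198.51.100.9:51000
Mar  1 10:02:12 router dropbear[820]: Login attempt for nonexistent user from 198.51.100.9:51001
Mar  1 10:05:00 router dropbear[830]: Bad password attempt for 'admin' from 192.168.1.50:60001
Mar  1 10:05:01 router dropbear[830]: Bad password attempt for 'admin' from 192.168.1.50:60002
Mar  1 10:05:02 router dropbear[830]: Bad password attempt for 'admin' from 192.168.1.50:60003
EOF
}

# extract_attackers: syslog on stdin, one IPv4 per line on stdout for every
# public source with at least THRESHOLD failed logins.
extract_attackers() {
    # Match only the trailing "from IP:port", so an attacker-chosen username
    # (third sample line) cannot inject an address of its own.
    sed -n -E 's/.*(Bad password attempt for .* from|Login attempt for nonexistent user from) ([0-9]{1,3}(\.[0-9]{1,3}){3}):[0-9]+$/\2/p' |
    awk -v min="$THRESHOLD" '
        { split($0, o, "."); a = o[1] + 0; b = o[2] + 0
          for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
          # Never list LAN, loopback or link-local sources.
          if (a == 10 || a == 127 || (a == 192 && b == 168) ||
              (a == 169 && b == 254) || (a == 172 && b >= 16 && b <= 31)) next
          count[$0]++ }
        END { for (ip in count) if (count[ip] >= min) print ip }' | sort
}

# merge_into LIST: add addresses from stdin to LIST without duplicates.
merge_into() {
    list="$1"; touch "$list"
    sort -u - "$list" > "$list.tmp" && mv "$list.tmp" "$list"
}

# Usage from cron (log path and list path are placeholders):
#   extract_attackers < /tmp/syslog.log | merge_into /jffs/custom.lst
```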
 
I have a ac68u running this script on 380.65_2 and my countries list doesn't grow. It's still loading the default list. Isn't this list expanding since the first list was offered? It blocks 9 countries according to the logs. Always the same countries. Is this correct or....?
 
It blocks exactly what you configure in the script. The default list of countries is static, but you can feel free to add or delete specific country digraphs based upon your specific needs -- the IP ranges associated with each country are dynamic, and they are downloaded and processed when the script is run.
 
Cool thank you for the explanation!
 
hi @redhat27 can you point me in the direction that I can edit the script so that I can use only tor and country block?
Thanks
 
Sure! Get the script from here. If you have trouble extracting the script from the wiki, you can also get it from here (same script, maybe has a few additional default country codes).

Just save that script in /jffs/scripts, make it executable and reference that from your existing /jffs/scripts/firewall-start

Then change line 16 to include all the countries that you'd like to block. You can get the full list of 2-letter country codes here. For example, if you wanted to block Afghanistan, make sure BLOCKED_COUNTRY_LIST has the code "af" in there. I just chose Afghanistan as an example as that was the first one in the list. You can put as many country codes as you'd like to block.

That's it. It's as simple as that. The same script will also download the tor list, load an ipset and create an iptables rule to block tor nodes. In addition, it also blocks a handful of Microsoft telemetry servers on outbound traffic.

If there was something in the wiki that was confusing or you feel needs an update, please let me know, and I'll change it accordingly.
 
fyi the whole static ip on the telemetry servers is pretty outdated, that's why i overhauled my filter to not just go on ip alone
 
Thanks! I made a small modification and deleted the telemetry part of the script and left everything else intact. Not sure at the moment if I will use the custom or white list, but thanks a lot, it's already blocking countries with your script!
Would there be any issue to make this run with a cron job rather than make it start with the firewall? Maybe run this every day or week?
Thanks again.
 
fyi the whole static ip on the telemetry servers is pretty outdated, that's why i overhauled my filter to not just go on ip alone
Not quite outdated. I see it get regular hits: This is the output on the router after just 1 hour browsing with a single windows 10 machine in my network:

Code:
admin@RT-AC66R-D700:/tmp/home/root# iptables -L -v | grep "SpyServers"
   48  2432 DROP       all  --  any    any     anywhere             anywhere            set MicrosoftSpyServers dst
 
Code:
#   iptables -L -v | grep privacy
80537 3812K REJECT     all  --  any    any     anywhere             anywhere             match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable

guessing not quite as efficient as mine then :)
 
Well, I don't know how long your rule was up. The stats I posted were with the firewall started about 1 hour ago, and the stats are from just 1 Windows machine; also, the list is just the telemetry
 
