Country blocking script


Would there be any issue to make this run with a cron job rather than make it start with the firewall? Maybe run this every day or week?
Thanks again.
The script would typically just need to be run once at the router boot. The country lists are pretty static and do not change very frequently. If your router stays on for a very long time (over 3 months+) then this might be an issue. The script has checks that prevent the lists from being loaded if they are already loaded.

If you want to reload the blocklists on a schedule, you can check out this thread.

Edit: corrected typos
 
I just set this up, and am having some trouble with it. I'm new to this merlin version of the firmware, so maybe I'm doing something silly.

I've added the create-ipset-lists.sh to /jffs/scripts and I created a firewall-start in /jffs/scripts which runs the create-ipset-lists.sh. I reboot the router, and review the System log. I see entries like this, so I know it's running:
Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [br] to BlockedCountries list (2422 entries)

However, then I test it. I have a service running on a port, and I have that port forwarded on the WAN / Virtual Server / Port Forwarding page. I open up my mobile device (cellular network, disabled wifi so I'm not on the network), and connect to a VPN in Brazil (one of the blocked countries). On the VPN connection, I pull an IP of 177.234.144.139 and verify that on a standard whatismyipaddress web page. I also check and I can see that in /jffs/ipset_lists br.lst has an entry for: 177.234.144.0/20 which includes my IP address.

However, I'm still able to connect to my network, on that port. Shouldn't it be blocked?

I then did another test, and this time used the iblocklist-loader script instead (omitting the create-ipset-lists.sh), and it properly blocked the connection.


PS. Is there an error in the docs at https://github.com/RMerl/asuswrt-merlin/wiki/Ipset-script-installation-instructions ? It shows
"Finally call this at the end of your existing /jffs/firewall-start:". Should that be /jffs/scripts/firewall-start ?
 
However, I'm still able to connect to my network, on that port. Shouldn't it be blocked?
The src is blocked in country blocking (meaning that traffic from the specified countries would be blocked). You would still be able to connect to services in those countries. So if you can get someone in Brazil to try to connect to your home network, they would be blocked.

PS. Is there an error in the docs at https://github.com/RMerl/asuswrt-merlin/wiki/Ipset-script-installation-instructions ? It shows
"Finally call this at the end of your existing /jffs/firewall-start:". Should that be /jffs/scripts/firewall-start ?
Thank you for spotting the error. It's now corrected.
 
@sbutler Try the test from here: http://www.webpagetest.org/ to connect to a service running on your router for testing the script. If you are blocking only IPv4, remember to choose an IPv4 source (if you are blocking both IPv4 and IPv6, you can choose any source). Most Amazon EC2 instances are on IPv6, FYI.
 
I rebooted after making some changes, including updating the IPSET_Block.sh script. Upon checking my logs, I notice many 0 entries on countries.

Code:
May  5 22:16:33 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [ar] to BlockedCountries list (1026 entries)
May  5 22:17:02 Firewall: /jffs/scripts/create-ipset-lists.sh: Added MicrosoftSpyServers list (45 entries)
May  5 22:17:15 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [au] to BlockedCountries list (5107 entries)
May  5 22:17:22 Firewall: /jffs/scripts/create-ipset-lists.sh: Added TorNodes list (7003 entries)
May  5 22:17:33 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [br] to BlockedCountries list (2414 entries)
May  5 22:17:33 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [cn] to BlockedCountries list (0 entries)
May  5 22:18:12 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [de] to BlockedCountries list (5527 entries)
May  5 22:18:31 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [fr] to BlockedCountries list (2733 entries)
May  5 22:18:31 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [jp] to BlockedCountries list (0 entries)
May  5 22:18:31 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [kp] to BlockedCountries list (1 entries)
May  5 22:18:31 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [kr] to BlockedCountries list (0 entries)
May  5 22:18:31 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [pk] to BlockedCountries list (0 entries)
May  5 22:19:18 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [ru] to BlockedCountries list (6791 entries)
May  5 22:19:18 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [sa] to BlockedCountries list (0 entries)
May  5 22:19:18 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [sc] to BlockedCountries list (0 entries)
May  5 22:19:18 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [tr] to BlockedCountries list (0 entries)
May  5 22:19:18 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [tw] to BlockedCountries list (0 entries)
May  5 22:19:18 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [ua] to BlockedCountries list (0 entries)
May  5 22:19:18 Firewall: /jffs/scripts/create-ipset-lists.sh: Added country [vn] to BlockedCountries list (0 entries)

So, thinking that the script is working too hard or conflicting with other processes that may be running, I added a sleep in the code here:

Code:
# Country blocking by nethashes [Both IPv4 and IPv6 sources]
if $(ipset $SWAP BlockedCountries BlockedCountries 2>&1 | grep -q "$SETNOTFOUND"); then
  ipset $CREATE BlockedCountries $NETHASH
  for country in ${BLOCKED_COUNTRY_LIST}; do
    entryCount=0
    [ ! -e "$IPSET_LISTS_DIR/$country.lst" -o -n "$(find $IPSET_LISTS_DIR/$country.lst -mtime +$BLOCKLISTS_SAVE_DAYS -print 2>/dev/null)" ] && wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
    for IP in $(cat $IPSET_LISTS_DIR/$country.lst); do
      ipset $ADD BlockedCountries $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added country [$country] to BlockedCountries list ($entryCount entries)"
    sleep 60
  done
fi
But no change.

Notice that MicrosoftSpyServers and TorNodes got inserted above between loading two countries.
Code:
May  5 22:47:06 Firewall: /jffs/scripts/create-ipset-lists.sh: Added MicrosoftSpyServers list (45 entries)
May  5 22:47:13 Firewall: /jffs/scripts/create-ipset-lists.sh: Added TorNodes list (7003 entries)

Do you have any suggestions? I especially want to block CN as I see Chinese IP addresses on my pfSense Snort log trying to gain entry. So who knows what they are trying to access on this router.
 
Couple of things to try:

[1] I have realized that a better place to run the ipset firewall scripts is in services-start (not firewall-start). So I would remove the script call from firewall-start altogether and put it in services-start. The reason being, there could be instances of the firewall reloading multiple times, especially during boot time. This is event driven, see Rmerlin's post.

[2] Before you reboot your router after moving the call to services-start, also remove the country lists, so for example if they are at /jffs/ipset_lists, then do a
rm /jffs/ipset_lists/??.lst

Let me know if that worked. If moving the call to services-start works, then I'll update the wiki.
 
Thanks @redhat27, that fixed the problem. Following is the updated services-start:
Code:
#!/bin/sh

# DO NOT EDIT this part of the file #
# generated by AB-Solution 3.8
RC='/opt/etc/init.d/rc.unslung'

i=30
until [ -x "$RC" ];do
    i=$(($i-1))
    if [ "$i" -lt 1 ];then
        logger "Unable to start Entware"
        exit
    fi
    sleep 1
done
logger "AB-Solution started rc.unslung via $0"
$RC start
# end of DO NOT EDIT #
logger "at start create-ipset-lists script"
sh /jffs/scripts/create-ipset-lists.sh
logger "at finish create-ipset-lists script"
cru a malware-filter "0 */12 * * * /jffs/scripts/malware-block"
cru a IPSET_SAVE   "0 * * * * /jffs/scripts/IPSET_Block.sh save"    #Every hour
cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup"  #05:00 every day
I first entered: rm /jffs/ipset_lists/*.lst
to remove the prior entries.

At first attempt, I added the "sh /jffs/scripts/create-ipset-lists.sh" to the last line of services-start, after the last "cru" entry. After a reboot, I waited for what I thought was a reasonable time but never saw the script execute. So, I added it where it is, with the logger lines for debugging and validation, and rebooted. It is working now!

It makes sense having it in services-start. However, if one is an ab-solution user, I believe the services-start gets created from scratch upon a new install (which I had to do the other day to reformat and make another partition on my USB drive), so one will lose any entries after "# end of DO NOT EDIT #". Another reason to make backups or use John's backup utility of this file. Or, be prepared to recreate the entries.

Thank you for the help!
 
You can also put the call to the script in post-mount, if you don't want to use services-start.
 
You can also put the call to the script in post-mount, if you don't want to use services-start.
Thank you. I'll look into that suggestion.
 
You can also put the call to the script in post-mount, if you don't want to use services-start.
I put it in services-start but still it causes problems. Any way to make this script start as the last instruction in the boot process? I guess another question is, if it is called from post-mount, how do you delay the execution of the script?
When I put a sleep command in post-mount for the script, it stops other functions from starting until it is loaded, thus my problem.
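An added example, not the thread's create-ipset-lists.sh, that addresses two problems raised above: the "0 entries" countries from the earlier post (an empty or HTML error download gets cached as the country list) and the question here of delaying the load without holding up post-mount or services-start. It validates each zone file before caching or loading it, and the commented services-start call runs the whole load detached. The list directory, the ZONE_URL (copied from the thread's wget line), the modern `ipset add` syntax, an existing BlockedCountries set and the three-country list are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's script). Validates ipdeny zone files before
# they are cached or loaded, and is meant to be run detached from services-start.
IPSET_LISTS_DIR="${IPSET_LISTS_DIR:-/jffs/ipset_lists}"   # assumed location
ZONE_URL="http://www.ipdeny.com/ipblocks/data/aggregated"  # URL used in the thread

# count_cidr_entries FILE: print how many lines of FILE are IPv4 CIDRs (a.b.c.d/n).
count_cidr_entries() {
  grep -Ec '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' "$1" 2>/dev/null || true
}

# zone_file_ok FILE: succeed only if FILE is non-empty and every line that is
# not a comment or blank is an IPv4 CIDR. An empty file or an HTML error page
# (the likely cause of a "0 entries" country) fails here instead of being cached.
zone_file_ok() {
  [ -s "$1" ] || return 1
  total=$(grep -Evc '^(#|$)' "$1" || true)
  good=$(count_cidr_entries "$1")
  [ "$good" -gt 0 ] && [ "$good" -eq "$total" ]
}

# fetch_zone CC: download into a temp file and replace the cached list only when
# the download validates; a bad download leaves any old list untouched.
fetch_zone() {
  cc="$1"; dst="$IPSET_LISTS_DIR/$cc.lst"; tmp="$dst.tmp"
  wget -q -O "$tmp" "$ZONE_URL/$cc-aggregated.zone" && zone_file_ok "$tmp" \
    && mv "$tmp" "$dst" && return 0
  logger -t Firewall "$0: rejected zone download for [$cc], keeping old list"
  rm -f "$tmp"; return 1
}

# load_country CC: fetch the list if it is missing or empty, then feed it to
# the (assumed pre-created) BlockedCountries nethash set, counting successes.
load_country() {
  cc="$1"; f="$IPSET_LISTS_DIR/$cc.lst"
  [ -s "$f" ] || fetch_zone "$cc" || return 1
  n=0
  for net in $(grep -Ev '^(#|$)' "$f"); do
    ipset add BlockedCountries "$net" 2>/dev/null && n=$((n+1))
  done
  logger -t Firewall "$0: Added country [$cc] to BlockedCountries list ($n entries)"
}

# From services-start, call it detached with a delay so boot is never blocked:
#   ( sleep 120; sh /jffs/scripts/load-countries.sh run ) >/dev/null 2>&1 &
if [ "${1:-}" = "run" ]; then
  mkdir -p "$IPSET_LISTS_DIR"
  for cc in cn ru br; do load_country "$cc"; done   # constructed country list
fi
```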
 
Just thinking here - checked the china blocklist - and it's over 5000 CIDR entries these days...

China is big on the TCP port scan front, but these days, it's pretty much from everywhere...

Which is pretty crazy to try and process... even with ipset on a dual core ARM, much less a single core MIPS chip

Might be better to do a whitelist instead - trust IP's/IP/CIDR ranges, and block the rest out, or just don't expose services in the first place...

Don't expose services one doesn't need to in the first place...

For SSH - I just do IPTables rate limiting these days - they get a couple of attempts, fail, and they're blocked for awhile, and they give up... in @RMerlin - his firmware already does this by default.

If one is running OpenVPN as a server endpoint - just use UDP instead of TCP - port scanners avoid UDP as it's very inefficient for them and sucks up their resources - putting OVPN on TCP, esp on TCP/80 or TCP/443, just asking to get hammered there, as these are common webserver ports...
 
Should this script be restarted once a month or......? Create a cron that fires it once a month....any ideas?
 
Should this script be restarted once a month or......? Create a cron that fires it once a month....any ideas?
I just have it in my services-start. You can create a once a month schedule if you want to. I do too many changes in my router, so it's usually rebooted more than once in a month. I believe the script checks to see if the last time it downloaded the files is over 15 days to re-download the country data.
 
I use PPTP VPN for old android devices. I know it's not the most secure protocol so I tend to block IP addresses from countries where I get port scans from like China, Russia, US, etc. Though for some odd reason, even after I've blocked US, I still see attempts from the US in the logs. I recently switched from firewall-start to services-start to see if it could make things better but it hasn't. The scan attempts are from the usual culprits, e.g., Shodan, Linode, etc. These aren't obscure services. Any insight to what is going on here?
 
I've been thinking about this. It's simply inefficient to block individual countries when what we really need is to whitelist a country/state/province. It's easier to block all incoming IP addresses with the exception of the whitelist.
 
Added this script using services-start.
Working really well on my RT-N66U.
If you add the US remember to whitelist Google DNS. :oops:
Of course, don't load the us.lst at all, if you live in the US. ;)
 