WQ6N
Occasional Visitor
First, I do wish to say thank you for the ipset wiki and ASUSWRT-Merlin resources.
I have taken a different approach from the BlockedCountry ipset nethash configuration. Instead of creating lists for multiple blocked countries, I have created a WhitelistCountry ipset nethash, which is allowed, with the default to explicitly deny all other IPs.
The script was rearranged to insert (I) the allowed iptables INPUT rules last (e.g. Whitelist and WhitelistCountry), which puts them before any blocked rules. The last rule for INPUT was appended (A) as the -j DROP default.
Prior to the allowed whitelists, I have created additional Blocks (e.g. DShield, Spider...) from the iblocklist site to address emerging threats. As of right now this is a manual process to create the specific lists within the ipset_lists folder.
Realizing there is a balance between how many countries you want to block and how many you allow, the explicit deny rule was the main driver for my implementation.
Any pre-routing (port forwarding) rules (VSERVER) bypass the ipset rules. A secondary Firewall/IPS is recommended for those protocols.
So far, the router seems to be happy and functional providing a filtered outer DMZ. Hope this provides food for thought when creating your enclave.
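The rule ordering WQ6N describes (block lists appended, allow rules inserted last so they land above the blocks, explicit DROP appended as the final INPUT rule) as an added example; this is my own firewall-start style skeleton, not WQ6N's script or anything from the ipset wiki. It assumes list files live under /jffs/ipset_lists as one CIDR per line, that the WAN interface is eth0, and that DRY_RUN=1 (the default) only simulates the resulting INPUT chain instead of calling ipset/iptables; the sample ranges it loads are constructed documentation prefixes, not real country or block-list data. Like the post, it covers INPUT only: port-forwarded (VSERVER) traffic goes through FORWARD and is not filtered by these rules.

```shell
#!/bin/sh
# Added example, not WQ6N's own script: build a WhitelistCountry nethash set
# and order INPUT so allow rules sit above block-list rules and an explicit
# DROP sits last. Assumptions (not from the post): lists in $LIST_DIR as one
# CIDR per line, WAN interface eth0, DRY_RUN=1 simulates the chain only.
# Run as root on the router with DRY_RUN=0 to apply for real.

DRY_RUN=${DRY_RUN:-1}
LIST_DIR=${LIST_DIR:-/jffs/ipset_lists}
WAN_IF=${WAN_IF:-eth0}
CHAIN=            # simulated INPUT chain, one rule per line (dry run only)

# Simulate what the kernel does with -I (prepend) and -A (append).
chain_add() {
    mode=$1; shift
    if [ -z "$CHAIN" ]; then CHAIN=$*
    elif [ "$mode" = I ]; then CHAIN=$(printf '%s\n%s' "$*" "$CHAIN")
    else CHAIN=$(printf '%s\n%s' "$CHAIN" "$*")
    fi
}

# Rule N (1-based) of the simulated chain, and the rule count.
chain_line() { printf '%s\n' "$CHAIN" | sed -n "${1}p"; }
chain_len()  { printf '%s\n' "$CHAIN" | wc -l | tr -d ' '; }

# Execute a command, or record it in the simulated chain when dry running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        case "$1 $2" in
            "iptables -I") chain_add I "$@" ;;
            "iptables -A") chain_add A "$@" ;;
            *) : ;;                    # ipset calls: nothing to simulate
        esac
    else
        "$@"
    fi
}

# Create (or reuse) a nethash set and reload it from a file of CIDRs.
load_set() {
    name=$1; file=$2
    run ipset create "$name" hash:net -exist
    run ipset flush "$name"
    while IFS= read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac   # skip blanks/comments
        run ipset add "$name" "$cidr" -exist
    done < "$file"
}

# Build INPUT in the order the post describes:
#   1. append the block-list rules (DShield, Spider, ...)
#   2. insert the allow rules last, so they land above every block rule
#   3. append the explicit default DROP as the final INPUT rule
# An ESTABLISHED,RELATED accept is inserted first (my addition) so replies to
# the router's own outbound connections are not caught by the final DROP.
build_input_rules() {
    run iptables -I INPUT -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for blk in DShield Spider; do
        run iptables -A INPUT -i "$WAN_IF" -m set --match-set "$blk" src -j DROP
    done
    for allow in Whitelist WhitelistCountry; do
        run iptables -I INPUT -i "$WAN_IF" -m set --match-set "$allow" src -j ACCEPT
    done
    run iptables -A INPUT -i "$WAN_IF" -j DROP
}

# Stand-alone demo with constructed sample lists (documentation ranges only).
main() {
    tmp=$(mktemp -d)
    printf '%s\n' '# constructed sample' 198.51.100.0/24 203.0.113.0/24 > "$tmp/WhitelistCountry.txt"
    printf '%s\n' 192.0.2.0/24 > "$tmp/DShield.txt"
    for s in WhitelistCountry DShield; do load_set "$s" "$tmp/$s.txt"; done
    build_input_rules
    printf 'Resulting INPUT order (%s rules):\n' "$(chain_len)"
    printf '%s\n' "$CHAIN"
    rm -rf "$tmp"
}
main
```

In dry-run mode the printed chain shows why "insert the allow rules last" works: each -I lands at position 1, so the last set inserted (WhitelistCountry) ends up on top, the block-list DROPs stay below every ACCEPT, and the unconditional DROP is the final rule. Point LIST_DIR at the real ipset_lists folder and add the remaining sets to load_set before switching DRY_RUN off.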