Firewall/IPTables

djtech2k

Senior Member
Because I am sick of hack attempts coming from other countries, I was thinking of blocking all traffic from foreign countries on my Asus RT-AC68U (and my Linux Web Server). The only way I know I can do it is with IPTables.

I have a consolidated list of IP subnets from other countries, but it's like 75k entries. My guess is that having an IPTables rule for every one will be a performance issue.

So my question is if there is a way to accomplish this or if iptables would work.
 
Use ipsets; they are more efficient for blocking a large number of subnets.

There should be a few examples on this forum on how to do it, people were even using precompiled IP lists to block certain countries such as China.
 
I have been reading all day and I am completely lost.

I searched the forum and found that long post about it, but the links it has to scripts are broken. I am just lost as to what is necessary to get ipsets going.
 
I am really stuck on this. Any help would be appreciated. IPSets seem to be the way to go but I have never dealt with it before.
 
So I have read thread after thread and the wiki.

The big thread on this forum about using ipset is long, but it relies on running that script for everything. I am not sure if that script is what I want, but the script is also not posted anymore.

So my main issue is figuring out how to install/configure/use ipset. I looked up ipset in general, but I do not know how to install or configure it on my router running RMerlin.

Does anyone have any reference on how to setup and use ipset with this firmware?
 
Ok, well I hope I have figured this out lol.

I have Optware installed and I created a new firewall-start script that looks something like this. Can someone please verify that this is proper use of ipset and that this is a good way to block out many subnets without impacting performance? Since iptables will make the performance go bad with a long list of subnets, I am hoping to use this and maintain good perf.

Code:
#!/bin/sh

# Load the ipset kernel modules (ipset 4.x module names) unless already loaded
lsmod | grep -q "ipt_set" || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
    insmod "$module"
done

# Folder to cache the downloaded country lists across reboots
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p "$IPSET_LISTS_DIR"

# Block incoming traffic from some countries. pk and cn are Pakistan and China; see http://www.ipdeny.com/ipblocks/ for other country codes.
# The --swap of a set onto itself is only a test for whether the set already exists (e.g. when firewall-start re-runs).
if [ "$(ipset --swap BlockedCountries BlockedCountries 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N BlockedCountries nethash
    for country in pk cn ru lu my kr kp jp il ir cz mo hk br sa
    do
        # Download to a temp file first so a failed download does not leave an empty cached .lst behind
        if [ ! -e "$IPSET_LISTS_DIR/$country.lst" ]
        then
            wget -q -O "$IPSET_LISTS_DIR/$country.tmp" http://www.ipdeny.com/ipblocks/data/countries/$country.zone \
              && mv "$IPSET_LISTS_DIR/$country.tmp" "$IPSET_LISTS_DIR/$country.lst" \
              || rm -f "$IPSET_LISTS_DIR/$country.tmp"
        fi
        [ -e "$IPSET_LISTS_DIR/$country.lst" ] || continue
        for IP in $(cat "$IPSET_LISTS_DIR/$country.lst")
        do
            ipset -A BlockedCountries "$IP"
        done
    done
fi
# Add the INPUT rule only once; LOGDROP is the firmware's log-then-drop chain
[ -z "$(iptables-save | grep BlockedCountries)" ] && iptables -I INPUT -m set --set BlockedCountries src -j LOGDROP
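Added example, not code from the thread or from the Asuswrt-Merlin firmware: the script above calls ipset -A once per prefix, which forks the ipset binary tens of thousands of times for a 75k-entry list. The usual fix for the "large number of subnets" case raised in the earlier reply is to generate one restore script and feed it to ipset -R, filtering the downloaded zone file first so a truncated or HTML error page fetched over plain HTTP cannot abort the load. The -N/-A/COMMIT restore format matches the ipset 4.x syntax used in the thread (ipset 6 uses create/add instead); the set name BlockedCountries, the sample zone file and the load_set helper are illustrative assumptions.

```shell
#!/bin/sh
# Added example: bulk-load a country zone file into an ipset with "ipset -R".
# Assumes ipset 4.x restore syntax (-N / -A / COMMIT) as on the router in the
# thread. The sample zone file below is constructed for the demo.

# Constructed sample: three valid prefixes plus two junk lines of the kind a
# failed or truncated HTTP download might leave in the cached .lst file.
SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
1.0.1.0/24
1.0.2.0/23
<html>not a prefix</html>
1.0.8.0/21
999.1.1.1/24
EOF

# Print only lines that are a well-formed IPv4 prefix a.b.c.d/n
# (each octet 0-255, n 0-32), deduplicated. Anything else is dropped so a
# corrupt list cannot feed garbage into ipset -R (one bad line aborts a restore).
valid_prefixes() {
    awk -F'[./]' '
        { sub(/\r$/, "") }                       # tolerate CRLF downloads
        NF == 5 && $5 ~ /^[0-9]+$/ && $5 <= 32 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (ok) print $1 "." $2 "." $3 "." $4 "/" $5
        }' "$@" | sort -u
}

# Emit an ipset -R script that creates a nethash set and fills it from one or
# more zone files. The set name is a parameter so the same generator can build
# a temporary set for an atomic swap.
restore_script() {
    name=$1; shift
    printf '%s\n' "-N $name nethash"
    valid_prefixes "$@" | sed "s|^|-A $name |"
    echo COMMIT
}

# Load a list into the live set without a window where nothing is blocked:
# build into <live>_tmp, swap it under the existing iptables rule, drop the old
# set. Needs root and the ip_set modules, so it is defined here but not run.
load_set() {
    live=$1; shift
    ipset -L "$live" >/dev/null 2>&1 || ipset -N "$live" nethash
    restore_script "${live}_tmp" "$@" | ipset -R \
      && ipset --swap "${live}_tmp" "$live" \
      && ipset -X "${live}_tmp"
}

# Demo: show the restore script the sample file produces (junk lines are gone).
restore_script BlockedCountries "$SAMPLE_ZONE"
```

On the router this replaces the inner for loop: restore_script BlockedCountries /jffs/ipset_lists/*.lst | ipset -R loads every cached list in a single ipset invocation, and load_set can be rerun from a cron job to refresh the lists while the INPUT rule stays in place.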
 
