ipset blocking doesn't work on RT-AC66U?
Hello,
I tried to block Tor nodes and countries with the script in:
https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset
but it doesn't seem to work on my RT-AC66U with Merlin build 376.44 (3-Aug-2014). This is the first time I have tested ipset. I tested open ports with ShieldsUp from grc.com.
ipset v4.5, protocol version 4.
Kernel module protocol version 4.
iptables v1.3.8
First I tested with blocking all of US, using CIDR from
https://www.countryipblocks.net/country_selection.php
That failed.
Then I changed the script so that all probe nodes of grc.com were added as if they were Tor nodes, and I added 4.0.0.0/8 as a nethash for "country blocking" (it was already present in the US CIDR):
admin@RT-AC66U:/tmp/home/root# ipset -L
Name: TorNodes
Type: iphash
References: 1
Header: hashsize: 1024 probes: 8 resize: 50
Members:
4.79.142.207
4.79.142.204
4.79.142.199
4.79.142.203
4.79.142.202
4.79.142.200
4.79.142.201
4.79.142.205
4.79.142.206
4.79.142.193
4.79.142.195
4.79.142.192
4.79.142.194
4.79.142.196
4.79.142.198
4.79.142.197
Name: BlockedCountries
Type: nethash
References: 1
Header: hashsize: 1024 probes: 4 resize: 50
Members:
4.0.0.0/8
admin@RT-AC66U:/tmp/home/root# iptables -L (output cropped)
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere set BlockedCountries src
DROP all -- anywhere anywhere set TorNodes src
Looking at the above output as the iptables novice that I am, it seems that it should work, but it doesn't. ShieldsUp (grc.com) keeps saying that I failed.
The port I am testing is being forwarded by the virtual server webui to my NAS. When I deploy firewall GeoIP blocking on my NAS, ShieldsUp says that I passed (full stealth). However, I want to block on the router instead of the NAS.
I have read a remark somewhere else on this forum, stating that it might be related to the RT-AC66U using an old version of iptables (1.3.8).
Is that the cause?
Can anyone confirm that blocking with ipset is, or is not, working with an RT-AC66U?
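One check worth running before blaming the iptables version: traffic the router DNATs to a LAN host (a "virtual server" port forward) traverses the FORWARD chain, not INPUT, so a set that is only dropped in INPUT never sees those probes. The script below is an added example, not part of the post or the Merlin wiki script; it parses `iptables -L` output in the format shown above (the listing is a constructed sample modelled on it) and reports sets matched in INPUT but absent from FORWARD.

```python
import re
from typing import Dict, Set

# Constructed sample in `iptables -L` format: the ipset matches sit only in
# INPUT; FORWARD carries no "set ... src" rule at all.
SAMPLE_IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            set BlockedCountries src
DROP       all  --  anywhere             anywhere            set TorNodes src
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            ctstate INVALID

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) ")
SET_RE = re.compile(r"\bset (\S+) (src|dst)\b")


def set_drop_chains(listing: str) -> Dict[str, Set[str]]:
    """Map each ipset name to the chains holding a DROP rule that matches it as source."""
    chains: Dict[str, Set[str]] = {}
    current = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)          # "Chain INPUT (policy ACCEPT)" -> INPUT
            continue
        if current is None or not line.startswith("DROP"):
            continue
        s = SET_RE.search(line)
        if s and s.group(2) == "src":
            chains.setdefault(s.group(1), set()).add(current)
    return chains


def sets_missing_forward(listing: str) -> Set[str]:
    """Sets dropped in INPUT only: DNAT'd port forwards never reach INPUT."""
    chains = set_drop_chains(listing)
    return {name for name, cs in chains.items() if "INPUT" in cs and "FORWARD" not in cs}


if __name__ == "__main__":
    for name in sorted(sets_missing_forward(SAMPLE_IPTABLES_L)):
        print(f"{name}: DROP only in INPUT; forwarded ports need the same match in FORWARD")
```

Run it against the real listing (`iptables -L | python3 check.py` after swapping the sample for `sys.stdin.read()`) on the router; an empty result means both chains already carry the set matches and the cause lies elsewhere.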