bayern1975
Very Senior Member
> Is your /jffs partition on a usb drive?
no, jffs partition is on router side...
> no, jffs partition is on router side...
Mine returns 24 entries in the Whitelist. I was adding whitelist entries earlier today as the script is causing issues with yahoo.com and mg.mail.yahoo.com. I'm still having issues and have temporarily disabled the script. I'll pick it back up in the next day or two. I am using the domains in the Blacklist file to block Microsoft telemetry and want to get that one working again ASAP.
i would really like to know why whitelist not working for me? for example i insert 12.12.12.12 IP to whitelist-domains.txt but still showing zero? is this correct?
Code:
####Whitelist-Domains##########
12.12.12.12
Code:
May 21 15:29:02 Firewall: iblocklist-loader.sh: Added WhitelistDomains (0 entries)
EDIT: i put command iptables -S and there are no DROP rules from iblocklist-loader?
Code:
admin@RT-AC3200-7180:/tmp/home/root# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FUPNP
-N NSFW
-N PControls
-N SECURITY
-N SECURITY_PROTECT
-N logaccept
-N logdrop
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j SECURITY_PROTECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j DROP
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
If nslookup provides that IP (209.73.190.12) for you, and mg.mail.yahoo.com is in your whitelist-domains.txt file, it should be in the WhitelistDomains ipset after you run iblocklist-loader script.
Code:
admin@RT-AC88U:/jffs/scripts# nslookup mg.mail.yahoo.com
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name: mg.mail.yahoo.com
Address 1: 2001:4998:28:800::4001 e2.ycpi.vip.laa.yahoo.com
Address 2: 209.73.190.11 e1.ycpi.vip.laa.yahoo.com
Address 3: 209.73.190.12 e2.ycpi.vip.laa.yahoo.com
> And the source of the following CIDR is iblocklist-loader or ya-malware-filter? Thanks!
> Code:
> 190.12 found in BluetackSpiderCIDR
I did not understand this: 192.12 is not a full IP address. Can you post the command that produced that output?
> i put command iptables -S and there are no DROP rules from iblocklist-loader?
try iptables -t raw -S
> If nslookup provides that IP (209.73.190.12) for you, and mg.mail.yahoo.com is in your whitelist-domains.txt file, it should be in the WhitelistDomains ipset after you run iblocklist-loader script.
Sorry, copy and paste issue. It is 209.73.190.12. I also noticed in the nslookup that it also resolves to 209.73.190.11. I will pick things back up tomorrow.
> I did not understand this: 192.12 is not a full IP address. Can you post the command that produced that output?
Can you post:
Code:
nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
> You are using the wrong format for whitelist. The entries need to be a url e.g. yahoo.com and not an IP address.
> Go to @redhat27 GitHub site where the code is.
> https://github.com/shounak-de/iblocklist-loader. You can see the whitelist-domains.txt file on the site.
> Download the file whitelist-domains.txt to /jffs/ipset_lists folder. Add your own whitelist entries and try again. You can use the command below to download the whitelist-domains.txt file:
> Code:
> wget https://raw.githubusercontent.com/shounak-de/iblocklist-loader/master/whitelist-domains.txt -O /jffs/ipset_lists/whitelist-domains.txt
hmm, still not working....i have banned country Ukraine but i need access to one domain which is located in Ukraine....inserting that domain still blocks me from accessing it....
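As an added example (not code from iblocklist-loader or from anyone in this thread), here are the two pieces of text handling the thread keeps coming back to: the nslookup filter posted above, run over a constructed copy of the output quoted in the thread so it works offline, and a cleaner for whitelist-domains.txt that applies the "hostnames, not IP addresses" rule given above. The function names, the sample strings and the comment-stripping behaviour are assumptions.

```shell
#!/bin/sh
# Added example, not code from iblocklist-loader: the nslookup filter from the
# thread and a whitelist-domains.txt cleaner, run over constructed samples.

# Constructed sample: busybox nslookup output in the layout quoted in the thread
# (the resolver's own address first, a blank line, then the answers).
SAMPLE_NSLOOKUP='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      mg.mail.yahoo.com
Address 1: 2001:4998:28:800::4001 e2.ycpi.vip.laa.yahoo.com
Address 2: 209.73.190.11 e1.ycpi.vip.laa.yahoo.com
Address 3: 209.73.190.12 e2.ycpi.vip.laa.yahoo.com'

# The filter posted in the thread, reading stdin instead of calling nslookup:
# sed skips everything up to the first blank line (so the 127.0.0.1 resolver
# line is never taken as an answer) and prints only "Address N: ..." lines with
# the label removed; cut keeps the address; grep -v drops IPv6 answers.
ipv4_from_nslookup() {
    sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
}

# Constructed sample whitelist-domains.txt, including the mistake discussed in
# the thread: a bare IP address instead of a hostname.
SAMPLE_WHITELIST='####Whitelist-Domains##########
yahoo.com # blocked by BluetackSpiderCIDR
mg.mail.yahoo.com   # blocked by BluetackSpiderCIDR

12.12.12.12'

# One hostname per line; "#" starts a comment (assumed, matching the entries
# posted in the thread). Strip comments and whitespace, drop empty lines, and
# drop dotted-quad entries, which the thread says do not belong in this file.
whitelist_hosts() {
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' \
        | grep -Ev '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# On the router the same functions take live input, e.g.:
#   nslookup mg.mail.yahoo.com | ipv4_from_nslookup
#   whitelist_hosts < /jffs/ipset_lists/whitelist-domains.txt
```

The second pipeline shows what the loader ends up with: the bare 12.12.12.12 line contributes nothing, which is consistent with the "0 entries" message seen earlier in the thread.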
> i have banned country Ukraine but i need access to one domain which is located in Ukraine
This script should be able to handle that. Make sure index 281 is part of your BLOCKLIST_INDEXES. Also, add the domain you want to whitelist to the whitelist-domains.txt file. It should be straightforward. Let me know if you are still having problems setting this up.
admin@RT-AC88U:/jffs/scripts# nslookup mg.mail.yahoo.com
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name: mg.mail.yahoo.com
Address 1: 2406:2000:a4:800::32 e2.ycpi.vip.jpa.yahoo.com
Address 2: 119.161.9.49 e5-ha.ycpi.hkb.yahoo.com
Address 3: 119.161.9.149 e4-ha.ycpi.hkb.yahoo.com
Address 4: 119.161.8.149 e6-ha.ycpi.hkb.yahoo.com
Address 5: 119.161.9.99 e3-ha.ycpi.hkb.yahoo.com
Address 6: 119.161.8.99 e1-ha.ycpi.hkb.yahoo.com
Address 7: 119.161.8.199 e2-ha.ycpi.hkb.yahoo.com
admin@RT-AC88U:/jffs/scripts# ./iblocklist-loader.sh
iblocklist-loader.sh: Skipped loading BluetackSpider blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
iblocklist-loader.sh: Skipped loading BluetackDshield blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
iblocklist-loader.sh: Skipped loading BluetackWebexploit blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
iblocklist-loader.sh: Skipped loading BluetackProxy blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
nslookup: can't resolve 'compatexchange.cloudapp.net'
iblocklist-loader.sh: Added BlacklistDomains (72 entries)
iblocklist-loader.sh: Added WhitelistDomains (31 entries)
> Is there an option I need to specify for the "To force reloading, set USE_LOCAL_CACHE=N" message?
If you want the iblocklist-loader to download the data from the iblocklist.com website on each run, you'd need to set USE_LOCAL_CACHE to N. You will not get those messages anymore. However, the script will take longer to run due to the downloading and processing each time.
> If you want the iblocklist-loader to download the data from the iblocklist.com website on each run, you'd need to set USE_LOCAL_CACHE to N. You will not get those messages anymore. However, the script will take longer to run due to the downloading and processing each time.
I see 'compatexchange.cloudapp.net' in the blacklist-domains.txt file. I had downloaded it from your GitHub site, I believe early last week. I see it is still there.
Also, I think you may have a bad entry 'compatexchange.cloudapp.net' in your whitelist-domains.txt or blacklist-domains.txt. I tried running hostip on it, and it could not find an IP for that domain.
> Here are the entries to add to whitelist-domains.txt file to get yahoo.com and yahoo mail to play nice in the sand box:
> Code:
> yahoo.com # blocked by BluetackSpiderCIDR
> mg.mail.yahoo.com # blocked by BluetackSpiderCIDR
> e2.ycpi.vip.jpa.yahoo.com # blocked by BluetackSpiderCIDR
> e5-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
> e4-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
> e6-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
> e3-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
> e1-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
> e2-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
The iblocklist-loader should have created all these IPs for you... You do not need to whitelist them individually. Can you post:
Code:
nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
yahoo.com # blocked by BluetackSpiderCIDR
mg.mail.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.jpa.yahoo.com # blocked by BluetackSpiderCIDR
e5-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e4-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e6-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e3-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e1-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e2-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.nya.yahoo.com # blocked by BluetackSpiderCIDR
e1.ycpi.vip.nya.yahoo.com # blocked by BluetackSpiderCIDR
e1.ycpi.vip.dca.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.dca.yahoo.com # blocked by BluetackSpiderCIDR
e1.ycpi.vip.laa.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.laa.yahoo.com # blocked by BluetackSpiderCIDR
fd-geoycpi-uno.gycpi.b.yahoodns.net # blocked by BluetackSpiderCIDR
ir1.fp.vip.gq1.yahoo.com # blocked by BluetackSpiderCIDR
nslookup yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
98.139.183.24
206.190.36.45
98.138.253.109
nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
209.73.190.11
209.73.190.12
nslookup yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
98.139.183.24
98.138.253.109
206.190.36.45
nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
68.180.134.8
68.180.134.7
nslookup yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
206.190.36.45
98.139.183.24
98.138.253.109
nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
119.161.8.149
119.161.8.99
119.161.8.199
119.161.9.49
> I ended up getting different nslookup results for mg.mail.yahoo.com on each one.
Would the correct IPs for each location be added to the WhitelistDomains ipset? I mean if you just whitelist:
> WhitelistDomains really needs to support CIDR. It is too functionally limited to solve cloud access problems, e.g. Amazon EC2/AWS and Azure. Currently I have to manually add missing CIDRs to the WhitelistDomain table via ipset commands at the end of the script. Not elegant.
If you plan to keep using this, I could have a WhitelistCIDR set created if (let's say) a /jffs/ipset_lists/whitelist-cidr.txt exists with CIDR entries. LMK if that would work.
> Support for premium subscribers should be built in
AFAIK, premium users need to supply their username and pin to the url, you can just append your premium lists URL to the end of the given lists and reference them from the BLOCKLIST_INDEXES= line.
> I don't like how long it takes to extract from the gzip lists on each reboot, leaving the LAN completely exposed as the router becomes available while the script is still processing. Can't the script halt further execution until it is completely done loading?
Care to explain what you mean? Did not understand.
> I've yet to find anything that logs and displays the disallowed connections in a manner similar to PeerBlock so that the IP and port can be readily and easily identified? There is no log being saved
The target for a match is either DROP/REJECT (choice) or ACCEPT. I've not opted to use logdrop or logaccept as I do not like too much chatter in the syslog. If you have firewall logging enabled, just change this line, for example to "logdrop" instead of "DROP".
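Once the target is switched to logdrop, each blocked packet shows up in syslog as a line with the "DROP " prefix seen in the iptables -S listing earlier in the thread. As an added example (not part of iblocklist-loader or the firmware), this reduces those lines to the PeerBlock-style "who was blocked on which port" view asked about above; the sample lines are constructed, the function name and the syslog path in the trailing comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from iblocklist-loader or the router firmware: turn
# the syslog lines written by the logdrop chain (LOG --log-prefix "DROP ") into
# one "iface src:sport -> dst:dport proto" line per blocked packet.

# Constructed sample syslog: addresses, MAC and times are made up; the KEY=VALUE
# layout is the standard netfilter LOG format. The middle line is unrelated
# noise and the last one comes from logaccept, so both must be ignored.
SAMPLE_LOG='May 21 15:29:02 kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=29200 RES=0x00 SYN URGP=0
May 21 15:29:03 dnsmasq[123]: query[A] yahoo.com from 192.168.1.10
May 21 15:29:04 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=51000 DPT=53 LEN=32'

# Keep only lines carrying the DROP prefix, then pick the KEY=VALUE fields we
# care about. Flags without a value (e.g. "DF", "SYN") are skipped.
drop_summary() {
    grep ' DROP IN=' | awk '{
        iface = src = dst = spt = dpt = proto = "?"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "IN")    iface = kv[2]
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "SPT")   spt   = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
        }
        print iface, src ":" spt, "->", dst ":" dpt, proto
    }'
}

# On the router (syslog path assumed; adjust to where your firmware keeps it):
#   drop_summary < /tmp/syslog.log
#   tail -f /tmp/syslog.log | drop_summary
```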
> Also, I don't like the allow lists being processed before the disallow lists
Okay, I see your point there. I can make the processing order like this:
WHITELIST_DOMAINS_FILE
BLACKLIST_DOMAINS_FILE
BLOCKLIST_INDEXES
ALLOWLIST_INDEXES
or, possibly
WHITELIST_DOMAINS_FILE
WHITELIST_CIDR_FILE (not yet there)
BLACKLIST_DOMAINS_FILE
BLACKLIST_CIDR_FILE (not yet there)
BLOCKLIST_INDEXES
ALLOWLIST_INDEXES