What's new
  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

no, jffs partition is on router side...
Mine returns 24 entries in the Whitelist. I was adding whitelist entries earlier today as the script is causing issues with yahoo.com and mg.mail.yahoo.com. I'm still having issues and have temporarily disabled the script. I'll pick it back up in the next day or two . I am using the domains in the Blacklist file to block Microsoft telemetry and want to get that one working again ASAP.
 
i would realy like to know why whitelist not working for me? for example i insert 12.12.12.12 IP to whitelist-domains.txt but still showing zero? is this correctly?
Code:
####Whitelist-Domains##########
12.12.12.12
Code:
May 21 15:29:02 Firewall: iblocklist-loader.sh: Added WhitelistDomains (0 entries)

EDIT: i put command iptables -S and there are no DROP rules from iblocklist-loader?
Code:
admin@RT-AC3200-7180:/tmp/home/root# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FUPNP
-N NSFW
-N PControls
-N SECURITY
-N SECURITY_PROTECT
-N logaccept
-N logdrop
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j SECURITY_PROTECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j DROP
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
 
Last edited:
i would realy like to know why whitelist not working for me? for example i insert 12.12.12.12 IP to whitelist-domains.txt but still showing zero? is this correctly?
Code:
####Whitelist-Domains##########
12.12.12.12
Code:
May 21 15:29:02 Firewall: iblocklist-loader.sh: Added WhitelistDomains (0 entries)

EDIT: i put command iptables -S and there are no DROP rules from iblocklist-loader?
Code:
admin@RT-AC3200-7180:/tmp/home/root# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FUPNP
-N NSFW
-N PControls
-N SECURITY
-N SECURITY_PROTECT
-N logaccept
-N logdrop
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j SECURITY_PROTECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j DROP
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP

You are using the wrong format for whitelist. The entries need to be a url e.g. yahoo.com and not an IP address.
Go to @redhat27 GitHub site where the code is.
https://github.com/shounak-de/iblocklist-loader. You can see the whitelist-domains.txt file on the site.

Download the file whitelist-domains.txt to /jffs/ipset_lists folder. Add your own whitelist entries and try again. You can use the command below to download the whitelist-domains.txt file:

Code:
wget https://raw.githubusercontent.com/shounak-de/iblocklist-loader/master/whitelist-domains.txt -O /jffs/ipset_lists/whitelist-domains.txt
 
Last edited:
admin@RT-AC88U:/jffs/scripts# nslookup mg.mail.yahoo.com Server: 127.0.0.1 Address 1: 127.0.0.1 localhost.localdomain Name: mg.mail.yahoo.com Address 1: 2001:4998:28:800::4001 e2.ycpi.vip.laa.yahoo.com Address 2: 209.73.190.11 e1.ycpi.vip.laa.yahoo.com Address 3: 209.73.190.12 e2.ycpi.vip.laa.yahoo.com
If nslookup provides that IP (209.73.190.12) for you, and mg.mail.yahoo.com is in your whitelist-domains.txt file, it should be in the WhitelistDomains ipset after you run iblocklist-loader script.
Can you post:
Code:
nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"

And the source of the following CIDR is iblocklist-loader or ya-malware-filter?
Code:
190.12 found in BluetackSpiderCIDR
Thanks!
I did not understand this: 192.12 is not a full IP address. Can you post the command that produced that output?
 
If nslookup provides that IP (209.73.190.12) for you, and mg.mail.yahoo.com is in your whitelist-domains.txt file, it should be in the WhitelistDomains ipset after you run iblocklist-loader script.
Can you post:
Code:
nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"


I did not understand this: 192.12 is not a full IP address. Can you post the command that produced that output?
Sorry, copy and paste issue. It is 209.73.190.12. I also noticed in The nslookup to also resolve to 209.73.190.11. I will pick things back up tomorrow.
 
@Xentrk Might I also add, that if Bluetack Spider is creating issues for you , you can opt to remove it from your active blocklists (remove "13" from BLOCKLIST_INDEXES)
 
You are using the wrong format for whitelist. The entries need to be a url e.g. yahoo.com and not an IP address.
Go to @redhat27 GitHub site where the code is.
https://github.com/shounak-de/iblocklist-loader. You can see the whitelist-domains.txt file on the site.

Download the file whitelist-domains.txt to /jffs/ipset_lists folder. Add your own whitelist entries and try again. You can use the command below to download the whitelist-domains.txt file:

Code:
wget https://raw.githubusercontent.com/shounak-de/iblocklist-loader/master/whitelist-domains.txt -O /jffs/ipset_lists/whitelist-domains.txt
hmm, still not working....i have ban country Ukraina but i need to access to one domain which is located in Ukraina....insert that domain still blocking me to access....
 
yahoo.com and yahoo mail are working now. The solution is to whitelist all of the yahoo.com entries returned by the nslookup command below:
Code:
admin@RT-AC88U:/jffs/scripts# nslookup mg.mail.yahoo.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      mg.mail.yahoo.com
Address 1: 2406:2000:a4:800::32 e2.ycpi.vip.jpa.yahoo.com
Address 2: 119.161.9.49 e5-ha.ycpi.hkb.yahoo.com
Address 3: 119.161.9.149 e4-ha.ycpi.hkb.yahoo.com
Address 4: 119.161.8.149 e6-ha.ycpi.hkb.yahoo.com
Address 5: 119.161.9.99 e3-ha.ycpi.hkb.yahoo.com
Address 6: 119.161.8.99 e1-ha.ycpi.hkb.yahoo.com
Address 7: 119.161.8.199 e2-ha.ycpi.hkb.yahoo.com

Here are the entries to add to whitelist-domains.txt file to get yahoo.com and yahoo mail to play nice in the sand box:
Code:
yahoo.com # blocked by BluetackSpiderCIDR
mg.mail.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.jpa.yahoo.com # blocked by BluetackSpiderCIDR
e5-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e4-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e6-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e3-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e1-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e2-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
 
Another question..
When I rerun iblocklist-loader.sh, I get the output below:
Code:
admin@RT-AC88U:/jffs/scripts# ./iblocklist-loader.sh
iblocklist-loader.sh: Skipped loading BluetackSpider blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
iblocklist-loader.sh: Skipped loading BluetackDshield blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
iblocklist-loader.sh: Skipped loading BluetackWebexploit blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
iblocklist-loader.sh: Skipped loading BluetackProxy blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
nslookup: can't resolve 'compatexchange.cloudapp.net'
iblocklist-loader.sh: Added BlacklistDomains (72 entries)
iblocklist-loader.sh: Added WhitelistDomains (31 entries)

Is there an option I need to specify for the To force reloading, set USE_LOCAL_CACHE=N message?

Thank you!
 
Is there an option I need to specify for the To force reloading, set USE_LOCAL_CACHE=N message?
If you want the iblocklist-loader to download the data from the iblocklist.com website on each run, you'd need to set USE_LOCAL_CACHE to N. You will not get those messages anymore. However, the script will take longer to run due to the downloading and processing each time.

Also, I think you may have a bad entry 'compatexchange.cloudapp.net' in your whitelist-domains.txt or blacklist-domains.txt. I tried running hostip on it, and it could not find an IP for that domain.
 
If you want the iblocklist-loader to download the data from the iblocklist.com website on each run, you'd need to set USE_LOCAL_CACHE to N. You will not get those messages anymore. However, the script will take longer to run due to the downloading and processing each time.

Also, I think you may have a bad entry 'compatexchange.cloudapp.net' in your whitelist-domains.txt or blacklist-domains.txt. I tried running hostip on it, and it could not find an IP for that domain.
I see 'compatexchange.cloudapp.net' in the blacklist-domains.txt file. I had downloaded it from your GitHub site. I believe early last week. I see it is still there.
https://github.com/shounak-de/iblocklist-loader/blob/master/blacklist-domains.txt
I can remove it from the file. THANKS!!
 
Here are the entries to add to whitelist-domains.txt file to get yahoo.com and yahoo mail to play nice in the sand box:
Code:
yahoo.com # blocked by BluetackSpiderCIDR
mg.mail.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.jpa.yahoo.com # blocked by BluetackSpiderCIDR
e5-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e4-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e6-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e3-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e1-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e2-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
The iblocklist-loader should have created all these IPs for you... You do not need to whitelist them individually. Can you post:
Code:
nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
The IPs from the above command should get added to the WhitelistDomains ipset without adding the individual entries.
 
I did not see your post until after I did some more testing with the other two routers. I added some more entries as a result:
Code:
yahoo.com # blocked by BluetackSpiderCIDR
mg.mail.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.jpa.yahoo.com # blocked by BluetackSpiderCIDR
e5-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e4-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e6-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e3-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e1-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e2-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.nya.yahoo.com # blocked by BluetackSpiderCIDR
e1.ycpi.vip.nya.yahoo.com # blocked by BluetackSpiderCIDR
e1.ycpi.vip.dca.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.dca.yahoo.com # blocked by BluetackSpiderCIDR
e1.ycpi.vip.laa.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.laa.yahoo.com # blocked by BluetackSpiderCIDR
fd-geoycpi-uno.gycpi.b.yahoodns.net # blocked by BluetackSpiderCIDR
ir1.fp.vip.gq1.yahoo.com #blocked by BluetackSpiderCIDR

When I replied earlier, I was at the school where I do some volunteer work. When I got home, I tested the same entries I made at the school with the router with vpn all traffic and the one with policy rules. I ended up getting different nslookup results for mg.mail.yahoo.com on each one. yahoo.com results are the same for all three routers. If mg.mail.yahoo.com ends up being a moving target, I will remove list 13 from the iblocker script.

Router with VPN All Traffic
Code:
nslookup yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
98.139.183.24
206.190.36.45
98.138.253.109

nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
209.73.190.11
209.73.190.12

Router with policy rules
Code:
nslookup yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
98.139.183.24
98.138.253.109
206.190.36.45

nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
68.180.134.8
68.180.134.7

School router
Code:
 nslookup yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
206.190.36.45
98.139.183.24
98.138.253.109

nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
119.161.8.149
119.161.8.99
119.161.8.199
119.161.9.49
 
I ended up getting different nslookup results for mg.mail.yahoo.com on each one.
Would the correct IPs for each location be added to the WhitelistDomains ipset? I mean if you just whitelist:
yahoo.com
mail.yahoo.com
mg.mail.yahoo.com
would that not be enough? Even if mg.mail.yahoo.com resolves to different IPs in different locations, it would still whitelist the IPs it resolves to at each location and for the traffic each location handles.
 
Hi, been making the transition from PeerBlock to this script for systemic protection. It is very good for what it does but also cumbersome to manage. Some random comments:

MatchIP is of limited use to find partial IP or CIDR matching.

WhitelistDomains really needs to support CIDR. It is too functionally limited to solve cloud access problems, e.g. Amazon EC2/AWS and Azure. Currently I have to manually add missing CIDR's to the WhitelistDomain table via ipset commands at the end of the script. Not elegant.

All of the Bluetack lists have not been updated for almost a decade. Do not load as they contain many valid current IP's. The bogon, IANA's, nonLAN and Proxies lists will also specifically kill your local LAN. Likewise, do not load the bogon from CIDR. Furthermore, the SpyEye and Palevo from abuse have been discontinued.

I do not know how responsive i-Blocklist is to fixing the missing Amazon CIDR's, adding Microsoft to the Organization category as well as adding the two new lists from abuse.

Support for premium subscribers should be built in. It was very annoying having to edit every single URL to add the information and re-line up all the columns because nano kept screwing it all up until I wised up. I finally gave up and used EditPad Lite instead.

I don't like how long it takes to extract from the gzip lists on each reboot, leaving the LAN completely exposed as the router becomes available while the script is still processing. Can't the script halt further execution until it is completely done loading?

I've yet to find anything that logs and displays the disallowed connections in a manner similar to PeerBlock so that the IP and port can be readily and easily identified? There is no log being saved in /var as far as I can tell. Can that information be sent to the syslog so the web administration be used?

Also, I don't like the allow lists being processed before the disallow lists. What if zombie computers are using AWS or Azure? There should be fall-through after disallow down to allow. So right now the allows list are a huge security risk used in combination with the disallow lists.
 
Last edited:
@joesixpack Some of your concerns are valid. This script specifically caters to loading lists form the iblocklist.com site, with some limited customizations. For general overall security, I would recommend you to try out the ya-malware-block script that blocks a wide variety of malware sources. Please give post #1 a good read. It is quite fast and does not leave your LAN exposed while it is running (for that matter neither does this one). Let me know if that script would work for you. For myself, I've enabled Level4 on my router, but note it is disabled by default (Levels 1 to 3 enabled)

WhitelistDomains really needs to support CIDR. It is too functionally limited to solve cloud access problems, e.g. Amazon EC2/AWS and Azure. Currently I have to manually add missing CIDR's to the WhitelistDomain table via ipset commands at the end of the script. Not elegant.
If you plan to keep using this, I could have a WhitelistCIDR set created if (lets say) a /jffs/ipset_lists/whitelist-cidr.txt exists with CIDR entries. LMK if that would work.

Support for premium subscribers should be built in
AFAIK, premium users need to supply their username and pin to the url, you can just append your premium lists URL to the end of the given lists and reference them from the BLOCKLIST_INDEXES= line.

I don't like how long it takes to extract from the gzip lists on each reboot, leaving the LAN completely exposed as the router becomes available while the script is still processing. Can't the script halt further execution until it is completely done loading?
Care to explain what you mean? Did not understand.

I've yet to find anything that logs and displays the disallowed connections in a manner similar to PeerBlock so that the IP and port can be readily and easily identified? There is no log being saved
The target for a match is either DROP/REJECT (choice) or ACCEPT. I've not opted to use logdrop or logaccept as I do not like too much chatter in the syslog. If you have firewall logging enabled, just change this line, for example to "logdrop" instead of "DROP"

Also, I don't like the allow lists being processed before the disallow lists
Okay, I see your point there. I can make the processing order like this:
Code:
WHITELIST_DOMAINS_FILE
BLACKLIST_DOMAINS_FILE
BLOCKLIST_INDEXES
ALLOWLIST_INDEXES

or, possibly

WHITELIST_DOMAINS_FILE
WHITELIST_CIDR_FILE (not yet there)
BLACKLIST_DOMAINS_FILE
BLACKLIST_CIDR_FILE (not yet there)
BLOCKLIST_INDEXES
ALLOWLIST_INDEXES
Edit: Oh, welcome to the snbforums, BTW :)
 
Last edited:

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top