
PeerGuardian Whitelist?

prp2

Occasional Visitor
Hello, I'm trying to use the PeerGuardian rules (v2) found in the Wiki, but the issue I'm having is that some of the IPs blocked by the BluetackLevel1 list are ones from which I still need to accept connections.

I'm trying to set up a whitelist of sorts, or just another iptables rule to allow certain IPs through, while keeping the PeerGuardian filters in effect.

Any thoughts on where I'm going wrong would be greatly appreciated. Running RT-N66R, latest f/w (374.40).

Here's what I have in my /jffs/scripts/firewall-start:

Code:
# PeerGuardian rules

# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_iptreemap ipt_set; do
    insmod $module
done

# Create the BluetackLevel1 (primary) if does not exists
if [ "$(ipset --swap BluetackLevel1 BluetackLevel1 2>&1 | grep 'Unknown set')" != "" ]; then
  ipset --create BluetackLevel1 iptreemap && \
  iptables -I FORWARD -m set --set BluetackLevel1 src,dst -j DROP
fi
# Destroy this transient set just in case
ipset --destroy BluetackLevel2 > /dev/null 2>&1

# Load the latest rule(s)

(echo -e "-N BluetackLevel2 iptreemap\n" && \
 nice wget -q -O - "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz" | \
    nice gunzip | nice cut -d: -f2 | nice grep -E "^[-0-9.]+$" | \
    nice sed 's/^/-A BluetackLevel2 /' && \
 echo -e "\nCOMMIT\n" \
) | \
nice ipset --restore && \
nice ipset --swap BluetackLevel2 BluetackLevel1 && \
nice ipset --destroy BluetackLevel2

# Allow traffic through T-Mobile USA IP Addresses
# Create the TMUS set only if it does not exist yet, so the script can be re-run
ipset --list TMUS > /dev/null 2>&1 || ipset -N TMUS nethash
ipset -A TMUS 172.56.0.0/16
ipset -A TMUS 208.54.0.0/17
#iptables -A INPUT -m set --set TMUS src -j ACCEPT
# Insert the ACCEPT above the BluetackLevel1 DROP, but only once
iptables -L FORWARD -n | grep -q "TMUS" || \
iptables -I FORWARD -m set --set TMUS src,dst -j ACCEPT

#exit $?
 
Did you try filtering out the addresses you do not want included by using "(e)grep -v"?

# after "cut -d: -f2" each line is just "start-end" (no name, no ":"), so anchor on the start address
nice egrep -v "^208\.54\.|^172\.56\." | nice sed 's/^/-A BluetackLevel2 /' && \
 
Apologies for posting on a pretty old thread, but I have a similar issue and need. I see how the suggestion from fantom could work; however, my setup is a little different. I'm actually pulling the CIDR list from iBlock and placing this into a hash:net IPSET. I'm doing this because it is faster and requires less RAM on the router.

I want to allow access to the Steam list from iBlock and also a single IP in a larger blocked range that is used by Vodafone (Mobile/Cell provider in the UK).

Here is what I have created; note I've added a sort -u to remove duplicate entries from the iBlock lists. As I understand it, because the ACCEPT is added with -I it is placed at the top of the iptables list and should be matched first, therefore allowing the traffic.

Code:
#!/bin/sh

logger "PeerGuardian rules"

logger "Loading ipset modules"
ipset -v | grep -i "v4" > /dev/null 2>&1
if [ $? -eq 0 ];
then
   # old ipset
   ipsetv=4
   lsmod | grep "ipt_set" > /dev/null 2>&1 || \
   for module in ip_set ip_set_nethash ip_set_iphash ipt_set
   do
       insmod $module
   done
else
   # new ipset
   ipsetv=6
   lsmod | grep "xt_set" > /dev/null 2>&1 || \
   for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
   do
       insmod $module
   done
fi

logger "Check for the PGBlock1 (primary) set"
if [ "$(ipset --swap PGBlock1 PGBlock1 2>&1 | grep 'The set with the given name does not exist')" != "" ]; then
  ipset --create PGBlock1 hash:net maxelem 1000000 && \
  iptables -I FORWARD -m set --match-set PGBlock1 src,dst -j DROP
  logger "Created PGBlock1"
fi

logger "Destroy and create PGBlock2 (transient) set"
ipset --destroy PGBlock2 > /dev/null 2>&1

logger "Load the latest rules (Level 1 and Spyware)"
(
    (
        (
            nice wget -q -O - "http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz" | \
            nice gunzip | nice cut -d: -f2 | nice grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,2\}\|[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'  \
        ) && \
        (
            nice wget -q -O - "http://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=cidr&archiveformat=gz" | \
            nice gunzip | nice cut -d: -f2 | nice grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,2\}\|[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'  \
        )
    ) | nice sort -u | \
    (
        nice sed '/^$/d' | \
        nice sed 's/^/-A PGBlock2 /' | \
        nice sed '1s/^/-N PGBlock2 hash:net maxelem 1000000\n/' && \
        echo -e "\nCOMMIT\n" \
    )
#) > output
) | \
nice ipset --restore && \
nice ipset --swap PGBlock2 PGBlock1 && \
nice ipset --destroy PGBlock2

logger "Check for the PGAllow1 (primary) set"
if [ "$(ipset --swap PGAllow1 PGAllow1 2>&1 | grep 'The set with the given name does not exist')" != "" ]; then
  ipset --create PGAllow1 hash:net maxelem 1000000 && \
  iptables -I FORWARD -m set --match-set PGAllow1 src,dst -j ACCEPT
  logger "Created PGAllow1"
fi

logger "Destroy and create PGAllow2 (transient) set"
ipset --destroy PGAllow2 > /dev/null 2>&1

logger "Load the latest rules (Steam)"
(
    (
        (
            nice wget -q -O - "http://list.iblocklist.com/?list=cnxkgiklecdaihzukrud&fileformat=cidr&archiveformat=gz" | \
            nice gunzip | nice cut -d: -f2 | nice grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\/[0-9]\{1,2\}\|[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'  \
        )
    ) | nice sort -u | \
    (
        nice sed '/^$/d' | \
        nice sed 's/^/-A PGAllow2 /' | \
        nice sed '1s/^/-N PGAllow2 hash:net maxelem 1000000\n/' && \
        echo -e "\nCOMMIT\n" \
    )
#) > output
) | \
nice ipset --restore && \
nice ipset add PGAllow2 212.183.133.177/32 && \
nice ipset --swap PGAllow2 PGAllow1 && \
nice ipset --destroy PGAllow2


logger "Exiting PeerGuardian rules"
exit $?
 
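An added example, not code from any post in this thread: it exercises the list-processing part of the scripts above (the cut / grep / sort -u / sed / COMMIT pipeline that is fed to ipset --restore, fantom's grep -v filter, and the question of whether an allowed host sits inside a blocked range) on constructed sample lines, in both the p2p range format the first script downloads and the cidr format the second one uses. It never calls ipset or iptables, so it runs on any machine with sh, grep, sed, sort and awk. The set names, list contents and owner labels are made up; 212.183.133.177 is the host from the post above.

```shell
#!/bin/sh
# Added example (not from the thread): exercises the list-processing steps of the
# scripts above on constructed data, without calling ipset or iptables.

# Constructed sample lists. Owners and addresses are made up, except that
# 212.183.133.177 is the host the post above wants to allow.
P2P_SAMPLE='Some Spammer:1.2.3.0-1.2.3.255
Mobile Provider UK:212.183.128.0-212.183.255.255
Some Spammer:1.2.3.0-1.2.3.255'
CIDR_SAMPLE='10.20.0.0/16
10.20.0.0/16
192.0.2.8/29'

# Keep only "start-end" ranges or "addr/len" prefixes, deduplicated, as the posted
# scripts do with cut / grep / sort -u. Lines without ":" pass through cut unchanged.
extract() {
    cut -d: -f2 | grep -E '^[0-9./-]+$' | sort -u
}

# Wrap the entries in ipset restore syntax: $1 = set name, $2 = set type and
# options (e.g. "iptreemap" or "hash:net maxelem 1000000"), list on stdin.
to_restore() {
    echo "-N $1 $2"
    extract | sed "s/^/-A $1 /"
    echo COMMIT
}

# fantom's suggestion: drop entries whose text starts with $1 (a grep pattern).
filtered() {
    extract | grep -v "^$1"
}

# Print how many entries on stdin contain host $1 (dotted IPv4). awk does the
# integer arithmetic; NF==8 is a range, NF==5 a prefix (masked to its boundary).
covering() {
    extract | awk -F'[-./]' -v ip="$1" '
        function toint(a, b, c, d) { return ((a * 256 + b) * 256 + c) * 256 + d }
        BEGIN { split(ip, o, "."); t = toint(o[1], o[2], o[3], o[4]) }
        NF == 8 { lo = toint($1, $2, $3, $4); hi = toint($5, $6, $7, $8) }
        NF == 5 { size = 1; for (i = $5; i < 32; i++) size *= 2
                  lo = int(toint($1, $2, $3, $4) / size) * size; hi = lo + size - 1 }
        NF == 8 || NF == 5 { if (lo <= t && t <= hi) n++ }
        END { print n + 0 }'
}

# Demo: restore script for the block set, then the allowed host checked against
# the list with and without fantom's filter.
printf '%s\n' "$P2P_SAMPLE" | to_restore BluetackLevel2 iptreemap
echo "covered, unfiltered:                $(printf '%s\n' "$P2P_SAMPLE" | covering 212.183.133.177)"
echo "covered after grep -v ^212.183.133: $(printf '%s\n' "$P2P_SAMPLE" | filtered '212\.183\.133' | covering 212.183.133.177)"
echo "covered after grep -v ^212.183.:    $(printf '%s\n' "$P2P_SAMPLE" | filtered '212\.183\.' | covering 212.183.133.177)"
```

The last two lines of output are the point. grep -v '^212\.183\.133' leaves the covering range in place, because the filter only sees the text of the range's first address, not which hosts the range contains; grep -v '^212\.183\.' does remove it, but throws out the whole range rather than the one host. Keeping a separate ACCEPT set that iptables -I places above the DROP, as the second script does with PGAllow1, lets exactly that host through without editing the block list at all.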