Sanity check my firewall-start

Richard O'Hara · Jun 2, 2016

Hi,

I am a long time merlinwrt user. I love the firmware and greatly appreciate the work and effort put into it.

I was wondering if I could get a second (3rd, 4th...nth) set of eyes on my firewall-start script prior to deployment on my router.

Code:

#!/bin/sh
msbl="dns.msftncsi.com
ipv6.msftncsi.com
win10.ipv6.microsoft.com
ipv6.msftncsi.com.edgesuite.net
a978.i6g1.akamai.net
win10.ipv6.microsoft.com.nsatc.net
en-us.appex-rf.msn.com
v10.vortex-win.data.microsoft.com
client.wns.windows.com
wildcard.appex-rf.msn.com.edgesuite.net
v10.vortex-win.data.metron.life.com.nsatc.net
wns.notify.windows.com.akadns.net
americas2.notify.windows.com.akadns.net
travel.tile.appex.bing.com
www.bing.com
any.edge.bing.com
fe3.delivery.mp.microsoft.com
fe3.delivery.dsp.mp.microsoft.com.nsatc.net
ssw.live.com
ssw.live.com.nsatc.net
login.live.com
login.live.com.nsatc.net
directory.services.live.com
directory.services.live.com.akadns.net
bl3302.storage.live.com
skyapi.live.net
bl3302geo.storage.dkyprod.akadns.net
skyapi.skyprod.akadns.net
skydrive.wns.windows.com
register.mesh.com
BN1WNS2011508.wns.windows.com
settings-win.data.microsoft.com
settings.data.glbdns2.microsoft.com
OneSettings-bn2.metron.live.com.nsatc.net
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net"

countries="cn
pk
kp"

start=`date +'%s'`
IPT=`which iptables`
IPSET=`which ipset`
IPSET_DIR=/jffs/ipset_list_dir
#LOGOPT="--log-level=3 -m limit --limit 1/second --limit-burst 10"
#SYNOPT="-m limit --limit 5/second --limit-burst 10"

lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
    insmod $module
done

$IPSET -N blockedcountries nethash #block countries
$IPSET -N msblklist iphash #block microsoft telemetry servers
$IPSET -N adware iphash #block adware
$IPSET -N ciscore iphash
$IPSET -N malwaredom

for i in $msbl
do
    $IPSET -A msblklist ${i}
done
[ -z "$(iptables-save | grep MicrosoftSpyServers)" ] && iptables -I FORWARD -m set $MATCH_SET msblklist dst -j logdrop

for ip in `cat $IPSET_DIR/ciscore.lst`
do
    $IPSET -A ciscore ${i}
done

for ip in `cat $IPSET_DIR/malwaredom.lst`
do
    $IPSET -A malwaredom ${i}
done
for country in $countries
do
    [ -e $IPSET_DIR/$country ]
        for ip in `cat $IPSET_DIR/${country}.lst`
        do
            ipset -q -A blockedcountries $ip
        done
done
[ -z "$(iptables-save | grep BlockedCountries)" ] && iptables -I INPUT -m set $MATCH_SET blockedcountries src -j logdrop

Thread starter	Title	Forum	Replies	Date
E	PSA: Check your local DST settings for accuracy	Asuswrt-Merlin	0	Oct 13, 2024
O	Firmware version check for RT-AX58U Merlin support	Asuswrt-Merlin	14	Aug 5, 2024
	PSA - Check TrendMicro Signature	Asuswrt-Merlin	58	Mar 20, 2024
D	Entware Can we check how much life a USB flashdrive has left?	Asuswrt-Merlin	4	Feb 22, 2024
M	Scheduled check for new firmware availability source	Asuswrt-Merlin	4	Nov 27, 2023
Z	Dual WAN + Dual Firewall	Asuswrt-Merlin	11	Nov 4, 2024
K	Asus router as adblock/firewall server (but not acting as a router) between modem and mesh routers	Asuswrt-Merlin	7	Sep 9, 2024
M	wan dhcpv6 blocked by firewall	Asuswrt-Merlin	2	Jul 8, 2024
L	is enabling firewall necessary (same for upnp) when on a provider with cgnat?	Asuswrt-Merlin	5	Jul 3, 2024
M	Advance firewall rules	Asuswrt-Merlin	5	May 28, 2024

Search

Search

Sanity check my firewall-start

Richard O'Hara

New Around Here

Similar threads

Similar threads

Latest threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest

Members online