It's possible, but how efficient it will be is another story. What would you use as the basis for what defines a country in terms of IP address?
Rather than blocking all countries by default, you should probably use iptables to create a block-all scenario for any request made to your external IP (this could however cause issues with certain services) and then allow the IP ranges you want.
Another more efficient method is ipset, being able to include masses of IP ranges within a single ruleset and then creating a single iptables rule to match that set for allowing traffic; problem is DD-WRT doesn't have support for it, unless you fancy compiling kernel modules/packages.
Any reason why you want to block specific countries? If it's port scanning, they'll come from any country, so it doesn't really seem worth it. _________________ James
Main router:
Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac
IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset
No specific reason other than being security conscious. Can you make any best practice suggestions? I just enabled the firewall and enabled everything under Block WAN Requests and Impede WAN DoS/Bruteforce
Being security minded is a good thing, but it's probably excessive to do country blocking, given you've got limited memory and tools available within the firmware.
Using the built-in stuff is fine. Ensure you don't respond to pings from the WAN side, enable the firewall and enable logging.
Further tips would be: don't enable UPnP and don't forward any ports to the WAN; if you want to access your LAN, consider setting up a VPN. _________________ James
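As an added example (not code from the thread, from James, or from DD-WRT itself), here is the block-all-then-allow ruleset described in the first post in both shapes James mentions, one ACCEPT rule per range and a single ipset match, with the "don't respond to pings from the WAN" and "enable logging" tips from his second post folded in. The WAN interface name vlan2, the chain and set names WAN_IN and wan_allow, and the allowed ranges (RFC 5737 documentation prefixes, constructed stand-ins for a real per-country list) are all assumptions; DRY_RUN=1 prints the commands instead of applying them so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: "allow only these source ranges on the
# WAN", everything else logged and dropped, in the two forms James describes.
# Assumptions (hypothetical): WAN interface "vlan2"; allowed ranges are the
# RFC 5737 documentation prefixes standing in for a real country list.
# DRY_RUN=1 prints the iptables/ipset commands instead of executing them.

WAN_IF="${WAN_IF:-vlan2}"
ALLOW_CIDRS="${ALLOW_CIDRS:-203.0.113.0/24 198.51.100.0/24}"

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Head of the chain: keep replies to connections the router opened itself,
# and drop echo requests before any allowlist rule (so nobody gets pings).
wan_chain_reset() {
    run iptables -N WAN_IN 2>/dev/null
    run iptables -F WAN_IN
    run iptables -A WAN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A WAN_IN -p icmp --icmp-type echo-request -j DROP
}

# Tail of the chain: rate-limited logging (so a scan cannot fill the log)
# followed by the default DROP for anything the allowlist did not accept.
wan_tail_rules() {
    run iptables -A WAN_IN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "WAN-DROP: "
    run iptables -A WAN_IN -j DROP
}

# Hook the chain into INPUT for packets arriving on the WAN interface.
# The -D first removes an earlier hook so re-running does not stack copies.
wan_hook() {
    run iptables -D INPUT -i "$WAN_IF" -j WAN_IN 2>/dev/null
    run iptables -I INPUT 1 -i "$WAN_IF" -j WAN_IN
}

# Variant 1: plain iptables, one ACCEPT rule per range. Fine for a handful
# of ranges; a per-country list means thousands of rules walked in order.
wan_allowlist_iptables() {
    wan_chain_reset
    for net in $ALLOW_CIDRS; do
        run iptables -A WAN_IN -s "$net" -j ACCEPT
    done
    wan_tail_rules
    wan_hook
}

# Variant 2: ipset. All ranges live in one hash:net set and a single
# "-m set --match-set" rule does the lookup. Needs the ipset kernel module
# and userspace tool, which stock DD-WRT lacks (Entware can supply them).
wan_allowlist_ipset() {
    run ipset -exist create wan_allow hash:net
    run ipset flush wan_allow
    for net in $ALLOW_CIDRS; do
        run ipset -exist add wan_allow "$net"
    done
    wan_chain_reset
    run iptables -A WAN_IN -m set --match-set wan_allow src -j ACCEPT
    wan_tail_rules
    wan_hook
}

# Usage: DRY_RUN=1 sh wan-allowlist.sh ipset    (review the commands)
#        sh wan-allowlist.sh ipset              (apply, as root)
case "${1:-}" in
    iptables) wan_allowlist_iptables ;;
    ipset)    wan_allowlist_ipset ;;
esac
```

Two things worth checking before applying it for real. First, this filters INPUT only, i.e. traffic addressed to the router itself, which is what "any request made to your external IP" means; traffic forwarded to LAN hosts goes through FORWARD and is not touched. Second, as James warns, a default DROP on the WAN can break things the router itself depends on from the ISP side, so run it with DRY_RUN=1 first and confirm that anything outside the allowed ranges that the router must still talk to is covered by the ESTABLISHED,RELATED rule or gets its own ACCEPT.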
Joined: 26 Mar 2013 Posts: 1858 Location: Hung Hom, Hong Kong
Posted: Thu May 03, 2018 16:18 Post subject: Re: Blacklisting all countries
Rusky wrote:
Is there a way I can blacklist all countries by default and open up specific ones I want?
You should think otherwise mathematically:
Set a policy to block all traffic, then allow only your country's IP address ranges. Your country should know EXACTLY what IP addresses it's using, right?
It's very much like the MAC address list in DD-WRT.
Unfortunately, are you sure that DD-WRT doesn't have back-doors or trap-doors to allow foreign government intervention? It's not written by you ONLY, right? AND... the router hardware is not designed and manufactured by you ONLY. _________________ Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
Posted: Fri May 04, 2018 16:23 Post subject: Re: Blacklisting all countries
mwchang wrote:
Rusky wrote:
Is there a way I can blacklist all countries by default and open up specific ones I want?
You should think otherwise mathematically:
Set a policy to block all traffic, then allow only your country's IP address ranges. Your country should know EXACTLY what IP addresses it's using, right?
It's very much like the MAC address list in DD-WRT.
Unfortunately, are you sure that DD-WRT doesn't have back-doors or trap-doors to allow foreign government intervention? It's not written by you ONLY, right? AND... the router hardware is not designed and manufactured by you ONLY.
What if this board IS the government?!?
Joined: 26 Mar 2013 Posts: 1858 Location: Hung Hom, Hong Kong
Posted: Sat May 05, 2018 14:24 Post subject: Re: Blacklisting all countries
Rusky wrote:
mwchang wrote:
Unfortunately, are you sure that DD-WRT doesn't have back-doors or trap-doors to allow foreign government intervention? It's not written by you ONLY, right? AND... the router hardware is not designed and manufactured by you ONLY.
What if this board IS the government?!?
Heading into the domain of conspiracy theories should we go further ...