Posted: Thu Jun 16, 2022 18:50 Post subject: Geolocation IP blocking using IPSET
Hi, hopefully this little post could be stickied. This is my own adaptation of an old post I found here: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=960187
This script is essentially a geo-IP block that uses iptables chains. This works; however, it's a huge list depending on setup and can get rather CPU-intensive to constantly search... I tweaked the script slightly to actually use ipset instead. Hoping to post here and maybe we could sticky this, as it could be useful for folks (especially if you are hosting anything behind your router).
Script code:
#!/bin/sh
set -x
## Verify the network is up before continuing (sleep between tries so this is not a busy loop)
until ping -c1 www.google.com >/dev/null 2>&1; do sleep 5; done
### Block all traffic from the listed zones. Use ISO codes ###
ISO="br-aggregated cn-aggregated tw-aggregated ru-aggregated ir-aggregated ph-aggregated sg-aggregated hk-aggregated ua-aggregated ge-aggregated cz-aggregated in-aggregated ke-aggregated za-aggregated id-aggregated kh-aggregated vn-aggregated rs-aggregated tr-aggregated al-aggregated bg-aggregated kr-aggregated"
# Testing
#ISO="tw-aggregated"
### Set PATH ###
IPSET=/usr/sbin/ipset
WGET=/usr/bin/wget
EGREP=/bin/egrep
LOCKFILE=/tmp/ipblocklock.txt
### No editing below ###
inSPAMLIST="countrydrop"
ZONEROOT="/tmp/mnt/sda1/ipblock/zones"
DLROOT="http://www.ipdeny.com/ipblocks/data/aggregated"
iBL="$ZONEROOT/countrydrop"
# refuse to run while a previous instance (whose PID is in the lock file) is still alive
if [ -e "${LOCKFILE}" ] && kill -0 "$(cat "${LOCKFILE}")" 2>/dev/null; then
    echo "Lock file exists.. exiting"
    exit
fi
# make sure the lockfile is removed when we exit and then claim it
trap 'rm -f "${LOCKFILE}"; exit' INT TERM EXIT
echo $$ > "${LOCKFILE}"
cleanOldRules(){
    # the kernel refuses to destroy a set that the firewall rules still reference,
    # so empty it in place instead (and create it if the firewall script has not yet)
    $IPSET flush $inSPAMLIST 2>/dev/null || $IPSET create $inSPAMLIST hash:net
}
# create a dir
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"
# clean old rules
cleanOldRules
rm -f "$iBL"
for c in $ISO
do
    # local zone file
    tDB=$ZONEROOT/$c.zone
    # get fresh zone file
    $WGET -T 30 -O "$tDB" "$DLROOT/$c.zone" || echo "download of $c.zone failed" >&2
    # collect the networks, dropping comment and blank lines
    $EGREP -v "^#|^$" "$tDB" >> "$iBL"
done
# (the step that loads $iBL into the $inSPAMLIST set was not included in the post)
For firewall rules, I have my script using the following in the firewall-up script:
ipset create countrydrop hash:net
iptables -I INPUT -m state --state NEW -m set --match-set countrydrop src -j DROP
iptables -I FORWARD -m state --state NEW -m set --match-set countrydrop src -j DROP
iptables -I FORWARD -m state --state NEW -m set --match-set countrydrop dst -j DROP
Last edited by sideup66 on Thu Jun 16, 2022 19:40; edited 1 time in total
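The list-loading half of the job, as an added example and not sideup66's script: zone files are validated line by line (ipdeny publishes one CIDR per line, and a download that came back as an error page must not be fed to ipset), turned into one ipset restore batch that fills a scratch set, and then swapped into the live countrydrop set in a single atomic operation, so the set the DROP rules reference is never empty or half-filled during an update, unlike flushing the live set and refilling it. A failed download keeps the previous copy of that zone, and an update that yields no valid entries refuses to swap. Assumed: busybox/POSIX sh, ipset 6.x (hash:net, restore, swap), the /jffs path suggested later in the thread, the hashsize/maxelem values, and the sample zone, which is constructed and is not ipdeny data.

```shell
#!/bin/sh
# Added example, not the poster's script. Loads ipdeny zone files into the
# "countrydrop" set via "ipset restore" into a scratch set plus an atomic swap.
# Assumptions: POSIX/busybox sh, ipset 6.x, ipdeny's one-CIDR-per-line files;
# paths and sizes below are illustrative.

SETNAME=countrydrop
ZONEROOT=/jffs/ipblock/zones     # persistent storage, as recommended in the thread
DLROOT=http://www.ipdeny.com/ipblocks/data/aggregated
DEBUG=                            # set DEBUG=1 to trace the script with set -x
if [ -n "$DEBUG" ]; then set -x; fi
CR=$(printf '\r')

# is_ipv4_cidr A.B.C.D/N -> 0 when well-formed, 1 otherwise (no external tools).
is_ipv4_cidr() {
    case "$1" in
        */*) ip=${1%/*}; plen=${1#*/} ;;
        *)   return 1 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] 2>/dev/null || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# zone_to_restore SET < zonefile -> "add SET CIDR" lines on stdout. Comments,
# blank lines, CRLF endings and anything that is not an IPv4 CIDR (e.g. an
# HTML error page wget saved as a .zone) are rejected instead of reaching ipset.
# Leaves the number of accepted entries in $good for the caller.
zone_to_restore() {
    zset=$1; good=0; bad=0
    while read -r entry _rest || [ -n "$entry" ]; do
        entry=${entry%%#*}; entry=${entry%"$CR"}
        [ -n "$entry" ] || continue
        if is_ipv4_cidr "$entry"; then
            printf 'add %s %s\n' "$zset" "$entry"; good=$((good + 1))
        else
            printf 'zone_to_restore: rejected %s\n' "$entry" >&2; bad=$((bad + 1))
        fi
    done
    printf 'zone_to_restore: %d accepted, %d rejected\n' "$good" "$bad" >&2
}

# build_batch SET ZONEFILE... -> restore batch that creates the scratch set
# SET_new and fills it. Returns 1 if no zone contributed a valid entry, so the
# caller never swaps an empty set over the live one. maxelem moves with the data.
build_batch() {
    bset=$1; shift; total=0
    printf 'create %s_new hash:net family inet hashsize 4096 maxelem 262144\n' "$bset"
    for zf in "$@"; do
        [ -r "$zf" ] || { printf 'build_batch: cannot read %s\n' "$zf" >&2; continue; }
        zone_to_restore "${bset}_new" < "$zf"; total=$((total + good))
    done
    [ "$total" -gt 0 ] || { echo "build_batch: no valid entries, refusing to swap" >&2; return 1; }
}

# download_zones DIR CODE... -> fetch each zone; a failed download keeps the
# previous copy rather than replacing it with an empty or partial file.
download_zones() {
    ddir=$1; shift; mkdir -p "$ddir"
    for c in "$@"; do
        if wget -q -T 30 -O "$ddir/$c.zone.tmp" "$DLROOT/$c.zone"; then
            mv "$ddir/$c.zone.tmp" "$ddir/$c.zone"
        else
            echo "download_zones: $c failed, keeping previous copy" >&2
            rm -f "$ddir/$c.zone.tmp"
        fi
    done
}

# load_set SET DIR -> load DIR/*.zone into the scratch set, swap scratch and live
# set atomically (the rules keep pointing at SET), destroy the scratch set, which
# now holds the old data. -exist makes a CIDR present in two zones harmless.
load_set() {
    lset=$1; batch=/tmp/geoip_batch.$$
    ipset -t list "$lset" >/dev/null 2>&1 || ipset create "$lset" hash:net family inet
    ipset destroy "${lset}_new" 2>/dev/null        # leftovers from an aborted run
    if build_batch "$lset" "$2"/*.zone > "$batch"; then
        ipset -exist restore < "$batch" && ipset swap "${lset}_new" "$lset"
    fi
    ipset destroy "${lset}_new" 2>/dev/null; rm -f "$batch"
}

# Constructed sample zone (not real ipdeny data) showing what gets filtered out.
SAMPLE_ZONE='# constructed sample
203.0.113.0/24
198.51.100.0/25
<html>not a zone file</html>
192.0.2.0/24 # trailing comment
999.1.1.1/8'

if [ "${1:-}" = run ]; then      # from cron, e.g. ./geoip.sh run
    download_zones "$ZONEROOT" cn-aggregated ru-aggregated
    load_set "$SETNAME" "$ZONEROOT"
fi
```

Run it as `./geoip.sh run` from a weekly cron entry; the firewall-up script still has to create the set and the DROP rules, and the swap leaves those rules untouched because they reference the set by name.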
FYI. Rule positioning only matters because you haven't included state (-m state --state NEW) as part of the firewall rules. I'm just a bit leery of trying to control rules based on absolute positioning in an environment where YOU as the user don't manage the firewall in its entirety.
I'm *assuming* two things. That iptables uses short-circuiting when testing for a match (i.e., once a match fails, all further testing is abandoned) for a given rule. And second, matches are evaluated left to right.
I've never seen any documentation that actually states that's the case. But it seems logical, and highly inefficient if it didn't. But again, I know of nothing that explicitly states this is the way it behaves. I suppose I could check the iptables source, but I'm too lazy to spend time on it.
If I'm wrong here, then it might be prudent to separate the matching into two parts, to ensure the desired behavior.
Code:
iptables -N GEOLOC
iptables -A GEOLOC -m set --match-set countrydrop src,dst -j DROP
iptables -I INPUT -m state --state NEW -j GEOLOC
iptables -I FORWARD -m state --state NEW -j GEOLOC
Notice that I combined the src and dst check in one rule for efficiency purposes.
-m, --match match
Specifies a match to use, that is, an extension module that tests for a specific property. The set of matches make up the condition under which a target is invoked. Matches are evaluated first to last as specified on the command line and work in short-circuit fashion, i.e. if one extension yields false, evaluation will stop.
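The GEOLOC chain from the post above, as an added example and not eibgrad's own script, rewritten as a firewall-up script that can be re-run safely: DD-WRT runs that script on every firewall restart, and a bare iptables -I would stack one more jump each time, so the jumps are only added after iptables -C reports them absent (iptables 1.4.11 or newer is assumed for -C). One caveat before copying the single combined rule: the flags after --match-set are consumed one per dimension of the set, and hash:net has one dimension, so src,dst tests the source address only; the chain below therefore carries a src rule and a dst rule. DRY_RUN=1 prints the commands instead of running them, which is also how the example is exercised away from a router.

```shell
#!/bin/sh
# Added example, not eibgrad's or egc's code: GEOLOC chain setup that is safe
# to re-run. Assumptions: iptables 1.4.11+ (for -C), ipset available, the set
# name "countrydrop" from the thread. DRY_RUN=1 prints instead of executing.

SETNAME=countrydrop
CHAIN=GEOLOC
IPT=${IPT:-iptables}

# run CMD ARGS... -> execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# have_rule CHAIN RULE... -> 0 if the rule already exists (-C). In dry-run mode
# report "absent" so the printout shows everything the script would add.
have_rule() {
    [ -z "${DRY_RUN:-}" ] && "$IPT" -C "$@" >/dev/null 2>&1
}

# ensure_rule -I|-A CHAIN RULE... -> add the rule only if it is not there yet.
ensure_rule() {
    act=$1; shift
    have_rule "$@" || run "$IPT" "$act" "$@"
}

setup_geoloc() {
    # The set must exist before a rule can reference it; -exist tolerates the
    # update script having created it first.
    run ipset create "$SETNAME" hash:net family inet -exist
    # Private chain, flushed and refilled so it contains exactly these rules
    # no matter how often the firewall script runs.
    run "$IPT" -N "$CHAIN" 2>/dev/null
    run "$IPT" -F "$CHAIN"
    # hash:net has one dimension, so --match-set consumes one flag: "src,dst"
    # would test the source only. Two rules cover both directions.
    run "$IPT" -A "$CHAIN" -m set --match-set "$SETNAME" src -j DROP
    run "$IPT" -A "$CHAIN" -m set --match-set "$SETNAME" dst -j DROP
    # One jump per built-in chain, added once. Matching NEW only means packets of
    # sessions the rest of the firewall already allowed are never looked up in
    # the set; -I still puts the jump ahead of any ACCEPT of new connections,
    # such as port forwards, which is where the block has to sit.
    ensure_rule -I INPUT -m state --state NEW -j "$CHAIN"
    ensure_rule -I FORWARD -m state --state NEW -j "$CHAIN"
}

if [ "${1:-}" = apply ]; then setup_geoloc; fi
```

Run it as `./geoloc-fw.sh apply` from the firewall script; `DRY_RUN=1 ./geoloc-fw.sh apply` shows what would be issued, and a second real run changes nothing because every jump is already present.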
Forgive me if I sound silly; some of the knowledge here is a little above my pay grade currently. As for the firewall rules, I did eliminate the positioning issue by setting the NEW state on the packets.
Wouldn't having the src and dst rules potentially make troubleshooting easier, as it's not combining a rule?
Joined: 16 Nov 2015 Posts: 6414 Location: UK, London, just across the river..
Posted: Thu Jun 16, 2022 23:11 Post subject:
Just to add that not all routers support ipset...
so before use, check for ipset support...
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Posted: Thu Jun 16, 2022 23:51 Post subject:
bushant wrote:
Alozaros wrote:
just to add that, not all the routers support IPset...
so before use check for IPset support...
But can be installed using Entware.
I had the same belief... but I guess it needs Linux kernel instructions and CPU to support it...
It didn't work on my 1043v2 on MIPS, 3.18.x Linux...
But it worked on my R7000 after a sketchy workaround in the past; luckily ipset is now fully DD-WRT supported on devices with large flash size/RAM and running Linux 4.x+.
There is this excellent guide made with lots of love by egc:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
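A pre-flight check, added here and not taken from the thread, for what the replies above say has to be in place before the ipset scripts are worth installing: the ipset userspace tool (from the build or Entware), kernel-side support (the xt_set match and the hash:net set type, which a 3.18 MIPS build may lack even with the tool installed), and a kernel at 4.x or newer, which is the thread's rule of thumb rather than a hard requirement. Assumptions: /proc/net/ip_tables_matches lists the registered xt match names one per line, uname -r prints a dotted version, and the scratch set name geo_preflight is free.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for ipset support.
# Assumptions: /proc/net/ip_tables_matches lists xt match names one per line,
# uname -r prints a dotted kernel version, set name geo_preflight is unused.

# version_ge VERSION MAJOR MINOR -> 0 if VERSION (as printed by uname -r, e.g.
# "4.4.302" or "3.18.140-dd-wrt") is at least MAJOR.MINOR, 1 otherwise.
version_ge() {
    want_maj=$2; want_min=$3
    v=${1%%[!0-9.]*}                 # keep the leading digits-and-dots part only
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}
    [ "$maj" -gt "$want_maj" ] 2>/dev/null ||
        { [ "$maj" -eq "$want_maj" ] && [ "$min" -ge "$want_min" ]; } 2>/dev/null
}

# ipset_preflight -> one line per check on stdout, returns 0 only if the tool,
# the match and the set type are all usable (the kernel version only warns).
ipset_preflight() {
    ok=0
    if command -v ipset >/dev/null 2>&1; then
        echo "ok      ipset tool: $(command -v ipset)"
    else
        echo "MISSING ipset tool (newer DD-WRT build or Entware package needed)"; ok=1
    fi
    if grep -qx set /proc/net/ip_tables_matches 2>/dev/null; then
        echo "ok      xt_set match registered with iptables"
    else
        echo "MISSING xt_set match: kernel lacks ipset support or module not loaded"; ok=1
    fi
    # Functional test: the set type the scripts rely on must create and destroy.
    if command -v ipset >/dev/null 2>&1 &&
       ipset create geo_preflight hash:net family inet 2>/dev/null; then
        ipset destroy geo_preflight
        echo "ok      hash:net set created and destroyed"
    else
        echo "MISSING hash:net set type (ip_set_hash_net module)"; ok=1
    fi
    krel=$(uname -r)
    if version_ge "$krel" 4 0; then
        echo "ok      kernel $krel"
    else
        echo "WARNING kernel $krel is older than 4.x; the thread reports ipset failing on 3.18 builds"
    fi
    return $ok
}

if [ "${1:-}" = check ]; then ipset_preflight; fi
```

Run `./ipset-check.sh check` on the router before installing the scripts; a non-zero exit means the set-based rules would fail to load, regardless of what the kernel version line says.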
Joined: 18 Mar 2014 Posts: 12840 Location: Netherlands
Posted: Fri Jun 17, 2022 6:25 Post subject:
First of all, thank you for sharing.
I fully agree with @eibgrad: rule positioning is a bad idea, it is totally unreliable.
I would use the code from @eibgrad:
Code:
iptables -N GEOLOC
iptables -A GEOLOC -m set --match-set countrydrop src,dst -j DROP
iptables -I INPUT -m state --state NEW -j GEOLOC
iptables -I FORWARD -m state --state NEW -j GEOLOC
Furthermore I would not use:
/tmp/mnt/sda1
If you want to use permanent storage, use /jffs.
Instruct users to make permanent storage either with a USB stick/drive and automount a partition as /jffs, or use the built-in JFFS2.
You use "set -x"; I would make that optional, e.g. (learned this from @eibgrad, see his scripts):
DEBUG= # uncomment/comment to enable/disable debug mode
Moderators will surely add useful scripts to that documentation.
So again, thanks for sharing.
Thanks for the feedback. I am completely OK with adding in the changes asked, though I do have some questions... why would one want to make the debug switch a variable? In a normal run situation (startup, or say a cron job to update the list once a week, as is my setup) output is just sent to /dev/null. If you ever need to manually debug the script, simply running it would instantly give the user debug output. Kind of curious how having this on is a negative?
Also for storage, /tmp/mnt/sda1 seems to be fairly static in my own setup, as I have no other drives connected and simply use it for a flash drive containing any persistent scripts that are run. I assume the issue is other devices could connect first and instantly throw off your mount points? Something I don't mind changing either in the instructions; I just would like clarification on the issues with the setup.