Geolocation IP blocking using IPSET

sideup66
DD-WRT User


Joined: 26 Nov 2016
Posts: 102

Posted: Thu Jun 16, 2022 18:50    Post subject: Geolocation IP blocking using IPSET
Hi, hopefully this little post could be stickied. This is my own adaptation of an old post I found here https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=960187
That script is essentially a geoip block that uses iptables chains. This works; however, it's a huge list depending on setup and can get rather CPU-intensive to search constantly. I tweaked the script slightly to actually use ipset instead. Hoping to post here and maybe we could sticky this, as it could be useful for folks (especially if you are hosting anything behind your router).

Script code:
<code>
#!/bin/sh

set -x

## Wait until the network is up before continuing (sleep between tries instead of spinning the CPU)
until ping -c1 www.google.com >/dev/null 2>&1; do sleep 5; done

### Block all traffic from the listed zones. Use ISO code + "-aggregated" ###
ISO="br-aggregated cn-aggregated tw-aggregated ru-aggregated ir-aggregated ph-aggregated sg-aggregated hk-aggregated ua-aggregated ge-aggregated cz-aggregated in-aggregated ke-aggregated za-aggregated id-aggregated kh-aggregated vn-aggregated rs-aggregated tr-aggregated al-aggregated bg-aggregated kr-aggregated"

#Testing
#ISO="tw-aggregated"

### Set PATH ###
IPSET=/usr/sbin/ipset
WGET=/usr/bin/wget
LOCKFILE=/tmp/ipblocklock.txt

### No editing below ###
inSPAMLIST="countrydrop"
TMPLIST="${inSPAMLIST}_tmp"
ZONEROOT="/tmp/mnt/sda1/ipblock/zones"
# plain HTTP: the lists are not authenticated in transit; use https if your wget supports it
DLROOT="http://www.ipdeny.com/ipblocks/data/aggregated"
iBL="$ZONEROOT/countrydrop"

if [ -e ${LOCKFILE} ] && kill -0 `cat ${LOCKFILE}` 2>/dev/null; then
echo "Lock file exists.. exiting"
exit
fi

# make sure the lockfile is removed when we exit and then claim it
trap "rm -f ${LOCKFILE}; exit" INT TERM EXIT
echo $$ > ${LOCKFILE}

# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# start a fresh list file
rm -f $iBL

for c in $ISO
do
# local zone file
tDB=$ZONEROOT/$c.zone

# get a fresh zone file; keep the previous copy if the download fails or comes back empty
if $WGET -T 30 -O $tDB.new $DLROOT/$c.zone && [ -s $tDB.new ]; then
mv $tDB.new $tDB
else
echo "download of $c.zone failed, using cached copy if there is one"
rm -f $tDB.new
fi

# one "add" line per network in ipset restore format (skip anything that does not start with a digit)
[ -s $tDB ] && awk -v set=$TMPLIST '$1 ~ /^[0-9]/ {print "add " set " " $1}' $tDB >> $iBL

done

#sync to flush buffers
sync

#build the new list under a temporary name so the live set the firewall rules use stays in place
#("ipset destroy" on the live set fails while rules reference it)
#if restore reports the hash is full, add "maxelem 131072" to both create lines below
$IPSET destroy $TMPLIST 2>/dev/null
$IPSET create $TMPLIST hash:net

#load all entries in one go; far faster than one "ipset add" per line
$IPSET -exist restore < $iBL

#swap the new list under the live name in one step, then drop the old contents
$IPSET -exist create $inSPAMLIST hash:net
$IPSET swap $TMPLIST $inSPAMLIST
$IPSET destroy $TMPLIST

rm -f ${LOCKFILE}
</code>

Also can be found here on github if you like:
https://gist.github.com/sideup66/18e8377c2fd0bc111deeb9457ca486e9

For firewall rules I have my script using the following on the firewall up script:
# -exist and the "-C ... ||" checks keep this idempotent: DD-WRT re-runs the firewall script on every firewall restart
ipset -exist create countrydrop hash:net
iptables -C INPUT -m state --state NEW -m set --match-set countrydrop src -j DROP 2>/dev/null || iptables -I INPUT -m state --state NEW -m set --match-set countrydrop src -j DROP
iptables -C FORWARD -m state --state NEW -m set --match-set countrydrop src -j DROP 2>/dev/null || iptables -I FORWARD -m state --state NEW -m set --match-set countrydrop src -j DROP
iptables -C FORWARD -m state --state NEW -m set --match-set countrydrop dst -j DROP 2>/dev/null || iptables -I FORWARD -m state --state NEW -m set --match-set countrydrop dst -j DROP


Last edited by sideup66 on Thu Jun 16, 2022 19:40; edited 1 time in total
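The zone files the script above pulls arrive over plain HTTP and go straight into a privileged command, so a practitioner would validate them first, and would replace the live set without a window in which the firewall rules see an empty set. The block below is an added example written for this page, not the original poster's script or anything else from the thread: it filters each line down to a well-formed IPv4 CIDR, turns the survivors into an `ipset restore` payload built under a temporary name, and swaps that under the live name in one kernel operation before discarding the old contents. The set names `countrydrop`/`countrydrop_new` and the sample zone file are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this page, not the original poster's script: validate
# ipdeny-style zone files before turning them into an "ipset restore" payload,
# and replace the live set atomically with "swap". Set names are assumptions.
LIVE_SET="countrydrop"
TMP_SET="${LIVE_SET}_new"

# Pass through only lines that are a well-formed IPv4 CIDR (a.b.c.d/len with
# octets 0-255 and len 0-32). Everything else in the download is dropped and
# counted on stderr, so a corrupted or tampered list cannot smuggle other
# ipset commands into the restore payload.
valid_ipv4_cidr() {
    awk '
    function octet_ok(o) { return (o ~ /^[0-9]+$/ && o + 0 <= 255) }
    {
        if (split($1, a, "/") != 2)        { bad++; next }
        if (split(a[1], o, ".") != 4)      { bad++; next }
        if (!(octet_ok(o[1]) && octet_ok(o[2]) && octet_ok(o[3]) && octet_ok(o[4]))) { bad++; next }
        if (!(a[2] ~ /^[0-9]+$/ && a[2] + 0 <= 32)) { bad++; next }
        print $1
    }
    END { if (bad) print bad " invalid line(s) skipped" > "/dev/stderr" }'
}

# Emit one restore payload: build the list under a temporary name, swap it
# under the live name in a single kernel operation, then discard the old
# contents. "ipset restore" takes the same commands as the command line.
build_restore_payload() {
    echo "create $TMP_SET hash:net"
    valid_ipv4_cidr | awk -v set="$TMP_SET" '{ print "add " set " " $1 }'
    echo "create $LIVE_SET hash:net"     # ignored by "-exist" when it already exists
    echo "swap $TMP_SET $LIVE_SET"
    echo "destroy $TMP_SET"
}

# Load one or more zone files. restore stops at the first error and the swap
# is the last command, so a partial load never replaces the set in service.
load_country_set() {
    ipset destroy "$TMP_SET" 2>/dev/null      # leftover from an interrupted run
    cat "$@" | build_restore_payload | ipset -exist restore
}

# Stand-alone demo on a constructed zone file (not real ipdeny data).
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
203.0.113.0/24
198.51.100.0/25
not-an-address
10.0.0.256/24
192.0.2.0/33
EOF
if [ "$(id -u)" = 0 ] && command -v ipset >/dev/null 2>&1; then
    load_country_set "$ZONE" && ipset list "$LIVE_SET" || echo "ipset load failed" >&2
else
    build_restore_payload < "$ZONE"          # show what would be loaded
fi
rm -f "$ZONE"
```

Run it as root on the router with the downloaded `.zone` files as arguments to `load_country_set`; without ipset, or as a normal user, it only prints the payload it would have loaded. Because the swap is the last command in the payload and `ipset restore` aborts at the first error, a truncated download or a half-loaded temporary set never replaces the set the firewall rules are using.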
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Jun 16, 2022 19:05
FYI. Rule positioning only matters because you haven't included state (-m state --state NEW) as part of the firewall rules. I'm just a bit leery of trying to control rules based on absolute positioning in an environment where YOU as the user don't manage the firewall in its entirety.

In some cases, I might instead delete and reinsert the RELATED,ESTABLISHED rule back to the top of the chain rather than try to manage absolute positioning.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
sideup66
DD-WRT User


Joined: 26 Nov 2016
Posts: 102

Posted: Thu Jun 16, 2022 19:40
Changed to remove the absolute states and specify NEW packets.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Jun 16, 2022 20:22
I should add one qualification here.

I'm *assuming* two things. That iptables uses short-circuiting when testing for a match (i.e., once a match fails, all further testing is abandoned) for a given rule. And second, matches are evaluated left to right.

I've never seen any documentation that actually states that's the case. But it seems logical, and highly inefficient if it didn't. But again, I know of nothing that explicitly states this is the way it behaves. I suppose I could check the iptables source, but I'm too lazy to spend time on it.

If I'm wrong here, then it might be prudent to separate the matching into two parts, to ensure the desired behavior.

Code:
iptables -N GEOLOC
iptables -A GEOLOC -m set --match-set countrydrop src,dst -j DROP

iptables -I INPUT -m state --state NEW -j GEOLOC
iptables -I FORWARD -m state --state NEW -j GEOLOC


Notice that I combined the src and dst check in one rule for efficiency purposes.

Again, I don't know if this is really necessary, but I wanted to mention it for completeness. And if it is necessary, it's still better than absolute positioning.

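Building on the GEOLOC chain idea in the post above, here is an added example of a firewall-up fragment, written for this page rather than taken from eibgrad's scripts or the original poster's. DD-WRT re-runs the firewall script whenever the firewall restarts, so every `-N`, `-A` and `-I` is guarded by a check (`iptables -C`, or listing the chain) and nothing gets duplicated; a preflight refuses to install the chain when the ipset tool, kernel set support or the `set` match extension is missing, which is the "check for IPset support first" point raised further down the thread. One caveat on `--match-set countrydrop src,dst`: the flag list is positional, one flag per dimension of the set, and `hash:net` has a single dimension, so only the first flag is consulted and `src,dst` tests the source address only. The example therefore keeps two rules in the chain. The `IPT`/`IPSET` variables and the `__probe` set name are assumptions added for the example.

```shell
#!/bin/sh
# Added example for this page, not code from the thread: an idempotent
# firewall-up fragment for the GEOLOC chain. Names GEOLOC/countrydrop follow
# the thread; the IPT/IPSET variables and the probe set name are assumptions.
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
SET="countrydrop"
CHAIN="GEOLOC"

# Preflight: the ipset tool must exist, the kernel must accept a hash:net set,
# and the iptables "set" match extension must load. Some DD-WRT builds lack
# one of these; then it is better to install nothing than half a chain.
ipset_supported() {
    command -v "$IPSET" >/dev/null 2>&1 || return 1
    "$IPSET" create "__probe_$$" hash:net 2>/dev/null || return 1
    "$IPSET" destroy "__probe_$$" 2>/dev/null
    "$IPT" -m set --help >/dev/null 2>&1
}

# Create a user chain only if it is not there yet.
ensure_chain() {
    "$IPT" -L "$1" -n >/dev/null 2>&1 || "$IPT" -N "$1"
}

# ensure_rule <-A|-I> <chain> <rule...>: add the rule only when "-C" cannot
# find an identical one, so re-running the firewall script never stacks copies.
ensure_rule() {
    action=$1; chain=$2; shift 2
    "$IPT" -C "$chain" "$@" 2>/dev/null || "$IPT" "$action" "$chain" "$@"
}

install_geoloc() {
    ipset_supported || { echo "ipset not usable on this build, leaving $CHAIN alone" >&2; return 1; }
    # the set may be empty until the updater script fills it; the rules are harmless then
    "$IPSET" -exist create "$SET" hash:net
    ensure_chain "$CHAIN"
    # one rule per direction: with a one-dimension hash:net set only the first
    # --match-set flag is used, so a single "src,dst" rule would test src only
    ensure_rule -A "$CHAIN" -m set --match-set "$SET" src -j DROP
    ensure_rule -A "$CHAIN" -m set --match-set "$SET" dst -j DROP
    # only new connections go through the chain; established flows keep hitting
    # the firmware's RELATED,ESTABLISHED rule wherever it sits, so insert position does not matter
    ensure_rule -I INPUT   -m state --state NEW -j "$CHAIN"
    ensure_rule -I FORWARD -m state --state NEW -j "$CHAIN"
}

# Undo install_geoloc in reverse order (jumps first, then the chain).
remove_geoloc() {
    "$IPT" -D INPUT   -m state --state NEW -j "$CHAIN" 2>/dev/null
    "$IPT" -D FORWARD -m state --state NEW -j "$CHAIN" 2>/dev/null
    "$IPT" -F "$CHAIN" 2>/dev/null && "$IPT" -X "$CHAIN" 2>/dev/null
}

case "${1:-}" in
    install) install_geoloc ;;
    remove)  remove_geoloc ;;
    *)       echo "usage: $0 install|remove" >&2 ;;
esac
```

Call it as `sh geoloc.sh install` from the firewall script and `sh geoloc.sh remove` before rebuilding; running `install` twice leaves exactly one copy of each rule, which is the property the bare `-I`/`-A` lines in the thread do not have.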
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Jun 16, 2022 21:03
P.S. Well I did find the following.

https://www.man7.org/linux/man-pages/man8/iptables.8.html

Specifically ...

Quote:
-m, --match match
Specifies a match to use, that is, an extension module that tests for a specific property. The set of matches make up the condition under which a target is invoked. Matches are evaluated first to last as specified on the command line and work in short-circuit fashion, i.e. if one extension yields false, evaluation will stop.


So perhaps my concerns were unwarranted. (not sure why I never noticed this before; maybe the documentation was updated since I last looked)

sideup66
DD-WRT User


Joined: 26 Nov 2016
Posts: 102

Posted: Thu Jun 16, 2022 22:49
Forgive me if I sound silly, some of the knowledge here is a little above my pay grade currently. As for the firewall rules, I did eliminate the positioning issue by setting the NEW state on the packets.

Wouldn't having the src and dst rules potentially make troubleshooting easier, as it's not combining a rule?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Jun 16, 2022 23:01
sideup66 wrote:
Wouldnt having the src and dst rules potentially make troubleshooting easier as its not combining a rule?


I suppose to the extent that troubleshooting is an issue, that's true. I was only looking at it from the perspective of efficiency.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6414
Location: UK, London, just across the river..

Posted: Thu Jun 16, 2022 23:11
just to add that, not all the routers support IPset...
so before use check for IPset support...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2030

Posted: Thu Jun 16, 2022 23:38
Alozaros wrote:
just to add that, not all the routers support IPset...
so before use check for IPset support...


But can be installed using Entware.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6414
Location: UK, London, just across the river..

Posted: Thu Jun 16, 2022 23:51
bushant wrote:
Alozaros wrote:
just to add that, not all the routers support IPset...
so before use check for IPset support...


But can be installed using Entware.


I had the same belief...but I guess it needs Linux kernel and CPU support...
it didn't work on my 1043v2 on MIPS with 3.18.x Linux...
But it worked on my R7000 after a sketchy workaround in the past; luckily IPset is now fully supported in DD-WRT on devices with large flash and RAM running Linux 4.x+.
there is this excellent guide made with lots of love by egc

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12840
Location: Netherlands

Posted: Fri Jun 17, 2022 6:25
First of all thank you for sharing.

I fully agree with @eibgrad, rule positioning is a bad idea it is totally unreliable.

I would use the code from @eibgrad:
Code:
iptables -N GEOLOC
iptables -A GEOLOC -m set --match-set countrydrop src,dst -j DROP

iptables -I INPUT -m state --state NEW -j GEOLOC
iptables -I FORWARD -m state --state NEW -j GEOLOC   


Furthermore I would not use:
/tmp/mnt/sda1

If you want to use permanent storage use /jffs
Instruct users to make permanent storage either with a USB stick/drive and automount a partition as /jffs or use the built-in JFFS2

You use "set -x", I would make that optional e.g. (learned this from @eibgrad, but see his scripts):

DEBUG= # uncomment/comment to enable/disable debug mode

[ ${DEBUG+x} ] && set -x


Some really good examples of (b)ash scripts:
https://pastebin.com/u/eibgrad

We do have some IPSET instructions with examples (a sticky in this forum):
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261

Moderators will surely add useful scripts to that documentation.

So again thanks for sharing.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
sideup66
DD-WRT User


Joined: 26 Nov 2016
Posts: 102

Posted: Fri Jun 17, 2022 21:07
egc wrote:
First of all thank you for sharing.

I fully agree with @eibgrad, rule positioning is a bad idea it is totally unreliable.

I would use the code from @eibgrad:
Code:
iptables -N GEOLOC
iptables -A GEOLOC -m set --match-set countrydrop src,dst -j DROP

iptables -I INPUT -m state --state NEW -j GEOLOC
iptables -I FORWARD -m state --state NEW -j GEOLOC   


Furthermore I would not use:
/tmp/mnt/sda1

If you want to use permanent storage use /jffs
Instruct users to make permanent storage either with a USB stick/drive and automount a partition as /jffs or use the built-in JFFS2

You use "set -x", I would make that optional e.g. (learned this from @eibgrad, but see his scripts):

DEBUG= # uncomment/comment to enable/disable debug mode

[ ${DEBUG+x} ] && set -x


Some really good examples of (b)ash scripts:
https://pastebin.com/u/eibgrad

We do have some IPSET instructions with examples (a sticky in this forum):
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261

Moderators will surely add useful scripts to that documentation.

So again thanks for sharing.


Thanks for the feedback. I am completely OK with adding in the changes asked, though I do have some questions.....why would one want to make the debug switch a variable? In a normal run situation (startup or, say, a cron job to update the list once a week, as is my setup) output is just sent to /dev/null. If you ever need to manually debug the script, simply running it would instantly give the user debug output. Kind of curious how having this on is a negative?

Also for storage, /tmp/mnt/sda1 seems to be fairly static in my own setup, as I have no other drives connected and simply use it for a flash drive containing any persistent scripts that are run. I assume the issue is other devices could connect first and instantly throw off your mount points? Something I don't mind changing either in the instructions; just would like clarification on the issues with the setup.