DD-WRT on Linksys WRT32X--Possible to Block Countries IP blo

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
Basspig
DD-WRT User


Joined: 15 Jul 2023
Posts: 54

PostPosted: Mon Jun 24, 2024 0:56    Post subject: DD-WRT on Linksys WRT32X--Possible to Block Countries IP blo
Is it possible to block whole countries' IP blocks in the present firmware version for this router? I'm doing it in the Windows Firewall, but I'd like to block it at the router if possible.
If this is possible, how does one go about it?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9227

PostPosted: Fri Jun 28, 2024 18:00
Outbound? Inbound? Both?

It matters because, for example, you could block DNS for specific countries by adding something like the following to DNSMasq.

address=/.ru/0.0.0.0

IOW, any domain name for the Russia TLD can't be resolved. But that does NOTHING to prevent inbound access from public IPs for the same TLD. In this latter case, you'd need a database containing information that links domain names to location (they do exist but are usually prohibitively large for the router, and sometimes costly since it needs continual updating) and an iptables netfilter/extension (iirc, geoip) that references that database, or instead, perhaps firewall rules using ipset w/ that same database.

All that said, even if "technically" it works, it's a simple matter for the inbound traffic to be routed through a VPN w/ a public IP that's unlikely to be blocked.

BTW, your PC's firewall stands a far better chance of supporting such functionality because of its much greater resources, both processing power and storage capacity. Anything done on the router itself is unlikely to be as efficient and functional. You'd be better off offloading it to something like a pihole (which probably has this capability built-in).

So unless you only have a need for outbound protection through DNSMasq as I described above (simple and lightweight), I would NOT recommend using the router.

_________________
ddwrt-ovpn-split-basic.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh (UPDATED!) * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh
Basspig
DD-WRT User


Joined: 15 Jul 2023
Posts: 54

PostPosted: Fri Jun 28, 2024 19:20
The reason I asked is because there's been a sudden uptick in hackerbots hitting my router since June 12. My nginx logs used to average 250MB for a whole year. In just a few days, the newest log grew to 9GB!

So I wish to block entire countries' incoming traffic for that reason. The server is a small fanless mini computer, not much horsepower. Would prefer to reserve it for serving webpages and media if possible.

The database doesn't have to be updated constantly. Even if I can block 70% of the traffic, it would take huge load off my server.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6910
Location: Romerike, Norway

PostPosted: Sat Jun 29, 2024 7:53
My only suggestion is to put another server in front with Nginx or Traefik configured as a Reverse Proxy.
Basspig
DD-WRT User


Joined: 15 Jul 2023
Posts: 54

PostPosted: Sat Jun 29, 2024 23:28
I had been thinking about a pfSense box ahead of the main router to pre-filter all that traffic, but I am not that knowledgeable on this stuff, and don't understand how a reverse proxy works or how to configure it.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9227

PostPosted: Sat Jun 29, 2024 23:46
Is this web server open to the public generally, or ONLY for your own use? Because if it's the latter, you shouldn't be exposing it directly anyway. Instead, use a VPN server and reference the web server's private ip. Or else use something other than the well-known ports (80/443) for the web server. For home users, the use of well-known ports for *any* services offered via the WAN is just asking for trouble. A little bit of "security through obscurity" can go a long way.
Basspig
DD-WRT User


Joined: 15 Jul 2023
Posts: 54

PostPosted: Sun Jun 30, 2024 0:46
It's a public server, a "web" server, so it has to be exposed.

I have an nginx server running RTMP streaming and that server's logs are seeing a lot of traffic since 6/12. Strings like /XX0/00X/.

VPNs are expensive, and slow, so I don't think that would be a good solution for the server.

I thought about Cloudflare, which is said to have a free tier for filtering requests to the server. Might try that.

But from the responses here, I assume the answer is "no" for blocking countries in DD-WRT.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9227

PostPosted: Sun Jun 30, 2024 1:07
The following is how *I* would do it on the router.

https://blog.ip2location.com/knowledge-base/how-to-block-ip-addresses-from-a-country-using-ipset/

This assumes that ipset is enabled on the router (I know it is for some builds, but not all; e.g., x86 does NOT, which frankly baffles me). You can verify whether your router does support it w/ the following command.

Code:
dnsmasq -v


You'll see either ipset or no-ipset in the list of supported features.

ipset is key here because that will make the process MUCH more efficient. It only requires a single firewall rule to attempt to find a match. And those matches are based on subnets, NOT individual IPs.

It's just that it's a bit tedious since it appears you have to gather the lists manually, per country. Perhaps w/ some screen scraping and wget/curl you could programmatically gather what interests you. Obviously the provider would prefer you pay for API access to make it easier. But it doesn't seem to prevent you from manually gathering what you want.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9227

PostPosted: Sun Jun 30, 2024 1:23
I should add that the link I provided is the "general" approach I would take. It assumes the target device itself is filtering via iptables. That's why it does the checking on the INPUT chain of the filter table. For router purposes, it would make more sense to check on the PREROUTING chain of the nat table. That would limit the checking to only when a new connection is being attempted. If no match is found, subsequent packets do NOT need to be checked! That link makes the mistake of having to check each and every packet on the INPUT chain, unless there's a RELATED/ESTABLISHED ... ACCEPT rule before it. If not, then he could have just checked on the first packet (i.e., -m state --state NEW) to avoid further checking.

IOW, you need to slightly adapt what the author suggests to meet the unique needs of the router.

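The ipset-plus-one-rule approach eibgrad outlines in his last two posts, written out as an added example (not code from the thread or from DD-WRT): it batch-loads a subnet list into one ipset and hooks it with a single rule on the nat PREROUTING chain so the lookup happens once per new inbound connection. The set name, the WAN interface name and the CIDR list are assumptions/placeholders; on DD-WRT the script would live in the saved firewall script.

```shell
#!/bin/sh
# Added example (not from the thread): country blocking with one ipset and
# one iptables rule. Assumptions: ipset/iptables exist on the build, WAN_IF
# is your WAN interface, and CIDR_LIST is a constructed placeholder to be
# replaced by a real per-country subnet list.

SET_NAME="geoblock"
WAN_IF="vlan2"            # assumption: confirm with 'nvram get wan_ifname'
CIDR_LIST="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"           # constructed sample subnets (RFC 5737 ranges)

# Emit an 'ipset restore' batch: one create line plus one add per subnet.
# Loading in a single batch avoids forking ipset once per entry, which
# matters on a router CPU; -exist makes re-runs idempotent.
build_ipset_restore() {
  set_name="$1"; list="$2"
  printf 'create %s hash:net family inet -exist\n' "$set_name"
  printf '%s\n' "$list" | while IFS= read -r net; do
    if [ -n "$net" ]; then
      printf 'add %s %s -exist\n' "$set_name" "$net"
    fi
  done
}

# Number of subnets in the list (the set matches by subnet, not by host).
count_entries() { printf '%s\n' "$1" | grep -c '/'; }

# The single rule. The nat table only sees the first packet of each new
# connection, so the set is consulted once per connection rather than per
# packet; -i restricts the check to traffic arriving on the WAN.
build_rule() {
  printf 'iptables -t nat -I PREROUTING -i %s -m set --match-set %s src -j DROP' "$1" "$2"
}

if [ "$(id -u)" -eq 0 ] && command -v ipset >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
  build_ipset_restore "$SET_NAME" "$CIDR_LIST" | ipset restore
  eval "$(build_rule "$WAN_IF" "$SET_NAME")"
  echo "Loaded $(count_entries "$CIDR_LIST") subnets into $SET_NAME"
else
  # Dry run on a host without root/ipset/iptables: print what would be applied.
  build_ipset_restore "$SET_NAME" "$CIDR_LIST"
  build_rule "$WAN_IF" "$SET_NAME"; echo
fi
```

Because the rule sits in nat PREROUTING, connections from a listed subnet are dropped before any port forward to the web server is evaluated, and nothing else in the firewall needs to change when the list is refreshed: only the set contents do.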