Country Blocking

HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

Posted: Mon Dec 28, 2015 3:44
JAMESMTL wrote:
set capath & cacert

make sure to use full path for cacert

ex. curl --capath /opt/usr/bin --cacert /opt/usr/bin/ca-bundle.crt .....

I was so close! Full path for the cacert did the trick! Thanks again, JAMESMTL.

_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x
https://pi-hole.net/
https://github.com/DNSCrypt/dnscrypt-proxy
blaser
DD-WRT Guru


Joined: 16 Jul 2006
Posts: 525

Posted: Sat Jan 09, 2016 15:33
I need some help with curl, where do I get the certificate from?
_________________
Netgear R9000 main router
RAX80 as AP
HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

Posted: Sat Jan 09, 2016 16:42
blaser wrote:
I need some help with curl, where do I get the certificate from?

I searched "ca-bundle.crt download dd-wrt". The source I found was a Mozilla ca-bundle.crt, but there are other sources you can find (i.e. Microsoft). I put the ca-bundle.crt on my USB thumbdrive in /opt and specified the full path to the file to get the curl command to work.

blaser
DD-WRT Guru


Joined: 16 Jul 2006
Posts: 525

Posted: Sun Jan 10, 2016 15:24
Thanks, works now
ddwrtjim
DD-WRT Novice


Joined: 02 Mar 2015
Posts: 20

Posted: Mon Mar 28, 2016 18:08    Post subject: Affecting WAN speeds
Hi badmoon & JAMESMTL,

Thanks for taking time to write and improve the script. I am facing one issue with the script. When I add this to my router (R7000, DD-WRT v3.0-r29193 std), after a few hours or a day or so, my WAN speeds come to a crawl.

I have a 25 Mbps connection and after some time, it goes into 4-5 Mbps speeds on speedtest. If I remove the firewall rules mentioned in the OP, the speed jumps back to 25+.

Any guess what could be going on?
Avichi
DD-WRT User


Joined: 03 Nov 2013
Posts: 52

Posted: Mon Mar 28, 2016 23:00    Post subject: Badmoon & JAMES- Thank you for your help with the script
Badmoon and JAMES,

Thank you for your help in teaching the noobies with ideas about scripting. Please advise which directory the shell script should be located in, and also whether the invocation script is part of the firewall command on the DD-WRT router. I would appreciate it if you could post the step by step method to include this script in the router.

TIA
Avi
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Wed Mar 30, 2016 6:48    Post subject: Re: Affecting WAN speeds
ddwrtjim wrote:
Hi badmoon & JAMESMTL,

Thanks for taking time to write and improve the script. I am facing one issue with the script. When I add this to my router (R7000, DD-WRT v3.0-r29193 std), after a few hours or a day or so, my WAN speeds come to a crawl.

I have a 25 Mbps connection and after some time, it goes into 4-5 Mbps speeds on speedtest. If I remove the firewall rules mentioned in the OP, the speed jumps back to 25+.

Any guess what could be going on?


Without any diagnostic info all I can do is guess. Short list:
1. I am not sure which kernel that version is using but there have been numerous reports of slowdowns over time with 4.x. You may want to give kong's latest build a try as he has reverted to 3.x kernel for his builds which seems to have resolved the issue for others.

2. Over time something is making changes to the iptables chains' order of execution. That's just a guess with nothing to back it up.

I would start with kong's 3.x build and if that doesn't fix it you will need to post debug info.
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Wed Mar 30, 2016 6:55    Post subject: Re: Badmoon & JAMES- Thank you for your help with the sc
Avichi wrote:
Badmoon and JAMES,

Thank you for your help in teaching the noobies with ideas about scripting. Please advise which directory the shell script should be located in, and also whether the invocation script is part of the firewall command on the DD-WRT router. I would appreciate it if you could post the step by step method to include this script in the router.

TIA
Avi


I'll give badmoon a chance to respond as this is his script. If he hasn't had a chance to support it within a few days bump the thread. I try to limit my involvement to a thread or two a day.
VictorPT
DD-WRT Novice


Joined: 21 Feb 2017
Posts: 10

Posted: Tue Feb 21, 2017 13:26    Post subject: Whitelist/allowed countries - block the rest script
Hi guys,

This is my first post, therefore, first and foremost, big thank you to EVERYONE for EVERYTHING on DD-WRT, I love DD-WRT and this forum makes this project possible.

Thank you Badmoon and JAMESMTL for your hard work on this script.

I would like to ask you, and please, correct me if I'm wrong, that it seems the original script by Badmoon, could be easily tweaked to allow/whitelist 1, 2 or 3 countries and block the rest of the world.

In case this is possible, I would like to start a new thread with the recycled script converted to a Whitelist/allowed countries.

What I'm trying to do, is to make SSH on 443 and maybe FTP on any high random port like 54321 available just from any IP in UK, Ireland and Spain.

I'm a complete newbie on Linux but I will try my best. I found that http://www.ipdeny.com/ipblocks/ has been updated recently, and I think we could keep using it.

I've recently bought a refur WRT1900AC v2 and I'm using Kong 31100M on it for this purpose.

Thanks in advance.
HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

Posted: Thu Feb 23, 2017 5:15    Post subject: Re: Whitelist/allowed countries - block the rest script
VictorPT wrote:
Hi guys,

This is my first post, therefore, first and foremost, big thank you to EVERYONE for EVERYTHING on DD-WRT, I love DD-WRT and this forum makes this project possible.

Thank you Badmoon and JAMESMTL for your hard work on this script.

I would like to ask you, and please, correct me if I'm wrong, that it seems the original script by Badmoon, could be easily tweaked to allow/whitelist 1, 2 or 3 countries and block the rest of the world.

In case this is possible, I would like to start a new thread with the recycled script converted to a Whitelist/allowed countries.

What I'm trying to do, is to make SSH on 443 and maybe FTP on any high random port like 54321 available just from any IP in UK, Ireland and Spain.

I'm a complete newbie on Linux but I will try my best. I found that http://www.ipdeny.com/ipblocks/ has been updated recently, and I think we could keep using it.

I've recently bought a refur WRT1900AC v2 and I'm using Kong 31100M on it for this purpose.

Thanks in advance.

Go for it, post a link to the new thread and let us know how it goes. I'm interested to see how it goes.

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Thu Feb 23, 2017 5:27
@VictorPT

Yes, it's feasible and is how I do it. I allow US & CA and drop the rest.

Instead of using DROP or REJECT in the chains, use RETURN, then append DROP or REJECT at the end.

So if the IP matches the rule: RETURN, continue processing the ruleset.

If the IP doesn't match, then DROP.
VictorPT
DD-WRT Novice


Joined: 21 Feb 2017
Posts: 10

Posted: Sat Feb 25, 2017 23:33
@JAMESMTL

Thank you very much for your guidance. I used ACCEPT instead of RETURN, it is the same, isn't it?

@HalfBit

I believe I managed to do it and I published it on the following thread:

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1068738#1068738

Please bear in mind that I'm completely new to Linux and the script may contain errors/be improved in many aspects.

Thanks again guys.

_________________
Chop your own wood & it will warm you twice.

Main: Linksys WRT1900ACv2 v3.0 K3 31100M Kong
Backup: Linksys E3000 v2.4 K2.6 30880M BS
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sat Feb 25, 2017 23:55
VictorPT wrote:
@JAMESMTL

Thank you very much for your guidance. I used ACCEPT instead of RETURN, it is the same, isn't it?

@HalfBit

I believe I managed to do it and I published it on the following thread:

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1068738#1068738

Please bear in mind that I'm completely new to Linux and the script may contain errors/be improved in many aspects.

Thanks again guys.


No, it's not. ACCEPT explicitly allows the connection whereas RETURN allows other rules to be evaluated.
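
The RETURN-then-DROP allowlist from JAMESMTL's two replies above (RETURN for allowed ranges, a final DROP, and why ACCEPT is not equivalent), shown as an added example that is not part of the thread or of badmoon's script. The chain name `geo_allow`, the INPUT hook and the sample CIDRs are assumptions for illustration; the ports are the ones VictorPT mentions, and the script only prints the iptables commands.

```shell
#!/bin/sh
# Added example: print iptables commands for a country allowlist chain.
CHAIN="geo_allow"   # hypothetical chain name

# Succeed only if $1 is shaped like an IPv4 CIDR (a.b.c.d/0-32).
# printf, not echo: some shells' echo expands "\n" inside untrusted input.
is_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# stdin: zone data, one CIDR per line.  $1: comma-separated TCP ports.
gen_rules() {
    printf '%s\n' "iptables -N $CHAIN"
    while IFS= read -r line; do
        line="${line%%#*}"                               # drop comments
        line="$(printf '%s' "$line" | tr -d ' \t\r')"    # drop blanks and CRs
        [ -z "$line" ] && continue
        if is_cidr "$line"; then
            # Allowed source: RETURN to INPUT so the rest of the ruleset
            # still decides. ACCEPT here would end evaluation and let the
            # packet past every later rule.
            printf '%s\n' "iptables -A $CHAIN -s $line -j RETURN"
        else
            printf '%s\n' "# skipped malformed entry: $line"
        fi
    done
    # No allowed range matched: drop.
    printf '%s\n' "iptables -A $CHAIN -j DROP"
    # Send only traffic for the protected ports through the chain.
    printf '%s\n' "iptables -I INPUT -p tcp -m multiport --dports $1 -j $CHAIN"
}

# Constructed sample input (documentation ranges, not real country data).
sample_zone() {
    printf '%s\n' '# constructed sample' '192.0.2.0/24' '198.51.100.0/24' \
        'not-a-cidr' '' '203.0.113.0/25'
}

sample_zone | gen_rules "443,54321"
```

Malformed lines in the downloaded zone file end up as comments in the output rather than as `-s` arguments, so the printed rules can be reviewed before they are applied.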
VictorPT
DD-WRT Novice


Joined: 21 Feb 2017
Posts: 10

Posted: Sun Feb 26, 2017 1:54
Thanks, it's changed now.
fatalhalt
DD-WRT Novice


Joined: 29 Oct 2015
Posts: 39

Posted: Tue May 09, 2017 3:58    Post subject: IPv6?
Has anybody adapted this script to IPv6? I'm interested in blocking all known Chinese IPv6 ranges.
With IPv6, would we be inserting anything into the FORWARD chain since IPv6 addresses are not NATted?