Blacklisting all countries

DD-WRT Forum Index -> Broadcom SoC based Hardware
Rusky
DD-WRT Novice


Joined: 02 Aug 2010
Posts: 8

Posted: Thu May 03, 2018 14:17    Post subject: Blacklisting all countries
Is there a way I can blacklist all countries by default and open up specific ones I want?
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

Posted: Thu May 03, 2018 14:35
It's possible, but how efficient it will be is another story. What would you use as the basis for what defines a country in terms of IP address?

Rather than blocking all countries by default, you should probably use iptables to create a block-all scenario for any request made to your external IP (this could however cause issues with certain services) and then allow the IP ranges you want.

Another, more efficient method is ipset, which lets you include masses of IP ranges within a single ruleset and then create a single iptables rule to match that set for allowing traffic. The problem is that DD-WRT doesn't have support for it, unless you fancy compiling kernel modules/packages.

Any reason why you want to block specific countries? If it's port scanning, they'll come from any country, so it doesn't really seem worth it.

_________________
James

Main router:

Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac

IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset

Easy ipset support for the R7000

VPN speed: Download: 77.96 Mbps Upload: 5.00 Mbps (AES-128-CBC HMAC-SHA1)

Yes you can get 50 Mbps+ with OpenVPN on a R7000 if you configure it properly!

Previous routers:

ASUS RT-N66U - The Dark Knight
WNR2000v3 - Bought on the cheap for someone else, neutered crap
WNR3500Lv1 - First venture into the DD-WRT world
Rusky
DD-WRT Novice


Joined: 02 Aug 2010
Posts: 8

Posted: Thu May 03, 2018 14:57
James2k wrote:
It's possible, but how efficient it will be is another story. What would you use as the basis for what defines a country in terms of IP address?

Rather than blocking all countries by default, you should probably use iptables to create a block-all scenario for any request made to your external IP (this could however cause issues with certain services) and then allow the IP ranges you want.

Another, more efficient method is ipset, which lets you include masses of IP ranges within a single ruleset and then create a single iptables rule to match that set for allowing traffic. The problem is that DD-WRT doesn't have support for it, unless you fancy compiling kernel modules/packages.

Any reason why you want to block specific countries? If it's port scanning, they'll come from any country, so it doesn't really seem worth it.


No specific reason other than being security conscious. Can you make any best-practice suggestions? I just enabled the firewall and enabled everything under Block WAN Requests and Impede WAN DoS/Bruteforce.
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

Posted: Thu May 03, 2018 15:10
Being security minded is a good thing, but it's probably excessive to do country blocking, given you've got limited memory and tools available within the firmware.

Using the built-in stuff is fine. Ensure you don't respond to pings from the WAN side, enable the firewall and enable logging.

Further tips would be: don't enable UPnP and don't forward any ports to the WAN; if you want to access your LAN, consider setting up a VPN.

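The two posts above describe the same policy from two angles: a block-all rule on the WAN side with allow-listed ranges (optionally via one ipset instead of a rule per range), and the basic hardening of not answering WAN pings and logging what gets dropped. The script below is an added example written for this page; it is not code from the thread or from DD-WRT's own firewall. It prints the iptables/ipset commands rather than executing them, so they can be reviewed before being pasted into Administration -> Commands -> Save Firewall. The WAN interface name (`vlan2`), the chain name `WAN_IN`, the set name `allow_src`, the RFC 5737 documentation ranges and port 1194 are all placeholders chosen here. It covers IPv4 only; with IPv6 enabled the same policy has to exist in ip6tables or the allow-list is simply bypassed over v6.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT itself: generate a
# default-deny policy for traffic arriving on the WAN interface, then
# allow-list the source ranges and ports you actually need.
# IPv4 only: if IPv6 is enabled, mirror this in ip6tables.
#
# Assumptions (placeholders, adjust for your setup):
#   WAN_IF       WAN interface; on DD-WRT use $(nvram get wan_iface)
#   ALLOW_CIDRS  source ranges to admit (RFC 5737 documentation ranges here)
#   ALLOW_PORTS  ports to expose to those ranges (1194 = OpenVPN)
#   USE_IPSET    1 if the ipset binary/module is present (e.g. Entware), else 0
WAN_IF="${WAN_IF:-vlan2}"
ALLOW_CIDRS="${ALLOW_CIDRS:-203.0.113.0/24 198.51.100.0/24}"
ALLOW_PORTS="${ALLOW_PORTS:-1194}"
USE_IPSET="${USE_IPSET:-0}"

# Reject anything that is not a well-formed a.b.c.d/len so a typo cannot turn
# into an over-broad (or silently ignored) allow rule.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; len=${1#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the iptables/ipset commands for: wan_if cidrs ports use_ipset.
# Printing instead of executing lets you review the rules before applying.
emit_rules() {
  wan=$1; cidrs=$2; ports=$3; use_ipset=$4
  # Dedicated chain, re-created idempotently so the script can be re-run.
  echo "iptables -N WAN_IN 2>/dev/null"
  echo "iptables -F WAN_IN"
  echo "iptables -D INPUT -i $wan -j WAN_IN 2>/dev/null"
  echo "iptables -I INPUT -i $wan -j WAN_IN"
  # Replies to connections the LAN opened must keep flowing.
  echo "iptables -A WAN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Do not answer pings from the WAN side.
  echo "iptables -A WAN_IN -p icmp --icmp-type echo-request -j DROP"
  if [ "$use_ipset" = 1 ]; then
    # One set plus one rule per port, however many ranges the set holds.
    echo "ipset create allow_src hash:net -exist"
    echo "ipset flush allow_src"
    for c in $cidrs; do
      valid_cidr "$c" || { echo "skipping malformed range: $c" >&2; continue; }
      echo "ipset add allow_src $c -exist"
    done
    for p in $ports; do
      echo "iptables -A WAN_IN -p tcp --dport $p -m set --match-set allow_src src -j ACCEPT"
      echo "iptables -A WAN_IN -p udp --dport $p -m set --match-set allow_src src -j ACCEPT"
    done
  else
    # Without ipset every range x port pair is its own rule: fine for a few
    # ranges, not for a whole country's worth of prefixes.
    for c in $cidrs; do
      valid_cidr "$c" || { echo "skipping malformed range: $c" >&2; continue; }
      for p in $ports; do
        echo "iptables -A WAN_IN -s $c -p tcp --dport $p -j ACCEPT"
        echo "iptables -A WAN_IN -s $c -p udp --dport $p -j ACCEPT"
      done
    done
  fi
  # Log (rate-limited, so a scan cannot fill the log) and drop the rest.
  echo "iptables -A WAN_IN -m limit --limit 6/min -j LOG --log-prefix 'WAN_IN drop: '"
  echo "iptables -A WAN_IN -j DROP"
}

# Review first:  PRINT_RULES=1 sh wan_allowlist.sh
# Apply:         PRINT_RULES=1 sh wan_allowlist.sh | sh
if [ "${PRINT_RULES:-0}" = 1 ]; then
  emit_rules "$WAN_IF" "$ALLOW_CIDRS" "$ALLOW_PORTS" "$USE_IPSET"
fi
```

The jump to `WAN_IN` is inserted at the top of INPUT so it runs before DD-WRT's own rules, and the final DROP makes the default-deny explicit regardless of what the firmware appends. Keep the ESTABLISHED,RELATED rule first: without it the router's own outbound traffic (NTP, DNS, the OpenVPN tunnel) never gets its replies back.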
Rusky
DD-WRT Novice


Joined: 02 Aug 2010
Posts: 8

Posted: Thu May 03, 2018 15:58
Solid points James, appreciate your input
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Thu May 03, 2018 16:18    Post subject: Re: Blacklisting all countries
Rusky wrote:
Is there a way I can blacklist all countries by default and open up specific ones I want?

You should think of it the other way round, mathematically:
Set a policy to block all traffic, then allow only your country's IP address ranges. Your country should know EXACTLY what IP addresses it's using, right?

It's very much like the MAC address list in DD-WRT.

Unfortunately, are you sure that DD-WRT doesn't have back-doors or trap-doors to allow foreign government intervention? It's not written by you ONLY, right? AND... the router hardware is not designed and manufactured by you ONLY.

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
Rusky
DD-WRT Novice


Joined: 02 Aug 2010
Posts: 8

Posted: Fri May 04, 2018 16:23    Post subject: Re: Blacklisting all countries
mwchang wrote:
Rusky wrote:
Is there a way I can blacklist all countries by default and open up specific ones I want?

You should think of it the other way round, mathematically:
Set a policy to block all traffic, then allow only your country's IP address ranges. Your country should know EXACTLY what IP addresses it's using, right?

It's very much like the MAC address list in DD-WRT.

Unfortunately, are you sure that DD-WRT doesn't have back-doors or trap-doors to allow foreign government intervention? It's not written by you ONLY, right? AND... the router hardware is not designed and manufactured by you ONLY.


What if this board IS the government?!?
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Sat May 05, 2018 14:24    Post subject: Re: Blacklisting all countries
Rusky wrote:
mwchang wrote:
Unfortunately, are you sure that DD-WRT doesn't have back-doors or trap-doors to allow foreign government intervention? It's not written by you ONLY, right? AND... the router hardware is not designed and manufactured by you ONLY.

What if this board IS the government?!?

Heading into the domain of conspiracy theories should we go further...

