Blocking IP Range

Discussion in 'Asuswrt-Merlin' started by AnthonyArmato, Feb 26, 2013.

  1. AnthonyArmato

    AnthonyArmato Senior Member

    Joined:
    Apr 13, 2012
    Messages:
    261
    Is it possible to block a range of IPs without having to enter them one at a time via Firewall/Network Services Filter ?
     
  2. AnthonyArmato

    AnthonyArmato Senior Member

    Joined:
    Apr 13, 2012
    Messages:
    261
    Guess that's a no ?
     
  3. wiz

    wiz Occasional Visitor

    Joined:
    Feb 15, 2013
    Messages:
    45
    The Network Services Filter blocks the LAN to WAN packet exchanges and restricts devices from using specific network services.

    So that's not blocking IP ranges, that's for denying local hosts access to specific ports / hosts you put in this list.

    What you can do is figure out how you block a range with iptables and then put this in the script "firewall-start" on the jffs partition. I think that's the only way you would be able to get this going.

    something like iptables -A INPUT -p all -s aaa.bbb.ccc.ddd/netmask -j DROP should work I think
     
  4. chamberc

    chamberc Occasional Visitor

    Joined:
    Feb 5, 2013
    Messages:
    47
    Location:
    Texas
    Trying to do this to fix youtube by chance?
     
  5. sabot105mm

    sabot105mm Regular Contributor

    Joined:
    Feb 1, 2013
    Messages:
    52
    OpenDNS allows you to filter IP addresses. It's what I used when I had a guest account, to filter adult websites and email.
    http://www.dd-wrt.com/wiki/index.php/OpenDNS
     
  6. Mistermoonlight

    Mistermoonlight Regular Contributor

    Joined:
    Feb 16, 2013
    Messages:
    83
    I am also using OpenDNS (free service) and this is really good for web content filtering. Here is the procedure using Merlin firmware:

    1- Create an account on OpenDNS, and also create a dnsomatic account:

    see
    http://dnsomatic.com/
    https://store.opendns.com/get/home-free

    You will use the dnsomatic account to update your server address provided by DynDNS or any other dynamic IP service, useful if you are running any kind of web/FTP server on your computer. The dnsomatic account will also be used to update your address on the OpenDNS server (don't forget to link your OpenDNS account with dnsomatic for this purpose) so that specific web content filtering can be applied according to your OpenDNS account settings. So configure your dnsomatic account with all the dynamic DNS services you may want to update (DynDNS, etc.).

    Specify the web content filtering level you want in the OpenDNS account you just created.

    2- In the router's WAN DDNS tab, enter your dnsomatic account information, so every time the router logs on to the internet it will send your internet address to the OpenDNS server and your own custom web filtering rules (in your OpenDNS account) will be used when browsing the internet through your router.

    3- In the router's WAN Internet Connection tab, change the WAN DNS setting "Connect to DNS Server automatically" to No, and type the OpenDNS server addresses in DNS Server1 and Server2.

    OpenDNS DNS servers
    208.67.222.222
    208.67.220.220

    4- As a safety measure, you can create a jffs script "firewall-start" like this (check the Merlin firmware wiki for info about how to create a jffs script):

    -------------------------------
    #!/bin/sh

    #############
    # Firewalling
    #############
    # Insert at consecutive positions 1-6 so the ACCEPT rules for the OpenDNS
    # servers sit ahead of the catch-all DROP rules, and all six sit ahead of
    # any pre-existing FORWARD rule (such as the LAN-to-WAN ACCEPT).
    iptables -I FORWARD 1 -p udp -d 208.67.220.220 --dport 53 -j ACCEPT
    iptables -I FORWARD 2 -p udp -d 208.67.222.222 --dport 53 -j ACCEPT
    iptables -I FORWARD 3 -p udp --dport 53 -j DROP
    iptables -I FORWARD 4 -p tcp -d 208.67.220.220 --dport 53 -j ACCEPT
    iptables -I FORWARD 5 -p tcp -d 208.67.222.222 --dport 53 -j ACCEPT
    iptables -I FORWARD 6 -p tcp --dport 53 -j DROP
    -------------------------------

    This script will prevent any user of any wireless/PC device on your network from using a different DNS server than the OpenDNS ones. With this feature, there is no way to bypass your web content filtering rules by using another DNS server, for example by just changing the DNS server in the NIC setup of your Windows computer. So the DNS setting is set up automatically (and provided by the router) when each device on the network uses DHCP to get an address from the router.

    IMPORTANT: The reason I am using a jffs script to filter non-authorized DNS requests is that there is a bug in the Network Services Filter (from the router's Firewall menu) and you cannot correctly and easily filter all other DNS servers (different from the OpenDNS ones you want to use) if you are using the "Parental Control" feature of your router: with Parental Control active, your network filter rules (from the router GUI menu) go wild with firmware 3.0.0.4.270.24 (Merlin).


    Final words:

    The beauty of a setup like this is that every device connected to the router on your network gets web content filtering according to your requirements, no matter if it is a Wii, a PC, a PlayStation, a web TV, etc... and it is quite difficult for your children to bypass...
     
    Last edited: Feb 27, 2013
  7. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    13,007
    Location:
    Canada
    If you want to take it one step forward, the following will force all DNS queries to go through your router (which will in turn go through OpenDNS). That way, a misconfigured client will still have Internet access, just that it will be forced to go through your configured DNS.

    Code:
    iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`
    
    Repeat the same for TCP if you wish. I haven't tested it myself, this is just based on Tomato code that I looked at a few weeks ago.

    Cleaner than just dropping connection to other DNS servers.
     
    Last edited: Feb 27, 2013
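The DNAT approach from post 7, worked out as a complete firewall-start script. This is an added example, not code from the thread or from the firmware: it covers both UDP and TCP, deletes each rule before inserting it so the script stays idempotent when the firmware re-runs firewall-start on a WAN reconnect, matches on the incoming interface br0 (post 13) instead of on the source subnet, and when executed under any name other than firewall-start (for instance on a PC, for review) it only prints the rules instead of applying them. Assumed: the LAN bridge is br0 and lan_ipaddr/lan_netmask come from nvram, with 192.168.1.1/255.255.255.0 as a fallback when nvram is not available.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  (added example, not code from the thread)
# Steer every LAN client's plain DNS to the router's own resolver (dnsmasq),
# which forwards to the servers set on the WAN page (OpenDNS in this thread).
# Assumptions: LAN bridge is br0; lan_ipaddr/lan_netmask come from nvram,
# with 192.168.1.1/255.255.255.0 as fallback when nvram is not available
# (e.g. when reviewing the script on a PC).

lan_ip()   { nvram get lan_ipaddr  2>/dev/null || echo 192.168.1.1; }
lan_mask() { nvram get lan_netmask 2>/dev/null || echo 255.255.255.0; }

# Print the iptables commands for UDP and TCP. Each rule is deleted before it
# is inserted, so re-running the script (the firmware calls firewall-start on
# every firewall restart, e.g. a WAN reconnect) does not stack duplicates.
dns_redirect_rules() {   # $1 = LAN IP, $2 = LAN netmask
    ip=$1; mask=$2
    for proto in udp tcp; do
        # Queries arriving on br0 for any port-53 server outside the LAN -> router
        spec="PREROUTING -i br0 -p $proto ! -d $ip/$mask --dport 53 -j DNAT --to-destination $ip"
        echo "iptables -t nat -D $spec 2>/dev/null"
        echo "iptables -t nat -I $spec"
    done
}

rules=$(dns_redirect_rules "$(lan_ip)" "$(lan_mask)")
case "${0##*/}" in
    firewall-start) printf '%s\n' "$rules" | sh ;;   # real run, executed by the firmware
    *)              printf '%s\n' "$rules" ;;        # any other name: preview only
esac
```

Only plain DNS on port 53 is caught: a client using DNS over TLS (port 853) or DNS over HTTPS (port 443) bypasses the redirect; blocking 853 outbound stops DoT, while DoH shares 443 with ordinary web traffic and cannot be blocked by port alone. Verify on the router with iptables -t nat -L PREROUTING -n; the -n suppresses the reverse lookups that turn addresses into names such as the .ptr.us.xo.net entry in post 12's listing.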
  8. Mistermoonlight

    Mistermoonlight Regular Contributor

    Joined:
    Feb 16, 2013
    Messages:
    83
    Merlin said:
    Yes, very good idea. That way it will silently force the use of the OpenDNS DNS server instead of dropping the undesired DNS attempt. I would try this improvement as soon as I have a chance to.

    This modification has to be added to another script than "firewall-start" i guess?

    Thanks
     
    Last edited: Feb 27, 2013
  9. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    13,007
    Location:
    Canada
    Use it instead of your current series of rules.
     
  10. AnthonyArmato

    AnthonyArmato Senior Member

    Joined:
    Apr 13, 2012
    Messages:
    261
    Yes, exactly. I entered them in Windows Firewall but I normally have this disabled. Plus I have quite a few devices on my network so being able to block them via the router would be much more effective.

    Don't want to use OpenDNS. Get better performance on my current ones.
     
    Last edited: Feb 28, 2013
  11. AnthonyArmato

    AnthonyArmato Senior Member

    Joined:
    Apr 13, 2012
    Messages:
    261
    Absolutely no idea how to do that.
     
  12. AnthonyArmato

    AnthonyArmato Senior Member

    Joined:
    Apr 13, 2012
    Messages:
    261
    Think I got it. Spoke to Asus. The guy had me block 3 IPs to block a whole subnet. Something about a broadcast address etc etc. But like I said to him, I didn't need the whole subnet blocked.

    So I found something online that said to run the following commands. (I inserted the IP range I needed blocked)

    Does this look correct ?

    iptables -i eth1 -A INPUT -s 173.194.55.0/24 -j DROP
    iptables -i eth1 -A INPUT -s 206.111.0.0/16 -j DROP

    Running iptables -L shows this...
    DROP all -- 173.194.55.0/24 anywhere
    DROP all -- 206.111.0.0.ptr.us.xo.net/16 anywhere
     
  13. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    13,007
    Location:
    Canada
    eth1 is WiFi 2.4 GHz.

    eth0 is WAN.
    eth2 is WiFi 5 GHz.
    br0 is the whole LAN.
     
  14. AnthonyArmato

    AnthonyArmato Senior Member

    Joined:
    Apr 13, 2012
    Messages:
    261
    Oh thanks ! How can I delete those two entries I added so I can change it to br0 ?
     
  15. AnthonyArmato

    AnthonyArmato Senior Member

    Joined:
    Apr 13, 2012
    Messages:
    261
    Figured that out too.

    Only thing I can't figure out is saving. Is it saved automatically or do I need to run a command to do that ?
     
  16. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    13,007
    Location:
    Canada
    You will need to create a user script to have these commands run at boot time. Probably best to use a firewall-start script for these.
     
  17. AnthonyArmato

    AnthonyArmato Senior Member

    Joined:
    Apr 13, 2012
    Messages:
    261
    Any chance you can walk me through those steps ?
     
  18. Mistermoonlight

    Mistermoonlight Regular Contributor

    Joined:
    Feb 16, 2013
    Messages:
    83
  19. AnthonyArmato

    AnthonyArmato Senior Member

    Joined:
    Apr 13, 2012
    Messages:
    261
    Great thanks. Will try that when I get home from work today.
     
  20. AnthonyArmato

    AnthonyArmato Senior Member

    Joined:
    Apr 13, 2012
    Messages:
    261
    Eh, still a bit confused. I downloaded the programs and got everything working. I know I need to create "firewall-start" and enter the iptables info I had posted earlier. Then what?
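A complete /jffs/scripts/firewall-start that blocks a list of address ranges for every LAN client, as an added example that is not code from the thread or from the firmware. It puts the rules in the FORWARD chain, because traffic a LAN client sends to the internet traverses FORWARD while INPUT only sees traffic addressed to the router itself, and matches on the LAN bridge br0 (post 13) rather than on a single radio. Each range is checked for a well-formed a.b.c.d/n before a rule is built, and every rule is removed before insertion so re-runs do not stack duplicates. The two ranges are the ones from post 12; the script applies the rules only when the firmware executes it as firewall-start and otherwise prints them for review.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  (added example, not from the thread)
# Block a list of address ranges for every LAN client. Rules live in the
# FORWARD chain (LAN -> internet traffic traverses FORWARD; INPUT only sees
# packets addressed to the router itself) and match the LAN bridge br0.
set -f   # no pathname expansion: the range list is word-split below

# One CIDR range per line; the two below are the ranges from post 12.
BLOCKED_RANGES="
173.194.55.0/24
206.111.0.0/16
"

# Return 0 for a well-formed a.b.c.d/n (octets 0-255, prefix 0-32), else 1.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; pfx=${1#*/}
    case $pfx in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for every valid range. Delete-then-insert keeps
# the script idempotent, since firewall-start runs on each firewall restart.
block_rules() {   # $1 = whitespace-separated CIDR list
    for cidr in $1; do
        if ! valid_cidr "$cidr"; then
            echo "firewall-start: skipping malformed range '$cidr'" >&2
            continue
        fi
        # LAN client -> blocked range, and blocked range -> LAN client
        for spec in "FORWARD -i br0 -d $cidr -j DROP" \
                    "FORWARD -o br0 -s $cidr -j DROP"; do
            echo "iptables -D $spec 2>/dev/null"
            echo "iptables -I $spec"
        done
    done
}

rules=$(block_rules "$BLOCKED_RANGES")
case "${0##*/}" in
    firewall-start) printf '%s\n' "$rules" | sh ;;   # executed by the firmware
    *)              printf '%s\n' "$rules" ;;        # any other name: preview
esac
```

On the router: save the file as /jffs/scripts/firewall-start, make it executable with chmod a+rx, have the JFFS partition enabled in Administration > System, then run service restart_firewall (or reboot) and confirm with iptables -L FORWARD -n --line-numbers. DROP makes blocked connections time out on the client; -j REJECT fails fast if that is preferred.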
     
