[R7800, R9000 & probably others] Blocklist based Firewall addon

[HELLO_wORLD]

DEPRECATED

Now use aegis:
https://www.snbforums.com/threads/aegis-a-firewall-blocklist.64128/

I made a blocklist based firewall addon for myself, and I improved it to share it here as it can interest others.

Firewall Blocklist

Firewall blocklist script for Netgear R7800 and R9000 Routers with Voxel firmware.
Should work with some other models as well.

What is it?

It is a script that allows to block a list of IP adresses or ranges for inbound and outbound traffic.
The main purpose is blocking dangerous adresses known for spam, hacking, malware, etc...
The blocklist is automatically generated from known sources (this is editable) and you can add your own IP adresses/ranges as well.

Instructions

Due to limited space per post, and having to write everything twice (different format), I invite now to read them here:
https://github.com/bolemo/firewall-blocklist/blob/master/README.md

Change log

v3.3.2

• Fixed a bug with installer for new installs
• Minor bug fixes and optimizations

v3.3.0

• Can be installed either on USB or internal memory (for people without USB drive)
• Protection will stay active after a router reboot if it was set and running before reboot
• If installed on USB, it will continue to work after a firmware update or reflash.
• The internal firewall will only be restarted if needed, so during an update, there should be no interruption in the blocklist protection, even for a second.
• blocklist can have more than 65536 elements (max elements will match number of netset entries)

v3.2.3

• Minor bugfix
• Now install script offers to install iprange on R9000 models and to remove install files (one less install step).

v3.2.2

• Upgrade fixed on routers without Entware (upgrade to 3.2.2 will still not work, but from 3.2.2 will work)
• Optimizations, code cleaning...

v3.2.1

• Status should now be accurate on R9000.
• More details in verbose status.
• More optimizations and bugfixes.

v3.2.0

• Custom black list of IPs file is now named /opt/bolemo/etc/firewall-blocklist.custom-bl.netset (the file does not exist by default, and is not mandatory: only if you have custom ip sets to add).
• Now, support custom white list. Works the same as the custom black list, and the file is /opt/bolemo/etc/firewall-blocklist.custom-wl.netset
• More bugfixes and optimizations (like when having 0.0.0.0/0 wan gateway)
• The generated netset file is now named /opt/bolemo/etc/firewall-blocklist-bl.netset so after upgrading, you can delete the old one: rm /opt/bolemo/etc/firewall-blocklist.netset
• It is recommended to clean before upgrading, so upgrade procedure is

/opt/bolemo/scripts/firewall-blocklist clean
/opt/bolemo/scripts/firewall-blocklist upgrade
/opt/bolemo/scripts/firewall-blocklist update

• It is also to be noted that our great @Voxel updated his Entware Repo and now iprange is also available this way as well (so can easily be installed on the router as an ipk or on USB Entware with /opt/bin/opkg install iprange). Thank you again @Voxel !

v3.0.1

• Minor bugfixes and optimizations

v3.0.0

• Now uses iprange when installed (install script allows to install it; can also be installed separately, see instructions https://github.com/bolemo/firewall-blocklist/blob/master/README.md#iprange )
• Now white lists the wan gateway only if it is in the block list
• Command parameters have been changed a little (and new ones)
• New commands to enable, disable and show the log
• Optimizations and bug fixes

v2.0.1

• If you upgrade from v1, please use /opt/bolemo/script/firewall-blocklist clean before installing v2
  
• Better filtering rules.
• Prevents wan gateway and its defined netmask to be blocked
• Possible to log activity in sys log
• test command is replaced by info command
• Usage of colors in terminal
• Have now an upgrade function to download and install latest version

v1.5.4 :

• install.sh now asks before overwriting existing firewall-blocklist.sources file.
• Version is displayed with status command

v1.5.3:

• Fixed creation of duplicate iptables rules overtime.
• Minor bug fixes

v1.5.1:

• Fixed the firewall-blocklist test that was returning an error if /opt/scripts does not exists at first. Since at this stage this directory might not exist, and since it is created if needed, testing this dir was unnecessary.

v1.5:

• if /opt/scripts/firewall-start.sh already exists, it won’t be replaced. Existing rules will be preserved.
• ipset generation is a lot faster
• no need to restart the script after a reboot

 

[HELLO_wORLD]

V1.5

 

[NetBytes]

I tried installing this on .72SF and no go. What is the minimum Voxel FW version?

 

[HELLO_wORLD]

I believe it should work on any version.

Can you be more specific on what is not working?

Did the installation process go ok?

What is

/opt/bolemo/scripts/firewall-blocklist test

returning?

What is

/opt/bolemo/scripts/firewall-blocklist status

returning?

I tried installing this on .72SF and no go. What is the minimum Voxel FW version?

 

[NetBytes]

Originally I ran the test() script and it just told me something was wrong.
So I modified it to tell me what it was looking for.
My install does not have the FWS_FILE.
It does not have that file anywhere.

root@R7800:/tmp/mnt/sda1/bolemo/scripts$ ./firewall-blocklist test
SRC_LIST is /opt/bolemo/etc/firewall-blocklist.sources
IP_LIST is /opt/bolemo/etc/firewall-blocklist.netset
TMP_FILE is /opt/bolemo/etc/firewall-blocklist.netset.tmp
FWS_FILE is /opt/scripts/firewall-start.sh
Something is wrong!

 

[HELLO_wORLD]

Ok, I see the problem, thank you.
It is fine if FWS_FILE does not exist initially (/opt/scripts/firewall-start.sh) and if so, my script will create it.
The test function is testing if the directory /opt/scripts/exists, and it probably does not, bu this is not a problem as my script will create it as well. This is a big I need to fix, but it should not impact the script.

In the script, the first line in the test () function should be:

if [ -r "$SRC_LIST" ] && [ -d $(dirname "$IP_LIST") ] && [ -d $(dirname "$TMP_FILE") ];

If you change that, the test function should says it is fine.

Do you have the following file installed?
/opt/bolemo/etc/firewall-blocklist.sources
If so, you should be all fine.

Can you tell me what the following command returns?

/opt/bolemo/scripts/firewall-blocklist status

Originally I ran the test() script and it just told me something was wrong.
So I modified it to tell me what it was looking for.
My install does not have the FWS_FILE.
It does not have that file anywhere.

root@R7800:/tmp/mnt/sda1/bolemo/scripts$ ./firewall-blocklist test
SRC_LIST is /opt/bolemo/etc/firewall-blocklist.sources
IP_LIST is /opt/bolemo/etc/firewall-blocklist.netset
TMP_FILE is /opt/bolemo/etc/firewall-blocklist.netset.tmp
FWS_FILE is /opt/scripts/firewall-start.sh
Something is wrong!

 

[NetBytes]

Ok, I see the problem, thank you.
It is fine if FWS_FILE does not exist initially (/opt/scripts/firewall-start.sh) and if so, my script will create it.
The test function is testing if the directory /opt/scripts/exists, and it probably does not, bu this is not a problem as my script will create it as well. This is a big I need to fix, but it should not impact the script.

In the script, the first line in the test () function should be:

if [ -r "$SRC_LIST" ] && [ -d $(dirname "$IP_LIST") ] && [ -d $(dirname "$TMP_FILE") ];

If you change that, the test function should says it is fine.

Do you have the following file installed?
/opt/bolemo/etc/firewall-blocklist.sources
If so, you should be all fine.

Can you tell me what the following command returns?

/opt/bolemo/scripts/firewall-blocklist status

Thanks for this, I will modify this later today.
To be clear - all the other tests are valid and exist, the FWS_FILE was the only failure.

Edit - the /opt/scripts directory does not exist at all.
I ran the test:
root@R7800:/tmp/mnt/sda1/bolemo/scripts$ ./firewall-blocklist status
ipset v6.24: The set with the given name does not exist
ipset v6.24: The set with the given name does not exist
Firewall is not active; Settings are clean

- /opt/scripts/firewall-start.sh does not exist or does not have settings
- INPUT firewall filter is inactive
- FORWARD firewall filter inactive
- INPUT firewall whitelist inactive
- FORWARD firewall whitelist inactive
- ipset filter does not exist
- ipset whitelist does not exist

 

[HELLO_wORLD]

ok, so you are all set

You can run /opt/bolemo/scripts/firewall-blocklist -v update

And voilà

Thanks for this, I will modify this later today.
To be clear - all the other tests are valid and exist, the FWS_FILE was the only failure.

Edit - the /opt/scripts directory does not exist at all.
I ran the test:
root@R7800:/tmp/mnt/sda1/bolemo/scripts$ ./firewall-blocklist status
ipset v6.24: The set with the given name does not exist
ipset v6.24: The set with the given name does not exist
Firewall is not active; Settings are clean

- /opt/scripts/firewall-start.sh does not exist or does not have settings
- INPUT firewall filter is inactive
- FORWARD firewall filter inactive
- INPUT firewall whitelist inactive
- FORWARD firewall whitelist inactive
- ipset filter does not exist
- ipset whitelist does not exist

 

[HELLO_wORLD]

V1.5.1

 

[NetBytes]

I believe I am all set, thank you.
I have set the update cron job for 3:15am.
P.S. you can change "rm -r fbl" to be instead "rm -rf fbl" and the *yes* will be forced (i.e. implied) for all deletes

Just FYI:
root@R7800:/tmp/mnt/sda1/bolemo/scripts$ ./firewall-blocklist -v update
Verbose mode
Initializing...
- firewall-start.sh not ok; generating it.
- built-in firewire restarted.
Initialization done.
Downloading lists defined in /opt/bolemo/etc/firewall-blocklist.sources
1) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
- 100%[===================>] 38.76K --.-KB/s in 0.06s
2) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
- 100%[===================>] 324.32K 905KB/s in 0.4s
3) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
- 100%[===================>] 253.71K 1.04MB/s in 0.2s
4) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/iblocklist_ciarmy_malicious.netset
- 100%[===================>] 201.65K 1.05MB/s in 0.2s
5) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset
- 100%[===================>] 14.49K --.-KB/s in 0.04s
Removing duplicates...
Done
Building ipset blocklist (48469 entries)...
Firewall is set and active

- /opt/scripts/firewall-start.sh exists with correct settings
- INPUT firewall filter is active:
iptables -A INPUT -i brwan -m set --match-set blocklist src -j DROP
- FORWARD firewall filter is active:
iptables -A FORWARD -i brwan -m set --match-set blocklist src -j DROP
- INPUT firewall whitelist is active:
iptables -A INPUT -i brwan -m set --match-set whitelist src -j ACCEPT
- FORWARD firewall whitelist is active:
iptables -A FORWARD -i brwan -m set --match-set whitelist src -j ACCEPT
- ipset filter is set:
Name: blocklist
Type: hash:net
Revision: 6
Header: family inet hashsize 16384 maxelem 65536
Size in memory: 964184
References: 2
- ipset whitelist is set:
Name: whitelist
Type: bitmap:ip
Revision: 3
Header: range 0.0.0.0-0.0.0.1
Size in memory: 64
References: 2

 

[HELLO_wORLD]

Great, you’re welcome!

About rm -rf, I prefer to show the interactive -r for less experienced users.
rm -rf can be very dangerous with a typo or misused... Power users like you know how to avoid repetitive yes ;-)

 

[NetBytes]

Great, you’re welcome!

About rm -rf, I prefer to show the interactive -r for less experienced users.
rm -rf can be very dangerous with a typo or misused... Power users like you know how to avoid repetitive yes ;-)

I thought it might be that.
Thanks for this system - will be reporting back if errors/problems so - no news is good news!

 

[HELLO_wORLD]

V1.5.3
Recommended update!
Fixed a bug where each init would duplicate the iptables rule in firewall-start.sh
Also improved the checking at init to remove any duplicate rule in firewall-start.sh
Now displays version in verbose mode and test

Next release will ask before overwriting default sources file with install.sh script (to not delete any custom setting in there, after all, the design of a separate sources file is customization). This release still overwrites /opt/bolemo/etc/firewall-blocklist.sources
If you have custom settings, make a backup or just change in install.sh the following line before running it:
Change:

cp "$SELF_PATH/firewall-blocklist.sources" "$BASE_DIR/bolemo/etc/"

By:

cp -i "$SELF_PATH/firewall-blocklist.sources" "$BASE_DIR/bolemo/etc/"

And when running, it will ask to overwrite or not.

 

[NetBytes]

A few questions:
1) how do I update my existing scripts? complete re-install?
2) can you output the version of the script in the 'status' output?

 

[HELLO_wORLD]

A few questions:
1) how do I update my existing scripts? complete re-install?

Yes (no need to delete anything before, just follow install procedure again)

2) can you output the version of the script in the 'status' output?

Done (v1.5.4)

 

[HELLO_wORLD]

V1.5.4

TODO (when I will have time). Version check and update from the script itself

 

[NetBytes]

I don't want to derail this thread too much but weird things:
1) the kamoj addon cronjob wont stick.
2) the standard cron job is permanently always overwritten with a 4:30am streamboost update
any ideas?

 

[HELLO_wORLD]

Yes: Install and use Entware cron
With Entware installed (see Voxel’s docs)
/opt/bin/opkg install cron
Then use /opt/bin/crontab
Works perfect for me.

I don't want to derail this thread too much but weird things:
1) the kamoj addon cronjob wont stick.
2) the standard cron job is permanently always overwritten with a 4:30am streamboost update
any ideas?

 

[kamoj]

Kamoj cron works for me.
Others have reported it is working. Don't know when it broke.
Don't know what version you use though.
5.0?:
https://www.snbforums.com/threads/k...00-x4s-and-r9000-x10.60590/page-7#post-556746
Your problem description could be better. There are quite a number of kamoj cron jobs. Not just one.
If I get a good description I'll fix it to next beta of course.

Also you can follow Voxel and HELLO_wORLD recommendation and install Entware cron if others fail.
Thank you for reporting.

 

[NetBytes]

Kamoj cron works for me.
Others have reported it is working. Don't know when it broke.
Don't know what version you use though.
5.0?:
https://www.snbforums.com/threads/k...00-x4s-and-r9000-x10.60590/page-7#post-556746
Your problem description could be better. There are quite a number of kamoj cron jobs. Not just one.
If I get a good description I'll fix it to next beta of course.

Also you can follow Voxel and HELLO_wORLD recommendation and install Entware cron if others fail.
Thank you for reporting.

I am using the one from kamoj-addon_191214-083737-1_ipq806x.ipk.
I click the On button, enter the time and job '15 03 * * *' and '<the update script above>' and when i press OK the page refreshes and everything is blank