AC66U doesn't block countries


Thanks for bearing with me. Not having ipset v6 here makes it a tad difficult.
I've cleaned up the script a bit so it does not use "paste", so you can get rid of it:
Code:
opkg remove coreutils-paste

You should be able to use this as is without any modifications:
Code:
#!/bin/sh

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p "$IPSET_LISTS_DIR"
# Check dependencies exist
[ -x "/usr/sbin/ip6tables-save" ] && LIST6TABLE="ip6tables-save" || LIST6TABLE="ip6tables -L"

# Different routers got different iptables and ipset syntax
case $(uname -m) in
  armv7l)
    MATCH_SET='--match-set'; CREATE='create'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net family inet'; NETHASH6='hash:net family inet6'; SETNOTFOUND='name does not exist'
    # Loading ipset modules
    lsmod | grep -q "xt_set" || \
    for module in ip_set ip_set_nethash ip_set_iphash xt_set; do
      insmod $module
    done;;
  mips)
    MATCH_SET='--set'; CREATE='--create'; ADD='--add'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'; SETNOTFOUND='Unknown set'
    # Loading ipset modules
    lsmod | grep -q "ipt_set" || \
    for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
      insmod $module
    done;;
esac

# Block traffic from Tor nodes [IPv4 nodes only]
# "ipset swap X X" is only used as an existence probe: it prints $SETNOTFOUND when set X has not been created yet
if ipset $SWAP TorNodes TorNodes 2>&1 | grep -q "$SETNOTFOUND"; then
  ipset $CREATE TorNodes $IPHASH
  entryCount=0
  [ -e $IPSET_LISTS_DIR/tor.lst ] || wget -q -O $IPSET_LISTS_DIR/tor.lst http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
  for IP in $(cat $IPSET_LISTS_DIR/tor.lst); do
    ipset $ADD TorNodes $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added TorNodes list ($entryCount entries)"
fi
iptables-save | grep -q TorNodes || iptables -I INPUT -m set $MATCH_SET TorNodes src -j DROP

# Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
country_list="au br ca cn de fr gb jp kr pk ru sa sc tr tw ua vn"
if ipset $SWAP BlockedCountries BlockedCountries 2>&1 | grep -q "$SETNOTFOUND"; then
  ipset $CREATE BlockedCountries $NETHASH
  for country in ${country_list}; do
    entryCount=0
    # Lists are cached in $IPSET_LISTS_DIR; delete a .lst file to force a fresh download
    [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
    for IP in $(cat $IPSET_LISTS_DIR/$country.lst); do
      ipset $ADD BlockedCountries $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added country [$country] to BlockedCountries list ($entryCount entries)"
  done
fi
iptables-save | grep -q BlockedCountries || iptables -I INPUT -m set $MATCH_SET BlockedCountries src -j DROP
# IPv6 country blocking only on armv7l routers that have the IPv6 firewall enabled
if [ "$(nvram get ipv6_fw_enable)" -eq 1 -a "$(uname -m)" = "armv7l" ]; then
  if ipset $SWAP BlockedCountries6 BlockedCountries6 2>&1 | grep -q "$SETNOTFOUND"; then
    ipset $CREATE BlockedCountries6 $NETHASH6
    for country in ${country_list}; do
      entryCount=0
      [ -e $IPSET_LISTS_DIR/${country}6.lst ] || wget -q -O $IPSET_LISTS_DIR/${country}6.lst http://www.ipdeny.com/ipv6/ipaddresses/aggregated/${country}-aggregated.zone
      for IP6 in $(cat $IPSET_LISTS_DIR/${country}6.lst); do
        ipset $ADD BlockedCountries6 $IP6
        [ $? -eq 0 ] && entryCount=$((entryCount+1))
      done
      logger -t Firewall "$0: Added country [$country] to BlockedCountries6 list ($entryCount entries)"
    done
  fi
  $LIST6TABLE | grep -q BlockedCountries6 || ip6tables -I INPUT -m set $MATCH_SET BlockedCountries6 src -j DROP
fi

# Block Microsoft telemetry spying servers [IPv4 only]
if ipset $SWAP MicrosoftSpyServers MicrosoftSpyServers 2>&1 | grep -q "$SETNOTFOUND"; then
  ipset $CREATE MicrosoftSpyServers $IPHASH
  [ $? -eq 0 ] && entryCount=0
  for IP in 23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 \
        65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 \
        65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71 \
        65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 \
        131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 \
        134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 \
        191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254; do
    ipset $ADD MicrosoftSpyServers $IP
    [ $? -eq 0 ] && entryCount=$((entryCount+1))
  done
  logger -t Firewall "$0: Added MicrosoftSpyServers list ($entryCount entries)"
fi
# This one sits on FORWARD and matches src,dst, so it also stops LAN machines reaching these servers
iptables-save | grep -q MicrosoftSpyServers || iptables -I FORWARD -m set $MATCH_SET MicrosoftSpyServers src,dst -j DROP

# Block traffic from custom block list
if ipset $SWAP CustomBlock CustomBlock 2>&1 | grep -q "$SETNOTFOUND"; then
  if [ -e $IPSET_LISTS_DIR/custom.lst ]; then
    ipset $CREATE CustomBlock $IPHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/custom.lst); do
      ipset $ADD CustomBlock $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added CustomBlock list ($entryCount entries)"
  fi
fi
iptables-save | grep -q CustomBlock || iptables -I INPUT -m set $MATCH_SET CustomBlock src -j DROP

# Allow traffic from Whitelist [IPv4 only] [$IPSET_LISTS_DIR/whitelist.lst can contain a combination of IPv4 IP or IPv4 netmask]
if ipset $SWAP Whitelist Whitelist 2>&1 | grep -q "$SETNOTFOUND"; then
  if [ -e $IPSET_LISTS_DIR/whitelist.lst ]; then
    ipset $CREATE Whitelist $NETHASH
    [ $? -eq 0 ] && entryCount=0
    for IP in $(cat $IPSET_LISTS_DIR/whitelist.lst); do
      # Plain addresses get a /31 prefix appended before being added to the net set (note: /31 also admits the neighbouring address)
      [ "${IP##*/}" = "$IP" ] && ipset $ADD Whitelist $IP/31 || ipset $ADD Whitelist $IP
      [ $? -eq 0 ] && entryCount=$((entryCount+1))
    done
    logger -t Firewall "$0: Added Whitelist ($entryCount entries)"
  fi
fi
iptables-save | grep -q Whitelist || iptables -I INPUT -m set $MATCH_SET Whitelist src -j ACCEPT

You can create a handy alias in your profile (in /opt/etc/profile or /jffs/configs/profile.add)
Code:
alias blockstats='iptables -L -v | grep " set"; ip6tables -L -v | grep " set"'

then you can quickly check up on how your blocklists are functioning, how many packets blocked etc. by just typing 'blockstats'

Thanks for testing the changes
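Added example, not code from the thread: the script above caches whatever wget wrote to the .lst file (an empty file or an HTML error page included) and never downloads it again, so a single failed fetch leaves that country silently unblocked. The functions below validate a zone file before it is loaded and swap a fully built set into place; function names and the sample data are mine, and the ipset calls use the armv7l syntax from the script.

```shell
#!/bin/sh
# Validate a downloaded ipdeny zone file before loading it into ipset.
# (Added example; function names are constructed, not from the thread.)

# Return 0 if $1 is non-empty and every non-blank line is an IPv4 CIDR
# (a.b.c.d/n with octets 0-255 and prefix 0-32); an HTML error page,
# an empty file or a stray trailing token on a line fails the check.
valid_zone_file() {
  [ -s "$1" ] || return 1
  awk '
    /^[ \t]*$/ { next }
    {
      if (split($0, p, "/") != 2 || p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) { bad = 1; exit }
      if (split(p[1], o, ".") != 4) { bad = 1; exit }
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) { bad = 1; exit }
      good = 1
    }
    END { exit (good && !bad) ? 0 : 1 }' "$1"
}

# Fetch URL $2 into file $1 only when the result validates. On failure the
# partial file is removed, so the next run retries instead of caching junk.
fetch_zone() {
  _tmp="$1.tmp"
  if wget -q -O "$_tmp" "$2" && valid_zone_file "$_tmp"; then
    mv "$_tmp" "$1"
    return 0
  fi
  logger -t Firewall "$0: discarded invalid or empty list from $2"
  rm -f "$_tmp"
  return 1
}

# Load a validated list into a scratch set and swap it into place in one
# step, so the firewall never matches against a half-filled set.
load_net_set() {
  _set=$1; _file=$2; _count=0
  valid_zone_file "$_file" || return 1
  ipset create "${_set}_tmp" hash:net family inet 2>/dev/null
  ipset flush "${_set}_tmp"
  while read -r _net; do
    [ -n "$_net" ] && ipset add "${_set}_tmp" "$_net" && _count=$((_count + 1))
  done < "$_file"
  ipset create "$_set" hash:net family inet 2>/dev/null
  ipset swap "${_set}_tmp" "$_set" && ipset destroy "${_set}_tmp"
  logger -t Firewall "$0: loaded $_count entries into $_set"
}
```

In the script above, `fetch_zone "$IPSET_LISTS_DIR/$country.lst" "http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone"` would replace the bare `wget` line, and `load_net_set BlockedCountries "$IPSET_LISTS_DIR/$country.lst"` the add loop.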
 
Thanks for that. It ran ok except for:

iptables v1.4.14: Set CustomBlock doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.14: Set Whitelist doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
 
That is fixed too. The updated script is here. Could you post the output of
Code:
cat /tmp/syslog.log | grep "Firewall"
and
Code:
iptables -L -v | grep " set"; ip6tables -L -v | grep " set"
for my curiosity?
 
It ran perfectly this time!
The output of cat /tmp/syslog.log | grep "Firewall"

admin@NETGEAR-87C8:/jffs/scripts# cat /tmp/syslog.log | grep "Firewall"
Mar 1 03:11:19 Firewall: ./firewall-start2: Added TorNodes list (7019 entries)
Mar 1 03:11:27 Firewall: ./firewall-start2: Added country [au] to BlockedCountries6 list (993 entries)
Mar 1 03:11:56 Firewall: ./firewall-start2: Added country [br] to BlockedCountries6 list (3987 entries)
Mar 1 03:12:05 Firewall: ./firewall-start2: Added country [cn] to BlockedCountries6 list (1225 entries)
Mar 1 03:12:06 Firewall: ./firewall-start2: Added country [kr] to BlockedCountries6 list (109 entries)
Mar 1 03:12:07 Firewall: ./firewall-start2: Added country [pk] to BlockedCountries6 list (77 entries)
Mar 1 03:12:17 Firewall: ./firewall-start2: Added country [ru] to BlockedCountries6 list (1308 entries)
Mar 1 03:12:17 Firewall: ./firewall-start2: Added country [sa] to BlockedCountries6 list (74 entries)
Mar 1 03:12:18 Firewall: ./firewall-start2: Added country [sc] to BlockedCountries6 list (9 entries)
Mar 1 03:12:20 Firewall: ./firewall-start2: Added country [tr] to BlockedCountries6 list (283 entries)
Mar 1 03:12:21 Firewall: ./firewall-start2: Added country [tw] to BlockedCountries6 list (84 entries)
Mar 1 03:12:23 Firewall: ./firewall-start2: Added country [ua] to BlockedCountries6 list (352 entries)
Mar 1 03:12:24 Firewall: ./firewall-start2: Added country [vn] to BlockedCountries6 list (77 entries)
Mar 1 03:12:25 Firewall: ./firewall-start2: Added MicrosoftSpyServers list (45 entries)

the output of iptables -L -v | grep " set"; ip6tables -L -v | grep " set" didn't return anything.

Thanks for fixing the script!
 
I wonder why you have BlockedCountries6 and not BlockedCountries list created o_O. You should have both

I am guessing the more accurate command to show the lists for your model would be
Code:
iptables -L -v | grep "match-set"; ip6tables -L -v | grep "match-set"
If possible, can you run the above?
 
Here is the output:

admin@NETGEAR-87C8:/jffs/scripts# iptables -L -v | grep "match-set"; ip6tables -L -v | grep "match-set"
0 0 DROP all -- any any anywhere anywhere match-set BlockedCountries src
0 0 DROP all -- any any anywhere anywhere match-set TorNodes src
0 0 DROP all -- any any anywhere anywhere match-set MicrosoftSpyServers src,dst
0 0 DROP all any any anywhere anywhere match-set BlockedCountries6 src
 
You got all of them :)

Did you test it works from that webpagetest website? You can test this if you have a webserver running on your router. Or else just use the traceroute test.
 
I don't have a webserver running on my router. Not sure what the traceroute test is. I am able to open pages in Poland and Russia (just two of the countries I checked) which I have as blocked countries in the script. Not sure what is going on. Any ideas?
 
Setting up the block rules is to prevent machines from those countries connecting to your router or your home network behind the router. If you have no servers of any kind running, you do not even need to worry about blocking anything (provided of course there is no trojan/malware server you are not aware of). Exception to this is the 'MicrosoftSpyServers' block rule, which aims to prevent Windows machines in your LAN from connecting to M$ telemetry servers (note the 'dst' on the filter rule).
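As an added illustration of that point (not code from the thread): a script that reads `iptables -L -v` output together with the chain headers the `blockstats` alias above throws away, and reports which chain enforces each set and in which direction. The sample output, counters and function names are constructed.

```shell
#!/bin/sh
# Report which chain enforces each ipset and in which direction.
# (Added example; sample output and function names are constructed.)

# Constructed sample of `iptables -L -v`, chain headers kept.
sample_iptables() {
  cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37     0 DROP       all  --  any    any     anywhere             anywhere             match-set BlockedCountries src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set TorNodes src
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5     0 DROP       all  --  any    any     anywhere             anywhere             match-set MicrosoftSpyServers src,dst
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# One line per ipset rule: CHAIN SET FLAGS PKTS TARGET. Reads from stdin.
set_rules() {
  awk '
    /^Chain / { chain = $2; next }
    /match-set/ {
      for (i = 1; i <= NF; i++)
        if ($i == "match-set") print chain, $(i + 1), $(i + 2), $1, $3
    }'
}

# Exit 0 if set $1 is matched as a destination on FORWARD, i.e. it restricts
# where LAN hosts may connect to. A src-only rule on INPUT only stops hosts
# in the set from reaching the router itself, which is why pages hosted in a
# "blocked" country still load from the LAN. Reads iptables output from stdin.
blocks_lan_outbound() {
  set_rules | awk -v s="$1" '
    $1 == "FORWARD" && $2 == s && $3 ~ /dst/ { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Packets matched per set, summed over chains: a more readable blockstats.
set_hits() {
  set_rules | awk '{ hits[$2] += $4 } END { for (s in hits) print s, hits[s] }' | sort
}

sample_iptables | set_rules
sample_iptables | blocks_lan_outbound BlockedCountries \
  && echo "BlockedCountries also filters LAN outbound traffic" \
  || echo "BlockedCountries only filters traffic arriving at the router"
```

On the router, replace `sample_iptables` with `iptables -L -v` (and `ip6tables -L -v` for the IPv6 sets).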
 
Ok thanks. Appreciate all your help.
 
my privacy filter covers this really well :)
 
