
Asus RT-AC68U Traffic Blocking Question specific IP and VPN on top of that

Discussion in 'Asuswrt-Merlin' started by Dee dee, Nov 12, 2019.

  1. Dee dee

    Dee dee Occasional Visitor

    Joined:
    Nov 11, 2019
    Messages:
    37
    Hi All,

    I just loaded Asus Merlin firmware and love it!

    I wanted to set up a specific routing rule and am confused about how to do it in the UI.

    I basically wanted to set a specific internal IP (an item on my network, static) 192.168.2.26 (for example) to block all outgoing and incoming traffic to it.

    Then allow only certain websites (siteexample.com) to access that device and not allow other sites, and route the traffic on top of that through a VPN server (NordVPN) (which I set up on the VPN setting and have working already).

    I tried the firewall option and blocking the website name, but the site and all subdomains are still pingable.

    Any idea what I am doing wrong?

    P.S. Also, is there a log where I can see the traffic going from and to a device so I can better isolate the traffic (with a UI perhaps?)
    Thanks in advance,
    Dee
     
  2. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,456
    Location:
    UK
    Not 100% sure if I correctly understand your requirements

    e.g. say Website is 'www.ibm.com'

    Requirement Option 1.
    Code:
    Internet ==+==========>>Router      Allow www.ibm.com
              ¦^¦           + + + +
              ¦^¦           | ^ ^ ^
              ¦|¦           | | | |
        NordVPN Client      | | | |
              ¦^¦           | | | |
              ¦|¦           | v v v
              ¦|¦           | 192.168.2.xxx
              ¦|¦           |
              ¦|¦           |
              ¦|¦           v
              ¦|¦      192.168.2.26    (Selective Routing GUI rule: THISPC   192.168.2.26   0.0.0.0   VPN)
              ¦|¦          ¦|¦
              ¦|¦          ¦|¦
       ONLY www.ibm.com    ¦|¦
              ¦|¦          ¦|¦
              ¦|¦==========¦|¦
              ¦+------------+¦
              ¦==============¦
    or

    Requirement Option 2.
    Code:
    Internet ==+==========>>Router      Allow www.ibm.com
              ¦^¦           + + + +
              ¦^¦           ^ ^ ^ ^
              ¦|¦           | | | |
        NordVPN Client      | | | |
              ¦^¦           | | | |
              ¦|¦           | v v v
              ¦|¦           | 192.168.2.xxx
              ¦|¦           |
              ¦|¦           |
              ¦|¦           +----+
              ¦|¦                |
              ¦|¦                |
              ¦|¦                v
              ¦|¦           192.168.2.26 (Selective Routing GUI rule: THISPC   192.168.2.26   'xxx.xxx.xxx.xxx'   VPN)
              ¦|¦              //                where xxx.xxx.xxx.xxx is the current IP for 'www.ibm.com'
              ¦|¦             //
              ¦|¦            //
              ¦|¦           //
              ¦|¦    ONLY www.ibm.com
              ¦|¦          ¦|¦
              ¦|¦          ¦|¦
              ¦|¦          ¦|¦
              ¦|¦          ¦|¦
              ¦|¦          ¦|¦
              ¦|¦==========¦|¦
              ¦+------------+¦
              ¦==============¦
    Either way you will need a script to add appropriate rules to the firewall.

    i.e. you can't Selectively Route URLs/Domains using the GUI, as only IPs/CIDRs are allowed in the target 'Destination IP' field, and a single URL/Domain may resolve to a range of 10s if not 100s of IPs.

    The GUI 'Firewall - URL Filter' does not physically block PING traffic.

    Also it is Global in scope, so if you filter say 'www.ibm.com', then the URL 'text-based' block applies to ALL LAN devices - not just the device(s) Selectively Routed via the NordVPN Client.

    PING blocking can be explicitly enabled (but isn't intuitive) on the 'Firewall - Network Services Filter' GUI, however it too is Global, meaning it will be completely DISABLED from ANY LAN device(s) regardless of target URL/IP.
    See the Wiki documentation for Asuswrt-Merlin, or even better see @Xentrk's Blog Site for a pictorial walk-through.
     
    Last edited: Nov 13, 2019
  3. Dee dee

    Dee dee Occasional Visitor

    Joined:
    Nov 11, 2019
    Messages:
    37
    Martineau,

    Thank you for taking the time to reply to me. I looked at his blog but just a white page renders saying hello dude.

    I don't really understand your diagrams but let me try to explain it more simply.

    Device on network > only allowed to ping/http connect to a certain site and no other sites, while also routing all its traffic through NordVPN.

    I know with the VPN page I just click on add host at the bottom and drop connection if VPN drops on top.

    Is there an Entware package I can install that would help with the filtering I want?

    Also, is there a way on the router itself to see http or dba requests from a device in the GUI, so I am sure I'm not blocking the wrong thing?
     
  4. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,456
    Location:
    UK
    Apologies, but I have several templates that I use to quickly compose thread posts and replies, so didn't physically check the pasted link. :rolleyes:

    Hmmm, @Xentrk's site may have been hacked? :eek:

    So I would advise everyone to wait until @Xentrk is back online tomorrow.
     
  5. Grisu

    Grisu Part of the Furniture

    Joined:
    Aug 28, 2014
    Messages:
    2,692
    I don't think it's hacked; on http://www.x3mtek.com/ I see:
    This domain name registration has expired and renewal or deletion are pending. If you are the registrant and want to renew the domain name, please contact your registration service provider.
     
    Last edited: Nov 13, 2019
  6. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,456
    Location:
    UK
    Ahh OK, that is probably more reassuring, although the blank page only containing the message 'Helo Dude' is the type of thing kiddie scripters think is funny!

    NOTE: The blog Table of Contents is available in Google cache but not the linked content.
     
    Last edited: Nov 13, 2019
  7. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,456
    Location:
    UK
    So presumably you have entered something similar in the VPN Client GUI?


    i.e. criteria

    1. 192.168.2.26 must NEVER use the WAN, and must honour the VPN KILL-switch if the VPN Client is DOWN

    2. 192.168.2.26 may only access a limited number of specified Websites/Domains.

    So essentially you require to implement the 'Requirements Option 1' diagram (unlike Option 2, where 192.168.2.26 always uses the WAN except for nominated IPs/domains via the VPN)

    The complete solution (criteria 2) requires you to manually add firewall rules to

    1. BLOCK all internet websites from 192.168.2.26 thru the VPN Client tunnel by default.
    2. Allow 192.168.2.26's nominated Domains/Websites as exceptions
    e.g. Old-skool for 'www.ibm.com' and 'www.youtube.com'
    Code:
    iptables -I FORWARD -s 192.168.2.26 -o tun1+ -j DROP
    
    iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s 192.168.2.26 -o tun1+ -d www.ibm.com      -j ACCEPT -m comment --comment www.ibm.com
    iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s 192.168.2.26 -o tun1+ -d www.youtube.com  -j ACCEPT -m comment --comment www.youtube.com
    etc.
    Code:
    nslookup www.youtube.com
    
    Server:    127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain
    
    Name:      www.youtube.com
    Address 1: 2a00:1450:4009:819::200e lhr48s09-in-x0e.1e100.net
    Address 2: 216.58.213.14 ber01s14-in-f14.1e100.net
    Address 3: 216.58.213.110 lhr25s02-in-f14.1e100.net
    Address 4: 172.217.20.142 fra07s27-in-f142.1e100.net
    Address 5: 172.217.169.14 lhr25s26-in-f14.1e100.net
    Address 6: 172.217.169.46 lhr48s08-in-f14.1e100.net
    Address 7: 172.217.169.78 lhr48s09-in-f14.1e100.net
    Address 8: 216.58.204.238 par21s06-in-f14.1e100.net
    Address 9: 216.58.210.206 lhr48s11-in-f14.1e100.net
    Address 10: 216.58.210.238 mrs04s10-in-f238.1e100.net

    In the example above, nslookup (for me) currently returns nine IPv4 addresses for 'www.youtube.com' - so with just two domains, we already have 10 rules.

    Subsequently it is prudent to save all the domain IP addresses in an IPSET and rather have potentially hundreds of firewall rules have just one! :D

    P.S. @Xentrk has scripts to collect all of the IPs for a selected domain see Xentrk GitHub

    Here's how you can populate an IPSET manually:

    e.g. for 'snbforums.com' and 'www.youtube.com'
    Code:
    modprobe -sv xt_comment.ko
     
    ipset create Valid_VPN_IP hash:net comment
    
    nslookup snbforums.com;for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | awk 'NR>2');do ipset add Valid_VPN_IP $IP comment snbforums.com;done;ipset list Valid_VPN_IP
    
    nslookup www.youtube.com;for IP in $(nslookup "www.youtube.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | awk 'NR>2');do ipset add Valid_VPN_IP $IP comment www.youtube.com;done;ipset list Valid_VPN_IP
    then for the ten (or even thousands of IPs) you only need one rule!
    Code:
    iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))"  -s 192.168.2.26 -o tun1+ -m set  --match-set Valid_VPN_IP dst -j ACCEPT
    You can examine the firewall statistics to see if the restricted domain access is working as expected, and also interrogate the IPSET
    Code:
    ipset test Valid_VPN_IP snbforums.com
    
    104.27.127.97 is in set Valid_VPN_IP.
    Furthermore, rather than manually populate the IPSET, you can simply create an empty IPSET and have dnsmasq automatically (in real-time) add any new IPs associated with the selected domains,

    Simply issue
    Code:
    echo "ipset=/snbforums.com/www.youtube.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
    
    service restart_dnsmasq
     
    Last edited: Nov 22, 2019
  8. Dee dee

    Dee dee Occasional Visitor

    Joined:
    Nov 11, 2019
    Messages:
    37
    Thank you very much for the explanation.
    I will try it tonight when home from work and advise if it's not what I wanted. I will test it with a PC before I change the IP to what I wanted.
     
  9. Dee dee

    Dee dee Occasional Visitor

    Joined:
    Nov 11, 2019
    Messages:
    37
    Martineau
    So essentially I am just doing the 2 things below:

    So presumably you have entered something similar in the VPN Client GUI?
    (YES I DID)

    Then I SSH into my router with PuTTY and do the following commands (I am not too keen/good with these commands nor Linux, sorry for any errors I type):
    "
    modprobe -sv xt_comment.ko

    ipset create Valid_VPN_IP hash:net comment

    echo "ipset=/www.siteiwanttoallow.com" >>/jffs/configs/dnsmasq.conf.add

    iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s 192.168.2.26 -o tun1+ -m set --match-set Valid_VPN_IP dst -j ACCEPT

    service restart_dnsmasq
    "
    And this will persist over reboots?

    Also, what do I want to do if I wanted to remove said rules from that IP in the future?
     
  10. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,456
    Location:
    UK
    Yes, PuTTY is fine, although you may wish to use a more feature-rich SSH client such as Xshell or MobaXterm but it should be a simple copy'n'paste into the command line.

    The following has a typo:
    Code:
    echo "ipset=/www.siteiwanttoallow.com" >>/jffs/configs/dnsmasq.conf.add
    you have omitted the IPSET name where the resolved 'www.siteiwanttoallow.com' IPs should be collated.
    Change it to
    Code:
    echo "ipset=/www.siteiwanttoallow.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
    See the dnsmasq man page for the syntax.

    NOTE: You will need to manually edit '/jffs/configs/dnsmasq.conf.add' if you need to add or remove domains to be automatically resolved and added.
    List the firewall rule statistics
    Code:
    iptables  --line -t filter -nvL FORWARD
    Delete the firewall rules
    Code:
    #!/bin/sh
    
    IPADDR=192.168.2.26
    
    VPN_ID=3                      # VPN Client 3
    VPN_FWMARK="0x4000/0x4000"    # 0x1000=VPN 1, 0x2000=VPN 2, 0x4000=VPN 3
    
    IPSET_NAME="Valid_VPN_IP"
    
    # Remove the fwmark rule that steers IPSET destinations into the VPN Client
    iptables -t mangle -D PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK 2>/dev/null
    
    # Remove the DNS exception, the IPSET ACCEPT exception and the catch-all DROP
    iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
    iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
    iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
    No, you will need to create scripts that will automatically be executed when the router reboots.

    e.g. Use nano editor on the router command line to create '/jffs/scripts/firewall-start' with the lines
    Code:
    #!/bin/sh
    
    IPADDR=192.168.2.26
    
    VPN_ID=3                      # VPN Client 3
    VPN_FWMARK="0x4000/0x4000"    # 0x1000=VPN 1, 0x2000=VPN 2, 0x4000=VPN 3
    
    IPSET_NAME="Valid_VPN_IP"
    
    logger -st "($(basename $0))" $$ "Creating IPSET '$IPSET_NAME' rules"
    
    # Mark traffic from the device to IPSET destinations so it is policy-routed into VPN Client $VPN_ID
    iptables -t mangle -D PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK 2>/dev/null
    iptables -t mangle -A PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK
    
    # Prevent duplicates but can leave firewall exposed...
    iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
    iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
    iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
    # Insert in reverse order, each directly below the 'state INVALID' rule, so the final order is DNS ACCEPT, IPSET ACCEPT, catch-all DROP
    iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN"
    iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
    iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT
    
    # Non-destructive (but no less exposed?) method to prevent duplicates: 'iptables -C' succeeds only if the rule already exists
    #iptables -C FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN"
    #iptables -C FORWARD -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
    #iptables -C FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT
    
    
    and create '/jffs/scripts/services-start'
    Code:
    #!/bin/sh
    
    modprobe -sv xt_comment.ko
    RC=$?
    logger -st "($(basename $0))" $$  "Loading iptables 'comment' module xt_comment.ko rc=$RC"
    modprobe -D xt_comment.ko >>/tmp/syslog.tmp
    
    IPSET_NAME="Valid_VPN_IP"
    
    ipset create $IPSET_NAME hash:net comment
    RC=$?
    logger -st "($(basename $0))" $$ "Creating IPSET '$IPSET_NAME' rc=$RC"
    
    and create '/jffs/scripts/wan-start'
    Code:
    #!/bin/sh
    
    Say(){
       echo -e $$ "$@" | logger -st "($(basename $0))"
    }
    
    IPSET_NAME="Valid_VPN_IP"
    
    Say "Paused for 2 secs....."
    sleep 2
    
    # These are optional, but if the domains are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)
    
    Say "Adding domains to IPSET '$IPSET_NAME'"
    THIS="snbforums.com";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS; Say "'"$THIS"' $IP rc="$?;done;
    THIS="speedtest.net";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS; Say "'"$THIS"' $IP rc="$?;done;
    THIS="whatismyipaddress.com";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS;Say "'"$THIS"' $IP rc="$?;done
    
    
    then make the scripts executable
    Code:
    chmod a+rx /jffs/scripts/*
    P.S. There is a wealth of information in the RMerlin Wiki describing how to write scripts, and for descriptions of the various files such as 'firewall-start' see User scripts
     
    Last edited: Dec 1, 2019
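An added example, not from the thread or from any RMerlin/Xentrk script: a small POSIX sh check that reads the output of the two commands Martineau points at for verification, 'iptables --line -t filter -nvL FORWARD' and 'ipset list Valid_VPN_IP', and confirms the ALLOWED_thru_VPN exception sits above the BLOCKED_thru_VPN catch-all, reports the DROP rule's packet counter (non-zero means the restricted device tried to reach something outside the IPSET) and tests IPSET membership. Both inputs here are constructed samples so it runs offline; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `iptables --line -t filter -nvL FORWARD` (abridged)
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1234  567K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
3        5   300 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0/0            udp dpt:53
4       12  1500 ACCEPT     all  --  br0    tun1+   192.168.2.26         0.0.0.0/0            match-set Valid_VPN_IP dst /* ALLOWED_thru_VPN */
5        7   420 DROP       all  --  br0    tun1+   192.168.2.26         0.0.0.0/0            ! match-set Valid_VPN_IP dst /* BLOCKED_thru_VPN */'

# Constructed sample of `ipset list Valid_VPN_IP` (abridged)
SAMPLE_IPSET='Name: Valid_VPN_IP
Type: hash:net
Members:
104.27.127.97 comment "snbforums.com"
151.101.2.219 comment "speedtest.net"'

# Position where the posts insert new rules: one below the "state INVALID" DROP.
insert_pos() {
    printf '%s\n' "$1" | awk '/state INVALID/ { print $1 + 1; exit }'
}

# Rule number of the rule carrying a given comment tag (ALLOWED_thru_VPN / BLOCKED_thru_VPN).
rule_num() {
    printf '%s\n' "$1" | awk -v tag="$2" 'index($0, tag) { print $1; exit }'
}

# Packet counter of the rule carrying a given comment tag.
# A growing BLOCKED_thru_VPN counter is the signal that something on the
# restricted device is talking to a destination not in the IPSET.
rule_pkts() {
    printf '%s\n' "$1" | awk -v tag="$2" 'index($0, tag) { print $2; exit }'
}

# The ACCEPT exception must sit above the catch-all DROP; if the order is
# reversed the device reaches nothing at all through the tunnel.
rule_order_ok() {
    allow=$(rule_num "$1" ALLOWED_thru_VPN)
    block=$(rule_num "$1" BLOCKED_thru_VPN)
    [ -n "$allow" ] && [ -n "$block" ] && [ "$allow" -lt "$block" ]
}

# Is the given IPv4 address listed under "Members:" of the IPSET output?
ipset_has() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        'seen && $1 == ip { found = 1 } /^Members:/ { seen = 1 } END { exit !found }'
}

# Stand-alone run against the constructed samples
echo "next insert position: $(insert_pos "$SAMPLE_FORWARD")"
echo "dropped packets so far: $(rule_pkts "$SAMPLE_FORWARD" BLOCKED_thru_VPN)"
rule_order_ok "$SAMPLE_FORWARD" && echo "rule order OK" || echo "rule order WRONG"
ipset_has "$SAMPLE_IPSET" 104.27.127.97 && echo "104.27.127.97 is in the IPSET"
```

On the router, feed the functions live output instead, e.g. rule_order_ok "$(iptables --line -t filter -nvL FORWARD)".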
  11. Dee dee

    Dee dee Occasional Visitor

    Joined:
    Nov 11, 2019
    Messages:
    37
    Martineau,

    I was looking over your lines to write and noticed this line wasn't there. Was it omitted? And where do I put the IPs I want to allow?

    echo "ipset=/www.siteiwanttoallow.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add


    Also, I checked the website before where you posted the tutorial pics; it is still not available.

    Thanks for your time

     
  12. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,456
    Location:
    UK
    I'm sure @Xentrk is aware of his Blog site access issues, and will restore access ASAP.

    In the interim, this video How to setup Policy rules and KILL Switch is old but still quickly demonstrates how easy it is (only three clicks) to select a LAN device and route all of its traffic thru' the VPN tunnel.
    If you have correctly created the IPSET, when you access 'www.siteiwanttoallow.com' its IP address(es) will automatically be added to IPSET Valid_VPN_IP.

    However, if required, you can manually add them using
    Code:
    ipset add Valid_VPN_IP xxx.xxx.xxx.xxx
    
    ipset list Valid_VPN_IP
     
    Last edited: Nov 15, 2019
  13. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,521
    Location:
    The Land of Smiles
    Yikes. Thanks for the heads up. I will get on top of the issue right away.
     
    Last edited: Nov 15, 2019
  14. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,521
    Location:
    The Land of Smiles
    Site is online. The domain was expired. I set up a process to ensure it doesn't happen again.
     
    Last edited: Nov 16, 2019
  15. Dee dee

    Dee dee Occasional Visitor

    Joined:
    Nov 11, 2019
    Messages:
    37
    Martineau Thanks for the wealth of information, I modified the firewall-start to now always go through the VPN and wanted to do that myself as per the video you posted on youtube.

    So I modified the files thusly.

    Let me know if I messed up anything before i implement them.

    firewall-start file


    IPADDR=192.168.2.26
    iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
    iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
    iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
    iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN"
    iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
    iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT

    Init-start file

    modprobe -sv xt_comment.ko
    IPSET_NAME="Valid_VPN_IP"
    ipset create $IPSET_NAME hash:net comment 2>/dev/null
    for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment snbforums.com;done;
    for IP in $(nslookup "speedtest.net" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment speedtest.net;done;
    for IP in $(nslookup "whatismyipaddress.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment whatismyipaddress.com;done;

    then make them writable
     
  16. Dee dee

    Dee dee Occasional Visitor

    Joined:
    Nov 11, 2019
    Messages:
    37
    Martineau, these 2 rules didn't work, or did I do something wrong?

    I used WINSCP to edit the folders and files and I get the following:
     


  17. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,512
    Location:
    USA
    Do both scripts start with the necessary she-bang?
    Code:
    #!/bin/sh
    
     
  18. Dee dee

    Dee dee Occasional Visitor

    Joined:
    Nov 11, 2019
    Messages:
    37
    dave14305,

    Man, do I feel like a dunce. I omitted that line.

    I put that line back in and it ran just fine.

    I didn't mess anything up in his code by removing those VPN lines, did I?

    Also, I don't think this one ran, as the ipset doesn't show right when I run "ipset list VALID_VPN_IP". I get the following picture. What did I do wrong?





     


  19. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,512
    Location:
    USA
    I ran the init-start commands and it worked OK.
    Code:
    ipset list Valid_VPN_IP
    Name: Valid_VPN_IP
    Type: hash:net
    Revision: 6
    Header: family inet hashsize 1024 maxelem 65536 comment
    Size in memory: 1178
    References: 0
    Number of entries: 9
    Members:
    151.101.130.219 comment "speedtest.net"
    104.27.126.97 comment "snbforums.com"
    104.16.154.36 comment "whatismyipaddress.com"
    104.27.127.97 comment "snbforums.com"
    151.101.2.219 comment "speedtest.net"
    104.16.155.36 comment "whatismyipaddress.com"
    151.101.66.219 comment "speedtest.net"
    75.75.75.75 comment "snbforums.com"
    151.101.194.219 comment "speedtest.net"
    What is the output of
    Code:
    nslookup snbforums.com
    Maybe your router isn’t resolving the names correctly.
     
  20. Dee dee

    Dee dee Occasional Visitor

    Joined:
    Nov 11, 2019
    Messages:
    37
    Attached are my outputs; is anything named wrong?
     
