Skynet Ban outgoing only from specific subnet?

sbsnb

Very Senior Member
My mission is to block the entire IP space of China for my IOT guest network, which has its own IP subnet (I may experiment with blocking all SYN packets regardless of destination - not sure how to handle UDP data yet). I can do it with 7,000 lines of iptables commands, but seeing as how Skynet has some of this functionality already I didn't want to reinvent the wheel if I can use it for my purposes.

Is there a way in Skynet to specify that I want to block outgoing packets only that originate from a specific subnet?
 

Tech Junky

Very Senior Member
Make a group in iptables to make a chain from instead of 7k lines. Throw all of the CN subnets CIDRs into it and then it's a single line to deal with. You can add and remove from the group without reloading the rules and it processes faster to keep speeds up.
 

sbsnb

Very Senior Member
I'm afraid that's beyond my level of expertise with iptables.
 

Tech Junky

Very Senior Member
https://serverfault.com/a/996252 - this might work easier
https://docs.rackspace.com/support/how-to/block-ip-range-from-countries-with-geoip-and-iptables/ - similar
https://linoxide.com/block-ips-countries-geoip-addons/ - a little more in depth


# ipset create countryblock nethash
This is how you make a container for iptables and then just dump the CIDRs into it with the command
# ipset add countryblock 1.0.1.0/24
The one aside when creating the ipset list is to use the highest option for nethash to make sure you can fit all of the CIDRs into the same list.

https://wiki.archlinux.org/title/Ipset - goes a little more in depth on ipset commands

You can also make ipset groups for TCP / UDP filtering as well by port number. It might take some tinkering, but if you grab the CIDRs you want to block, converting them into commands is easiest by using notepad++ to do a find and replace to insert the command before the CIDR in bulk fashion. The perk though is you can add / remove IPs w/o messing with the rule in iptables or reordering them with -I / -A / -D and getting caught up in refreshing the view to make sure they're all in the right spot. For making the rules / adding the group, use -N to add it as an option in IPT before it can be used, but once it's there you're done. Then it's just adding the single line rule to block based on the container / list used for ipset.
 

sbsnb

Very Senior Member
OK. Seems simple enough. My only worry is that creating the group involves about 13,000 networks. Is this something the router can handle efficiently? How does Skynet do it?
 

Tech Junky

Very Senior Member
I don't know how Skynet does it, but you can condense the networks into higher level /'s by looking them up on https://bgp.he.net/ to find the /12, /8 or higher level. This reduces the lookups as only the first octet needs to hit a match vs the whole /24 IP. Since you seem to only want to block in one direction and on one subnet it shouldn't take up much resources on the router.
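The two steps Tech Junky describes above (bulk-converting a CIDR list into ipset commands, and condensing the list into larger prefixes so the router has fewer entries to check) can be done with one short script instead of a notepad++ find-and-replace and manual lookups on bgp.he.net. The example below is added here and is not code from the thread or from Skynet (Skynet itself is built on ipset, so it is the same mechanism). It assumes a placeholder IoT guest subnet of 192.168.52.0/24, the set name countryblock from the thread, the FORWARD chain (where routed LAN-to-WAN traffic is seen), and a maxelem of 131072; the CIDR list in it is constructed to show what aggregation removes.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): turn a raw CIDR list into an
`ipset restore` file plus the single iptables rule that blocks only
traffic *originating* from one subnet toward those networks."""
import ipaddress
import sys

SET_NAME = "countryblock"        # set name used in the thread
IOT_SUBNET = "192.168.52.0/24"   # ASSUMPTION: placeholder guest/IoT subnet
MAXELEM = 131072                 # room for ~13k entries; ipset's default is 65536

# Constructed sample list: includes a duplicate, an adjacent pair and a
# block already covered by a larger one, to show what aggregation removes.
SAMPLE_CIDRS = """
# comment lines and blanks are tolerated
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.32.0/19
1.1.0.0/24
1.1.1.0/24
1.0.1.0/24
1.0.1.128/25
""".splitlines()


def parse_cidrs(lines):
    """Parse IPv4 CIDR strings, skipping blanks, comments and non-IPv4 entries."""
    nets = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        if net.version == 4:
            nets.append(net)
    return nets


def aggregate(nets):
    """Collapse duplicates, covered blocks and adjacent siblings into the
    smallest equivalent list (the manual /12, /8 lookup, done automatically)."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ipset_restore_lines(cidrs, set_name=SET_NAME, maxelem=MAXELEM):
    """Lines for `ipset restore`: one create, then one add per CIDR.
    hash:net is the current name of the nethash type mentioned in the thread;
    restore loads thousands of entries in one kernel call, unlike `ipset add`."""
    lines = [f"create {set_name} hash:net family inet maxelem {maxelem}"]
    lines.extend(f"add {set_name} {c}" for c in cidrs)
    return lines


def iptables_rules(subnet=IOT_SUBNET, set_name=SET_NAME):
    """Rules matching only packets whose *source* is the IoT subnet,
    so the rest of the LAN is untouched."""
    return [
        # outbound-only block toward the country set (the thread's single line)
        f"iptables -I FORWARD -s {subnet} -m set --match-set {set_name} dst -j DROP",
        # stricter variant also discussed: no new outbound flows at all.
        # conntrack NEW covers the TCP SYN and the first packet of a UDP flow,
        # so it also stops DNS/NTP unless exceptions are inserted above it.
        f"iptables -I FORWARD -s {subnet} -m conntrack --ctstate NEW -j DROP",
    ]


def main(argv):
    src = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_CIDRS
    nets = parse_cidrs(src)
    cidrs = aggregate(nets)
    print(f"# {len(nets)} input networks -> {len(cidrs)} after aggregation",
          file=sys.stderr)
    print("\n".join(ipset_restore_lines(cidrs)))
    print()
    print("\n".join(iptables_rules()))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 script.py cn.txt > countryblock.ipset` and load with `ipset restore < countryblock.ipset` (or `ipset -exist restore` to reload an existing set without errors); the printed iptables line is then the only firewall rule needed, and the set can be edited later without touching it. Fewer entries and fewer distinct prefix lengths in a hash:net set mean fewer hash lookups per packet, which is the gain behind condensing the list.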
 

sbsnb

Very Senior Member
I think I might experiment with blocking all outgoing TCP connections first. I can't think of any reason I want an IOT device initiating a connection with anything.
 
