no, jffs partition is on router side...
Mine returns 24 entries in the Whitelist. I was adding whitelist entries earlier today as the script is causing issues with yahoo.com and mg.mail.yahoo.com. I'm still having issues and have temporarily disabled the script. I'll pick it back up in the next day or two. I am using the domains in the Blacklist file to block Microsoft telemetry and want to get that one working again ASAP.
 
I would really like to know why the whitelist is not working for me. For example, I insert the IP 12.12.12.12 into whitelist-domains.txt but it still shows zero entries. Is this correct?
Code:
####Whitelist-Domains##########
12.12.12.12
Code:
May 21 15:29:02 Firewall: iblocklist-loader.sh: Added WhitelistDomains (0 entries)

EDIT: I ran iptables -S and there are no DROP rules from iblocklist-loader?
Code:
admin@RT-AC3200-7180:/tmp/home/root# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FUPNP
-N NSFW
-N PControls
-N SECURITY
-N SECURITY_PROTECT
-N logaccept
-N logdrop
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j SECURITY_PROTECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j DROP
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
 
I would really like to know why the whitelist is not working for me. For example, I insert the IP 12.12.12.12 into whitelist-domains.txt but it still shows zero entries. Is this correct?
You are using the wrong format for the whitelist. The entries need to be a URL, e.g. yahoo.com, and not an IP address.
Go to @redhat27 GitHub site where the code is.
https://github.com/shounak-de/iblocklist-loader. You can see the whitelist-domains.txt file on the site.

Download the file whitelist-domains.txt to /jffs/ipset_lists folder. Add your own whitelist entries and try again. You can use the command below to download the whitelist-domains.txt file:

Code:
wget https://raw.githubusercontent.com/shounak-de/iblocklist-loader/master/whitelist-domains.txt -O /jffs/ipset_lists/whitelist-domains.txt
 
Code:
admin@RT-AC88U:/jffs/scripts# nslookup mg.mail.yahoo.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      mg.mail.yahoo.com
Address 1: 2001:4998:28:800::4001 e2.ycpi.vip.laa.yahoo.com
Address 2: 209.73.190.11 e1.ycpi.vip.laa.yahoo.com
Address 3: 209.73.190.12 e2.ycpi.vip.laa.yahoo.com
If nslookup provides that IP (209.73.190.12) for you, and mg.mail.yahoo.com is in your whitelist-domains.txt file, it should be in the WhitelistDomains ipset after you run iblocklist-loader script.
Can you post:
Code:
nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"

And is the source of the following CIDR iblocklist-loader or ya-malware-filter?
Code:
190.12 found in BluetackSpiderCIDR
Thanks!
I did not understand this: 192.12 is not a full IP address. Can you post the command that produced that output?
 
I did not understand this: 192.12 is not a full IP address. Can you post the command that produced that output?
Sorry, copy and paste issue. It is 209.73.190.12. I also noticed in The nslookup to also resolve to 209.73.190.11. I will pick things back up tomorrow.
 
@Xentrk Might I also add that if Bluetack Spider is creating issues for you, you can opt to remove it from your active blocklists (remove "13" from BLOCKLIST_INDEXES).
 
You are using the wrong format for the whitelist. The entries need to be a URL, e.g. yahoo.com, and not an IP address.
Hmm, still not working... I have banned the country Ukraine, but I need access to one domain which is located in Ukraine... I inserted that domain and it is still blocking my access...
 
yahoo.com and yahoo mail are working now. The solution is to whitelist all of the yahoo.com entries returned by the nslookup command below:
Code:
admin@RT-AC88U:/jffs/scripts# nslookup mg.mail.yahoo.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      mg.mail.yahoo.com
Address 1: 2406:2000:a4:800::32 e2.ycpi.vip.jpa.yahoo.com
Address 2: 119.161.9.49 e5-ha.ycpi.hkb.yahoo.com
Address 3: 119.161.9.149 e4-ha.ycpi.hkb.yahoo.com
Address 4: 119.161.8.149 e6-ha.ycpi.hkb.yahoo.com
Address 5: 119.161.9.99 e3-ha.ycpi.hkb.yahoo.com
Address 6: 119.161.8.99 e1-ha.ycpi.hkb.yahoo.com
Address 7: 119.161.8.199 e2-ha.ycpi.hkb.yahoo.com

Here are the entries to add to whitelist-domains.txt file to get yahoo.com and yahoo mail to play nice in the sand box:
Code:
yahoo.com # blocked by BluetackSpiderCIDR
mg.mail.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.jpa.yahoo.com # blocked by BluetackSpiderCIDR
e5-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e4-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e6-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e3-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e1-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e2-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
 
Another question..
When I rerun iblocklist-loader.sh, I get the output below:
Code:
admin@RT-AC88U:/jffs/scripts# ./iblocklist-loader.sh
iblocklist-loader.sh: Skipped loading BluetackSpider blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
iblocklist-loader.sh: Skipped loading BluetackDshield blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
iblocklist-loader.sh: Skipped loading BluetackWebexploit blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
iblocklist-loader.sh: Skipped loading BluetackProxy blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N
nslookup: can't resolve 'compatexchange.cloudapp.net'
iblocklist-loader.sh: Added BlacklistDomains (72 entries)
iblocklist-loader.sh: Added WhitelistDomains (31 entries)

Is there an option I need to specify for the "To force reloading, set USE_LOCAL_CACHE=N" message?

Thank you!
 
Is there an option I need to specify for the To force reloading, set USE_LOCAL_CACHE=N message?
If you want the iblocklist-loader to download the data from the iblocklist.com website on each run, you'd need to set USE_LOCAL_CACHE to N. You will not get those messages anymore. However, the script will take longer to run due to the downloading and processing each time.

Also, I think you may have a bad entry 'compatexchange.cloudapp.net' in your whitelist-domains.txt or blacklist-domains.txt. I tried running hostip on it, and it could not find an IP for that domain.
 
Also, I think you may have a bad entry 'compatexchange.cloudapp.net' in your whitelist-domains.txt or blacklist-domains.txt. I tried running hostip on it, and it could not find an IP for that domain.
I see 'compatexchange.cloudapp.net' in the blacklist-domains.txt file. I had downloaded it from your GitHub site. I believe early last week. I see it is still there.
https://github.com/shounak-de/iblocklist-loader/blob/master/blacklist-domains.txt
I can remove it from the file. THANKS!!
 
Here are the entries to add to whitelist-domains.txt file to get yahoo.com and yahoo mail to play nice in the sand box:
The iblocklist-loader should have created all these IPs for you... You do not need to whitelist them individually. Can you post:
Code:
nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
The IPs from the above command should get added to the WhitelistDomains ipset without adding the individual entries.
 
I did not see your post until after I did some more testing with the other two routers. I added some more entries as a result:
Code:
yahoo.com # blocked by BluetackSpiderCIDR
mg.mail.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.jpa.yahoo.com # blocked by BluetackSpiderCIDR
e5-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e4-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e6-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e3-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e1-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e2-ha.ycpi.hkb.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.nya.yahoo.com # blocked by BluetackSpiderCIDR
e1.ycpi.vip.nya.yahoo.com # blocked by BluetackSpiderCIDR
e1.ycpi.vip.dca.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.dca.yahoo.com # blocked by BluetackSpiderCIDR
e1.ycpi.vip.laa.yahoo.com # blocked by BluetackSpiderCIDR
e2.ycpi.vip.laa.yahoo.com # blocked by BluetackSpiderCIDR
fd-geoycpi-uno.gycpi.b.yahoodns.net # blocked by BluetackSpiderCIDR
ir1.fp.vip.gq1.yahoo.com #blocked by BluetackSpiderCIDR

When I replied earlier, I was at the school where I do some volunteer work. When I got home, I tested the same entries I made at the school with the router with vpn all traffic and the one with policy rules. I ended up getting different nslookup results for mg.mail.yahoo.com on each one. yahoo.com results are the same for all three routers. If mg.mail.yahoo.com ends up being a moving target, I will remove list 13 from the iblocker script.

Router with VPN All Traffic
Code:
nslookup yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
98.139.183.24
206.190.36.45
98.138.253.109

nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
209.73.190.11
209.73.190.12

Router with policy rules
Code:
nslookup yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
98.139.183.24
98.138.253.109
206.190.36.45

nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
68.180.134.8
68.180.134.7

School router
Code:
 nslookup yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
206.190.36.45
98.139.183.24
98.138.253.109

nslookup mg.mail.yahoo.com | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
119.161.8.149
119.161.8.99
119.161.8.199
119.161.9.49
 
I ended up getting different nslookup results for mg.mail.yahoo.com on each one.
Would the correct IPs for each location be added to the WhitelistDomains ipset? I mean if you just whitelist:
yahoo.com
mail.yahoo.com
mg.mail.yahoo.com
would that not be enough? Even if mg.mail.yahoo.com resolves to different IPs in different locations, it would still whitelist the IPs it resolves to at each location and for the traffic each location handles.
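As an added worked example (not code from the iblocklist-loader project or from anyone in this thread), here is the whitelist-domains.txt flow described above in a runnable shell script: hostnames are read from the file (comments stripped), each one is resolved, and the IPv4 answers become the members of the WhitelistDomains ipset. nslookup is replaced by a constructed lookup table with made-up answers so the script runs offline; the `ipset restore` lines assume ipset 6 syntax and that the set was created with `ipset create WhitelistDomains hash:ip`, and the count line only mirrors the "Added WhitelistDomains (N entries)" message quoted earlier. The address-extraction pipeline is the one posted in the thread.

```shell
#!/bin/sh
# Added example, not code from iblocklist-loader: shows how whitelist-domains.txt
# entries (hostnames, not IPs) end up as IPv4 members of the WhitelistDomains
# ipset. nslookup is simulated with constructed data so this runs offline.

# Constructed whitelist-domains.txt content (one hostname per line, '#' starts a comment).
WHITELIST_TXT='####Whitelist-Domains##########
yahoo.com # blocked by BluetackSpiderCIDR
mg.mail.yahoo.com # blocked by BluetackSpiderCIDR
compatexchange.cloudapp.net # does not resolve
'

# Hostnames from the file: strip comments, trailing blanks and empty lines.
whitelist_hosts() {
    printf '%s\n' "$WHITELIST_TXT" | sed 's/#.*//; s/[[:space:]]*$//; /^$/d'
}

# Stand-in for `nslookup "$1"` with busybox-style output (answers are made up).
fake_nslookup() {
    case $1 in
    yahoo.com) cat <<'EOF'
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      yahoo.com
Address 1: 98.139.183.24 ir1.fp.vip.gq1.yahoo.com
Address 2: 206.190.36.45 ir2.fp.vip.ne1.yahoo.com
EOF
    ;;
    mg.mail.yahoo.com) cat <<'EOF'
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      mg.mail.yahoo.com
Address 1: 2001:4998:28:800::4001 e2.ycpi.vip.laa.yahoo.com
Address 2: 209.73.190.11 e1.ycpi.vip.laa.yahoo.com
Address 3: 209.73.190.12 e2.ycpi.vip.laa.yahoo.com
EOF
    ;;
    *)  printf 'Server:    127.0.0.1\nAddress 1: 127.0.0.1 localhost.localdomain\n\n'
        printf "nslookup: can't resolve '%s'\n" "$1"
        return 1 ;;
    esac
}

# The pipeline posted in the thread: skip the resolver header (everything before
# the first blank line), keep the address field of "Address N:" lines, drop IPv6.
ipv4_addrs() {
    sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"
}

# IPv4 addresses for one hostname, one per line; nothing if it does not resolve.
resolve_ipv4() {
    fake_nslookup "$1" | ipv4_addrs
}

# `ipset restore` input for the set (assumes ipset 6 syntax and that
# `ipset create WhitelistDomains hash:ip` already ran). Hosts that resolve
# to the same address produce the line only once.
build_whitelist_set() {
    whitelist_hosts | while read -r host; do
        resolve_ipv4 "$host" | sed 's/^/add WhitelistDomains /'
    done | awk '!seen[$0]++'
}

# The number reported as "Added WhitelistDomains (N entries)".
whitelist_count() {
    build_whitelist_set | wc -l | tr -d ' '
}

# Stand-alone demo
build_whitelist_set
echo "Added WhitelistDomains ($(whitelist_count) entries)"
```

Run as-is it emits four `add WhitelistDomains` lines (two per yahoo host) and nothing for the unresolvable entry, which is exactly why an IP-only line or a dead hostname contributes zero entries: there is no A record to add.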
 
Hi, been making the transition from PeerBlock to this script for systemic protection. It is very good for what it does but also cumbersome to manage. Some random comments:

MatchIP is of limited use to find partial IP or CIDR matching.

WhitelistDomains really needs to support CIDR. It is too functionally limited to solve cloud access problems, e.g. Amazon EC2/AWS and Azure. Currently I have to manually add missing CIDRs to the WhitelistDomain table via ipset commands at the end of the script. Not elegant.

All of the Bluetack lists have not been updated for almost a decade. Do not load them as they contain many valid current IPs. The bogon, IANA's, nonLAN and Proxies lists will also specifically kill your local LAN. Likewise, do not load the bogon from CIDR. Furthermore, the SpyEye and Palevo from abuse have been discontinued.

I do not know how responsive i-Blocklist is to fixing the missing Amazon CIDR's, adding Microsoft to the Organization category as well as adding the two new lists from abuse.

Support for premium subscribers should be built in. It was very annoying having to edit every single URL to add the information and re-line up all the columns because nano kept screwing it all up until I wised up. I finally gave up and used EditPad Lite instead.

I don't like how long it takes to extract from the gzip lists on each reboot, leaving the LAN completely exposed as the router becomes available while the script is still processing. Can't the script halt further execution until it is completely done loading?

I've yet to find anything that logs and displays the disallowed connections in a manner similar to PeerBlock so that the IP and port can be readily and easily identified. There is no log being saved in /var as far as I can tell. Can that information be sent to the syslog so the web administration can be used?

Also, I don't like the allow lists being processed before the disallow lists. What if zombie computers are using AWS or Azure? There should be fall-through after disallow down to allow. So right now the allow lists are a huge security risk used in combination with the disallow lists.
 
@joesixpack Some of your concerns are valid. This script specifically caters to loading lists from the iblocklist.com site, with some limited customizations. For general overall security, I would recommend you to try out the ya-malware-block script that blocks a wide variety of malware sources. Please give post #1 a good read. It is quite fast and does not leave your LAN exposed while it is running (for that matter neither does this one). Let me know if that script would work for you. For myself, I've enabled Level4 on my router, but note it is disabled by default (Levels 1 to 3 enabled).

WhitelistDomains really needs to support CIDR. It is too functionally limited to solve cloud access problems, e.g. Amazon EC2/AWS and Azure. Currently I have to manually add missing CIDR's to the WhitelistDomain table via ipset commands at the end of the script. Not elegant.
If you plan to keep using this, I could have a WhitelistCIDR set created if (lets say) a /jffs/ipset_lists/whitelist-cidr.txt exists with CIDR entries. LMK if that would work.

Support for premium subscribers should be built in
AFAIK, premium users need to supply their username and pin to the url, you can just append your premium lists URL to the end of the given lists and reference them from the BLOCKLIST_INDEXES= line.

I don't like how long it takes to extract from the gzip lists on each reboot, leaving the LAN completely exposed as the router becomes available while the script is still processing. Can't the script halt further execution until it is completely done loading?
Care to explain what you mean? Did not understand.

I've yet to find anything that logs and displays the disallowed connections in a manner similar to PeerBlock so that the IP and port can be readily and easily identified? There is no log being saved
The target for a match is either DROP/REJECT (choice) or ACCEPT. I've not opted to use logdrop or logaccept as I do not like too much chatter in the syslog. If you have firewall logging enabled, just change this line, for example to "logdrop" instead of "DROP"

Also, I don't like the allow lists being processed before the disallow lists
Okay, I see your point there. I can make the processing order like this:
Code:
WHITELIST_DOMAINS_FILE
BLACKLIST_DOMAINS_FILE
BLOCKLIST_INDEXES
ALLOWLIST_INDEXES

or, possibly

WHITELIST_DOMAINS_FILE
WHITELIST_CIDR_FILE (not yet there)
BLACKLIST_DOMAINS_FILE
BLACKLIST_CIDR_FILE (not yet there)
BLOCKLIST_INDEXES
ALLOWLIST_INDEXES
Edit: Oh, welcome to the snbforums, BTW :)
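The ordering point in the two posts above and the DROP versus logdrop choice can be seen with a small model. This is an added example, not code from iblocklist-loader or from either poster: it walks an ordered list of "-m set --match-set" rules the way an iptables chain does (first match wins) and prints the resulting verdict for a few addresses, then emits the iptables commands for the same order. The set names are the ones used in the thread, but their contents, the WhitelistCIDR set and the cloud range in it are constructed for the example and are not real blocklist data; the `-m set --match-set NAME src` match is standard iptables syntax, and `logdrop` is the firmware chain visible in the iptables -S output earlier in the thread.

```shell
#!/bin/sh
# Added example, not part of iblocklist-loader: models an iptables chain walking
# ipset match rules in order (first match wins) to show why allow-before-block
# and block-before-allow give different results, and where DROP/logdrop goes.
# Set contents are constructed for this example, not real blocklist data.

# dotted quad -> 32-bit integer
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains NET/BITS IP   (a bare IP is treated as /32); exit 0 if inside
cidr_contains() {
    case $1 in
    */*) net=${1%/*}; bits=${1#*/} ;;
    *)   net=$1; bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# Constructed ipset contents, space separated.
SET_WhitelistDomains="98.139.183.24 209.73.190.12"    # from resolving the yahoo hosts
SET_WhitelistCIDR="52.94.0.0/16"                      # a cloud range you need to reach
SET_BluetackSpiderCIDR="209.73.190.0/24 52.94.10.0/24"
SET_BlacklistDomains="52.94.10.5"                     # a bad host inside that cloud range

# set_has SETNAME IP -> exit 0 if any member covers IP
set_has() {
    eval "members=\$SET_$1"
    for m in $members; do
        if cidr_contains "$m" "$2"; then return 0; fi
    done
    return 1
}

# verdict IP SET:TARGET...  walks the rules in order like an iptables chain and
# prints the target of the first matching set, or "continue" if none matched.
verdict() {
    ip=$1; shift
    for rule in "$@"; do
        if set_has "${rule%%:*}" "$ip"; then echo "${rule#*:}"; return 0; fi
    done
    echo continue
}

# emit_rules CHAIN SET:TARGET...  the iptables commands for the same order.
# logdrop as the block target logs each new connection with a "DROP " prefix
# (the logdrop chain in the iptables -S output) before dropping it.
emit_rules() {
    chain=$1; shift
    for rule in "$@"; do
        echo "iptables -A $chain -m set --match-set ${rule%%:*} src -j ${rule#*:}"
    done
}

ALLOW_FIRST="WhitelistDomains:ACCEPT WhitelistCIDR:ACCEPT BluetackSpiderCIDR:DROP BlacklistDomains:DROP"
BLOCK_FIRST="BluetackSpiderCIDR:logdrop BlacklistDomains:logdrop WhitelistDomains:ACCEPT WhitelistCIDR:ACCEPT"

# Stand-alone demo
for ip in 209.73.190.12 52.94.10.5 8.8.8.8; do
    printf '%-14s allow-first: %-8s block-first: %s\n' \
        "$ip" "$(verdict "$ip" $ALLOW_FIRST)" "$(verdict "$ip" $BLOCK_FIRST)"
done
emit_rules FORWARD $BLOCK_FIRST
```

The two orders trade one risk for another: with allow sets first, 52.94.10.5 (on the blacklist but inside the whitelisted cloud range) is accepted, which is the zombie-in-AWS case raised above; with block sets first it is dropped, but so is 209.73.190.12, the whitelisted yahoo address that also sits inside a Bluetack CIDR, which is the breakage the earlier yahoo posts were about. Whichever order is chosen, switching the block target to logdrop is what produces the syslog trail asked for.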
 