
Hi redhat. Thanks for the script! Is there a way to change the location of where the .gz zips are located? They're currently sitting in /jffs/ipset_lists and I'd like to move it to a USB location if possible. Thanks.
 
I do not know if I am a derp and missed it going through this thread or what. But I have a few questions.

1) Does this only block NEW (unsolicited) connections? Allowing ones that are RELATED,ESTABLISHED?
2) Is there an easy way to only allow 1-2 countries without having to make a huge line of all the ones you want to block?
EX: Leave BLOCKLIST_INDEXES empty and put the 1-2 country numbers in ALLOWLIST_INDEXES.
3) It looks like the country lists block to and from. Is there a way to make it only from?

Basically I want to:
- DROP all NEW (unsolicited) traffic from anywhere but the US.
- ACCEPT all RELATED,ESTABLISHED traffic. So if I actually go to a server in another country everything works fine.
 
I am going to have to hold off on using this now that I have done some testing. Nothing wrong with the script, it's the blacklists.

Only enabled lists 2 and 11. Found out that Twitch video was blocked (chat loaded OK), Steam would not connect, and FFXIV would not update. While making a whitelist for Twitch probably would not be that big of a deal, and there is a list for Steam, the list for Square Enix (FFXIV) is missing an entire range of IPs needed to whitelist. Because of this I have serious doubts about ALL of their lists. It makes it seem like I will have to take hordes of time making a custom whitelist to make sure everything works.
 
@unsynaps Regarding your last two posts, I'm going to implement a whitelist CIDR (for local/private IPs that are sometimes included in the ipset data) and a blacklist CIDR, as that was requested (see here and the prior post)

I'll try to have the changes completed by today
 
Oh cool. Well, that solves that extra block of IPs for Square Enix that iBlocklist didn't pick up.

Found the block googling for like 2 seconds. lol

Gives me time to read more about iptables and ipset. Never messed with iptables outside FILTER and NAT.
Diving into the other tables also led me to why WoL from the internet was not working even though I forwarded UDP 9 to the broadcast address.
 
Okay people, a new version of iblocklist-loader is up (1.2)
The changes are in the extended version only.

It now allows you to specify a whitelist and a blacklist CIDR file where you can add manual entries. This feature has been requested a few times. In addition, if you do not have a whitelist CIDR file, one will be created that whitelists internal IPs that are unroutable over the internet. This will alleviate the pain a lot of folks have experienced with bogon and other lists.

I am planning to get rid of the original version and only keep the extended version. Does anyone object to that? As @Xentrk pointed out, keeping both iblocklist-loader.sh (original script) and iblocklist-loader-v2.sh (extended version) may be confusing to many.
 
I am planning to get rid of the original version and only keep the extended version. Does anyone object to that? As @Xentrk pointed out, keeping both iblocklist-loader.sh (original script) and iblocklist-loader-v2.sh (extended version) may be confusing to many.
No objections with me. I vote for only keeping the extended version.
 
Okay people, a new version of iblocklist-loader is up (1.2)
The changes are in the extended version only.

It now allows you to specify a whitelist and a blacklist CIDR file where you can add manual entries. This feature has been requested a few times. In addition, if you do not have a whitelist CIDR file, one will be created that whitelists internal IPs that are unroutable over the internet. This will alleviate the pain a lot of folks have experienced with bogon and other lists.

I am planning to get rid of the original version and only keep the extended version. Does anyone object to that? As @Xentrk pointed out, keeping both iblocklist-loader.sh (original script) and iblocklist-loader-v2.sh (extended version) may be confusing to many.
Is version 2 of the script the extended one? I've been using 1.1 until now, it runs fast...
 
Had a new issue starting last night. In the MS Edge Browser, when you open up a tab, icons from recent sites display on top. Below this are news stories. I sometimes click on one of these stories. They go to msn.com English usa site. But the pages were not loading. If I copied the url into Firefox, I had the same result. Yet, I could go directly to msn.com and click on stories and they would load with no issue. I rebooted without running my usual scripts. I ran them manually until I confirmed it was iblocklist-loader.sh.

I do use the blacklist-domains.txt to block MS Telemetry, etc.

I used AB-Solution's follow-the-log-file option to capture the domain names that were spun up when browsing the site after I had started the router fresh without running any scripts. I then got all names with msn in them. The second domain name I whitelisted made it work again.

The fix was to whitelist: img-s-msn-com.akamaized.net

I am not sure why this happened. I have another using the same script that did not give me this issue.
 
Also, here is another url in the blacklist-domains.txt that reports as invalid:
Code:
nslookup: can't resolve 'public-family.api.account.microsoft.com'

Don't know if I'd mentioned it, but I removed that entry a while ago.
 
Is version 2 of the script the extended one? I've been using 1.1 until now, it runs fast...

Yes this is the extended script, and this is the original one. A bit confusing to keep both around. I'll get rid of the original one soon and just keep the extended one. The one thing that is stopping me is the thought that all the places I'd need to update the references (wiki, posts, etc) :eek:
 
@redhat27
Thanks, you have written a nice utility, MatchIP.

But the requirements to install Entware (to have a USB drive with ext3 available) and then opkg install coreutils-paste are kind of too much hassle.

You can just replace your "| paste -s" with "| tr '\n' ' ' " and that's it. MatchIP will work without that extra thingy.
 
Good change! The joys of community contribution :)
Please feel free to update the wiki.

If you want to pass on that, I'll update it when I get a chance.
 
@redhat27

One more thing. I'm playing with blocklist-loader-v2.sh. And the country list [src,dst] traffic modifiers seem kind of reversed, or I did not get it.

I tested on United-Kingdom. I put UK in BLOCKLIST_INDEXES. If I set the traffic field to [src] only, then I cannot update my Ubuntu (address in UK). Also I cannot access UK websites. BUT when I change it to [dst] in that index line, then I can access UK no problem.

Maybe it's too late and I did not think clearly... Idk.

Edit: I just tested blocking US as a country. Well, no matter what traffic flag I choose, [src] or [dst], I cannot connect to my VPSes (multiple US addresses), cannot hit sites like CNN.com, cannot hit this SNB forum... I just don't understand why... I see a US match-set record in iptables raw with either [src] or [dst] but cannot connect either way.

PS: Well, I just tried the ya-malware-block script instead and I think I'm going to stick with it. Though, just out of curiosity, why is [src|dst] kind of flaky in match-sets...
 
src is where the traffic originates. dst is the target for the traffic. Blocking the [src] is mostly all that is needed, specifically if the idea is to block incoming traffic from outside (potentially dangerous/mal-intentioned sites on the internet).
You'd typically use [dst] to prevent your LAN machines from "dialing out" to unwanted destinations. An example is when you use Microsoft Windows and want to stop your machines from sending identifying or other data to M$ telemetry servers.
 
Also, ya-malware-block and iblocklist-loader do not conflict with each other. I use both. They have different purposes, although there may be some overlap with some of the lists. If an IP is blocked on both lists from the two scripts, there is no harm: The iptables filter that blocks it first wins, the other rule will not be enacted.
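The following is an added example, not iblocklist-loader's own code, written to tie together the earlier question about dropping only NEW (unsolicited) connections from outside the US while still accepting RELATED,ESTABLISHED replies, and the [src]/[dst] explanation in the post above. It generates the ipset and iptables commands for one dedicated filter chain so the effect of a [src] match, a [dst] match, the conntrack state match and the whitelist ordering (first matching rule wins, as described above) can be read off directly. The WAN interface name, the chain name and the set names (ibl_whitelist, ibl_US, ibl_telemetry) are assumptions; the country and telemetry sets are assumed to have been loaded already.

```shell
#!/bin/sh
# Added example, not iblocklist-loader's own code. It generates the ipset and
# iptables commands for one dedicated filter chain so that the effect of a
# [src] match, a [dst] match, the conntrack state match and whitelist ordering
# can be read off directly. By default it only prints the commands; run it
# with IBL_APPLY=1 on a router that has iptables and ipset (v6 syntax) to apply.
# Assumed names: WAN_IF, chain ibl_filter, sets ibl_whitelist, ibl_US, ibl_telemetry.

WAN_IF="${WAN_IF:-eth0}"   # assumption: WAN interface on this router
CHAIN="ibl_filter"
WL_SET="ibl_whitelist"
CC_SET="ibl_US"            # assumption: already loaded from the US country list
TEL_SET="ibl_telemetry"    # assumption: already loaded from a telemetry blocklist

# Private and otherwise unroutable ranges that some bogon-type lists contain.
# They must never be dropped, or LAN-to-router traffic breaks.
default_whitelist_cidrs() {
    cat <<'EOF'
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8
169.254.0.0/16
EOF
}

# Commands that (re)create a hash:net set and fill it from CIDRs read on stdin.
# Blank lines and '#' comments are skipped, so a hand-edited CIDR file works.
emit_set_from_cidrs() {
    echo "ipset create $1 hash:net -exist"
    while IFS= read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        echo "ipset add $1 $cidr -exist"
    done
}

# Rules are appended (-A) to one chain, so they apply in the order written:
# the first rule that matches a packet wins and the rest are never evaluated.
# RETURN (not ACCEPT) hands non-blocked packets back to the firmware's own
# firewall rules instead of bypassing them.
emit_filter_chain() {
    echo "iptables -N $CHAIN 2>/dev/null; iptables -F $CHAIN"
    # 1. Whitelist, matched as src and as dst, sits above every DROP.
    for dir in src dst; do
        echo "iptables -A $CHAIN -m set --match-set $WL_SET $dir -j RETURN"
    done
    # 2. Replies to connections the LAN opened are never judged by a blocklist,
    #    so a [src] country block does not break sites you visit in that country.
    echo "iptables -A $CHAIN -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    # 3. [src]: drop unsolicited (NEW) connections that originate in the country set.
    echo "iptables -A $CHAIN -m conntrack --ctstate NEW -m set --match-set $CC_SET src -j DROP"
    # 4. [dst]: drop LAN hosts dialling out to an address in the telemetry set.
    echo "iptables -A $CHAIN -m set --match-set $TEL_SET dst -j DROP"
    # Jump into the chain for packets arriving on the WAN and for routed packets
    # (delete any previous jump first so re-running does not stack duplicates).
    echo "iptables -D INPUT -i $WAN_IF -j $CHAIN 2>/dev/null; iptables -I INPUT -i $WAN_IF -j $CHAIN"
    echo "iptables -D FORWARD -j $CHAIN 2>/dev/null; iptables -I FORWARD -j $CHAIN"
}

# Self-check helper: number of DROP rules the chain will contain.
count_drop_rules() {
    emit_filter_chain | grep -c -- '-j DROP'
}

if [ "${IBL_APPLY:-0}" = 1 ]; then
    { default_whitelist_cidrs | emit_set_from_cidrs "$WL_SET"; emit_filter_chain; } | sh
else
    default_whitelist_cidrs | emit_set_from_cidrs "$WL_SET"
    emit_filter_chain
fi
```

For the "allow only the US" variant asked about earlier, rule 3 is the same line with the set match negated (`-m set ! --match-set ibl_US src`), so NEW inbound connections whose source is not in the US set are dropped while replies still pass through rule 2. One caveat for anyone comparing this with the loader's own rules: the post above about the US test mentions seeing the match-set in the raw table. Raw PREROUTING runs before connection tracking, so a [src] DROP placed there also hits the reply packets of connections the LAN itself opened to that country, which matches the symptoms reported; the state exemption in rule 2 only works in a table that runs after conntrack, such as filter.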
 
src is where the traffic originates. dst is the target for the traffic. Blocking the [src] is mostly all that is needed, specifically if the idea is to block incoming traffic from outside (potentially dangerous/mal-intentioned sites on the internet).
You'd typically use [dst] to prevent your LAN machines from "dialing out" to unwanted destinations. An example is when you use Microsoft Windows and want to stop your machines from sending identifying or other data to M$ telemetry servers.
Hi,

Even though I have only src activated, it seems that some sites cannot be accessed until they are added to the whitelist.
Am I doing something wrong?
Thanks!
 
Hi,

Even though I have only src activated, it seems that some sites cannot be accessed until they are added to the whitelist.
Am I doing something wrong?
Thanks!
Enable both [src,dst] on sites you'd want to access in your whitelist.
Can you give me an example of a site you want to access that is blocked? Perhaps an activated list is legitimately blocking it?
 
Enable both [src,dst] on sites you'd want to access in your whitelist.
Can you give me an example of a site you want to access that is blocked? Perhaps an activated list is legitimately blocking it?

Thanks. For instance, dropbox.com.
I have activated the lists below:
Code:
 BLOCKLIST_INDEXES="6 9 10 11 14 15 16 17 25 27 28 31 34"
The lists are defined like this:
Code:
List006="rangetest        Bluetack     http://list.iblocklist.com/?list=plkehquoahljmyxjixpu  src"
So the question is why browsing to Dropbox is not working. It works only after adding it to the whitelist.

Thank you!
 
