What's new

Need Help With Firewall Script

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

djtech2k

Senior Member
I have been using a firewall-start script for years but just upgraded and my script won't work. I was using a VERY old firmware, but now I am latest. I could use some help updating this, or I am open to a better option. My goal was to be able to block all subnets from certain countries and doing it in a way that will not be a perf hit.

Anyway, here is my script:

Code:
# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
    insmod $module
done

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR

# Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
if [ "$(ipset --swap BlockedCountries BlockedCountries 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N BlockedCountries nethash
    for country in pk cn ru lu my kr kp jp il ir cz mo hk br sa
    do
        [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/countries/$country.zone
        for IP in $(cat $IPSET_LISTS_DIR/$country.lst)
        do
            ipset -A BlockedCountries $IP
        done
    done
fi
[ -z "$(iptables-save | grep BlockedCountries)" ] && iptables -I INPUT -m set --set BlockedCountries src -j LOGDROP

And here is the error when I run it manually.

Code:
insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/ipset/ip_set.ko': File exists
insmod: can't insert 'ip_set_nethash.ko': No such file or directory
insmod: can't insert 'ip_set_iphash.ko': No such file or directory
insmod: can't insert 'ipt_set.ko': No such file or directory
--set option deprecated, please use --match-set
iptables v1.4.15: Set BlockedCountries doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
 
This is easy to do with skynet. use amtm to install it. Then blacklist the countries by their two letter country code (example: cn China, ru Russia). Skynet will automatically download and blacklist the IP blocks allocated to that country. It’s zero effort. Forget about doing it your old way. Skynet code is reliable and well maintained by Adamm
 
This is easy to do with skynet. use amtm to install it. Then blacklist the countries by their two letter country code (example: cn China, ru Russia). Skynet will automatically download and blacklist the IP blocks allocated to that country. It’s zero effort. Forget about doing it your old way. Skynet code is reliable and well maintained by Adamm
Second this! Skynet isn't something that runs all the time, it just automates setting up the iptables rules, so no performance hit above your custom solution. And while I'd recommend using amtm to install it (https://diversion.ch/amtm.html), you can install Skynet by itself (https://github.com/Adamm00/IPSet_ASUS). Amtm is preferred because it makes installing other scripts and such much simple.
 
I just installed it with AMTM. I enabled the default malware blocking list. I also added a list of countries to block. So far it looks great.

Any particular suggestions on configuring skynet? I just used the default malware list.
 
I just installed it with AMTM. I enabled the default malware blocking list. I also added a list of countries to block. So far it looks great.

Any particular suggestions on configuring skynet? I just used the default malware list.
Try the Skynet thread...:rolleyes::rolleyes::rolleyes:
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top