Need Help With Firewall Script


djtech2k

Regular Contributor
I have been using a firewall-start script for years but just upgraded and my script won't work. I was using a VERY old firmware, but now I am on the latest. I could use some help updating this, or I am open to a better option. My goal was to be able to block all subnets from certain countries and do it in a way that will not be a perf hit.

Anyway, here is my script:

Code:
# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
    insmod $module
done

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR

# Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
if [ "$(ipset --swap BlockedCountries BlockedCountries 2>&1 | grep 'Unknown set')" != "" ]
then
    ipset -N BlockedCountries nethash
    for country in pk cn ru lu my kr kp jp il ir cz mo hk br sa
    do
        [ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/countries/$country.zone
        for IP in $(cat $IPSET_LISTS_DIR/$country.lst)
        do
            ipset -A BlockedCountries $IP
        done
    done
fi
[ -z "$(iptables-save | grep BlockedCountries)" ] && iptables -I INPUT -m set --set BlockedCountries src -j LOGDROP

And here is the error when I run it manually.

Code:
insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/ipset/ip_set.ko': File exists
insmod: can't insert 'ip_set_nethash.ko': No such file or directory
insmod: can't insert 'ip_set_iphash.ko': No such file or directory
insmod: can't insert 'ipt_set.ko': No such file or directory
--set option deprecated, please use --match-set
iptables v1.4.15: Set BlockedCountries doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
 
This is easy to do with skynet. use amtm to install it. Then blacklist the countries by their two letter country code (example: cn China, ru Russia). Skynet will automatically download and blacklist the IP blocks allocated to that country. It’s zero effort. Forget about doing it your old way. Skynet code is reliable and well maintained by Adamm
 
Second this! Skynet isn't something that runs all the time, it just automates setting up the iptables rules, so no performance hit above your custom solution. And while I'd recommend using amtm to install it (https://diversion.ch/amtm.html), you can install Skynet by itself (https://github.com/Adamm00/IPSet_ASUS). Amtm is preferred because it makes installing other scripts and such much simpler.
 
I just installed it with AMTM. I enabled the default malware blocking list. I also added a list of countries to block. So far it looks great.

Any particular suggestions on configuring skynet? I just used the default malware list.
 
Try the Skynet thread...
 