[R7800, R9000 & probably others] Blocklist based Firewall addon


Thnx!

BTW, just wondering: I get a lot of warnings when iptables gets modified (see below). Is this normal? Or do I have something wrong in my iptables?

I did an iptables -L and noticed that I have some duplicate entries in the INPUT, FORWARD and OUTPUT chains. Could this be the reason?

And, not related to the topic, but I also see a strange rule "ACCEPT tcp -- anywhere anywhere tcp dpt:42443" in my INPUT and OUTPUT chains.
I see in the Netgear forums that this is related to DLNA / Kwilt and that it can be removed by disabling DLNA. But I don't think I have DLNA enabled (at least I cannot find it in the GUI).

Do other people have that rule?


Code:
root@R7800:/etc$ /opt/bolemo/scripts/firewall-blocklist update
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: Bad rule (does a matching rule exist in that chain?).
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ip6tables: Bad rule (does a matching rule exist in that chain?).
ip6tables: No chain/target/match by that name.
ip6tables: Bad rule (does a matching rule exist in that chain?).
ip6tables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
 
Are you having this problem with the last version (3.1) or a former one?

One of the last bug fixes prevents these duplicate iptables entries, which can occur under some conditions. Your output is definitely not normal though.

Try verbose mode to get more info:
/opt/bolemo/scripts/firewall-blocklist update -v

Also, if you use the last version, could you tell me what
cat /tmp/FwBl_status
returns?

If the problems persist, try this:
/opt/bolemo/scripts/firewall-blocklist clean
ipset destroy
net-wall restart
/opt/bolemo/scripts/firewall-blocklist update -v


I am not able to stay on the forum longer tonight, but I will read your answer tomorrow and see what is going on if the problem persists.

As for DLNA, to turn it off, it is under ReadyShare -> Media Server -> OFF
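Added example (not the addon's code and not written by anyone in this thread): a POSIX sh sketch of installing and removing the FwBl_* rules idempotently. `iptables -C` is asked whether a rule is already present before `-A` appends it and before `-D` deletes it, and the user chain is only created or deleted after `iptables -n -L` says it is absent or present. That is the kind of check that keeps duplicate entries from accumulating across repeated updates, and it also avoids the "No chain/target/match by that name" and "Bad rule (does a matching rule exist in that chain?)" messages iptables prints when asked to delete something that is not there. The rule list is the one the addon's verbose status prints later in this thread; the IPT variable, the function names and the install/clean command-line handling are assumptions made for this example (`-C` needs iptables 1.4.11 or newer, which the 1.4.21 seen in this thread satisfies).

```shell
#!/bin/sh
# Idempotent install/clean of the FwBl_* iptables rules (added example).
# IPT is assumed: it lets a caller point the logic at a stand-in command.
IPT="${IPT:-iptables}"

# ensure_chain NAME: create the user chain only if `iptables -n -L NAME`
# fails, i.e. the chain does not exist yet.
ensure_chain() {
  "$IPT" -n -L "$1" >/dev/null 2>&1 || "$IPT" -N "$1"
}

# delete_chain NAME: delete the chain only if it exists (it must be empty).
delete_chain() {
  "$IPT" -n -L "$1" >/dev/null 2>&1 || return 0
  "$IPT" -X "$1"
}

# ensure_rule CHAIN RULE...: append the rule unless -C reports it is present.
ensure_rule() {
  chain=$1; shift
  "$IPT" -C "$chain" "$@" 2>/dev/null && return 0
  "$IPT" -A "$chain" "$@"
}

# delete_rule CHAIN RULE...: delete the rule only if -C reports it is present,
# so a clean never triggers "Bad rule (does a matching rule exist ...)".
delete_rule() {
  chain=$1; shift
  "$IPT" -C "$chain" "$@" 2>/dev/null || return 0
  "$IPT" -D "$chain" "$@"
}

# fwbl_each_rule FUNC: call FUNC with chain and rule arguments for every rule
# in the set (the list the addon's verbose status prints in this thread).
fwbl_each_rule() {
  "$1" INPUT     -i brwan -m set --match-set FwBl_WL src -j ACCEPT
  "$1" INPUT     -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
  "$1" FORWARD   -i brwan -m set --match-set FwBl_WL src -j ACCEPT
  "$1" FORWARD   -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
  "$1" FORWARD   -o brwan -m set --match-set FwBl_WL dst -j ACCEPT
  "$1" FORWARD   -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
  "$1" OUTPUT    -o brwan -m set --match-set FwBl_WL dst -j ACCEPT
  "$1" OUTPUT    -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
  "$1" FwBl_DROP -j DROP
}

# install_fwbl_rules: running this twice leaves exactly one copy of each rule.
install_fwbl_rules() {
  ensure_chain FwBl_DROP
  fwbl_each_rule ensure_rule
}

# remove_fwbl_rules: counterpart of a "clean"; silent when nothing is installed.
remove_fwbl_rules() {
  fwbl_each_rule delete_rule
  delete_chain FwBl_DROP
}

# Command-line entry point (assumed): sh fwbl-rules.sh install|clean
case "${1:-}" in
  install) install_fwbl_rules ;;
  clean)   remove_fwbl_rules ;;
esac
```

Because every step is a check followed by a conditional change, the script can be re-run after a `net-wall restart` without inspecting the chains first; the same pattern applies to any hook that has to reinstall rules after the built-in firewall rebuilds them.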

 
Are you having this problem with the last version (3.1) or a former one?

I have the warnings with v3.1.0, but I think I saw them also with earlier versions.

Verbose mode only shows that the errors occur during the restart of the firewall.


cat /tmp/FwBl_status
Returns:
Wed Apr 29 18:55:05 UTC 2020
ips: BL(keep)+WL(swap)
ipt: log+BL+WL


I'll try your cleaning steps.

As for DLNA, to turn it off, it is under ReadyShare -> Media Server -> OFF
In Basic -> ReadySHARE, I only have the section USB Storage (Basic Settings).

I think during the installation of Entware I disabled some stuff via nvram and then deleted all related folders from /overlay/opt.
(I'm using mount --bind to mount Entware directly onto /opt instead of symlinking the various folders into an existing structure.)
 
Hi,
I just upgraded to the latest version and got a weird error. I then performed a 'clean' and 'update', but the issue persists.

Status:
- firewall-blocklist version: v3.1.0
- iprange is not installed.
- Something is not right! Use firewall-blocklist -v status for more details <== here
- Logging is off.

- ipset filter (blocklist) is set:
WAN gateway (0.0.0.0) is in blocklist

- ipset bypass (whitelist) is set:
WAN gateway (0.0.0.0) is NOT in whitelist!
 
If the problems persist, try this:
/opt/bolemo/scripts/firewall-blocklist clean
ipset destroy
net-wall restart
/opt/bolemo/scripts/firewall-blocklist update -v

This didn't help: also here, at the step net-wall restart, I get the warnings. So the problem probably already existed before I started using your blocklist.

I did notice that Kamoj's addon also changed something in the net-wall scripts, but I also see the warnings if I call the original (/usr/sbin/net-wall-bin restart).

Last observation: the output of some iptables commands gave this:
Code:
root@R7800:/$ iptables -S loc2net
-N loc2net
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A loc2net -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP 
-A loc2net -p tcp -m state --state INVALID -j DROP 
Can't find library for target `TRIGGER'
-A loc2net -j TRIGGER  

root@R7800:/$ iptables -S net2loc
-N net2loc
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A net2loc -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP 
Can't find library for target `CONENAT'
-A net2loc -p udp -j CONENAT

So I deleted those rules with:
iptables -D loc2net 4 (because this was the 4th rule in the loc2net chain).
iptables -D net2loc 3 (because this was the 3rd rule in the net2loc chain).

But this doesn't solve the problem.

Also, the moment I do a net-wall restart, the deleted rules are back in iptables...
(I also deleted the unwanted rules for tcp dpt:42443, but these came back too.)
 
@R. Gerrits: yes, if after a firewall-blocklist clean you still have the error when doing net-wall, it is clearly not a problem related to my script. Since net-wall-bin does it, it means you would have this on stock firmware. I will look closer tomorrow (bed time for me now) at what you posted and compare with mine to see if it can help.

@NetBytes: ok, this one seems related to my script. Can you post the result of these commands:
  • /opt/bolemo/scripts/firewall-blocklist status -v
  • cat /tmp/FwBl_status
  • iptables -S INPUT
  • iptables -S OUTPUT
  • iptables -S FwBl_DROP
  • ipset list -n
  • ipset list FwBl_WL
  • ipset test FwBl_BL 0.0.0.0
  • nvram get wan_gateway
  • nvram get wan_netmask
That should give me enough information to see what the problem is.

PS: did you have this problem with the previous version? And did you change your settings (wan gateway, etc.) recently?

I will study that tomorrow morning.
 
No problems with the previous version. I was trying not to post so much data, but here it is:

Code:
firewall-blocklist v3.1.0 - Verbose mode
Status:
- firewall-blocklist version: v3.1.0
- iprange is not installed.
- Something is not right! Use firewall-blocklist -v status for more details
- Logging is off.
Detailed status:
- /opt/scripts/firewall-start.sh exists with correct settings.
- iptables rules are set with bypass rules (whitelist):
     iptables -N FwBl_DROP
     iptables -A INPUT -i brwan -m set --match-set FwBl_WL src -j ACCEPT
     iptables -A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
     iptables -A FORWARD -i brwan -m set --match-set FwBl_WL src -j ACCEPT
     iptables -A FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
     iptables -A FORWARD -o brwan -m set --match-set FwBl_WL dst -j ACCEPT
     iptables -A FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
     iptables -A OUTPUT -o brwan -m set --match-set FwBl_WL dst -j ACCEPT
     iptables -A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
     iptables -A FwBl_DROP -j DROP
- Logging is inactive.
- ipset filter (blocklist) is set:
     WAN gateway (0.0.0.0) is in blocklist
     Name: FwBl_BL
     Type: hash:net
     Revision: 6
     Header: family inet hashsize 16384 maxelem 65536
     Size in memory: 921496
     References: 4
- ipset bypass (whitelist) is set:
     WAN gateway (0.0.0.0) is NOT in whitelist!
     Name: FwBl_WL
     Type: hash:net
     Revision: 6
     Header: family inet hashsize 1024 maxelem 1
     Size in memory: 320
     References: 4

root@R7800:/opt/bolemo/scripts$ cat /tmp/FwBl_status
Wed Apr 29 22:30:53 GMT 2020
ips: BL(keep)+WL(swap)
ipt: BL+WL

root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ iptables -S INPUT
-P INPUT DROP
-A INPUT -i brwan -m set --match-set FwBl_WL src -j ACCEPT
-A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i host0 -j ACCEPT
-A INPUT -i LeafNets -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -i brwan -p igmp -j ACCEPT
-A INPUT -i brwan -j brwan_in
-A INPUT -i br0 -j br0_in
-A INPUT -j common
-A INPUT -j reject

root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ iptables -S OUTPUT
-P OUTPUT DROP
-A OUTPUT -o brwan -m set --match-set FwBl_WL dst -j ACCEPT
-A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o host0 -j ACCEPT
-A OUTPUT -o LeafNets -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1701 -j ACCEPT
-A OUTPUT -p ipv6 -j ACCEPT
-A OUTPUT -o brwan -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -o brwan -p igmp -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
-A OUTPUT -o brwan -j fw2net
-A OUTPUT -o br0 -j fw2loc
-A OUTPUT -j common
-A OUTPUT -j reject

root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ iptables -S FwBl_DROP
-N FwBl_DROP
-A FwBl_DROP -j DROP

root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ ipset list -n
FwBl_BL
FwBl_WL

root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ ipset list FwBl_Bl_WL   
ipset v6.24: The set with the given name does not exist

root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ ipset list FwBl_BL 0.0.0.0
ipset v6.24: Unknown argument 0.0.0.0
Try `ipset help' for more information.

root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ nvram get wan_gateway
0.0.0.0
root@R7800:/tmp/mnt/sdb2/bolemo/scripts$ nvram get wan_netmask
0.0.0.0
 
@NetBytes please use the 'Code' box in the Insert icon instead of the raw code. :)
 
Ok, the problem is with the WAN gateway, which is 0.0.0.0/0.
This is a very special range of addresses that is not valid (invalid CIDR) if treated like a regular netset. It is 'legal' as it means the entire local network. You do not have to change that address. I will just change my script to ignore this specific set.

The next release will be today, also with the possibility to have a custom whitelist.
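Added example to illustrate the fix just described (this is not the addon's code): a POSIX sh check that validates the WAN gateway read from nvram before it is looked up with `ipset test`. 0.0.0.0, which nvram reports when no gateway is set, is skipped rather than passed on as if it were a host address, and malformed values are rejected as well, so a status check never misreports a non-address as "in blocklist". The IPSET variable, the function names and the one-line report format are assumptions made for this example; `nvram get wan_gateway` is the command the thread itself uses.

```shell
#!/bin/sh
# Validate the WAN gateway before testing it against the FwBl_* ipsets
# (added example, not the addon's code). IPSET is assumed; it lets the
# logic run against a stand-in command.
IPSET="${IPSET:-ipset}"

# ipv4_gateway_usable ADDR: 0 if ADDR is a well-formed dotted quad other than
# 0.0.0.0, 1 otherwise. 0.0.0.0 is what nvram reports when no gateway is set;
# as a set member it stands for the whole address range, not a host to test.
ipv4_gateway_usable() {
  addr=$1
  case "$addr" in
    ""|0.0.0.0|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $addr          # split the address into its octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# gateway_set_report GW: print "skip" when the gateway cannot be checked,
# otherwise "bl=yes|no wl=yes|no" from `ipset test` against both sets.
gateway_set_report() {
  gw=$1
  if ! ipv4_gateway_usable "$gw"; then
    echo "skip"
    return 0
  fi
  in_bl=no
  in_wl=no
  "$IPSET" test FwBl_BL "$gw" >/dev/null 2>&1 && in_bl=yes
  "$IPSET" test FwBl_WL "$gw" >/dev/null 2>&1 && in_wl=yes
  echo "bl=$in_bl wl=$in_wl"
}

# Stand-alone use on the router (assumed invocation: sh gw-check.sh status):
# read the gateway the same way the thread does and report on it.
if [ "${1:-}" = "status" ]; then
  gateway_set_report "$(nvram get wan_gateway)"
fi
```

A gateway that fails the check is reported as "skip" rather than as a blocklist hit, which is the behaviour the fix above aims for: a missing gateway is not an error in the sets, only a value there is nothing to test.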
 
This is new ground for me; if you have the time, I would like to ask a few questions.

Do I understand correctly that this type of blocklist is like putting an open source "antivirus" on your network that blocks known malware locations?

I am sure you already wrote it somewhere, but I didn't comprehend it :) But as I understand it, you download blocklists? I guess there are some great people who, like you, do a lot of work and put in a lot of effort just to give other people security, and these lists need to be updated all the time. Do you have to maintain these lists, or will they update by themselves from the trusted source you chose?

If you have an adblock on your router, does this differ? Is there a point in having both this and adblock, with the existing lists of bad sites that some adblock lists claim they offer?

Last but not least, should a fool like me try it, or is it too advanced? In English: is it easy to use? :)

Thank you a lot; I have tried to do some research but was left with these questions, and I ask with curiosity and great respect for your work!

PS: I'll wait for your next release and will try it anyway :)
 
V3.2.0

@KW. : I will answer to you, no time right now.
 
This is new ground for me; if you have the time, I would like to ask a few questions.
Sure

Do I understand correctly that this type of blocklist is like putting an open source "antivirus" on your network that blocks known malware locations?
In a way, yes.
What it does exactly is filter (block) IP addresses transiting between the internet (WAN) and the local network (LAN).

I am sure you already wrote it somewhere, but I didn't comprehend it :) But as I understand it, you download blocklists? I guess there are some great people who, like you, do a lot of work and put in a lot of effort just to give other people security, and these lists need to be updated all the time. Do you have to maintain these lists, or will they update by themselves from the trusted source you chose?
Yes, the script downloads lists that the user can define in a specific file. I put some well known and maintained lists by default; they are indeed open source and documented. Any user can change, remove or add their own sources.
The lists can be updated automatically with cron. The easiest way to do that is using @kamoj's addon. I might integrate that into the script one day.
Anyway, once it is set up, it is pretty much maintenance free.

If you have an adblock on your router, does this differ? Is there a point in having both this and adblock, with the existing lists of bad sites that some adblock lists claim they offer?
It works differently and is complementary.
Ad blocking works with the http(s) protocol and DNS resolution (domain names).
A firewall blocklist blocks raw IP addresses.
The goal is slightly different, as a firewall blocklist will focus on protecting from bogus IPs, known malware servers or hacked servers, known hacking addresses... well, places you want to protect yourself from. It is possible to use a firewall blocklist for some ad blocking, but this is not the best way to do it.
An ad-blocker will focus on blocking ads.

Simple answer: they are complementary and you can use both.

Last but not least, should a fool like me try it, or is it too advanced? In English: is it easy to use? :)
I tried to make this script as user friendly as possible.
Unfortunately, it still requires a minimum of knowledge to access the router (telnet or ssh), and a USB drive named optware.
I might change the install script to allow installation without a USB drive.
Also, installation and setup are done via telnet or ssh only. One day, maybe, a web interface...

Thank you a lot; I have tried to do some research but was left with these questions, and I ask with curiosity and great respect for your work!

PS: I'll wait for your next release and will try it anyway :)
You're welcome, thank you for your interest! :)
 
@R. Gerrits, I did not have much time today to look at your problem. Even if it is not related to my script, it seems simpler to talk about this here, but maybe we should open a new thread?

One other person reported having the same iptables warnings, so this is a problem related to the internal firewall and some router settings. I don't have those warnings, but I do have the same output for the net2loc and loc2net chains.

For info/comparison, here is my entire iptables output:
Code:
root@HERMES:~$ iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N FwBl_DROP
-N all2all
-N br0_fwd
-N br0_in
-N brwan_fwd
-N brwan_in
-N common
-N fw2loc
-N fw2net
-N icmpdef
-N igmp_fwd
-N loc2fw
-N loc2loc
-N loc2net
-N net2all
-N net2fw
-N net2loc
-N reject
-A INPUT -i brwan -m set --match-set FwBl_WL src -j ACCEPT 
-A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP 
-A INPUT -i lo -j ACCEPT 
-A INPUT -i host0 -j ACCEPT 
-A INPUT -i LeafNets -j ACCEPT 
-A INPUT -p gre -j ACCEPT 
-A INPUT -p ipv6 -j ACCEPT 
-A INPUT -i brwan -p igmp -j ACCEPT 
-A INPUT -i brwan -j brwan_in 
-A INPUT -i br0 -j br0_in 
-A INPUT -j common 
-A INPUT -j reject 
-A FORWARD -i brwan -m set --match-set FwBl_WL src -j ACCEPT 
-A FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP 
-A FORWARD -o brwan -m set --match-set FwBl_WL dst -j ACCEPT 
-A FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP 
-A FORWARD -i brwan -j brwan_fwd 
-A FORWARD -i br0 -j br0_fwd 
-A FORWARD -j common 
-A FORWARD -j reject 
-A OUTPUT -o brwan -m set --match-set FwBl_WL dst -j ACCEPT 
-A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -o host0 -j ACCEPT 
-A OUTPUT -o LeafNets -j ACCEPT 
-A OUTPUT -p gre -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 1723 -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 1701 -j ACCEPT 
-A OUTPUT -p ipv6 -j ACCEPT 
-A OUTPUT -o brwan -p igmp -j ACCEPT 
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT 
-A OUTPUT -o brwan -j fw2net 
-A OUTPUT -o br0 -j fw2loc 
-A OUTPUT -j common 
-A OUTPUT -j reject 
-A FwBl_DROP -j DROP 
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A all2all -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP 
-A all2all -j common 
-A all2all -j reject 
-A br0_fwd -o brwan -j loc2net 
-A br0_fwd -o br0 -j loc2loc 
-A br0_in -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A br0_in -j loc2fw 
-A brwan_fwd -o br0 -j net2loc 
-A brwan_in -p icmp -m icmp --icmp-type 8 -j DROP 
-A brwan_in -j net2fw 
-A common -p icmp -j icmpdef 
-A common -p tcp -m state --state INVALID -j DROP 
-A common -p udp -m udp --dport 137:139 -j REJECT --reject-with icmp-port-unreachable 
-A common -p udp -m udp --dport 445 -j REJECT --reject-with icmp-port-unreachable 
-A common -p tcp -m tcp --dport 135 -j reject 
-A common -p udp -m udp --dport 1900 -j DROP 
-A common -d 255.255.255.255/32 -j DROP 
-A common -d 224.0.0.0/4 -j DROP 
-A common -p udp -m state --state NEW -m udp --sport 53 -j DROP 
-A common -d 192.168.1.255/32 -j DROP 
-A common -d 192.168.0.255/32 -j DROP 
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A fw2loc -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP 
-A fw2loc -j ACCEPT 
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A fw2net -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP 
-A fw2net -p udp -m state --state NEW -m multiport --dports 520,5050,53,123,6060,67,68 -j ACCEPT 
-A fw2net -p tcp -m state --state NEW -m multiport --dports 119,25,80,2345,3495,7070,20,21,5050,6060 -j ACCEPT 
-A fw2net -j ACCEPT 
-A icmpdef -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A igmp_fwd -d 224.0.0.0/4 -i brwan -p udp -j ACCEPT 
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A loc2fw -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP 
-A loc2fw -p udp -m state --state NEW -m multiport --dports 161,162 -j DROP 
-A loc2fw -j ACCEPT 
-A loc2loc -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A loc2loc -j ACCEPT 
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A loc2net -p tcp -m state --state NEW -m tcp ! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP 
-A loc2net -p tcp -m state --state INVALID -j DROP 
Can't find library for target `TRIGGER'
-A loc2net -j TRIGGER
 
Thank you very much for your answers; now I think I understand the theory of this, and even more, thank you for making this available. It is really something I want on my router. I'm on an R9000, and this post's headline "R7800 & probably others" makes me a bit scared.

But that also means that I can do some good and test it and let you know how it works on the R9000. Even if my father believes that testing new stuff or even clicking too fast on electronics can make it explode, it never happened to me. :)

I'll leave my comfort zone and try to learn something new. I have never dealt with crons and stuff. But in the short time I've been on this forum, with the unbelievable support you get from you guys with skills, I feel I have already learned a lot, and it's time for a new challenge :)

I hope I will find time this evening to try to get this working. But I will report back as soon as I get it running.

Thank you again!
 
Sadly the setup did not work for me and I could not install iprange.

Iprange problem:

Code:
iprange does not seem to be installed.
Do you want to install iprange into internal flash (/usr/bin)? [y/n] -y
Installing iprange...
 Unknown package 'iprange'.
 Collected errors:
* pkg_hash_fetch_best_installation_candidate: Packages for iprange found, but incompatible with the architectures configured
* opkg_install_cmd: Cannot install package iprange.
Done!

Install info:

Code:
The script is properly installed.
- firewall-blocklist version: v3.2.0
  - This is the last version.
- iprange is not installed.

"Something is not working"

Code:
firewall-blocklist v3.2.0 - Verbose mode
Initializing...
/opt/scripts/firewall-start.sh is in place and ok
Updating blocklist from sources...
- Downloading lists defined in /opt/bolemo/etc/firewall-blocklist.sources
  1) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset - 100% [===================>]  38.91K  --.-KB/s    in 0.003s
  2) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset - 100% [===================>] 274.35K  --.-KB/s    in 0.04s
  3) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset - 100% [===================>] 258.58K  --.-KB/s    in 0.02s
  4) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/iblocklist_ciarmy_malicious.netset - 100% [===================>] 203.26K  --.-KB/s    in 0.01s
  5) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset - 100% [===================>]  14.49K  --.-KB/s    in 0.02s
- iprange not installed, passing optimization and reduction process.
- Removing duplicates...
  - Done.
Building ipset blocklist (45300 entries blocking 619991870 ips)...
  - Created blocklist, swapping it.
  - Done.
Restarting firewall...
iptables v1.4.21: mark: bad mark value for option "--mark", or out of range.
Try `iptables -h' or 'iptables --help' for more information.
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
  - Built-in firewall restarted.
Status:
- firewall-blocklist version: v3.2.0
- iprange is not installed.
- Something is not right! Use firewall-blocklist -v status for more details
- Logging is off.
Detailed status:
- /opt/scripts/firewall-start.sh exists with correct settings.
- iptables rules are not set properly:
     iptables -N FwBl_DROP
     iptables -A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
     iptables -A FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
     iptables -A FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
     iptables -A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
     iptables -A FwBl_DROP -j DROP
- Logging is inactive.
- ipset filter (blocklist) is set:
     blocklist is not used by iptables
     Name: FwBl_BL
     Type: hash:net
     Revision: 6
     Header: family inet hashsize 16384 maxelem 65536
     Size in memory: 998068
     References: 4
     Number of entries: 45300
- ipset bypass (whitelist) is not set.
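Added example (not the addon's code) of the build step the verbose output above reports as "Building ipset blocklist ... Created blocklist, swapping it": the downloaded list files are stripped of comments and duplicates, loaded with `ipset restore` into a set created under a temporary name, and then exchanged with the live set by `ipset swap`, so the iptables rules that reference FwBl_BL never point at an empty or half-filled set while an update is running. The hash:net header is the one printed in the status output above; the "_new" suffix, the IPSET variable, the function names and the command-line invocation are assumptions made for this example. Only build_and_swap needs `ipset` itself; the parser runs on any text.

```shell
#!/bin/sh
# Build a hash:net blocklist from .netset/.ipset files and swap it in
# atomically (added example, not the addon's code). IPSET is assumed.
IPSET="${IPSET:-ipset}"

# netset_to_restore SETNAME FILE...: turn list files into `ipset restore`
# input. Comments (#...), blank lines and duplicates are dropped, and bare
# addresses are written as /32 so "a.b.c.d" and "a.b.c.d/32" count once.
netset_to_restore() {
  name=$1; shift
  sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' \
      -e 's/[[:space:]]*$//' -e '/^$/d' "$@" \
    | awk -v set="$name" '
        /^[0-9.]+$/                          { $0 = $0 "/32" }
        /^[0-9.]+\/[0-9]+$/ && !seen[$0]++   { print "add " set " " $0 }'
}

# count_restore_entries SETNAME FILE...: number of distinct entries the
# parser would load (the "N entries" figure the addon prints).
count_restore_entries() {
  netset_to_restore "$@" | grep -c '^add ' || true
}

# build_and_swap SETNAME FILE...: fill SETNAME_new, swap it with SETNAME and
# drop the old contents. Both sets must have the same type and header for
# `ipset swap` to accept them, hence the shared $hdr.
build_and_swap() {
  name=$1; shift
  tmp="${name}_new"
  hdr="hash:net family inet hashsize 16384 maxelem 65536"
  "$IPSET" create "$tmp" $hdr -exist
  "$IPSET" flush "$tmp"
  netset_to_restore "$tmp" "$@" | "$IPSET" restore -exist
  "$IPSET" create "$name" $hdr -exist   # first run: live set may not exist yet
  "$IPSET" swap "$tmp" "$name"          # rules referencing $name see the new data
  "$IPSET" destroy "$tmp"               # $tmp now holds the old contents
}

# Assumed invocation on the router: sh build-blocklist.sh FILE...
if [ $# -gt 0 ]; then
  build_and_swap FwBl_BL "$@"
fi
```

Whether a set is "used by iptables" is visible in the References count the status prints: the swap keeps those references intact because the kernel exchanges the contents of the two named sets rather than the names the rules point at.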
 
Ok, there are two problems:
  1. iprange: you have an R9000, right? It seems that the iprange firmware addon only works with the R7800. You could still install it with Entware, but you would have to install Entware first... Anyway, iprange is great and I recommend installing it as it does strong optimizations; however, it is not mandatory and the blocklist script can work without it.
  2. The error you have with the script is not related to iprange not being installed. I am not sure at this stage if it is a problem related to differences between the R9000 and the R7800 or something else. In theory, my script should be able to work on the R9000. I will study your output.

Sadly the setup did not work for me and I could not install iprange.

Iprange problem:

Code:
iprange does not seem to be installed.                                                                                
Do you want to install iprange into internal flash (/usr/bin)? [y/n] -y                                                
Installing iprange...                                                                                                
 Unknown package 'iprange'.                                                                                            
 Collected errors:                                                                                                      
* pkg_hash_fetch_best_installation_candidate: Packages for iprange found, but incompatible with the architectures configured                                                                                                                   
* opkg_install_cmd: Cannot install package iprange.                                                                  
Done!

Install info:

Code:
The script is properly installed.
- firewall-blocklist version: v3.2.0                                                                                
  - This is the last version.                                                                                            
- iprange is not installed.

"Something is not working"

Code:
firewall-blocklist v3.2.0 - Verbose mode
Initializing...
/opt/scripts/firewall-start.sh is in place and ok
Updating blocklist from sources...
 - Downloading lists defined in /opt/bolemo/etc/firewall-blocklist.sources
   1) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset - 100% [===================>]  38.91K  --.-KB/s    in 0.003s
   2) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset - 100% [===================>] 274.35K  --.-KB/s    in 0.04s
   3) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset - 100% [===================>] 258.58K  --.-KB/s    in 0.02s
   4) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/iblocklist_ciarmy_malicious.netset - 100% [===================>] 203.26K  --.-KB/s    in 0.01s
   5) https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset - 100% [===================>]  14.49K  --.-KB/s    in 0.02s
 - iprange not installed, passing optimization and reduction process.
 - Removing duplicates...
 - Done.
Building ipset blocklist (45300 entries blocking 619991870 ips)...
 - Created blocklist, swapping it.
 - Done.
Restarting firewall...
iptables v1.4.21: mark: bad mark value for option "--mark", or out of range.
Try `iptables -h' or 'iptables --help' for more information.
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
grep: xregcomp: Unmatched [ or [^
 - Built-in firewall restarted.
Status:
 - firewall-blocklist version: v3.2.0
 - iprange is not installed.
 - Something is not right!
   Use firewall-blocklist -v status for more details
 - Logging is off.
Detailed status:
 - /opt/scripts/firewall-start.sh exists with correct settings.
 - iptables rules are not set properly:
   iptables -N FwBl_DROP
   iptables -A INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
   iptables -A FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
   iptables -A FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
   iptables -A OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
   iptables -A FwBl_DROP -j DROP
 - Logging is inactive.
 - ipset filter (blocklist) is set: blocklist is not used by iptables
   Name: FwBl_BL
   Type: hash:net
   Revision: 6
   Header: family inet hashsize 16384 maxelem 65536
   Size in memory: 998068
   References: 4
   Number of entries: 45300
 - ipset bypass (whitelist) is not set.
 

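The status output above only says the rules "are not set properly" without naming which ones are missing. The following added check (not part of the firewall-blocklist addon) probes each expected rule with `iptables -C` and reports the missing ones; the chain name FwBl_DROP, set name FwBl_BL and WAN interface brwan are taken from the status output, and it assumes it is run as root on the router (the first argument lets you point it at a different iptables command, e.g. a stub for testing).

```shell
#!/bin/sh
# Added example, not code from the firewall-blocklist addon: report which of
# the rules listed by `firewall-blocklist -v status` are actually missing.
# Chain FwBl_DROP, set FwBl_BL and interface brwan come from the status output.

# Expected rules, one per line, exactly as the status output lists them
# (minus the leading "iptables -A").
FWBL_RULES='INPUT -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
FORWARD -i brwan -m set --match-set FwBl_BL src -j FwBl_DROP
FORWARD -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
OUTPUT -o brwan -m set --match-set FwBl_BL dst -j FwBl_DROP
FwBl_DROP -j DROP'

# fwbl_check_rules [iptables-command]
# Prints one line per missing chain/rule and returns the number missing
# (0 means every expected rule is present). Assumes root on the router.
fwbl_check_rules() {
    ipt=${1:-iptables}
    missing=0

    # The user chain must exist before any rule that jumps to it can match.
    if ! "$ipt" -n -L FwBl_DROP >/dev/null 2>&1; then
        echo "missing chain: iptables -N FwBl_DROP"
        missing=$((missing + 1))
    fi

    # Split FWBL_RULES on newlines only; the for-list is expanded once here.
    old_ifs=$IFS
    IFS='
'
    for rule in $FWBL_RULES; do
        IFS=$old_ifs
        # `iptables -C` exits 0 only if an identical rule exists in the chain.
        # $rule is intentionally unquoted so it splits into arguments.
        if ! "$ipt" -C $rule >/dev/null 2>&1; then
            echo "missing rule:  iptables -A $rule"
            missing=$((missing + 1))
        fi
    done
    IFS=$old_ifs
    return "$missing"
}

# Run the check when executed directly; the exit status is the missing count.
if [ "${0##*/}" = "fwbl-check.sh" ]; then
    fwbl_check_rules "$@"
fi
```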