[R7800, R9000 & probably others] Blocklist based Firewall addon

I'm working on the next version, which will have some cool stuff:
better rules for iptables, allowing logging;
a check for any available newer version, and maybe an upgrade command.

Also, while trying out logging, I found that this is really blocking a lot of attempts to connect either to the router or to my NAS from blacklisted IPs. So this script is really useful in protecting the router and the local network:
Code:
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=46.105.132.32 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=40202 DPT=9200 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=172.16.255.254 DST=224.0.0.1 LEN=28 TOS=0x10 PREC=0x80 TTL=1 ID=15699 PROTO=2 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=10667 PROTO=TCP SPT=45425 DPT=38398 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=193.32.163.112 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=32504 PROTO=TCP SPT=58431 DPT=3381 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=46.105.132.32 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=43161 DPT=873 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=61975 PROTO=TCP SPT=45425 DPT=37674 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=142.93.211.52 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=237 ID=6539 PROTO=TCP SPT=46682 DPT=2364 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=190.255.4.26 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=2753 PROTO=TCP SPT=45797 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=111.56.44.147 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=5509 PROTO=TCP SPT=47760 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=50031 PROTO=TCP SPT=45425 DPT=883 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=3931 PROTO=TCP SPT=45425 DPT=3598 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=87.251.74.241 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=32134 PROTO=TCP SPT=51973 DPT=756 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=172.16.255.254 DST=224.0.0.1 LEN=28 TOS=0x10 PREC=0x80 TTL=1 ID=15701 PROTO=2 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=104.206.128.70 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=241 ID=30700 PROTO=TCP SPT=50057 DPT=5432 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=6516 PROTO=TCP SPT=45425 DPT=58572 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=87.251.74.18 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x80 TTL=245 ID=11046 PROTO=TCP SPT=51205 DPT=5001 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x2
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=26830 PROTO=TCP SPT=45425 DPT=52461 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=185.176.27.2 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=31650 PROTO=TCP SPT=8080 DPT=8683 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN= OUT=brwan SRC=192.168.1.2 DST=192.168.1.255 LEN=242 TOS=0x00 PREC=0x00 TTL=64 ID=44813 DF PROTO=UDP SPT=138 DPT=138 LEN=222
[firewall-blocklist] IN= OUT=brwan SRC=192.168.1.2 DST=192.168.1.255 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=10105 DF PROTO=UDP SPT=138 DPT=138 LEN=215
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=194.26.29.212 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=54638 PROTO=TCP SPT=58013 DPT=3215 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=156.96.119.148 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=36922 DF PROTO=TCP SPT=18 DPT=3201 WINDOW=512 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=185.156.73.60 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=248 ID=388 PROTO=TCP SPT=47677 DPT=33896 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=185.176.27.246 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=8037 PROTO=TCP SPT=58587 DPT=54249 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=156.96.119.148 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=36922 DF PROTO=TCP SPT=5 DPT=8092 WINDOW=512 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=19243 PROTO=TCP SPT=45425 DPT=28605 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=198.98.62.183 DST=192.168.1.2 LEN=121 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=UDP SPT=49117 DPT=1900 LEN=101 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=172.16.255.254 DST=224.0.0.1 LEN=28 TOS=0x10 PREC=0x80 TTL=1 ID=15703 PROTO=2 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=194.61.27.240 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=239 ID=39339 PROTO=TCP SPT=47895 DPT=5445 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=8237 PROTO=TCP SPT=45425 DPT=590 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=60.190.96.235 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=238 ID=59389 PROTO=TCP SPT=43452 DPT=28515 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=185.176.27.2 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=42828 PROTO=TCP SPT=8080 DPT=8879 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=172.16.255.254 DST=224.0.0.1 LEN=28 TOS=0x10 PREC=0x80 TTL=1 ID=15705 PROTO=2 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=194.26.29.212 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=54066 PROTO=TCP SPT=58013 DPT=7385 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=92.63.196.3 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=60625 PROTO=TCP SPT=56438 DPT=9789 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=38571 PROTO=TCP SPT=45425 DPT=5096 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=94.102.56.181 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=248 ID=31650 PROTO=TCP SPT=47562 DPT=9508 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=111.229.172.178 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=237 ID=25531 PROTO=TCP SPT=56070 DPT=7384 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=49338 PROTO=TCP SPT=45425 DPT=16796 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=198.108.67.83 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=34 ID=1252 PROTO=TCP SPT=21362 DPT=12301 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=170.130.187.10 DST=192.168.1.2 LEN=71 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=UDP SPT=64716 DPT=161 LEN=51 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=92.63.196.3 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=1504 PROTO=TCP SPT=56438 DPT=9889 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=194.26.29.114 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=34935 PROTO=TCP SPT=52196 DPT=5463 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
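The log above is raw iptables LOG output, so it is easy to turn into a summary of what the blocklist is actually stopping. The script below is an added example and not part of the addon; it parses a constructed copy of ten lines from the post (same key=value layout, MAC redacted as in the post) and counts sources and destination ports of the inbound hits. It also separates the lines that are not scans at all, the IGMP query to 224.0.0.1 (PROTO=2) and the locally originated UDP/138 broadcast logged with OUT=brwan, so they do not inflate the numbers. The WAN interface name "brwan" is taken from the log.

```python
"""Summarise iptables LOG lines from a blocklist chain (added example)."""
import re
from collections import Counter

WAN_IFACE = "brwan"  # WAN bridge name as it appears in the post's log

# Constructed sample: ten lines modelled on the post's log, MAC redacted.
SAMPLE_LOG = """\
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=46.105.132.32 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=40202 DPT=9200 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=172.16.255.254 DST=224.0.0.1 LEN=28 TOS=0x10 PREC=0x80 TTL=1 ID=15699 PROTO=2 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=10667 PROTO=TCP SPT=45425 DPT=38398 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=46.105.132.32 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=43161 DPT=873 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=45.134.179.50 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=61975 PROTO=TCP SPT=45425 DPT=37674 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=190.255.4.26 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=2753 PROTO=TCP SPT=45797 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=111.56.44.147 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=5509 PROTO=TCP SPT=47760 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10
[firewall-blocklist] IN= OUT=brwan SRC=192.168.1.2 DST=192.168.1.255 LEN=242 TOS=0x00 PREC=0x00 TTL=64 ID=44813 DF PROTO=UDP SPT=138 DPT=138 LEN=222
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=198.98.62.183 DST=192.168.1.2 LEN=121 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=UDP SPT=49117 DPT=1900 LEN=101 MARK=0x10
[firewall-blocklist] IN=brwan OUT= MAC=[UNDISCLOSED] SRC=170.130.187.10 DST=192.168.1.2 LEN=71 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=UDP SPT=64716 DPT=161 LEN=51 MARK=0x10
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")
# Bare TCP/IP flags appear as tokens without "=".
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "CE"}


def parse_line(line):
    """Return a dict of key=value fields plus a 'flags' set, or None."""
    if "[firewall-blocklist]" not in line:
        return None
    rec = {}
    for key, val in KV.findall(line):
        # UDP lines carry LEN= twice (IP and UDP header); keep the IP one.
        rec.setdefault(key, val)
    rec["flags"] = {tok for tok in line.split() if tok in FLAGS}
    return rec


def classify(rec):
    """inbound_scan: TCP/UDP arriving on the WAN side from a listed source.
    egress: locally originated packet leaving via the WAN interface.
    other: anything else, e.g. the ISP's IGMP query (PROTO=2)."""
    if rec.get("OUT") == WAN_IFACE:
        return "egress"
    if rec.get("IN") == WAN_IFACE and rec.get("PROTO") in ("TCP", "UDP"):
        return "inbound_scan"
    return "other"


def summarize(log_text):
    """Aggregate a log dump: classes, top sources, probed ports, SYN-only count."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    scans = [r for r in recs if classify(r) == "inbound_scan"]
    return {
        "classes": Counter(classify(r) for r in recs),
        "sources": Counter(r["SRC"] for r in scans),
        "ports": Counter((r["PROTO"], int(r["DPT"])) for r in scans),
        # Bare SYNs with small windows are the signature of a port sweep.
        "syn_only": sum(1 for r in scans if r["flags"] == {"SYN"}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(dict(s["classes"]))
    print("top sources:", s["sources"].most_common(3))
    print("top ports:", s["ports"].most_common(5))
    print("SYN-only probes:", s["syn_only"])
```

On the router, feed it the real lines with something like `dmesg | grep firewall-blocklist | python3 summarize.py` (the script name is hypothetical); the ports that recur (1433, 5432, 9200, 873, 161) are the usual database, rsync and SNMP sweeps, which is what makes the counts useful for deciding what else to expose.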
 
It is working for me now, but it is a little slower to download than usual.
Likely a network-related problem (overload somewhere...).

At least, with the editable sources file, it is easy to switch to other servers if needed.

Looks like whatever was going on is now fixed? Both links are returning data again.
 
Thank you!

Coming from you, the master of add-ons, it is a strong compliment.
Really nice addon!

There is a version 2.5 in the pipes, that will use iprange (allowing to optimize the blocklist for better efficiency), that should be released in the coming days.
 
Just curious how you're going to provide the iprange binary...
If you plan on including a version that you compiled yourself on your router, that might not be a good thing.
Because then it will only work on routers that also have Entware (and potentially even need the same version of Entware as you).

And if you make Entware a requirement, then it is probably better to try to get iproute into the Entware repo, so that it can be maintained just like any other Entware package.
 
That is exactly what I had in mind.
I don't think iprange uses any Entware dependency, and I think its own libraries are compiled into the binary, but that is an interesting point.

I will copy iprange to /tmp and unmount the disk with Entware, then try it. If it works, we know for sure it is fine.

If it does not, no worries, because my script can work without iprange installed, and in that case I will have to ask @Voxel if he is willing to include iprange in his repo.

 
Well, just tested... iprange does not work without Entware, so thank you @R. Gerrits for making me aware of this!

Unless there is a way to compile iprange and have it either self-sufficient or dependent only on what is in the firmware, Entware is the way to go. I will ask @Voxel if he could add it to his repo (it should not be too difficult, as we already know it compiles fine, it is simple, and it is not updated often at all...).

I can easily adapt my script to that situation (it is already pretty much ready for it).

 
@Voxel very kindly agreed to make an iprange firmware addon (ipk) that installs it directly in /usr/bin.

I tested and it works perfectly.

I also adapted my code to deal with that, and next release will be able to use iprange if installed (either from ipk or self compiled in Entware).
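What iprange contributes to the script, as discussed from the v2.5 announcement through the ipk packaging above, is list optimisation: duplicates, entries already covered by a wider prefix, and adjacent halves that can be merged into one prefix all disappear, so the ipset is smaller and lookups are cheaper. The block below is an added example and is neither the addon's nor iprange's code; it does the same collapse with the Python standard library on a constructed input so it can be run on a workstation, and emits the `create`/`add` lines `ipset restore` accepts. The set name "blocklist" is an assumption.

```python
"""Collapse a raw blocklist into a minimal CIDR set (added example)."""
import ipaddress

# Constructed input: duplicates, overlaps, adjacent halves, an a-b range,
# a comment and a junk line. Not a real feed.
RAW_LIST = """\
# constructed blocklist
1.2.3.4
1.2.3.4
1.2.3.0/25
1.2.3.128/25
10.0.0.0/8
10.1.2.3        # already covered by 10.0.0.0/8
192.0.2.0-192.0.2.255
203.0.113.5
not-an-ip
"""


def load_entries(text):
    """Parse single IPs, CIDRs and 'a-b' ranges; return (networks, rejected)."""
    nets, rejected = [], 0
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        try:
            if "-" in entry:
                lo, hi = (ipaddress.ip_address(x.strip()) for x in entry.split("-", 1))
                nets.extend(ipaddress.summarize_address_range(lo, hi))
            else:
                nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected += 1  # count, do not abort on one bad line
    return nets, rejected


def optimize(nets):
    """Merge duplicates, subsumed entries and adjacent sibling prefixes."""
    return list(ipaddress.collapse_addresses(nets))


def address_count(nets):
    """Total addresses covered; unchanged by optimisation, entries shrink."""
    return sum(n.num_addresses for n in nets)


def ipset_restore(name, nets):
    """Text for `ipset restore`; -exist makes a rerun idempotent."""
    lines = [f"create {name} hash:net family inet -exist"]
    lines += [f"add {name} {n} -exist" for n in nets]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    raw, bad = load_entries(RAW_LIST)
    opt = optimize(raw)
    print(f"{len(raw)} entries -> {len(opt)} prefixes ({bad} rejected), "
          f"{address_count(opt)} addresses covered")
    print(ipset_restore("blocklist", opt), end="")
```

In production the output would go into a temporary set followed by `ipset swap`, so the live set is never empty while it is being rebuilt; the example stops at the restore text to stay platform-independent.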
 
Just also installed your firewall block-list add-on.
It seems to be working fine.

But any reason why it would be blocking these packets?
[firewall-blocklist] IN= OUT=brwan SRC=94.213.xx.xxx DST=10.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53667 DF PROTO=UDP SPT=54774 DPT=53 LEN=40
[firewall-blocklist] IN= OUT=brwan SRC=94.213.xx.xxx DST=10.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=929 DF PROTO=UDP SPT=50222 DPT=53 LEN=40

94.213.xx.xxx is the public IP of my router.
10.10.10.10 is a DNS server in my test environment, behind a separate firewall, so this router doesn't know it. (My normal internal subnet is 192.168.1.0/24.)

Edit: Never mind, apparently I was missing a route for the 10.10.10.0/24 subnet, so it was trying to route this traffic to the internet. And I can imagine that the firewall would block traffic for private ranges on the public interface.
 
Exactly. One of the sources I include by default (firehol_level1)
blocks (among many others) the private ranges, as they should never be found on the internet (and if they are, they are more than suspicious); these are called fullbogons.
http://iplists.firehol.org/?ipset=firehol_level1
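The two posts above describe exactly the mechanism: a destination with no specific route falls through to the default route, leaves on the WAN interface, and there matches the private space that a fullbogon list blocks. The script below is an added example, not the addon's code, and models that with a longest-prefix route lookup over two constructed routing tables (one missing the 10.10.10.0/24 route, one with it) and a static bogon table. "brwan" is the WAN bridge name from the log; "br0" for the LAN side is an assumption. The bogon table lists only the RFC-reserved part of the fullbogon set; the real feed also carries currently unallocated space, which changes over time, so this is not a substitute for the list itself.

```python
"""Why a packet to a private address is dropped on the WAN side (added example)."""
import ipaddress

WAN_IFACE = "brwan"  # from the post's log
LAN_IFACE = "br0"    # assumption

# RFC-reserved space that must never be routed on the public internet.
# Static subset of what a fullbogon list contains (no unallocated space).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed routing tables as (prefix, egress interface) pairs.
ROUTES_MISSING = [("0.0.0.0/0", WAN_IFACE), ("192.168.1.0/24", LAN_IFACE)]
ROUTES_FIXED = ROUTES_MISSING + [("10.10.10.0/24", LAN_IFACE)]  # test net via LAN


def is_fullbogon(addr):
    """True if addr lies in reserved/private space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)


def route_lookup(dst, routes):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def would_be_blocked(dst, routes):
    """A bogon destination leaving via the WAN interface hits the blocklist."""
    return route_lookup(dst, routes) == WAN_IFACE and is_fullbogon(dst)


def explain(dst, routes):
    """Human-readable verdict for one destination."""
    iface = route_lookup(dst, routes)
    if would_be_blocked(dst, routes):
        return (f"{dst}: no specific route, egress {iface}, inside bogon space "
                f"-> dropped; add a route for its subnet")
    return f"{dst}: egress {iface} -> allowed"


if __name__ == "__main__":
    for routes in (ROUTES_MISSING, ROUTES_FIXED):
        print(explain("10.10.10.10", routes))
    print(explain("8.8.8.8", ROUTES_MISSING))
```

The same check explains the IGMP line in the earlier log dump: 224.0.0.0/4 is in the table, so a multicast query arriving from a private ISP address is dropped by the list rather than by any rule specific to it.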
 
V3.0.0
 
Readme says:
The /opt/bolemo/scripts/firewall-blocklist upgrade command will also show the installed and the latest available version, and ask if you want to upgrade if the online version is different from the one installed.

Just used it to upgrade from v2.0.1 to v3.0.0, but it didn't show anything and also didn't ask anything.

Also, is it true that only a fresh install using install.sh installs iprange, but an upgrade from an older version to v3.0.0 doesn't?
 
Yes and no.

It is true that an upgrade from v2 to v3 won't offer to install iprange (while installing from the install script does).

However, you can install iprange separately.
Download (with wget, curl, or to a computer and then to the router...) this: https://voxel-firmware.com/Downloads/iprange_1.0.4-1_ipq806x.ipk
And install it using the command /bin/opkg install iprange_1.0.4-1_ipq806x.ipk

PS: /opt/bolemo/scripts/firewall-blocklist info or /opt/bolemo/scripts/firewall-blocklist status should confirm that you are now using v3.

PPS: I realized I did not answer your question exactly. With v2, the upgrade did not ask before upgrading, and would only show something in verbose mode. With v3, the upgrade is always verbose, and asks before upgrading.

V3.0.1
 