What's new

Sanity check my firewall-start

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Richard O'Hara

New Around Here
Hi,

I am a long time merlinwrt user. I love the firmware and greatly appreciate the work and effort put into it.

I was wondering if I could get a second (3rd, 4th...nth) set of eyes on my firewall-start script prior to deployment on my router.

Code:
#!/bin/sh
msbl="dns.msftncsi.com
ipv6.msftncsi.com
win10.ipv6.microsoft.com
ipv6.msftncsi.com.edgesuite.net
a978.i6g1.akamai.net
win10.ipv6.microsoft.com.nsatc.net
en-us.appex-rf.msn.com
v10.vortex-win.data.microsoft.com
client.wns.windows.com
wildcard.appex-rf.msn.com.edgesuite.net
v10.vortex-win.data.metron.life.com.nsatc.net
wns.notify.windows.com.akadns.net
americas2.notify.windows.com.akadns.net
travel.tile.appex.bing.com
www.bing.com
any.edge.bing.com
fe3.delivery.mp.microsoft.com
fe3.delivery.dsp.mp.microsoft.com.nsatc.net
ssw.live.com
ssw.live.com.nsatc.net
login.live.com
login.live.com.nsatc.net
directory.services.live.com
directory.services.live.com.akadns.net
bl3302.storage.live.com
skyapi.live.net
bl3302geo.storage.dkyprod.akadns.net
skyapi.skyprod.akadns.net
skydrive.wns.windows.com
register.mesh.com
BN1WNS2011508.wns.windows.com
settings-win.data.microsoft.com
settings.data.glbdns2.microsoft.com
OneSettings-bn2.metron.live.com.nsatc.net
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net"

countries="cn
pk
kp"

start=`date +'%s'`
IPT=`which iptables`
IPSET=`which ipset`
IPSET_DIR=/jffs/ipset_list_dir
#LOGOPT="--log-level=3 -m limit --limit 1/second --limit-burst 10"
#SYNOPT="-m limit --limit 5/second --limit-burst 10"

lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
    insmod $module
done

$IPSET -N blockedcountries nethash #block countries
$IPSET -N msblklist iphash #block microsoft telemetry servers
$IPSET -N adware iphash #block adware
$IPSET -N ciscore iphash
$IPSET -N malwaredom

for i in $msbl
do
    $IPSET -A msblklist ${i}
done
[ -z "$(iptables-save | grep MicrosoftSpyServers)" ] && iptables -I FORWARD -m set $MATCH_SET msblklist dst -j logdrop

for ip in `cat $IPSET_DIR/ciscore.lst`
do
    $IPSET -A ciscore ${i}
done

for ip in `cat $IPSET_DIR/malwaredom.lst`
do
    $IPSET -A malwaredom ${i}
done
for country in $countries
do
    [ -e $IPSET_DIR/$country ]
        for ip in `cat $IPSET_DIR/${country}.lst`
        do
            ipset -q -A blockedcountries $ip
        done
done
[ -z "$(iptables-save | grep BlockedCountries)" ] && iptables -I INPUT -m set $MATCH_SET blockedcountries src -j logdrop
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top