Sanity check my firewall-start


Richard O'Hara

New Around Here
Hi,

I am a long-time merlinwrt user. I love the firmware and greatly appreciate the work and effort put into it.

I was wondering if I could get a second (3rd, 4th...nth) set of eyes on my firewall-start script prior to deployment on my router.

Code:
#!/bin/sh
# Hostnames of Microsoft telemetry endpoints. ipset 4 resolves a hostname
# when it is added, so only the addresses returned at run time end up in
# the set; a later DNS change is not picked up until the script runs again.
msbl="dns.msftncsi.com
ipv6.msftncsi.com
win10.ipv6.microsoft.com
ipv6.msftncsi.com.edgesuite.net
a978.i6g1.akamai.net
win10.ipv6.microsoft.com.nsatc.net
en-us.appex-rf.msn.com
v10.vortex-win.data.microsoft.com
client.wns.windows.com
wildcard.appex-rf.msn.com.edgesuite.net
v10.vortex-win.data.metron.life.com.nsatc.net
wns.notify.windows.com.akadns.net
americas2.notify.windows.com.akadns.net
travel.tile.appex.bing.com
www.bing.com
any.edge.bing.com
fe3.delivery.mp.microsoft.com
fe3.delivery.dsp.mp.microsoft.com.nsatc.net
ssw.live.com
ssw.live.com.nsatc.net
login.live.com
login.live.com.nsatc.net
directory.services.live.com
directory.services.live.com.akadns.net
bl3302.storage.live.com
skyapi.live.net
bl3302geo.storage.dkyprod.akadns.net
skyapi.skyprod.akadns.net
skydrive.wns.windows.com
register.mesh.com
BN1WNS2011508.wns.windows.com
settings-win.data.microsoft.com
settings.data.glbdns2.microsoft.com
OneSettings-bn2.metron.live.com.nsatc.net
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net"

# Country codes; each one needs a $IPSET_DIR/<code>.lst file of networks.
countries="cn
pk
kp"

start=`date +'%s'`
IPT=`which iptables`
IPSET=`which ipset`
IPSET_DIR=/jffs/ipset_list_dir
# The set types below (nethash/iphash) are ipset 4 syntax, and the matching
# iptables option for ipset 4 is "--set" (ipset 6 uses "--match-set").
MATCH_SET="--set"
#LOGOPT="--log-level=3 -m limit --limit 1/second --limit-burst 10"
#SYNOPT="-m limit --limit 5/second --limit-burst 10"

lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
    insmod $module
done

# Create each set only if it does not exist yet: firewall-start runs on every
# firewall restart, and "-N" fails on a set that is already present.
$IPSET -L blockedcountries > /dev/null 2>&1 || $IPSET -N blockedcountries nethash #block countries
$IPSET -L msblklist > /dev/null 2>&1 || $IPSET -N msblklist iphash #block microsoft telemetry servers
$IPSET -L adware > /dev/null 2>&1 || $IPSET -N adware iphash #block adware
$IPSET -L ciscore > /dev/null 2>&1 || $IPSET -N ciscore iphash
$IPSET -L malwaredom > /dev/null 2>&1 || $IPSET -N malwaredom iphash

for i in $msbl
do
    $IPSET -q -A msblklist ${i}
done
# Test for the set name that the rule actually contains, otherwise the rule
# is inserted again on every run.
[ -z "$(iptables-save | grep msblklist)" ] && $IPT -I FORWARD -m set $MATCH_SET msblklist dst -j logdrop

# Note: the ciscore, malwaredom and adware sets are filled but no iptables
# rule references them, so they block nothing until a rule is added.
for ip in `cat $IPSET_DIR/ciscore.lst`
do
    $IPSET -q -A ciscore ${ip}
done

for ip in `cat $IPSET_DIR/malwaredom.lst`
do
    $IPSET -q -A malwaredom ${ip}
done

for country in $countries
do
    # skip a country whose list file is missing instead of failing on cat
    [ -e $IPSET_DIR/${country}.lst ] || continue
    for ip in `cat $IPSET_DIR/${country}.lst`
    do
        $IPSET -q -A blockedcountries $ip
    done
done
[ -z "$(iptables-save | grep blockedcountries)" ] && $IPT -I INPUT -m set $MATCH_SET blockedcountries src -j logdrop
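The script feeds whatever is in the .lst files straight into ipset, so a stray comment, a Windows line ending or a mistyped octet either aborts the load or silently ends up in the set. Below is an added example (not part of the post above) of a POSIX sh loader that validates each line as an IPv4 address or CIDR prefix before adding it, counts what it accepted and rejected, and reports the rejects on stderr. It assumes the same `$IPSET` variable as the script; the set and file names are whatever the caller passes in.

```shell
#!/bin/sh
# Return 0 if $1 is a well-formed IPv4 address or CIDR prefix, 1 otherwise.
# Pure POSIX sh: no bash arrays or regex extensions, so it runs in busybox.
valid_cidr() {
    entry=$1
    addr=${entry%%/*}
    prefix=""
    case "$entry" in
        */*) prefix=${entry#*/} ;;
    esac
    # If a slash is present the prefix must be a number in 0..32.
    if [ "$addr" != "$entry" ]; then
        case "$prefix" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$prefix" -le 32 ] || return 1
    fi
    # Split on dots; disable globbing so a "*" in the file cannot expand.
    oldifs=$IFS
    set -f
    IFS=.
    set -- $addr
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric field
            0[0-9]*) return 1 ;;       # leading zero could be read as octal
        esac
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Load $2 into set $1, skipping blank lines, "#" comments and invalid
# entries. Prints "<loaded> <rejected>" and returns 1 if nothing was loaded,
# so a caller can refuse to install a rule on top of an empty set.
load_list() {
    setname=$1
    file=$2
    loaded=0
    rejected=0
    [ -r "$file" ] || { echo "0 0"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # and blanks / CR
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            $IPSET -q -A "$setname" "$line"
            loaded=$((loaded + 1))
        else
            echo "firewall-start: rejected '$line' in $file" >&2
            rejected=$((rejected + 1))
        fi
    done < "$file"
    echo "$loaded $rejected"
    [ "$loaded" -gt 0 ]
}
```

In the script above this would replace each `for ip in \`cat ...\`` loop with `load_list blockedcountries "$IPSET_DIR/${country}.lst"`, and the `-I INPUT ... -j logdrop` rule would only be installed when the function returned success.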