You could simplify it slightly by giving the temporary script a .wanup extension and putting it in /tmp/etc/config/ instead of checking/adding it to the firewall script. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Joined: 06 Jun 2006 Posts: 3763 Location: I'm the one on the plate.
Posted: Wed Nov 04, 2009 10:02 Post subject:
frater wrote:
But nobody's downloading it?
Oh, I am going to! I thought about building a dedicated Linux box to include this exact function and use it as a gateway controller. I need to run your process before I can generate any questions about it though. (Tomorrow. I've gotta crash for now.)
I think this is going to become an essential component of most internet access. It is a fantastic tool against spam and a huge help for controlling the spread of malware.
I gave it a complete overhaul and if you don't mind blocking the good people from down under, the script will bring it down to a mere 39 rules....
I also discovered you should whitelist the US as well as it has some subnets too within those subnets...
And could someone please check whether I have the iptables rules themselves correct.
I was all the time focused on getting a compact list of rules...
If you want only specific traffic blocked you should adapt that rule in which I chain it with FORWARD.
Maybe it's better to only create the chain and you should chain it yourself.....
I will now leave it as is and wait for some input from you guys..... _________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
The only other thing I can think of is that you're within my blocklist
I turned it off here..
Code:
mkdir -p /opt/sbin
[ -d /opt/sbin ] || { echo "You need a writable /opt"; exit 1; }
wget -O /opt/sbin/aggregate http://wd.mirmana.com/aggregate
chmod +x /opt/sbin/aggregate
# Example run: three /24s, of which 6.0 and 7.0 collapse into one /23
# echo "192.168.5.0/24
# 192.168.6.0/24
# 192.168.7.0/24" | aggregate
# 192.168.5.0/24
# 192.168.6.0/23
PS... Changed the commands to put aggregate in /opt/sbin for those that don't want my whole optware collection yet.... You also need ipcalc to properly run the program...
Joined: 06 Jun 2006 Posts: 3763 Location: I'm the one on the plate.
Posted: Thu Nov 05, 2009 5:05 Post subject:
I got your message to mount /opt from the webinterface.
I'm afraid this may all be more than I can handle. Before I waste any more of your time, let me tell you that I am a copy and paste artist, at best. I have no experience at all with Linux other than pasting in the scripts that knowledgeable folks like you write. Worse yet, I have no idea what /opt is or how to mount it.
Testing with Whr-g-54s, BS 12874 STD. _________________ http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.
Last edited by GeeTek on Thu Nov 05, 2009 5:18; edited 1 time in total
optware is really a prerequisite....
You should ask Santa Claus for an Asus RTN16 if the DD-WRT firmware is ready before that time....
And some storage too!
Joined: 06 Jun 2006 Posts: 3763 Location: I'm the one on the plate.
Posted: Thu Nov 05, 2009 5:25 Post subject:
Thanks for your efforts Frater. I hope others will be able to make use of your nice work.
If you ever build a complete platform with a GUI to enter the country white list into, then I'm sure it would be a raging large scale success. I know I.T. nerdz everywhere would love to have this and would pay good money for it. A boot CD along the lines of m0n0wall would be superb.
You can also use just the result of my program....
The lists are quite static...
All IPs in China/India/Pakistan/Cambodia are listed
and most of the rest of Asia..
If that script is called each firewall restart and you chain "asia" in with this command then Bob's your uncle...
Code:
iptables -I FORWARD -j asia
If you use this rule instead of the previous one, only http-traffic will be blocked.
Code:
iptables -I FORWARD -p tcp --dport 80 -j asia
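Worked example for the two steps discussed above (collapsing the block list, including carving a whitelisted subnet out of a blocked range as with the US subnets mentioned earlier, and emitting the "asia" chain with either FORWARD hook); this is added here and is not frater's script. It uses Python's ipaddress module in place of the aggregate/ipcalc tools, and the CIDR ranges are constructed documentation prefixes, not the thread's real country lists.

```python
import ipaddress

# Constructed sample input (documentation ranges, not the thread's country lists):
# networks to block, plus a "good" subnet that sits inside one of them.
BLOCK = ["192.0.2.0/24", "192.0.3.0/24", "198.51.100.0/25",
         "198.51.100.128/25", "203.0.113.0/24"]
ALLOW = ["192.0.2.128/26"]


def aggregate(cidrs):
    """Collapse adjacent or overlapping prefixes into the fewest networks
    (what the thread's aggregate tool does, here via the stdlib)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def block_minus_allow(block, allow):
    """Carve whitelisted subnets out of the block ranges, then aggregate.
    A whitelist prefix that covers a whole block range removes it entirely."""
    pieces = [ipaddress.ip_network(c, strict=False) for c in block]
    for a in (ipaddress.ip_network(w, strict=False) for w in allow):
        nxt = []
        for p in pieces:
            if a.subnet_of(p):
                nxt.extend(p.address_exclude(a))  # split p around the hole
            elif not p.subnet_of(a):
                nxt.append(p)                     # untouched by this entry
        pieces = nxt
    return [str(n) for n in ipaddress.collapse_addresses(pieces)]


def covered(nets, ip):
    """True if ip falls inside any prefix, i.e. it would be dropped by the chain."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def chain_rules(chain, nets, http_only=False):
    """iptables commands that (re)build the chain and hook it into FORWARD,
    mirroring the two insertion variants shown in the thread."""
    rules = [f"iptables -N {chain} 2>/dev/null", f"iptables -F {chain}"]
    rules += [f"iptables -A {chain} -s {n} -j DROP" for n in nets]
    if http_only:
        rules.append(f"iptables -I FORWARD -p tcp --dport 80 -j {chain}")
    else:
        rules.append(f"iptables -I FORWARD -j {chain}")
    return rules


if __name__ == "__main__":
    nets = block_minus_allow(BLOCK, ALLOW)
    print(f"{len(BLOCK)} input ranges -> {len(nets)} DROP rules")
    print("\n".join(chain_rules("asia", nets, http_only=True)))
```

The rule count printed at the end is the figure frater is optimising for; a whitelist hole inside a range costs a few extra prefixes, which the aggregation step keeps to a minimum.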
If that script is called each firewall restart and you chain "asia" in with this command then Bob's your uncle...
Code:
iptables -I FORWARD -j asia
Cool! This is something that I will be able to use right away, and I plan to. Thanks again!
You could simplify it slightly by giving the temporary script a .wanup extension and putting it in /tmp/etc/config/ instead of checking/adding it to the firewall script.
I'm going to do something with this info, but I'm not putting my file there.
I'm going to put a symbolic link there which can be removed / created.
I do think I'm going to keep the chain insertion in rc_firewall otherwise there's no way of seeing this rule in the webif. I might leave those rules in rc_firewall alone and just make the chains.
I also noticed you can only have 1 .wanup script there....
I'm now only blocking incoming http traffic from Asia by just adding
Code:
iptables -I FORWARD -p tcp --dport 80 -j asia
Such a powerful tool iptables.
In the near future I'll be looking at TPROXY and iptables to make pound completely transparent.....
Using /tmp/etc/config/*.wanup scripts is possible and in some tests I did I was able to use multiple files.
I just can't really tell in which order they are being executed. Anyone know?
I do know it is being executed after rc_firewall which means I can't reference any chains there as they don't exist yet. That's a bummer really as I just wanted to create some chains first and then reference them in rc_firewall.
Refresher course. http://www.dd-wrt.com/wiki/index.php/Script_Execution
This is the 2nd time he has put a useless comment after I placed a ticket in trac. I've spent numerous hours helping others on this forum and I can safely say I've helped more than enough members and for sure more than he ever will.
After he pulled that same stunt the first time I pm'd him but he didn't even have the decency to reply.
@holes... there's one born every minute it seems.
Joined: 24 Feb 2009 Posts: 2026 Location: Sol System > Earth > USA > Arkansas
Posted: Fri Nov 06, 2009 22:42 Post subject:
Meh ... if it helps any, I tried to make a useful comment for you. And honestly, I do think it would improve the modularity of what you are doing. _________________ E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]
Try Dropbox for syncing files - get 2.5gb online for free by signing up.
Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.