Blocking Regions/Countries Help

phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Nov 04, 2009 8:23
You could simplify it slightly by giving the temporary script a .wanup extension and putting it in /tmp/etc/config/ instead of checking/adding it to the firewall script.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

PostPosted: Wed Nov 04, 2009 10:02
frater wrote:
But nobody's downloading it?

Oh, I am going to! I thought about building a dedicated Linux box to include this exact function and use it as a gateway controller. I need to run your process before I can generate any questions about it though. (Tomorrow. I've gotta crash for now.)

I think this is going to become an essential component of most internet access. It is a fantastic tool against spam and a huge help for controlling the spread of malware.
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Wed Nov 04, 2009 20:02
I gave it a complete overhaul and if you don't mind blocking the good people from down under, the script will bring it down to a mere 39 rules....

I also discovered you should whitelist the US as well, as it too has some subnets within those subnets...

And could someone please look if I have the iptables rules themselves correct.
I was all the time focused on getting a compact list of rules...

If you want only specific traffic blocked you should adapt that rule in which I chain it with FORWARD.
Maybe it's better to only create the chain and you should chain it yourself.....

I will now leave it as is and wait for some input from you guys.....

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

PostPosted: Thu Nov 05, 2009 2:28
Whelp.... What am I doing wrong?

[Attachment: ScreenShot002.jpg]


frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Thu Nov 05, 2009 3:48
GeeTek wrote:
Whelp.... What am I doing wrong?

You never installed my optware framework....

Code:
cd /tmp
wget -O /tmp/prep_optware http://wd.mirmana.com/prep_optware
sh prep_optware


Or you just create that directory...
Code:
mkdir -p /opt/usr/sbin
wget -O /opt/usr/sbin/optlog http://wd.mirmana.com/optlog
ipkg-opt update
ipkg-opt install ipcalc


The only other thing I can think of is that you're within my blocklist.
I turned it off here..

Code:
# aggregate lives in /opt/sbin, so that is the directory that must exist and be writable
mkdir -p /opt/sbin
[ -d /opt/sbin ] || { echo "You need a writable /opt" >&2; exit 1; }
wget -O /opt/sbin/aggregate http://wd.mirmana.com/aggregate
chmod +x /opt/sbin/aggregate
# example run: the '#' below is the root prompt; the two lines after the
# command are aggregate's output (the adjacent /24s are merged into one /23)
# echo "192.168.5.0/24
192.168.6.0/24
192.168.7.0/24" | aggregate
192.168.5.0/24
192.168.6.0/23



PS... Changed the commands to put aggregate in /opt/sbin for those that don't want my whole optware collection yet.... You also need ipcalc to properly run the program...

GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

PostPosted: Thu Nov 05, 2009 5:05
I got your message to mount /opt from the webinterface.

I'm afraid this may all be more than I can handle. Before I waste any more of your time, let me tell you that I am a copy and paste artist, at best. I have no experience at all with Linux other than pasting in the scripts that knowledgeable folks like you write. Worse yet, I have no idea what /opt is or how to mount it.

Testing with Whr-g-54s, BS 12874 STD.

_________________
http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.


Last edited by GeeTek on Thu Nov 05, 2009 5:18; edited 1 time in total
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Thu Nov 05, 2009 5:13
optware is really a prerequisite....
You should ask Santa Claus for an Asus RTN16 if the DD-WRT firmware is ready before that time....

And some storage too!

GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

PostPosted: Thu Nov 05, 2009 5:25
Thanks for your efforts Frater. I hope others will be able to make use of your nice work.

If you ever build a complete platform with a GUI to enter the country white list into, then I'm sure it would be a raging large scale success. I know I.T. nerdz everywhere would love to have this and would pay good money for it. A boot CD along the lines of m0n0wall would be superb.

frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Thu Nov 05, 2009 5:39
You can also use just the result of my program....
The lists are quite static...
All IPs in China/India/Pakistan/Cambodia are listed
and most of the rest of Asia..

Alas.. this list also includes the Aussies...

These are the tables....

http://pastebin.com/f671890df

It will create 2 chains, asia and SPAMasia.

If that script is called each firewall restart and you chain "asia" in with this command then Bob's your uncle...

Code:
iptables -I FORWARD -j asia


If you use this rule instead of the previous one, only http-traffic will be blocked.
Code:
iptables -I FORWARD -p tcp --dport 80 -j asia

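As an added example (not code from this thread or from frater's scripts), the whitelist-then-aggregate step and the chain wiring described above can be expressed in Python: whitelisted subnets are carved out of the blocked prefixes, the remainder is collapsed into the fewest CIDR blocks (the reduction the `aggregate` tool performs, e.g. two adjacent /24s become one /23), and the result is emitted as iptables commands that build the chain and hook it into FORWARD, optionally only for TCP port 80. The prefixes are constructed sample values; the chain name `asia` follows the thread.

```python
import ipaddress

# Constructed sample prefixes, not the thread's real country lists.
BLOCK = ["192.0.2.0/24", "192.0.3.0/24", "198.51.100.0/22"]
WHITELIST = ["198.51.100.64/26"]  # a "good" subnet inside a blocked range


def build_blocklist(block, whitelist):
    """Carve whitelisted subnets out of the blocked prefixes, then collapse
    adjacent or nested networks into the fewest CIDR prefixes (the same
    reduction the thread's `aggregate` tool performs on its input)."""
    good = [ipaddress.ip_network(w) for w in whitelist]
    pieces = []
    for b in block:
        nets = [ipaddress.ip_network(b)]
        for g in good:
            remaining = []
            for n in nets:
                if n.subnet_of(g):
                    continue  # whole prefix is whitelisted: drop it
                if g.subnet_of(n):
                    remaining.extend(n.address_exclude(g))  # punch a hole
                else:
                    remaining.append(n)
            nets = remaining
        pieces.extend(nets)
    return [str(n) for n in ipaddress.collapse_addresses(pieces)]


def iptables_rules(chain, prefixes, port=None):
    """Return the iptables commands that (re)build `chain` with one DROP per
    prefix and hook it at the top of FORWARD; with `port` set, only TCP
    traffic to that port is sent through the chain (as in the thread's
    `-p tcp --dport 80` variant)."""
    rules = [f"iptables -N {chain}", f"iptables -F {chain}"]
    rules += [f"iptables -A {chain} -s {p} -j DROP" for p in prefixes]
    match = f" -p tcp --dport {port}" if port is not None else ""
    rules.append(f"iptables -I FORWARD{match} -j {chain}")
    return rules


if __name__ == "__main__":
    prefixes = build_blocklist(BLOCK, WHITELIST)
    print("\n".join(iptables_rules("asia", prefixes, port=80)))
```

Because the whitelist is subtracted before aggregation, the chain needs no RETURN rules and every remaining prefix is a pure DROP.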
GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

PostPosted: Thu Nov 05, 2009 6:20
frater wrote:
You can also use just the result of my program....
...
These are the tables....

http://pastebin.com/f671890df

It will create 2 chains, asia and SPAMasia.

If that script is called each firewall restart and you chain "asia" in with this command then Bob's your uncle...

Code:
iptables -I FORWARD -j asia


Cool ! This is something that I will be able to use right away, and I plan to. Thanks again !

frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Thu Nov 05, 2009 18:07
phuzi0n wrote:
You could simplify it slightly by giving the temporary script a .wanup extension and putting it in /tmp/etc/config/ instead of checking/adding it to the firewall script.


I'm going to do something with this info, but I'm not putting my file there.
I'm going to put a symbolic link there which can be removed / created.

I do think I'm going to keep the chain insertion in rc_firewall otherwise there's no way of seeing this rule in the webif. I might leave those rules in rc_firewall alone and just make the chains.

I also noticed you can only have 1 .wanup script there....

I'm now only blocking incoming http traffic from Asia by just adding

Code:
iptables -I FORWARD -p tcp --dport 80 -j asia


Such a powerful tool iptables.
In the near future I'll be looking at TPROXY and iptables to make pound completely transparent.....

frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Fri Nov 06, 2009 17:12
Using /tmp/etc/config/*.wanup scripts is possible and in some tests I did I was able to use multiple files.

I just can't really tell in which order they are being executed. Anyone knows?
I do know it is being executed after rc_firewall which means I can't reference any chains there as they don't exist yet. That's a bummer really as I just wanted to create some chains first and then reference them in rc_firewall.

phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Fri Nov 06, 2009 21:38
Refresher course. http://www.dd-wrt.com/wiki/index.php/Script_Execution
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Fri Nov 06, 2009 22:28
Who the $^#%$# is this mixmasta guy?
http://svn.dd-wrt.com:8000/dd-wrt/ticket/1283

DAMN YOU!

This is the 2nd time he puts a useless comment after I place a ticket in trac. I've spent numerous hours helping others on this forum and I can safely say I've helped more than enough members and for sure more than he ever will.

After he pulled that same stunt the first time I pm'd him but he didn't even have the decency to reply.

@holes... there's one born every minute it seems.



Last edited by frater on Fri Nov 06, 2009 22:45; edited 1 time in total
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

PostPosted: Fri Nov 06, 2009 22:42
Meh ... if it helps any, I tried to make a useful comment for you. And honestly, I do think it would improve the modularity of what you are doing.
_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.