Country Blocking

slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Fri Apr 17, 2015 15:39
Guys,
I finally got the usb drive to mount; added UUID to /opts; created the .sh file & placed it in the appropriate folder.
I was having minor issues (the usb was 1) with the newest BS firmware so I reverted back to the latest Kong firmware. Fixed all those issues I was having.

Anyway, I put the file in place, added the FW rules as indicated. (rebooted of course)

Now how do I know if it's working?
Generally I have logging disabled though for testing I could enable it if needed.

Thank you
Mike

_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode

R7000 specific Tips/Tricks.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264152
HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

Posted: Sat Apr 18, 2015 2:29
Mike,

The following commands posted by JAMESMTL have shown me that the rules are working:

iptables -vnL INPUT
iptables -vnL FORWARD
iptables -vnL countrydropin | tail -n 5
iptables -vnL countrydropout | tail -n 5
iptables -vnL countrydropin | awk '{ if ($1 > 0) print $0 }'
iptables -vnL countrydropout | awk '{ if ($1 > 0) print $0 }'

_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x
https://pi-hole.net/
https://github.com/DNSCrypt/dnscrypt-proxy
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Sat Apr 18, 2015 2:59
HB,
thank you for the commands.
So I ran each of the commands you listed and I have results but I don't see any hits.
I don't know if I should see hits unless I am trying to access (or be accessed by) one of the blocked country codes.

Here are the outputs of each command as listed.

root@R7000:~# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
24754 2950K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
204K 14M countrydropin 0 -- vlan2 * 0.0.0.0/0 0.0.0.0/0
144 47232 ACCEPT udp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 DROP udp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
130 6760 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:443
0 0 ACCEPT tcp -- vlan2 * 0.0.0.0/0 192.168.1.1 tcp dpt:222
0 0 ACCEPT tcp -- vlan2 * 0.0.0.0/0 192.168.1.1 tcp dpt:23
66 6670 DROP icmp -- vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
12 744 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
79053 8615K ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
204K 14M DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
root@R7000:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 137 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.7 udp dpt:61250
0 0 ACCEPT 47 -- * vlan2 192.168.1.0/24 0.0.0.0/0
33M 47G countrydropin 0 -- vlan2 * 0.0.0.0/0 0.0.0.0/0
19M 2054M countrydropout 0 -- * vlan2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * vlan2 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723
52M 49G lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
52M 49G ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:8800
2381 124K ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpts:5009:5010
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:5050
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:5050
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:1194
73 4036 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:22
15 788 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpts:9007:9008
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpts:9007:9008
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:9091
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:4243
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:4243
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:4662
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:4662
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:4672
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:4672
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.88 tcp spt:8443
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp spt:443
2 88 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:21
0 0 TRIGGER 0 -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
243K 16M trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
241K 16M ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
1743 89610 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
root@R7000:~# iptables -vnL countrydropin | tail -n 5
Chain countrydropin (2 references)
pkts bytes target prot opt in out source destination
root@R7000:~# iptables -vnL countrydropout | tail -n 5
Chain countrydropout (1 references)
pkts bytes target prot opt in out source destination
root@R7000:~# iptables -vnL countrydropin | awk '{ if ($1 > 0) print $0 }'
Chain countrydropin (2 references)
pkts bytes target prot opt in out source destination
root@R7000:~# iptables -vnL countrydropin | awk '{ if ($1 > 0) print $0 }'
Chain countrydropin (2 references)
pkts bytes target prot opt in out source destination
root@R7000:~# iptables -vnL countrydropout | awk '{ if ($1 > 0) print $0 }'
Chain countrydropout (1 references)
pkts bytes target prot opt in out source destination
root@R7000:~#

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sat Apr 18, 2015 3:06
Your chains countrydropin and countrydropout have not been populated with any rules, therefore no hits possible.

Attach the script you used so we can see why.
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Sat Apr 18, 2015 3:13
Thanks James.
I used notepad++.
Created a new file.
Pasted badmoon's first post script.
Saved it as a unix script .sh file.
Moved it to the opt/ipblock folder.
Added the firewall rules and rebooted.

Maybe the auto update cron job needs to run first?
I did not add that to the cron until after the router reboot.

It won't allow me to upload it as a .sh so I have to rename the file.



Attachment: ipblock.txt (1.61 KB)


JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sat Apr 18, 2015 3:17
Out of curiosity did you make the script executable?

Did you try to manually run script? Was there an error?

I'll try and look at what you sent a little later on
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Sat Apr 18, 2015 3:20
When I created the file I did set the attributes the same as the other .sh files I have for config backup, so yes, I believe the file is set to executable.

No I have not tried running it manually.
I assumed it would fire on reboot.

I copied badmoon's post exactly.
Now if I was supposed to modify some lines that could be worth checking.

I will go look at his first post again.
I will also see if I can run it manually from ssh.

**update**
from ssh I ran this.
/opt/ipblock/ipblock.sh
it resulted in an error.
-sh: /opt/ipblock/ipblock.sh: not found

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sat Apr 18, 2015 3:26
Ha please try and run from ssh as that can speed up the debug process.
HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

Posted: Sat Apr 18, 2015 3:27
I run my script by running "sh /opt/ipblock/ipblock.sh" on the CLI.

Try that then run the commands from earlier. The tail commands should give you something at that point.

slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Sat Apr 18, 2015 3:33
I get an error trying to run from ssh.
root@R7000:~# sh /opt/ipblock/ipblock.sh
sh: can't open '/opt/ipblock/ipblock.sh'

Clearly I have done something wrong.
Here is an image using winscp showing where I have the file.



Attachment: countryblock.jpg (51.58 KB)



JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sat Apr 18, 2015 3:37
I suspect you didn't mount opt

What does

ls -l /opt
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Sat Apr 18, 2015 3:38
root@R7000:~# ls -l /opt
drwxr-xr-x 3 root root 25 Mar 22 18:24 lib

HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

Posted: Sat Apr 18, 2015 3:39
My file is not an executable:

-rw-r--r-- 1 0 0 2186 Apr 17 21:41 ipblock.sh

Mike, I think you are getting that error because it is not the right path for the file.

Can you find it in the CLI, run "pwd" and copy that directory with the ipblock.sh file name at the end?

Alternatively you can confirm that the partition is mounted to /opt in the Services>USB tab on the webIF. For example, my USB drive has the following on that tab:

--- /dev/sda1
Block device, size 7.455 GiB (8004288512 bytes)
Ext2 file system
Volume name "Space"
UUID 1C07AF6D-4201-BB96-1BBC-FCC402F7C156 (NCS)
Volume size 7.455 GiB (8004288512 bytes, 7816688 blocks of 1 KiB)
/dev/sda1 mounted to /opt

slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Sat Apr 18, 2015 3:45
It's on a usb thumb drive I use for my backup scripts.

root@R7000:/tmp/mnt/sda1/opt# cd /mnt/sda1/opt/ipblock
root@R7000:/tmp/mnt/sda1/opt/ipblock# ls
ipblock.sh
root@R7000:/tmp/mnt/sda1/opt/ipblock# pwd
/mnt/sda1/opt/ipblock
root@R7000:/tmp/mnt/sda1/opt/ipblock#

HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

Posted: Sat Apr 18, 2015 3:47
Try running "sh /tmp/mnt/sda1/opt/ipblock/ipblock.sh"
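The checks worked through in this thread, gathered into one script as an added example (not code posted by any participant or shipped with DD-WRT): it classifies `iptables -vnL <chain>` output as empty, loaded without hits, or loaded with hits, and reports which device, if any, is mounted on /opt. The function names and the populated-chain and mounts samples are constructed for illustration; the empty-chain sample is the output posted above.

```shell
#!/bin/sh
# Added example: the verification steps from this thread as reusable checks.

# Reads `iptables -vnL <chain>` on stdin; prints "<rules> <rules_with_hits>".
# Lines 1-2 are the "Chain ..." banner and the column header. A bare
# `$1 > 0` test also matches them (awk compares non-numeric fields as
# strings), so they are skipped by line number. pkts can carry a K/M/G
# suffix, hence the string comparison against "0".
chain_stats() {
    awk 'NR > 2 && NF > 0 { rules++; if ($1 != "0") hits++ }
         END { printf "%d %d\n", rules, hits }'
}

# Turns the two counters into a verdict.
chain_state() {
    set -- $(chain_stats)
    if [ "$1" -eq 0 ]; then echo "empty"            # script never populated it
    elif [ "$2" -eq 0 ]; then echo "loaded-no-hits" # rules present, no matches yet
    else echo "loaded-with-hits"
    fi
}

# Reads /proc/mounts-style text on stdin; prints the device mounted on the
# given mount point (default /opt), or nothing if nothing is mounted there.
mount_source() {
    awk -v mp="${1:-/opt}" '$2 == mp { print $1 }'
}

# Output as posted in the thread: banner and header only, no rules.
EMPTY_CHAIN='Chain countrydropin (2 references)
pkts bytes target prot opt in out source destination'

# Constructed sample of a populated chain (documentation address ranges).
LOADED_CHAIN='Chain countrydropin (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 192.0.2.0/24 0.0.0.0/0
12 720 DROP 0 -- * * 198.51.100.0/24 0.0.0.0/0
3K 180K DROP 0 -- * * 203.0.113.0/24 0.0.0.0/0'

# Constructed mounts excerpt: drive under /tmp/mnt/sda1, nothing on /opt.
MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 /tmp/mnt/sda1 ext2 rw 0 0'

printf 'empty chain:  %s\n' "$(printf '%s\n' "$EMPTY_CHAIN" | chain_state)"
printf 'loaded chain: %s\n' "$(printf '%s\n' "$LOADED_CHAIN" | chain_state)"
printf '/opt device:  [%s]\n' "$(printf '%s\n' "$MOUNTS" | mount_source /opt)"
# On the router: iptables -vnL countrydropin | chain_state
#                mount_source /opt < /proc/mounts
```

An "empty" verdict together with no device on /opt matches the situation in this thread: the firewall rules reference the chains, but the script that fills them was never found at /opt/ipblock/ipblock.sh.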