slidermike DD-WRT Guru Joined: 11 Nov 2013 Posts: 1487 Location: USA
Posted: Fri Apr 17, 2015 15:39 Post subject:
Guys,
I finally got the USB drive to mount; added the UUID to /opts; created the .sh file and placed it in the appropriate folder.
I was having minor issues (the USB was one) with the newest BS firmware, so I reverted back to the latest Kong firmware. That fixed all the issues I was having.
Anyway, I put the file in place and added the FW rules as indicated (rebooted, of course).
Now how do I know if it's working?
Generally I have logging disabled though for testing I could enable it if needed.
Thank you
Mike
_________________ Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode
R7000 specific Tips/Tricks.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264152
HalfBit DD-WRT Guru Joined: 04 Sep 2009 Posts: 776 Location: AR, USA
Posted: Sat Apr 18, 2015 2:29 Post subject:
Mike,
The following commands posted by JAMESMTL have shown me that the rules are working:
iptables -vnL INPUT
iptables -vnL FORWARD
iptables -vnL countrydropin | tail -n 5
iptables -vnL countrydropout | tail -n 5
iptables -vnL countrydropin | awk '{ if ($1 > 0) print $0 }'
iptables -vnL countrydropout | awk '{ if ($1 > 0) print $0 }'
_________________ R7000 Nighthawk - DD-WRT v3.0-r50308
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x
https://pi-hole.net/
https://github.com/DNSCrypt/dnscrypt-proxy
slidermike DD-WRT Guru Joined: 11 Nov 2013 Posts: 1487 Location: USA
Posted: Sat Apr 18, 2015 2:59 Post subject:
HB,
Thank you for the commands.
So I ran each of the commands you listed and I have results, but I don't see any hits.
I don't know if I should see hits unless I am trying to access (or be accessed by) one of the blocked country codes.
Here are the outputs of each command as listed.
root@R7000:~# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
24754 2950K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
204K 14M countrydropin 0 -- vlan2 * 0.0.0.0/0 0.0.0.0/0
144 47232 ACCEPT udp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 DROP udp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
130 6760 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:443
0 0 ACCEPT tcp -- vlan2 * 0.0.0.0/0 192.168.1.1 tcp dpt:222
0 0 ACCEPT tcp -- vlan2 * 0.0.0.0/0 192.168.1.1 tcp dpt:23
66 6670 DROP icmp -- vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
12 744 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
79053 8615K ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
204K 14M DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
root@R7000:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 137 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.7 udp dpt:61250
0 0 ACCEPT 47 -- * vlan2 192.168.1.0/24 0.0.0.0/0
33M 47G countrydropin 0 -- vlan2 * 0.0.0.0/0 0.0.0.0/0
19M 2054M countrydropout 0 -- * vlan2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * vlan2 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723
52M 49G lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
52M 49G ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:8800
2381 124K ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpts:5009:5010
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:5050
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:5050
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:1194
73 4036 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:22
15 788 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpts:9007:9008
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpts:9007:9008
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:9091
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:4243
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:4243
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:4662
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:4662
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:4672
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:4672
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.88 tcp spt:8443
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.1.1 tcp spt:443
2 88 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.19 tcp dpt:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 udp dpt:21
0 0 TRIGGER 0 -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
243K 16M trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
241K 16M ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
1743 89610 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
root@R7000:~# iptables -vnL countrydropin | tail -n 5
Chain countrydropin (2 references)
pkts bytes target prot opt in out source destination
root@R7000:~# iptables -vnL countrydropout | tail -n 5
Chain countrydropout (1 references)
pkts bytes target prot opt in out source destination
root@R7000:~# iptables -vnL countrydropin | awk '{ if ($1 > 0) print $0 }'
Chain countrydropin (2 references)
pkts bytes target prot opt in out source destination
root@R7000:~# iptables -vnL countrydropin | awk '{ if ($1 > 0) print $0 }'
Chain countrydropin (2 references)
pkts bytes target prot opt in out source destination
root@R7000:~# iptables -vnL countrydropout | awk '{ if ($1 > 0) print $0 }'
Chain countrydropout (1 references)
pkts bytes target prot opt in out source destination
root@R7000:~#
JAMESMTL DD-WRT Guru Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Sat Apr 18, 2015 3:06 Post subject:
Your chains countrydropin and countrydropout have not been populated with any rules, therefore no hits are possible.
Attach the script you used so we can see why.
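The hit-count commands HalfBit listed, the empty chains in Mike's output, and JAMESMTL's diagnosis all come down to one question: do the country chains contain any rules, and are any of those rules seeing packets? The script below is an added example, not code from the thread or from badmoon's ipblock script. It parses an "iptables -vnL" listing read from stdin (captured output, so it can be tested offline) and prints that answer per chain, then turns the pair into a pass/fail verdict. The sample listings are constructed (RFC 5737 documentation addresses, not real block lists); the chain names countrydropin and countrydropout are the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): turn the "iptables -vnL <chain>" eyeballing
# into a pass/fail check. chain_status reads an iptables -vnL listing on stdin so it
# can be tested offline on captured output; on the router, pipe the live listing in:
#   iptables -vnL | sh chaincheck.sh --verdict

# chain_status <chain>: prints missing | empty | nohits | hits:<rules with packets>
chain_status() {
    awk -v chain="$1" '
        # A "Chain X (...)" header starts (or ends) the chain of interest
        $1 == "Chain" { inchain = ($2 == chain); if (inchain) seen = 1; next }
        # Skip lines outside the chain, the column header, and blank separators
        !inchain || $1 == "pkts" || NF == 0 { next }
        # Every remaining line is a rule; column 1 is its packet counter
        { rules++; if ($1 != "0") hot++ }
        END {
            if (!seen)           print "missing"
            else if (rules == 0) print "empty"
            else if (hot == 0)   print "nohits"
            else                 print "hits:" hot
        }'
}

# countryblock_verdict: reads a full "iptables -vnL" listing on stdin and fails
# when either country chain has no rules, which is the state shown in the thread
countryblock_verdict() {
    listing=$(cat)
    in_st=$(printf '%s\n' "$listing" | chain_status countrydropin)
    out_st=$(printf '%s\n' "$listing" | chain_status countrydropout)
    case "$in_st:$out_st" in
        *missing*|*empty*) echo "FAIL: country chains not populated (in=$in_st out=$out_st)"; return 1 ;;
        *)                 echo "OK: in=$in_st out=$out_st"; return 0 ;;
    esac
}

# Constructed sample listings (RFC 5737 documentation ranges, not real block lists)
SAMPLE_EMPTY='Chain countrydropin (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain countrydropout (1 references)
 pkts bytes target     prot opt in     out     source               destination'

SAMPLE_POPULATED='Chain countrydropin (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       198.51.100.0/24      0.0.0.0/0
   17  1020 DROP       0    --  *      *       203.0.113.0/24       0.0.0.0/0

Chain countrydropout (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       0.0.0.0/0            198.51.100.0/24'

case "${1:-}" in
    --verdict) countryblock_verdict ;;
    --demo)    printf '%s\n' "$SAMPLE_EMPTY" | countryblock_verdict
               printf '%s\n' "$SAMPLE_POPULATED" | countryblock_verdict ;;
esac
```

Run with --demo to see both outcomes on the constructed samples: the empty listing fails exactly as Mike's did, the populated one reports one countrydropin rule with packets and a countrydropout chain that has rules but no hits yet. The packet column is compared as a string against "0" on purpose, so counters printed with K/M suffixes (204K, 33M in the thread) still count as hits.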
slidermike DD-WRT Guru Joined: 11 Nov 2013 Posts: 1487 Location: USA
Posted: Sat Apr 18, 2015 3:13 Post subject:
Thanks James.
I used Notepad++.
Created a new file.
Pasted badmoon's first-post script.
Saved it as a Unix script .sh file.
Moved it to the opt/ipblock folder.
Added the firewall rules and rebooted.
Maybe the auto-update cron job needs to run first?
I did not add that to the cron until after the router reboot.
It won't allow me to upload it as a .sh, so I had to rename the file.
Attachment: ipblock.txt (1.61 KB, downloaded 508 times)
JAMESMTL DD-WRT Guru Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Sat Apr 18, 2015 3:17 Post subject:
Out of curiosity, did you make the script executable?
Did you try to manually run the script? Was there an error?
I'll try and look at what you sent a little later on.
slidermike DD-WRT Guru Joined: 11 Nov 2013 Posts: 1487 Location: USA
Posted: Sat Apr 18, 2015 3:20 Post subject:
When I created the file I set the attributes the same as the other .sh files I have for config backup, so yes, I believe the file is set to executable.
No, I have not tried running it manually.
I assumed it would fire on reboot.
I copied badmoon's post exactly.
Now if I was supposed to modify some lines, that could be worth checking.
I will go look at his first post again.
I will also see if I can run it manually from SSH.
**update**
From SSH I ran this:
/opt/ipblock/ipblock.sh
It resulted in an error:
-sh: /opt/ipblock/ipblock.sh: not found
JAMESMTL DD-WRT Guru Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Sat Apr 18, 2015 3:26 Post subject:
Ha, please try and run it from SSH, as that can speed up the debug process.
HalfBit DD-WRT Guru Joined: 04 Sep 2009 Posts: 776 Location: AR, USA
Posted: Sat Apr 18, 2015 3:27 Post subject:
I run my script by running "sh /opt/ipblock/ipblock.sh" on the CLI.
Try that then run the commands from earlier. The tail commands should give you something at that point.
slidermike DD-WRT Guru Joined: 11 Nov 2013 Posts: 1487 Location: USA
Posted: Sat Apr 18, 2015 3:33 Post subject:
I get an error trying to run it from SSH.
root@R7000:~# sh /opt/ipblock/ipblock.sh
sh: can't open '/opt/ipblock/ipblock.sh'
Clearly I have done something wrong.
Here is an image using WinSCP showing where I have the file.
Attachment: screenshot (51.58 KB, viewed 7293 times)
JAMESMTL DD-WRT Guru Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Sat Apr 18, 2015 3:37 Post subject:
I suspect you didn't mount opt.
What does this show:
ls -l /opt
slidermike DD-WRT Guru Joined: 11 Nov 2013 Posts: 1487 Location: USA
Posted: Sat Apr 18, 2015 3:38 Post subject:
root@R7000:~# ls -l /opt
drwxr-xr-x 3 root root 25 Mar 22 18:24 lib
HalfBit DD-WRT Guru Joined: 04 Sep 2009 Posts: 776 Location: AR, USA
Posted: Sat Apr 18, 2015 3:39 Post subject:
My file is not an executable:
-rw-r--r-- 1 0 0 2186 Apr 17 21:41 ipblock.sh
Mike, I think you are getting that error because it is not the right path for the file.
Can you find it in the CLI, run "pwd", and copy that directory with the ipblock.sh file name at the end?
Alternatively, you can confirm that the partition is mounted to /opt in the Services > USB tab on the webIF. For example, my USB drive shows the following on that tab:
--- /dev/sda1
Block device, size 7.455 GiB (8004288512 bytes)
Ext2 file system
Volume name "Space"
UUID 1C07AF6D-4201-BB96-1BBC-FCC402F7C156 (NCS)
Volume size 7.455 GiB (8004288512 bytes, 7816688 blocks of 1 KiB)
/dev/sda1 mounted to /opt
slidermike DD-WRT Guru Joined: 11 Nov 2013 Posts: 1487 Location: USA
Posted: Sat Apr 18, 2015 3:45 Post subject:
It's on a USB thumb drive I use for my backup scripts.
root@R7000:/tmp/mnt/sda1/opt# cd /mnt/sda1/opt/ipblock
root@R7000:/tmp/mnt/sda1/opt/ipblock# ls
ipblock.sh
root@R7000:/tmp/mnt/sda1/opt/ipblock# pwd
/mnt/sda1/opt/ipblock
root@R7000:/tmp/mnt/sda1/opt/ipblock#
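Mike's "ls -l /opt" showing only the firmware's lib directory, and the script turning up under /mnt/sda1/opt instead, are the two things worth checking before a firewall rule is allowed to depend on a script under /opt. The following is an added example, not the thread's or DD-WRT's own code: it checks whether a filesystem is actually mounted on a given mount point by reading a /proc/mounts-style file, whether the script exists and is executable at the path the rules call, and where a same-named file really lives. The mount point, script path and search roots in the usage line are assumptions for illustration; the test data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a firewall helper
# script that the firewall rules expect under /opt. Usage on the router (paths
# are illustrative assumptions):
#   sh preflight.sh --check /opt /opt/ipblock/ipblock.sh

# is_mounted <mountpoint> [mounts-file]: 0 if some filesystem is mounted there.
# /proc/mounts lines read: device mountpoint fstype options dump pass
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# script_ready <path>: prints ok | missing | not-executable; returns 0 only for ok.
# The thread's "sh: can't open '/opt/ipblock/ipblock.sh'" is the missing case.
script_ready() {
    if [ ! -f "$1" ]; then
        echo "missing: $1"; return 1
    elif [ ! -x "$1" ]; then
        echo "not-executable: $1 (chmod +x it, or invoke it via: sh $1)"; return 2
    fi
    echo "ok: $1"
}

# find_script <name> <root>...: prints the first regular file named <name> under
# the given roots, e.g. find_script ipblock.sh /opt /mnt/sda1/opt /tmp/mnt/sda1/opt
find_script() {
    name="$1"; shift
    for root in "$@"; do
        hit=$(find "$root" -name "$name" -type f 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            echo "$hit"; return 0
        fi
    done
    return 1
}

# main <mountpoint> <script-path>: run both checks and, on failure, report where a
# same-named file actually is so the rules and the file can be brought into line
main() {
    mp="$1"; script="$2"
    if is_mounted "$mp"; then
        echo "mounted: $mp"
    else
        echo "NOT mounted: $mp (check Services > USB and the UUID / mount point you set)"
    fi
    script_ready "$script" && return 0
    alt=$(find_script "$(basename "$script")" /opt /mnt /tmp/mnt) &&
        echo "found a copy at: $alt (the rules reference $script)"
    return 1
}

case "${1:-}" in
    --check) shift; main "$@" ;;
esac
```

In Mike's situation the mount check fails for /opt, script_ready reports the file missing at /opt/ipblock/ipblock.sh, and the search reports the copy under /mnt/sda1/opt/ipblock; either the rules should reference the path the file actually has, or the partition should be mounted to /opt as HalfBit's Services > USB tab shows. The mounts file is a parameter so the check can run against captured data off the router.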
HalfBit DD-WRT Guru Joined: 04 Sep 2009 Posts: 776 Location: AR, USA