Posted: Wed Dec 30, 2009 23:20 Post subject: [SOLVED] dying loading large ip tables (country block)
I'm trying to do country blocks.
First tried just allowing just US for web traffic, but that was a 700k file.
Now trying to just block spam IPs and some foreign countries that are higher on the malicious rating.
I have an asus wl-500g premium v2.
I'm using Firewall Builder with iptables and my dd-wrt has jffs enabled. I have the IP lists in a file and am using an address table object. I have it set to process the list on compile (no luck with "on run" either).
It dies within Firewall Builder on the part saying "activating firewall script" and dies on the rule with the large list.
My router becomes unpingable.
Hoping to try and figure out how to allow or disallow large iptables. Assuming using address tables within iptables.
Figuring out a dynamic method would be bonus.
Hoping the community can help.
Also curious if dd-wrt has something on the roadmap for geoip or maybe PF. Is there somewhere on the wiki to see the roadmap for dd-wrt?
UPDATE
170 ip ranges seems to work.
Just can't get 6000 working.
Last edited by kinchyle on Fri Jan 01, 2010 23:05; edited 1 time in total
Anyone know if it's possible to dynamically add to iptables? Like, after they are generated, to say "at rule 3, iptables block this IP range"?
Something like this
http://starlane.gotdns.org/node/6
I had my Cisco doing it with ACLs and it didn't cause that much overhead. Especially since after it established, it didn't have to go through the rule. But I lost all the settings on reboot because it would only fit in the RAM space....
I was thinking of setting a PF overload table rule that if the IP passed the "good" address table it copied the IP to a "good table" which was the first "allow" rule.
I set up the iptables to add the long list at run time. I waited the 30 or so minutes for it to compile, but for some reason the router is trying to do something when it's set to "run" and it dies.
It's dying here on rule 3 (but a longer list).
Maybe I just need to let it sit for a couple hours....
It was just odd when SSH died and I couldn't ping it.
Could it be possible that it turns off networking when building iptables?
sh /jffs/firewall//firewall.fw
(from firewall.fw)
# Rule 3 (global)
#
echo "Rule 3 (global)"
#
#
#
$IPTABLES -N RULE_3
$IPTABLES -A INPUT -s 41.221.112.0/20 -j RULE_3
$IPTABLES -A INPUT -s 58.83.8.0/21 -j RULE_3
$IPTABLES -A INPUT -s 62.122.32.0/21 -j RULE_3
$IPTABLES -A INPUT -s 64.28.176.0/20 -j RULE_3
$IPTABLES -A INPUT -s 66.206.32.0/22 -j RULE_3
I think it has NOT the power for 6K rules! Do you know what it has to do to be able to filter each single packet/request?!
It would have to verify the IP falls within a netmask range upon a web connection. It would only be doing this for TCP sessions, so once the 3-way handshake took place it would have an established session. It wouldn't need to check the IP anymore. If the session gets torn down from a keep alive then it would have to re-establish (that's where it would be nice to have PF overload rules for "known good", or you can keep a 10 min value for keep alive on the router and/or Apache).
I think I have something working by compiling a generic list on the router. Then doing iptables-save to see what it is sending the kernel. I'm then seeing what the "ranges" look like for the rule. Then doing a search and replace for the larger list.
The restore file went to 2 megs but I was able to do an iptables-restore on it and it only took about 10 seconds.
I think this is the way to load large iptables.
Testing the ruleset and overhead...
I'll post on details if it's successful.
I think I have it working. Doesn't look like any overhead.
You need jffs enabled, you can find how to do this on the dd-wrt wiki.
# enable iptables-save (found on dd-wrt wiki)
cd /jffs/usr/bin
ln -s /usr/sbin/iptables ./iptables-save
# build your iptables with fwbuilder
I am just allowing US.
to summarize
rule 2 - allow inbound web for "quick ranges" Ex. I have like Comcast and some of the major ISPs.
rule 3 - allow inbound web US ranges (use a dummy address table set to "on compile")
rule 4 - deny and log inbound/outbound "known bad" Ex. http://www.spamhaus.org/drop/drop.lasso
rule 5 - deny and log all web traffic
Once you have this compiled and installed on your router, SSH to the router and run /jffs/usr/bin/iptables-save
This will give you the rules it used to send to the router kernel.
Pull these into a text editor and find where you had the dummy IP ranges for the US. Mine came right after the web allow for my internal network. Remove the dummy ranges and paste all the netmask ranges for the US. I used a netmask list generated from here.
http://www.countryipblocks.net/tag/netmask/
Here is what one of mine looks like
-A Cid4B3B491F15605.0 -s 3.0.0.0/255.0.0.0 -j ACCEPT
Save this as iptables-all_us and scp it to the router to /jffs/ (my filesize was like 2 megs).
SSH to the router and do
iptables-restore < /jffs/iptables-all_us
It should take about 10 seconds and everything will be good to go.
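The search-and-replace step above can be scripted so the dummy rule from the iptables-save dump is expanded into one rule per country range. This is an added example, not code from the thread or from fwbuilder; the chain name WEB_US, the dummy source 10.255.255.0/255.255.255.0, and the sample dump and range list are all constructed.

```shell
#!/bin/sh
# expand_rules DUMP RANGES CHAIN DUMMY
#   DUMP   : output of iptables-save (constructed sample below)
#   RANGES : one "net/mask" per line, as from a country netmask list
#   CHAIN  : chain that holds the dummy rule (assumed name: WEB_US)
#   DUMMY  : the dummy -s address fwbuilder emitted for the address table
# Prints an iptables-restore file with the dummy rule replaced by one
# ACCEPT rule per range; every other line is copied through unchanged.
expand_rules() {
  dump=$1; ranges=$2; chain=$3; dummy=$4
  awk -v chain="$chain" -v dummy="$dummy" -v ranges="$ranges" '
    BEGIN {
      # Load the range list once; skip blank lines and comments.
      while ((getline line < ranges) > 0) {
        if (line ~ /^[[:space:]]*(#|$)/) continue
        n++; net[n] = line
      }
    }
    # The dummy rule: "-A <chain> -s <dummy> ..." -> emit it once per range.
    $1 == "-A" && $2 == chain && $3 == "-s" && $4 == dummy {
      for (i = 1; i <= n; i++) { $4 = net[i]; print }
      next
    }
    { print }
  ' "$dump"
}

# Number of "-A CHAIN -s" rules in a restore file (sanity check before restoring).
rule_count() { grep -c -e "^-A $1 -s " "$2"; }

# Constructed sample data in a scratch dir. The ESTABLISHED,RELATED rule sits
# before the jump to WEB_US, so only new connections walk the long list.
WORK=$(mktemp -d)
cat > "$WORK/saved.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:WEB_US - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j WEB_US
-A WEB_US -s 10.255.255.0/255.255.255.0 -j ACCEPT
COMMIT
EOF
cat > "$WORK/us.ranges" <<'EOF'
# constructed ranges, not a real country list
3.0.0.0/255.0.0.0
4.0.0.0/255.0.0.0
64.28.176.0/255.255.240.0
EOF
expand_rules "$WORK/saved.rules" "$WORK/us.ranges" WEB_US 10.255.255.0/255.255.255.0 > "$WORK/iptables-all_us"
# On the router: iptables-restore < /jffs/iptables-all_us
```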
This looks like someone who documented well the use of fwbuilder and dd-wrt.
Has anyone else confirmed this works? (Before I go spend 6 hours of my life going down this rabbit hole, again?) _________________ Providing GIS training to the world at learningGIS.com