[SOLVED] dying loading large ip tables (country block)

DD-WRT Forum Index -> General Questions
kinchyle
DD-WRT Novice


Joined: 30 Dec 2009
Posts: 5

PostPosted: Wed Dec 30, 2009 23:20    Post subject: [SOLVED] dying loading large ip tables (country block)
I'm trying to do country blocks.
First I tried just allowing US for web traffic, but that was a 700k file.
Now I'm trying to just block spam IPs and some foreign countries that are higher on the malicious rating.

I have an Asus WL-500g Premium v2.
I'm using Firewall Builder with iptables and my DD-WRT has jffs enabled. I have the IP lists in a file and am using an address table object. I have it set to process the list on compile (no luck with on run either).

It dies within Firewall Builder on the part saying activating firewall script and dies on the rule with the large list.
My router becomes unpingable.

Hoping to try and figure out how to allow or disallow large iptables rule lists. Assuming using address tables within iptables.

Figuring out a dynamic method would be bonus.
Hoping the community can help.

Also curious if DD-WRT has something on the roadmap for geoip or maybe PF. Is there somewhere on the wiki to see the roadmap for DD-WRT?


UPDATE
170 IP ranges seems to work.
Just can't get 6000 working.


Last edited by kinchyle on Fri Jan 01, 2010 23:05; edited 1 time in total
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

PostPosted: Thu Dec 31, 2009 11:38    Post subject:
Sorry, but what do you expect out of this hw?!
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search!
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
kinchyle
DD-WRT Novice


Joined: 30 Dec 2009
Posts: 5

PostPosted: Fri Jan 01, 2010 18:12    Post subject:
It has the power and the space. I was thinking I'm doing something wrong or missing something. I'm new to DD-WRT.

I would think it could be possible.
Maybe including the free geoip:
http://www.debian-administration.org/articles/518
Article on "higher threat" countries if the traffic isn't needed (in or out):
http://us.mcafee.com/en-us/local/docs/Mapping_Mal_Web.pdf?cid=45044

Anyone know if it's possible to dynamically add to iptables? Like after they are generated, to say at rule 3, iptables block this IP range?
Something like this:
http://starlane.gotdns.org/node/6

I had my Cisco doing it with ACLs and it didn't cause that much overhead, especially since after it established it didn't have to go through the rule. But I lost all the settings on reboot because it would only fit in the RAM space....

I was thinking of setting a PF overload table rule so that if the IP passed the "good" address table it copied the IP to a "good table" which was the first "allow" rule.

I set up the iptables to add the long list at run time. I waited the 30 or so minutes for it to compile, but for some reason the router is trying to do something when it's set to "run" and it dies.

It's dying here on rule 3 (but a longer list).
Maybe I just need to let it sit for a couple hours....
It was just odd when ssh died and I couldn't ping it.
Could it be possible that it turns off networking when building iptables?

sh /jffs/firewall//firewall.fw

(from firewall.fw)

# Rule 3 (global)
#
echo "Rule 3 (global)"
#
#
#
$IPTABLES -N RULE_3
$IPTABLES -A INPUT -s 41.221.112.0/20 -j RULE_3
$IPTABLES -A INPUT -s 58.83.8.0/21 -j RULE_3
$IPTABLES -A INPUT -s 62.122.32.0/21 -j RULE_3
$IPTABLES -A INPUT -s 64.28.176.0/20 -j RULE_3
$IPTABLES -A INPUT -s 66.206.32.0/22 -j RULE_3

UPDATE
Maybe this is my problem:
http://www.faqs.org/docs/iptables/saveandrestore.html
I need to use iptables-save / iptables-restore.
Sounds like processing through sh has some overhead line by line.

Looks like iptables-save isn't there, so I'll try this:
http://www.dd-wrt.com/wiki/index.php/Firewall_Builder#DD-WRT_V24_.26_iptables-save
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

PostPosted: Fri Jan 01, 2010 18:48    Post subject:
No

I think it does NOT have the power for 6K rules! Do you know what it has to do to be able to filter each single packet/request?!

kinchyle
DD-WRT Novice


Joined: 30 Dec 2009
Posts: 5

PostPosted: Fri Jan 01, 2010 21:44    Post subject:
Sash wrote:
No

I think it does NOT have the power for 6K rules! Do you know what it has to do to be able to filter each single packet/request?!


It would have to verify the IP falls within a netmask range upon a web connection. It would only be doing this for TCP sessions, so once the 3-way handshake took place it would have an established session. It wouldn't need to check the IP anymore. If the session gets torn down from a keep-alive then it would have to re-establish (that is where it would be nice to have PF overload rules for "known good", or you can keep a 10 min value for keep-alive on the router and/or Apache).

I think I have something working by compiling a generic list on the router, then doing iptables-save to see what it is sending the kernel. I'm then seeing what the "ranges" look like for the rule, then doing a search and replace for the larger list.
The restore file went to 2 megs, but I was able to do an iptables-restore on it and it only took about 10 seconds.

I think this is the way to load large iptables rule lists.
Testing the ruleset and overhead...
I'll post the details if it's successful.
kinchyle
DD-WRT Novice


Joined: 30 Dec 2009
Posts: 5

PostPosted: Fri Jan 01, 2010 23:05    Post subject:
I think I have it working. Doesn't look like any overhead.

You need jffs enabled; you can find how to do this on the DD-WRT wiki.

# enable iptables-save (found on dd-wrt wiki)
cd /jffs/usr/bin
ln -s /usr/sbin/iptables ./iptables-save

# build your iptables with fwbuilder
I am just allowing US.
To summarize:
rule 2 - allow inbound web for "quick ranges", e.g. I have Comcast and some of the major ISPs.
rule 3 - allow inbound web US ranges (use a dummy address table set to "on compile")
rule 4 - deny and log inbound/outbound "known bad", e.g. http://www.spamhaus.org/drop/drop.lasso
rule 5 - deny and log all web traffic


Once you have this compiled and installed on your router, ssh to the router and run /jffs/usr/bin/iptables-save

This will give you the rules it used to send to the router kernel.
Pull these into a text editor and find where you had the dummy IP ranges for the US. Mine came right after the web allow for my internal network. Remove the dummy ranges and paste in all the netmask ranges for the US. I used a netmask list generated from here:
http://www.countryipblocks.net/tag/netmask/
Here is what one of mine looks like:
-A Cid4B3B491F15605.0 -s 3.0.0.0/255.0.0.0 -j ACCEPT

Save this as iptables-all_us and scp it to the router to /jffs/ (my filesize was like 2 megs).

SSH to the router and do:
iptables-restore < /jffs/iptables-all_us

Should take about 10 seconds and everything will be good to go.

To get it saving on reboot:

mkdir /jffs/etc/config/

vi /jffs/etc/config/jffs.wanup
#!/bin/sh
# http://www.dd-wrt.com/wiki/index.php/Startup_Scripts
# http://www.dd-wrt.com/wiki/index.php/Script_Execution
#
/usr/sbin/iptables-restore < /jffs/iptables-us_allow.txt

# chmod 700 /jffs/etc/config/jffs.wanup
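The search-and-replace step above, done as a script instead of by hand, as an added example that is not from this thread or from fwbuilder: it clones the dummy-range rule in an iptables-save dump once per range from a country list, writing the file that iptables-restore then loads in one pass. The file names, the chain name and the dummy range 192.0.2.0/255.255.255.0 are assumptions, and the inputs are constructed samples.

```shell
# build_restore DUMP RANGES DUMMY OUT
#   DUMP   - output of iptables-save containing the rule with the dummy source range
#   RANGES - one range per line, netmask (a.b.c.d/m.m.m.m) or prefix (a.b.c.d/n) form
#   DUMMY  - the placeholder source range used in the address table when compiling
#   OUT    - restore file to write; feed it to iptables-restore
build_restore() {
    dump=$1 ranges=$2 dummy=$3 out=$4
    grep -q -- "-s $dummy " "$dump" || { echo "dummy $dummy not in $dump" >&2; return 1; }
    awk -v dummy="$dummy" -v ranges="$ranges" '
        BEGIN { key = "-s " dummy " " }
        index($0, key) {
            # emit one copy of this rule per range; skip blank, comment and junk lines
            p = index($0, key)
            head = substr($0, 1, p - 1); tail = substr($0, p + length(key))
            while ((getline line < ranges) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                if (line !~ /^[0-9.]+\/[0-9.]+$/) { print "skipping bad range: " line > "/dev/stderr"; continue }
                print head "-s " line " " tail
            }
            close(ranges)
            next
        }
        { print }   # chain headers, other rules and COMMIT pass through unchanged
    ' "$dump" > "$out"
}

# Constructed sample inputs in the shape iptables-save gives for an fwbuilder chain.
WORK=$(mktemp -d)
cat > "$WORK/dump.txt" <<'EOF'
*filter
:INPUT DROP [0:0]
:Cid4B3B491F15605.0 - [0:0]
-A INPUT -p tcp --dport 80 -j Cid4B3B491F15605.0
-A Cid4B3B491F15605.0 -s 192.0.2.0/255.255.255.0 -j ACCEPT
-A Cid4B3B491F15605.0 -j RETURN
COMMIT
EOF
cat > "$WORK/us.txt" <<'EOF'
# constructed list; a real country list has thousands of lines
3.0.0.0/255.0.0.0
4.0.0.0/255.0.0.0
not-a-range
EOF
build_restore "$WORK/dump.txt" "$WORK/us.txt" 192.0.2.0/255.255.255.0 "$WORK/restore.txt"
# on the router: iptables-restore < restore.txt
```

The malformed third line is reported and skipped rather than written out, so a typo in the list cannot make iptables-restore reject the whole file.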
grandma_dog
DD-WRT Novice


Joined: 21 Jun 2012
Posts: 3

PostPosted: Thu Jun 21, 2012 7:31    Post subject:
This looks like someone who documented the use of fwbuilder and DD-WRT well.

Has anyone else confirmed this works? (Before I go spend 6 hours of my life going down this rabbit hole, again?)

_________________
Providing GIS training to the world at learningGIS.com
All times are GMT