Country Blocking

DD-WRT Forum Index -> Broadcom SoC based Hardware
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sat Apr 18, 2015 5:15
comment out

iptables-restore -n < $oBL

iptables -I FORWARD 3 -o vlan2 -j countrydropout

that should do it
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Sat Apr 18, 2015 5:16
Thanks again guys.
Both James and HalfBit for the support and badmoon for the script work.

_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode

R7000 specific Tips/Tricks.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264152
badmoon
DD-WRT Novice


Joined: 22 Jul 2014
Posts: 41

Posted: Sat Apr 18, 2015 15:22
Hi,

Sorry I've been out of pocket as of late. I'm glad everything is working for you. Again, thanks to James for all of the help. It runs great on my setup. I've updated the original post with the /bin/sh. Sorry for missing that. If there is anything else that needs to be updated, please let me know.

Thanks,
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Sun Apr 19, 2015 0:02
## edit
Never mind, I see that's exactly what you did.
Thank you James
## end edit
James,
it occurred to me to ask this.
Since I WANT all my outbound traffic to go out & we discussed remarking the 2 lines you described from the .sh file; would it be more wise to just remove something from the startup FW list or perhaps both what you described and something from the FW commands?
Here is what my FW rules are.
# Place the RELATED,ESTABLISHED accept right after any YAMON rule, otherwise at position 1
iptables -nL FORWARD | grep -q YAMON && INSERTPOS=$(iptables -nL FORWARD --line-numbers | grep YAMON | awk '{ print $1 + 1 }') || INSERTPOS=1
# Reuse whatever target the existing ESTABLISHED rule jumps to (ACCEPT or a custom chain)
ACCEPTTYPE=$(iptables -nL FORWARD | grep ESTABLISHED | awk '{print $1}')
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j $ACCEPTTYPE
iptables -I FORWARD $INSERTPOS -m state --state RELATED,ESTABLISHED -j $ACCEPTTYPE
# Country block chains: inbound from the WAN interface (vlan2) and outbound towards it
iptables -N countrydropin
iptables -N countrydropout
iptables -I INPUT 2 -i vlan2 -j countrydropin
iptables -I FORWARD 2 -i vlan2 -j countrydropin
iptables -I FORWARD 3 -o vlan2 -j countrydropout
# Fill the chains from the zone files in the background
sh /opt/ipblock/ipblock.sh &
JAMESMTL wrote:
comment out

iptables-restore -n < $oBL

iptables -I FORWARD 3 -o vlan2 -j countrydropout

that should do it

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sun Apr 19, 2015 0:16
The second command I listed to comment out is not in the script but is part of the FW commands. Simply commenting out or deleting that line will stop the outbound block.

The first line I mentioned will prevent loading rules into the outbound chain and using memory needlessly. There are a number of other lines which could be removed or commented out but honestly I'm trying to have a minimal impact on what Badmoon has published.


slidermike wrote:
James,
it occurred to me to ask this.
Since I WANT all my outbound traffic to go out & we discussed remarking the 2 lines you described from the .sh file; would it be more wise to just remove something from the startup FW list or perhaps both what you described and something from the FW commands?
Here is what my FW rules are.
iptables -nL FORWARD | grep -q YAMON && INSERTPOS=$(iptables -nL FORWARD --line-numbers | grep YAMON | awk '{ print $1 + 1 }') || INSERTPOS=1
ACCEPTTYPE=$(iptables -nL FORWARD | grep ESTABLISHED | awk '{print $1}')
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j $ACCEPTTYPE
iptables -I FORWARD $INSERTPOS -m state --state RELATED,ESTABLISHED -j $ACCEPTTYPE
iptables -N countrydropin
iptables -N countrydropout
iptables -I INPUT 2 -i vlan2 -j countrydropin
iptables -I FORWARD 2 -i vlan2 -j countrydropin
iptables -I FORWARD 3 -o vlan2 -j countrydropout
sh /opt/ipblock/ipblock.sh &
JAMESMTL wrote:
comment out

iptables-restore -n < $oBL

iptables -I FORWARD 3 -o vlan2 -j countrydropout

that should do it
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Mon Apr 20, 2015 17:29
Just a note to anyone running a Synology NAS (such as I am).
By using the default country code list, you will be blocking Taiwan which is where the NAS calls back for things such as firmware updates, DDNS, application updates.

Rather than mess with specific IP/names in the region I merely took Taiwan out of the block list.
Like this:
I edited (via WinSCP) /opt/ipblock/ipblock.sh & changed it to this:
ISO="cn-aggregated kp-aggregated kr-aggregated ru-aggregated ir-aggregated"

You will notice I took out the
tw-aggregated
portion which is for Taiwan.
Then ran the script from the command line (telnet) like this:
/opt/ipblock/ipblock.sh
It updated the FW rules & my NAS was restored to speaking with the Taiwan masters.
Smile

eeeasy
DD-WRT Novice


Joined: 04 Mar 2015
Posts: 12

Posted: Mon Apr 20, 2015 23:30
Does this script prevent finding players from the excluded countries in multiplayer game search? If yes, can someone tell me what prerequisites should be met besides the script?

Thanks
HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

Posted: Tue Apr 21, 2015 2:16
slidermike wrote:
Just a note to anyone running a Synology NAS (such as I am).
By using the default country code list, you will be blocking Taiwan which is where the NAS calls back for things such as firmware updates, DDNS, application updates.

Rather than mess with specific IP/names in the region I merely took Taiwan out of the block list.
Like this:
I edited (via WinSCP) /opt/ipblock/ipblock.sh & changed it to this:
ISO="cn-aggregated kp-aggregated kr-aggregated ru-aggregated ir-aggregated"

You will notice I took out the
tw-aggregated
portion which is for Taiwan.
Then ran the script from the command line (telnet) like this:
/opt/ipblock/ipblock.sh
It updated the FW rules & my NAS was restored to speaking with the Taiwan masters.
Smile

I know you didn't want to find the specific IPs, but I would be interested in turning on logging, running the script, trying to update the NAS to trigger the specific IPs, and then adding a couple of delete lines in the script to remove those IPs and thus keeping the rest of the blocks.

On that note too, I should go check my NAS. It's a Lenovo brand so I don't know where it would be trying to connect. I don't think I have any issues as my countrydropout rule has not been triggered since I've been checking.

_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x
https://pi-hole.net/
https://github.com/DNSCrypt/dnscrypt-proxy
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Tue Apr 21, 2015 2:57
If you had disabled outgoing blocking, your NAS shouldn't have issues calling home even if it's in TW. Are you sure it was a call out and not an incoming via port forward?
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Tue Apr 21, 2015 13:02
Guys,
thanks for the support.

James, I did the changes we talked about to stop outgoing blocks but it didn't seem to do the job.

I am not 100% sure the DDNS isn't a push from Taiwan also but I am sure I can initiate the processes from my NAS as well.

I have 3 "features" that I can initiate from my NAS that were not working with country blocking (and Taiwan included).

#1 DDNS - (Synology has its own which I use)
I was timing out when manually updating from the NAS.

#2 Firmware update - I click the "check now" button & it times out after a while.

#3 Application update - I click the "check now" button & it times out after a while.

Once I took Taiwan out of the country block equation all 3 features were restored.

badmoon
DD-WRT Novice


Joined: 22 Jul 2014
Posts: 41

Posted: Thu Apr 23, 2015 6:06
I have a Synology at home too and will try the update when I get back in a few days. I did do a manual update with no issues so I must have pulled the update from the website. I seldom use the autoupdate feature. I am amazed that your DDNS provider initiates the update. That process usually starts with your system checking in. Scary...


slidermike wrote:
Guys,
thanks for the support.

James, I did the changes we talked about to stop outgoing blocks but it didn't seem to do the job.

I am not 100% sure the DDNS isn't a push from Taiwan also but I am sure I can initiate the processes from my NAS as well.

I have 3 "features" that I can initiate from my NAS that were not working with country blocking (and Taiwan included).

#1 DDNS - (Synology has its own which I use)
I was timing out when manually updating from the NAS.

#2 Firmware update - I click the "check now" button & it times out after a while.

#3 Application update - I click the "check now" button & it times out after a while.

Once I took Taiwan out of the country block equation all 3 features were restored.
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

Posted: Thu Apr 23, 2015 12:44
badmoon,
I don't know if Synology initiates the DDNS update.

I had initially assumed it did because James was kind enough to assist me in disabling the outbound country block.

When my DS1512+ couldn't reach "home" for the updates/DDNS I began to believe I had not correctly disabled the outbound country block.

My nas alerted me that it had lost contact with Taiwan (home) while running the country block FW script.

I have since received a response from Syno support about the ports used by the DS to communicate to "home".
They did not imply they reached out to the DS.

Here is what they said should be open for complete access home.

Most traffic will be from 209.221.132.14 and 74.93.160.185 and you will want your ISP to allow 53, 80, 5000, and 5001.

badmoon
DD-WRT Novice


Joined: 22 Jul 2014
Posts: 41

Posted: Thu Apr 23, 2015 17:16
Hmm, odd indeed. I'll take a look when I get home. I'm a security guy and generally do not even allow my NAS to leave my network (naturally paranoid). I let my router handle the DDNS, which might be something you want to look at. Those ports that you provided are basically all of the ports used to access the Synology device.


slidermike wrote:
badmoon,
I don't know if Synology initiates the DDNS update.

I had initially assumed it did because James was kind enough to assist me in disabling the outbound country block.

When my DS1512+ couldn't reach "home" for the updates/DDNS I began to believe I had not correctly disabled the outbound country block.

My nas alerted me that it had lost contact with Taiwan (home) while running the country block FW script.

I have since received a response from Syno support about the ports used by the DS to communicate to "home".
They did not imply they reached out to the DS.

Here is what they said should be open for complete access home.

Most traffic will be from 209.221.132.14 and 74.93.160.185 and you will want your ISP to allow 53, 80, 5000, and 5001.
HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

Posted: Fri Apr 24, 2015 0:11
badmoon wrote:
I'm a security guy and generally do not even allow my NAS to leave my network (naturally paranoid).

Hey, me too! Now I know why you made this script. Smile

HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

Posted: Fri Apr 24, 2015 1:21
So, being a security guy, I've been excited to see how many hits I'm getting from the countries I've blocked. I've used the following commands from JAMESMTL to get the hit counts:
Code:
iptables -vnL countrydropin | awk '{ if ($1 > 0) print $0 }'
iptables -vnL countrydropout | awk '{ if ($1 > 0) print $0 }'

Then my next question became, from which countries are these top hitters? This command will tell you which zone file the IP is located just in case anyone else is interested in knowing:
Code:
grep -Hn x.x.x.x/x /opt/ipblock/zones/*.zone

The -H gives you the file name, the -n gives you the line number. The output is:
Code:
Filename:Line#:x.x.x.x/x

root@R7000:~# grep -Hn 61.128.0.0 /opt/ipblock/zones/*.zone
/opt/ipblock/zones/cn-aggregated.zone:615:61.128.0.0/10

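The two checks discussed in this thread, reading hit counters from the countrydrop chains and finding which zone file a CIDR came from, plus the check slidermike's Synology problem called for (does a vendor's "call home" address fall inside a blocked zone, before removing a whole country), as an added example that is not part of the thread or of badmoon's script. The zone contents and the iptables output below are constructed samples; the two addresses are the ones Synology support gave earlier in the thread.

```python
import ipaddress

# Constructed sample zone files (real ones hold hundreds of CIDRs each).
ZONES = {
    "cn-aggregated.zone": ["61.128.0.0/10", "1.0.1.0/24"],
    "tw-aggregated.zone": ["1.34.0.0/15", "36.224.0.0/12"],
}

# Constructed sample of `iptables -vnL countrydropin` output.
IPTABLES_OUTPUT = """\
Chain countrydropin (2 references)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 DROP       all  --  *      *       61.128.0.0/10        0.0.0.0/0
    0     0 DROP       all  --  *      *       1.0.1.0/24           0.0.0.0/0
    7   420 DROP       all  --  *      *       1.34.0.0/15          0.0.0.0/0
"""

def parse_hits(output):
    """Return {source_cidr: pkts} for rules that matched at least once,
    the same filter as the thread's awk '{ if ($1 > 0) print $0 }'."""
    hits = {}
    for line in output.splitlines():
        f = line.split()
        # Rule rows start with the packet counter; header rows do not.
        if len(f) >= 9 and f[0].isdigit() and int(f[0]) > 0:
            hits[f[7]] = int(f[0])
    return hits

def zone_of(cidr, zones=ZONES):
    """Which zone file lists this exact CIDR (what grep -Hn answers)."""
    for name, nets in zones.items():
        if cidr in nets:
            return name
    return None

def blocked_by(ip, zones=ZONES):
    """Return (zone file, CIDR) that would drop this address, or None.
    Run this against a device's known endpoints before deciding whether
    a whole country must come out of the ISO list."""
    addr = ipaddress.ip_address(ip)
    for name, nets in zones.items():
        for net in nets:
            if addr in ipaddress.ip_network(net):
                return name, net
    return None

if __name__ == "__main__":
    for cidr, pkts in sorted(parse_hits(IPTABLES_OUTPUT).items(), key=lambda kv: -kv[1]):
        print(f"{pkts:6d} {cidr:20s} {zone_of(cidr)}")
    for ip in ("209.221.132.14", "74.93.160.185", "1.35.0.1"):
        print(ip, blocked_by(ip))
```

On the router itself the input would come from `iptables -vnL countrydropin` and the files under /opt/ipblock/zones/ instead of the embedded samples.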
Page 6 of 10. All times are GMT