Thanks again guys.
Both James and HalfBit for the support and badmoon for the script work.
_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode
Sorry I've been out of pocket as of late. I'm glad everything is working for you. Again, thanks to James for all of the help. It runs great on my setup. I've updated the original post with the /bin/sh. Sorry for missing that. If there is anything else that needs to be updated, please let me know.
## edit
Nevermind, I see that's exactly what you did.
Thank you James
## end edit
James,
it occurred to me to ask this.
Since I WANT all my outbound traffic to go out, and we discussed remarking the 2 lines you described from the .sh file, would it be wiser to just remove something from the startup FW list, or perhaps both what you described and something from the FW commands?
Here is what my FW rules are.
iptables -nL FORWARD | grep -q YAMON && INSERTPOS=$(iptables -nL FORWARD --line-numbers | grep YAMON | awk '{ print $1 + 1 }') || INSERTPOS=1
ACCEPTTYPE=$(iptables -nL FORWARD | grep ESTABLISHED | awk '{print $1}')
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j $ACCEPTTYPE
iptables -I FORWARD $INSERTPOS -m state --state RELATED,ESTABLISHED -j $ACCEPTTYPE
iptables -N countrydropin
iptables -N countrydropout
iptables -I INPUT 2 -i vlan2 -j countrydropin
iptables -I FORWARD 2 -i vlan2 -j countrydropin
iptables -I FORWARD 3 -o vlan2 -j countrydropout
sh /opt/ipblock/ipblock.sh &
JAMESMTL wrote:
comment out
iptables-restore -n < $oBL
iptables -I FORWARD 3 -o vlan2 -j countrydropout
that should do it
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Sun Apr 19, 2015 0:16 Post subject:
The second command I listed to comment out is not in the script but is part of the FW commands. Simply commenting out or deleting that line will stop the outbound block.
The first line I mentioned will prevent loading rules into the outbound chain and using memory needlessly. There are a number of other lines which could be removed or commented out but honestly I'm trying to have a minimal impact on what Badmoon has published.
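To see where these startup commands leave the RELATED,ESTABLISHED accept relative to the two country-drop jumps, here is an added simulation (not code from the thread or from badmoon's script) that replays only the insert and delete positions on a FORWARD chain written as a list of rule labels; it assumes at most one YAMON rule and a single pre-existing ESTABLISHED rule, and ignores the INPUT chain.

```shell
#!/bin/sh
# Added example, not from the thread: replay the FORWARD-chain commands above on a
# chain held as a space-separated list of rule labels, 1-based like iptables.

# Insert label $2 as rule $1; rules at and after that position shift down (iptables -I).
chain_insert() {
    pos=$1; new=$2; out=""; i=1
    for r in $CHAIN; do
        [ "$i" -eq "$pos" ] && out="$out $new"
        out="$out $r"; i=$((i + 1))
    done
    [ "$i" -le "$pos" ] && out="$out $new"   # position past the end: append
    CHAIN=${out# }
}

# Delete the first rule labelled $1 (iptables -D with a matching rule spec).
chain_delete() {
    out=""; removed=0
    for r in $CHAIN; do
        if [ "$removed" -eq 0 ] && [ "$r" = "$1" ]; then removed=1; continue; fi
        out="$out $r"
    done
    CHAIN=${out# }
}

# Print the 1-based position of label $1, or fail if absent (grep --line-numbers).
chain_pos() {
    i=1
    for r in $CHAIN; do
        [ "$r" = "$1" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# Apply the startup sequence to the chain given in $1 and print the resulting order.
apply_country_rules() {
    CHAIN=$1
    INSERTPOS=$(( $(chain_pos YAMON || echo 0) + 1 ))  # YAMON line + 1, else 1
    chain_delete ESTABLISHED                # iptables -D FORWARD -m state --state RELATED,ESTABLISHED ...
    chain_insert "$INSERTPOS" ESTABLISHED   # iptables -I FORWARD $INSERTPOS ...
    chain_insert 2 countrydropin            # iptables -I FORWARD 2 -i vlan2 -j countrydropin
    chain_insert 3 countrydropout           # iptables -I FORWARD 3 -o vlan2 -j countrydropout
    echo "$CHAIN"
}

# Constructed starting chains: DD-WRT's own rules stand in as "lan2wan".
apply_country_rules "lan2wan ESTABLISHED"        # prints: ESTABLISHED countrydropin countrydropout lan2wan
apply_country_rules "YAMON lan2wan ESTABLISHED"  # prints: YAMON countrydropin countrydropout ESTABLISHED lan2wan
```

Compare its output with `iptables -nL FORWARD --line-numbers` on the router, which is the listing the first startup command parses.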
Just a note to anyone running a Synology NAS (such as I am).
By using the default country code list, you will be blocking Taiwan which is where the NAS calls back for things such as firmware updates, DDNS, application updates.
Rather than mess with specific IP/names in the region I merely took Taiwan out of the block list.
Like this:
I edited (via WinSCP) /opt/ipblock/ipblock.sh and changed it to this:
ISO="cn-aggregated kp-aggregated kr-aggregated ru-aggregated ir-aggregated"
You will notice I took out the tw-aggregated portion, which is for Taiwan.
Then I ran the script from the command line (telnet) like this:
/opt/ipblock/ipblock.sh
It updated the FW rules and my NAS was restored to speaking with the Taiwan masters.
Does this script prevent finding players from the excluded countries in multiplayer game search? If yes, can someone tell me what prerequisites should be met besides the script?
I know you didn't want to find the specific IPs, but I would be interested in turning on logging, running the script, trying to update the NAS to trigger the specific IPs, and then adding a couple of delete lines in the script to remove those IPs and thus keeping the rest of the blocks.
On that note too, I should go check my NAS. It's a Lenovo brand so I don't know where it would be trying to connect. I don't think I have any issues as my countrydropout rule has not been triggered since I've been checking.
_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x https://pi-hole.net/ https://github.com/DNSCrypt/dnscrypt-proxy
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Tue Apr 21, 2015 2:57 Post subject:
If you had disabled outgoing blocking, your NAS shouldn't have issues calling home even if it's in TW. Are you sure it was a call out and not an incoming via port forward?
James, I did the changes we talked about to stop outgoing blocks but it didn't seem to do the job.
I am not 100% sure the DDNS isn't a push from Taiwan also but I am sure I can initiate the processes from my NAS as well.
I have 3 "features" that I can initiate from my NAS that were not working with country blocking (and Taiwan included).
#1 DDNS - (Synology has its own which I use)
I was timing out when manually updating from the NAS.
#2 Firmware update - I click the "check now" button & it times out after a while.
#3 Application update - I click the "check now" button & it times out after a while.
Once I took Taiwan out of the country block equation all 3 features were restored.
I have a Synology at home too and will try the update when I get back in a few days. I did do a manual update with no issues so I must have pulled the update from the website. I seldom use the autoupdate feature. I am amazed that your DDNS provider initiates the update. That process usually starts with your system checking in. Scary...
badmoon,
I don't know if Synology initiates the DDNS update.
I had initially assumed it did because James was kind enough to assist me in disabling the outbound country block.
When my DS1512+ couldn't reach "home" for the updates/DDNS I began to believe I had not correctly disabled the outbound country block.
My NAS alerted me that it had lost contact with Taiwan (home) while running the country block FW script.
I have since received a response from Syno support about the ports used by the DS to communicate to "home".
They did not imply they reached out to the DS.
Here is what they said should be open for complete access home.
Most traffic will be from 209.221.132.14 and 74.93.160.185 and you will want your ISP to allow 53, 80, 5000, and 5001.
Hmm, odd indeed. I'll take a look when I get home. I'm a security guy and generally do not even allow my NAS to leave my network (naturally paranoid). I let my router handle the DDNS, which might be something you want to look at. Those ports that you provided are basically all of the ports used to access the Synology device.
So, being a security guy, I've been excited to see how many hits I'm getting from the countries I've blocked. I've used the following commands from JAMESMTL to get the hit counts:
Then my next question became, from which countries are these top hitters? This command will tell you which zone file the IP is located just in case anyone else is interested in knowing:
Code:
grep -Hn x.x.x.x/x /opt/ipblock/zones/*.zone
The -H gives you the file name, the -n gives you the line number. The output is:
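The grep above only finds an address if that exact prefix string appears in a zone file; an address that falls inside a larger aggregated prefix will not match. The following is an added example, not code from the thread or from the ipblock script, that does a real CIDR containment check over the zone files, so it also answers the earlier Synology question of which zone covers the addresses support listed. It assumes zone files are plain one-prefix-per-line lists named *.zone, and the sample zones it builds use RFC 5737 documentation ranges, not real country data.

```shell
#!/bin/sh
# Added example, not from the thread or badmoon's script: report which
# zone file's prefix covers an address. Assumes zone files are plain
# lists of CIDR prefixes, one per line, named *.zone (as in /opt/ipblock/zones).

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside CIDR prefix $2 (a bare address means /32).
cidr_contains() {
    case "$2" in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print "file:line prefix" for the first prefix under directory $2 that covers $1;
# exit 1 if no zone covers it (the address is not country-blocked).
find_zone() {
    for f in "$2"/*.zone; do
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case "$line" in ''|'#'*) continue ;; esac
            if cidr_contains "$1" "$line"; then
                printf '%s:%d %s\n' "$(basename "$f")" "$n" "$line"
                return 0
            fi
        done < "$f"
    done
    return 1
}

# Constructed sample zones using RFC 5737 documentation ranges, not real country data.
make_sample_zones() {
    mkdir -p "$1"
    printf '198.51.100.0/24\n203.0.113.0/25\n' > "$1/cn-aggregated.zone"
    printf '# comment line\n203.0.113.128/25\n' > "$1/tw-aggregated.zone"
}

dir=$(mktemp -d)
make_sample_zones "$dir"
find_zone 203.0.113.200 "$dir"     # prints: tw-aggregated.zone:2 203.0.113.128/25
find_zone 192.0.2.1 "$dir" || echo "192.0.2.1 is not in any zone"
rm -rf "$dir"
```

On the router, point find_zone at /opt/ipblock/zones instead of the sample directory.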