Posted: Sun Nov 15, 2015 20:32
Post subject: Attempting to create iptables entries on router startup...
Hey all, I am one of those people who is becoming increasingly resentful of how much Microsoft snoops on us, so I got it into my head to attempt to block all the IPs I could find where the invasive telemetry updates they are shoving down everyone's throats send all this information.
I figured, if I can block all that outgoing traffic by just dropping the packets, they shouldn't actually get any of it. That being said, here's a script I whipped together and added to my startup on my Netgear R7000 running DD-WRT v24-sp2 (02/16/15) kongac - build 26285M. Alas, it doesn't seem to do anything unless I telnet to the router itself and manually run these commands. Can anyone tell me what I am doing wrong?
FYI: I also found a smattering of IPv6-type addresses, but I can't seem to get ip6tables to work on blocking those... I've left them out for now.
_________________
Currently owned routers:
Router Model: Netgear R7000 Nighthawk
Current Firmware: DD-WRT v3.0-r33655M kongac (11/03/17)
OK, part of my problem, I guess, is putting them in startup instead of firewall. I put them there and changed logdrop to DROP, but it still doesn't seem to be dropping them. Is there any way I can tell for sure?
Thank you for your response. I tweaked it a bit and changed FORWARD to OUTPUT, so now it should only be dropping outgoing packets. So far I have tried 2 of the IPs on the list and I see packets being dropped. It's working! (happy dance)
I will be researching more efficient ways to do it as well as your suggestion of ipset, but for now, I am happy. I also changed logdrop to DROP. And instead of the range code, I picked out each IP and made a separate entry for it. For your banned script, I am guessing I could just replace that list of IP addresses in the BANNED_DST="...." with the list I found? Incoming is fine, it's just outgoing that I don't want.
Oh drat. I guess it's back to the drawing board for me then. Thanks for the input! FYI, I tried saving that script as custom and executing it, then running the verbose list command:
iptables -vnL banned
I see the list of IPs, but no outgoing packets are actually getting dropped.
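The thread never shows the script itself, so here is an added example (not the OP's script and not anything shipped by DD-WRT) of the approach the replies point towards: a Firewall script that builds a `banned` chain of DROP rules and checks its counters. The chain name `banned` and the `BANNED_DST` variable are taken from the thread; the addresses in the list are constructed placeholders from the RFC 5737 documentation ranges, not real telemetry hosts; and the `ipt`, `valid_ip4`, `install_rules` and `show_drops` helpers and the `DRYRUN` switch are names assumed for this example. The one thing it fixes relative to the thread is the hook chain: packets from LAN clients are routed through the router and traverse FORWARD, while OUTPUT only sees packets the router itself originates, which is why an OUTPUT-only rule set can list all the IPs yet drop nothing for a PC behind the router.

```shell
#!/bin/sh
# Added example (not the OP's script): a DD-WRT "firewall" script that drops traffic
# from LAN clients (and from the router itself) to a list of destination addresses.
# Paste into Administration > Commands > "Save Firewall"; DD-WRT re-runs it on boot
# and on every WAN (re)connect, so it must be safe to run more than once.

IPT="${IPT:-iptables}"      # path to iptables; override for testing
CHAIN="banned"              # user chain holding one DROP rule per destination

# Destinations to drop. These are constructed placeholder addresses (RFC 5737
# documentation ranges), NOT real telemetry hosts; replace them with your own list.
# The last entry is deliberately malformed to exercise the validation step.
BANNED_DST="192.0.2.10 192.0.2.11 198.51.100.0/24 203.0.113.77 300.1.1.1"

# Run iptables, or just print the command when DRYRUN is set.
ipt() {
    if [ -n "$DRYRUN" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Accept a.b.c.d or a.b.c.d/n and reject anything else, so one typo does not
# abort the whole script at boot and leave the router with no block rules at all.
valid_ip4() {
    addr="${1%/*}"
    if [ "$addr" != "$1" ]; then
        prefix="${1#*/}"
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# (Re)build the chain and hook it into the chains the traffic actually traverses.
install_rules() {
    ipt -N "$CHAIN" 2>/dev/null || true   # chain already exists on a re-run; ignore
    ipt -F "$CHAIN"                       # start from an empty chain every time
    for dst in $BANNED_DST; do
        if valid_ip4 "$dst"; then
            ipt -A "$CHAIN" -d "$dst" -j DROP
        else
            echo "skipping malformed entry: $dst" >&2
        fi
    done
    # LAN clients' packets are routed through the router, so they traverse FORWARD,
    # not OUTPUT; OUTPUT only sees packets the router itself originates. Hook both,
    # at position 1 so the jump precedes DD-WRT's own ACCEPT rules.
    for hook in FORWARD OUTPUT; do
        if [ -z "$DRYRUN" ]; then
            # Remove jumps left by earlier runs so they do not stack up
            # (delete-until-failure also works on old iptables builds without -C).
            while "$IPT" -D "$hook" -j "$CHAIN" 2>/dev/null; do :; done
        fi
        ipt -I "$hook" 1 -j "$CHAIN"
    done
}

# The check the thread asks for: per-rule packet/byte counters. A non-zero "pkts"
# column on a DROP rule means matching traffic was dropped; a zero counter on the
# FORWARD -> banned jump means no client traffic is reaching the chain at all.
show_drops() {
    "$IPT" -vnL "$CHAIN"
    "$IPT" -vnL FORWARD | grep -w "$CHAIN"
    "$IPT" -vnL OUTPUT  | grep -w "$CHAIN"
}

# Without a usable iptables (not root, or not installed) fall back to printing the
# commands so the generated rule set can still be inspected.
if [ -z "$DRYRUN" ] && ! "$IPT" -L -n >/dev/null 2>&1; then
    echo "$IPT not usable here; printing the rules instead of installing them" >&2
    DRYRUN=1
fi
install_rules
```

Run it once with `DRYRUN=1 sh firewall.sh` to review the exact rules before saving it as the Firewall script, then generate some traffic from a LAN client to one of the listed addresses and run `show_drops`: the `pkts` counter on that address's DROP rule should increase. If the counter on the DROP rule stays at zero while the FORWARD jump counter climbs, the address list is wrong; if the FORWARD jump counter itself stays at zero, the rules are not in the path the client traffic takes.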