Attempting to create iptables entries on router startup...

DD-WRT Forum Index -> Advanced Networking
techiegeekster (DD-WRT Novice, Joined: 10 Jan 2015, Posts: 23)
Posted: Sun Nov 15, 2015 20:32    Post subject: Attempting to create iptables entries on router startup...
Hey all, I am one of those people who is becoming increasingly resentful of how much Microsoft snoops on us, so I got it into my head to attempt to block all the IPs I could find to which the invasive telemetry updates they are shoving down everyone's throats send all this information.

I figured, if I can block all that outgoing traffic by just dropping the packets, they shouldn't actually get any of it. That being said, here's a script I whipped together and added to my startup on my Netgear R7000 running DD-WRT v24-sp2 (02/16/15) kongac - build 26285M. Alas, it doesn't seem to do anything unless I telnet to the router itself and manually run these commands. Can anyone tell me what I am doing wrong?

Thanks!

# -j logdrop refers to a chain DD-WRT creates only when firewall logging is enabled;
# with logging off, iptables rejects these lines ("No chain/target/match by that name")
# and the plain DROP target is the one to use.
iptables -I FORWARD -d 134.170.185.46 -j logdrop
iptables -I FORWARD -d 134.170.188.221 -j logdrop
iptables -I FORWARD -d 204.79.197.203 -j logdrop
iptables -I FORWARD -d 23.203.18.96 -j logdrop
iptables -I FORWARD -d 157.56.148.19 -j logdrop
iptables -I FORWARD -d 168.62.43.8 -j logdrop
iptables -I FORWARD -d 23.203.28.174 -j logdrop
iptables -I FORWARD -d 104.91.205.87 -j logdrop
iptables -I FORWARD -d 65.55.50.189 -j logdrop
iptables -I FORWARD -d 134.170.58.222 -j logdrop
iptables -I FORWARD -d 23.203.28.46 -j logdrop
iptables -I FORWARD -d 64.4.6.100 -j logdrop
iptables -I FORWARD -d 65.55.39.10 -j logdrop
# Note: -m iprange --src-range matches the SOURCE address of a packet, so the eight rules
# below only affect traffic arriving FROM those ranges; to block traffic TO a range the
# matching option is --dst-range.
iptables -I FORWARD -m iprange --src-range 65.0.0.1-65.0.0.8 -j logdrop
iptables -I FORWARD -m iprange --src-range 70.0.0.1-70.0.0.8 -j logdrop
iptables -I FORWARD -m iprange --src-range 94.0.0.1-94.0.0.8 -j logdrop
iptables -I FORWARD -m iprange --src-range 111.0.0.1-111.0.0.8 -j logdrop
iptables -I FORWARD -m iprange --src-range 132.0.0.1-132.0.0.8 -j logdrop
iptables -I FORWARD -m iprange --src-range 157.0.0.1-157.0.0.8 -j logdrop
iptables -I FORWARD -m iprange --src-range 207.0.0.1-207.0.0.8 -j logdrop
iptables -I FORWARD -m iprange --src-range 213.0.0.1-213.0.0.8 -j logdrop
iptables -I FORWARD -d 65.55.50.190 -j logdrop
iptables -I FORWARD -d 191.232.80.55 -j logdrop
iptables -I FORWARD -d 65.55.252.63 -j logdrop
iptables -I FORWARD -d 204.79.197.200 -j logdrop
iptables -I FORWARD -d 65.52.100.91 -j logdrop
iptables -I FORWARD -d 64.4.54.254 -j logdrop
iptables -I FORWARD -d 191.232.139.254 -j logdrop
iptables -I FORWARD -d 64.4.54.32 -j logdrop
iptables -I FORWARD -d 65.55.252.92 -j logdrop
iptables -I FORWARD -d 65.55.252.93 -j logdrop
iptables -I FORWARD -d 65.52.100.7 -j logdrop
iptables -I FORWARD -d 93.184.215.200 -j logdrop
iptables -I FORWARD -d 104.88.67.56 -j logdrop
iptables -I FORWARD -d 168.62.187.13 -j logdrop
iptables -I FORWARD -d 131.253.40.37 -j logdrop
iptables -I FORWARD -d 134.170.115.60 -j logdrop

FYI: I also found a smattering of IPv6 addresses, but I can't seem to get ip6tables to work on blocking those... I've left them out for now.

_________________
Currently owned routers:
Router Model: Netgear R7000 Nighthawk
Current Firmware: DD-WRT v3.0-r33655M kongac (11/03/17)

Router Model: Netgear R7000 Nighthawk
Current Firmware: DD-WRT v3.0-r31575M kongac (03/21/17)

Router Model: Netgear R7000 Nighthawk
Current Firmware: LEDE OpenWRT
techiegeekster
Posted: Sun Nov 15, 2015 20:53
OK, part of my problem, I guess, is putting them in startup instead of firewall. I put them there and changed logdrop to DROP, but it still doesn't seem to be dropping them. Is there any way I can tell for sure?
techiegeekster
Posted: Mon Nov 16, 2015 23:17
Thank you for your response. I tweaked it a bit and changed FORWARD to OUTPUT so now it should only be dropping outgoing packets. So far I have tried 2 of the IPs on the list and I see packets being dropped. It's working! (happy dance)

I will be researching more efficient ways to do it as well as your suggestion of ipset, but for now, I am happy. I also changed logdrop to DROP. And instead of the range code, I picked out each IP and made a separate entry for it. For your banned script, I am guessing I could just replace that list of IP addresses in the BANNED_DST = "...." with the list I found? Incoming is fine, it's just outgoing that I don't want.

techiegeekster
Posted: Tue Nov 17, 2015 1:33
Oh drat. I guess it's back to the drawing board for me then. Thanks for the input! FYI, I tried saving that script as custom and executing it, then running the verbose list command:
iptables -vnL banned

I see the list of IPs, but no outgoing packets are actually getting dropped.

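The thread above turns on three DD-WRT details: rules placed in the Startup script are flushed when DD-WRT builds its own firewall, so the place for them is the Firewall script (Administration -> Commands -> Save Firewall), which runs after that build; traffic from LAN hosts that the router routes out to the WAN traverses the FORWARD chain, while OUTPUT only sees packets the router itself originates, so a block in OUTPUT leaves LAN clients untouched; and `-j logdrop` names a chain DD-WRT creates only when firewall logging is enabled, whereas `-j DROP` always works. The script below is an added example, not the poster's script and not anything DD-WRT ships. It generates the FORWARD-chain rules from a blocklist, validates each address first (one typo would otherwise make iptables abort the Firewall script at that line and silently leave the rest unapplied), and prints the command used to confirm that the rules are in place and counting hits. It assumes BusyBox sh as found on DD-WRT; the `BLOCKLIST` (a few addresses from the post plus one deliberately malformed entry), the `APPLY` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the forum poster's script, not DD-WRT code).
# Generates "iptables -I FORWARD -d ADDR -j DROP" rules for a DD-WRT Firewall script.
#  - FORWARD: where LAN->WAN traffic routed by the router is matched (OUTPUT is router-originated only)
#  - -I: insert at the top of the chain, ahead of DD-WRT's own ACCEPT rules
#  - DROP: needs no logging support, unlike DD-WRT's logdrop chain
# Assumes BusyBox sh. BLOCKLIST is a constructed sample: a few addresses from the post
# plus one deliberately malformed entry to show the validation path.

BLOCKLIST="134.170.185.46
204.79.197.203
65.55.50.189
not.an.ip
64.4.6.100"

# is_ipv4 ADDR: succeed only for a dotted quad with four octets each in 0-255.
is_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;   # empty, leading/trailing/double dot, non-digit
    esac
    _ifs="$IFS"; IFS=.
    set -- $1                                   # split on dots into positional params
    IFS="$_ifs"
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# gen_rules [CHAIN]: print one iptables command per valid address in BLOCKLIST;
# invalid entries are reported on stderr and skipped. CHAIN defaults to FORWARD.
gen_rules() {
    _chain="${1:-FORWARD}"
    printf '%s\n' "$BLOCKLIST" | while read -r _ip; do
        [ -n "$_ip" ] || continue
        if is_ipv4 "$_ip"; then
            printf 'iptables -I %s -d %s -j DROP\n' "$_chain" "$_ip"
        else
            printf 'skipping invalid address: %s\n' "$_ip" >&2
        fi
    done
}

# verify_cmd [CHAIN]: the command that shows the rules with per-rule packet counters.
# After a LAN host tries to reach a blocked address, a non-zero "pkts" value on that
# rule is the proof the rule is actually dropping traffic.
verify_cmd() {
    printf 'iptables -vnL %s --line-numbers\n' "${1:-FORWARD}"
}

# Dry run by default: print the rules for pasting into the Firewall box.
# On the router, APPLY=1 ./blocklist.sh executes them directly (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules | sh
else
    gen_rules
    verify_cmd
fi
```

Run without `APPLY` it prints four `iptables -I FORWARD ... -j DROP` lines, reports `not.an.ip` on stderr, and ends with `iptables -vnL FORWARD --line-numbers`. Because the rules are inserted rather than appended, re-running the Firewall script after a WAN reconnect stacks duplicates at the top of FORWARD; they are harmless for a DROP rule but make the counter output noisier, so a production version would `iptables -D` existing copies or keep the addresses in a dedicated chain it can flush first.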