Blocking Regions/Countries Help

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3  Next
Author Message
RCShadows
DD-WRT User


Joined: 17 Aug 2008
Posts: 435

PostPosted: Sun Nov 01, 2009 16:27    Post subject: Blocking Regions/Countries Help Reply with quote
I have been getting undesirable traffic from specific countries around the globe so I searched around for a way to block these unwanted requests.

I found this but I certianly do not know how to implement it in DD-WRT...

http://www.bsdtips.org/mediawiki/index.php/Blocking_whole_countries

...can someone help to clearify how this would be done in DD-WRT?

My thanks in advance.
Sponsor
smileboot
DD-WRT User


Joined: 30 Jan 2009
Posts: 118

PostPosted: Sun Nov 01, 2009 19:16    Post subject: Reply with quote
I would also like to know how to do this. Im sure we could manually add whole IP ranges to the firewall. But that would HIGHLY involved and complicated. So an easy way would fantastic.
_________________
Linksys WRT610n v1 - DD-WRT K26 v24-sp2 (03/24/10) mini-usb
(SVN revision 14144)
Linksys WRT350n(with WPC600N) - DD-WRT v24-sp2 (01/02/10) mini-usb-ftp (SVN revision 13577M NEWD Eko)
RCShadows
DD-WRT User


Joined: 17 Aug 2008
Posts: 435

PostPosted: Sun Nov 01, 2009 22:56    Post subject: Reply with quote
smileboot wrote:
I would also like to know how to do this. Im sure we could manually add whole IP ranges to the firewall. But that would HIGHLY involved and complicated. So an easy way would fantastic.


I agree and that's why I asked. There seems to be ways though. I need Frater to chime in, he is the code geek on this stuff lol.

I just found this but again, I need to know how to do it in DD-WRT...

http://www.cyberciti.biz/faq/block-entier-country-using-iptables/

Help?
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Mon Nov 02, 2009 6:22    Post subject: Reply with quote
I just took a look at that script and it should be no problem. It will need a complete rewrite. DD-WRT loads the iptables from scratch every time so they need to get inserted into rc_firewall. I will do this with a link to save nvram.

It will be similar to the pixelserv script.

Today I will get my Asus RTN16 and my new mediaplayer (ACryan Playon!HD) so it may take a few days.....

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
RCShadows
DD-WRT User


Joined: 17 Aug 2008
Posts: 435

PostPosted: Mon Nov 02, 2009 6:27    Post subject: Reply with quote
Well, anything you can post as far as scripts and maybe a "how-to" as I'm fairly ignorant with this stuff so far.

Thanks Frater, I'll see what you come up with.
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Mon Nov 02, 2009 18:00    Post subject: Reply with quote
I did start on it this morning and I was already able to run a script, but I'm afraid it's not the way to go.

For China alone it will have 1646 rules and I think that it will slowdown your router significantly.
I would like to do some more research to see if we can't have a more intelligent approach to the problem. I assume you not only want to block China, but the whole of South East Asia.....

I'm currently playing with my new toy (The mediaplayer)

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Mon Nov 02, 2009 19:55    Post subject: Reply with quote
I will see if I can improve the script to make it less "brute force".
As it is now it will just load all those rules into iptables....


Code:
wget -O /opt/etc/init.d/S95countryblock http://wd.mirmana.com/S95countryblock


Have fun...

You can add countries yourself (It's now China and Afghanistan)

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3742
Location: I'm the one on the plate.

PostPosted: Mon Nov 02, 2009 20:50    Post subject: Reply with quote
frater wrote:
For China alone it will have 1646 rules..

I've been blocking non-domestic e-mail using IP ranges in a mail server I admin. If you go by the primary zones such as APNIC, RIPE, LACNIC, Etc, then you can get it down to about 250 total rules. The reason is that there are large contiguous blocks of addresses that cover multiple countries. I'll dig up the specifics and find the websites I used to get the data bases.

_________________
http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.


Last edited by GeeTek on Mon Nov 02, 2009 20:51; edited 1 time in total
RCShadows
DD-WRT User


Joined: 17 Aug 2008
Posts: 435

PostPosted: Mon Nov 02, 2009 20:50    Post subject: Reply with quote
frater wrote:
I will see if I can improve the script to make it less "brute force".
As it is now it will just load all those rules into iptables....


Code:
wget -O /opt/etc/init.d/S95countryblock http://wd.mirmana.com/S95countryblock


Have fun...

You can add countries yourself (It's now China and Afghanistan)


Thanks Frater...I want to block India too to see what effect it has on browsing.

I tried to resolve "http://wd.mirmana.com/S95countryblock" and got nothing. I changed it to "http://www.mirmana.com/S95countryblock" and still got nothing.
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Mon Nov 02, 2009 22:34    Post subject: Reply with quote
RCShadows wrote:
I tried to resolve "http://wd.mirmana.com/S95countryblock" and got nothing. I changed it to "http://www.mirmana.com/S95countryblock" and still got nothing.


Are you in China?
You are not allowed to use your browser.
Use wget...

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
RCShadows
DD-WRT User


Joined: 17 Aug 2008
Posts: 435

PostPosted: Mon Nov 02, 2009 22:53    Post subject: Reply with quote
frater wrote:
RCShadows wrote:
I tried to resolve "http://wd.mirmana.com/S95countryblock" and got nothing. I changed it to "http://www.mirmana.com/S95countryblock" and still got nothing.


Are you in China?
You are not allowed to use your browser.
Use wget...


Nope, in the States. Thanks again....I'll get it working Confused
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Mon Nov 02, 2009 23:18    Post subject: Reply with quote
I did several tests and am able to download stuff from abroad. I even downloaded the script just now from the States....

Here's an alternative:

http://pastebin.com/m24cb1f35

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Tue Nov 03, 2009 18:43    Post subject: Reply with quote
I created a complete new script which significantly brings down the amount of rules needed....

I'm blocking big /8 /7 and /6 networks to which I will make an exception...

It's an original idea of mine which doesn't mean nobody thought of it before.... ;-)

Code:
wget -O /opt/etc/init.d/S95blockasia http://wd.mirmana.com/S95blockasia


The example will block Asia but whitelists Japan. It will add all subnets from China and will block Afghanistan...

If whitelisting of Japan would have been left out, the amount of rules would only be 136

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

PostPosted: Wed Nov 04, 2009 0:46    Post subject: Reply with quote
frater wrote:
It's an original idea of mine which doesn't mean nobody thought of it before.... Wink

Only if we were *all* a gifted scripter as yourself frater. Wink

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Wed Nov 04, 2009 7:21    Post subject: Reply with quote
crashfly wrote:
frater wrote:
It's an original idea of mine which doesn't mean nobody thought of it before.... Wink

Only if we were *all* a gifted scripter as yourself frater. Wink

But nobody's downloading it?

Well, that might be even better as I enhanced it using a little C program I found on the net to aggregate adjacent subnets to 1 subnet....

Code:
wget -O /opt/sbin/aggregate http://wd.mirmana.com/aggregate
chmod +x /opt/sbin/aggregate
wget -O /opt/etc/init.d/S95asiablock http://wd.mirmana.com/S95asiablock



You can NOT get it with safari, firefox, IE... You'll need to use wget.

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)


Last edited by frater on Thu Nov 05, 2009 4:41; edited 1 time in total
Goto page 1, 2, 3  Next Display posts from previous:    Page 1 of 3
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum