Posted: Thu Dec 10, 2015 15:07 Post subject: Thanks!
Thanks everyone who worked on, tested, and improved this script! Working on an R7000.
(Side note, now I'll just have to find a file that blocks all those microsoft IP ranges that people like to block to minimize all the spying that windows 10 does. ) _________________ Netgear R7000 w/r31780M <KONG> build
Netgear R6700 (Un-opened with stock. My backup/emergency router if the R7000 takes a dump...)
2x Buffalo WHR-HP-GN 28493 (Used for 2.4 Ghz bridge when needed.)
Asus WL-500g Premium (1x v1 & 1x v2) (Still have, but retired for now.)
1x Linksys WRT54G v8 >>DD-WRT v24SP1 (The other routers needed something to point at and make fun of.)
Posted: Mon Dec 14, 2015 5:14 Post subject: Modified the main shell script a little...
To Badmoon & JAMESMTL:
I made a small modification to your main script file that allows a user to put a custom.zone file in the "zones" directory. That way a user can manually add custom IP ranges to a file and have it processed and handled the same way as the online-hosted zone files.
If there is a "better" or "more efficient" way to do what I did, please feel free to laugh at me and make changes.
I'll paste the modified file below. Do you want to edit your original post, and include this modified version as well as the diagnostic shell file also, so users can choose to use just the hosted zone files, or use hosted as well as custom.zone, and can easily test the results?
**ALSO: I made a simple small shell file that runs all of the diagnostic commands that you have suggested people run, JAMESMTL. That will also be posted below. (It simplified my process of testing/diagnosing/verifying since it does the 5 or 6 commands back to back, and therefore all the info is clustered together.)
ipblock.sh (modified for custom.zone):
Code:
#!/bin/sh
#set -x
### Block all traffic from listed. Use ISO code ###
ISO="cn-aggregated tw-aggregated kp-aggregated ru-aggregated ir-aggregated"
### Local zone file (custom.zone in the zones directory), handled like the hosted zones ###
CLOCAL="custom"
#Testing
#ISO="kr-aggregated"
### Set PATH ###
IPT=/usr/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
LOCKFILE=/tmp/ipblocklock.txt
# ZONEROOT is not defined in the excerpt as posted; the value below is an
# assumption taken from the /opt/ipblock/zones path used elsewhere in this thread.
ZONEROOT=/opt/ipblock/zones
setuplogging(){
# Inbound chain: optional LOG (commented out), then DROP
#$IPT -X countrylogin
$IPT -N countrylogin
#$IPT -A countrylogin -j LOG --log-prefix "COUNTRY IN DROP "
$IPT -A countrylogin -j DROP
# Outbound chain: optional LOG (commented out), then REJECT
#$IPT -X countrylogout
$IPT -N countrylogout
#$IPT -A countrylogout -j LOG --log-prefix "COUNTRY OUT DROP "
$IPT -A countrylogout -j REJECT
}
# create the zone dir if it does not exist yet
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Mon Dec 14, 2015 17:23 Post subject:
@SSB
My scripts also make use of whitelists & blacklists, so I agree with having the ability for a custom zone. As an example, I have a serious distaste for the scans by shodan.io, as they make it easy to identify all IPs running any given service such as dropbear, so I block IP ranges I know host their census servers.
@Badmoon
It was a PITA when ipdeny allowed their domain to expire. Internally I have moved to parsing the individual raw RIR zone files and creating aggregated CIDR blocks served by an SQL server via HTTP to my various routers. The issue I have with the RIPE JSON query is that occasionally they include IP ranges instead of CIDR blocks; see the ru, ir and us zones as examples.
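A converter for the range-versus-CIDR problem JAMESMTL describes, added here as an example and not code from the thread's ipblock.sh. It assumes the data.json reply has the data.resources.ipv4 list shape shown in the constructed sample and uses only the Python standard library, since CIDR summarisation is impractical in the router's busybox sh.

```python
"""Turn a RIPEstat country-resource-list reply into iptables-ready CIDR blocks.

The ipv4 list sometimes carries start-end ranges instead of CIDR blocks.
iptables -s only accepts address/mask, so such an entry would make the
rule fail; this handles both forms and collapses adjacent blocks, like
the "aggregated" zone files the script expects.
"""
import ipaddress
import json


def entry_to_networks(entry):
    """Return the IPv4 networks covering one ipv4 list entry.

    Accepts "192.0.2.0/24" or "192.0.2.0-192.0.2.255" (the range form RIPE
    occasionally emits); anything else raises ValueError so a malformed
    entry is never silently turned into a firewall rule.
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {entry}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(entry, strict=False)]


def ripe_json_to_cidrs(text):
    """Parse a RIPEstat country-resource-list JSON document and return a
    sorted, aggregated list of CIDR strings for its ipv4 resources."""
    data = json.loads(text)
    nets = []
    for entry in data["data"]["resources"]["ipv4"]:
        nets.extend(entry_to_networks(entry))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed sample in the shape of data.json?resource=<iso>; the addresses
# are documentation/test ranges, not any real country's allocations.
SAMPLE_JSON = """{"data": {"resources": {
  "ipv4": ["192.0.2.0/25", "192.0.2.128/25",
           "198.51.100.0-198.51.100.255",
           "203.0.113.8-203.0.113.15"],
  "ipv6": []}}}"""

if __name__ == "__main__":
    for cidr in ripe_json_to_cidrs(SAMPLE_JSON):
        print(cidr)  # one block per line, ready to be written to a zone file
```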
Just upgraded my router to 28598, the latest version.
wget doesn't accept https from stat.ripe.net
I had to change it to http.
Anyone else? _________________ Netgear R9000 main router
RAX80 as AP
Just upgraded my router to 28598, the latest version.
wget doesn't accept https from stat.ripe.net
I had to change it to http.
Anyone else?
I can confirm this behavior. I had to switch to http/port 80. I am running build 28000M. _________________ R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x https://pi-hole.net/ https://github.com/DNSCrypt/dnscrypt-proxy
"Wget must be compiled with an external SSL library."
Do any of you think that opening a ticket and requesting that wget be compiled with HTTPS support would go anywhere? I did notice the following text on the RIPE site https://stat.ripe.net/docs/data_api:
Code:
Note on SSL
Although it's still possible to use the RIPEstat Data API on a non-secure connection (ordinary HTTP) we strongly encourage using https. If there's a reason for you why you can't use HTTPS at all, please inform us since we will disable HTTP in the near future.
So it would appear that we will not be able to use just plain old HTTP forever...
"Wget must be compiled with an external SSL library."
Do any of you think that opening a ticket and requesting that wget be compiled with HTTPS support would go anywhere? I did notice the following text on the RIPE site https://stat.ripe.net/docs/data_api:
Code:
Note on SSL
Although it's still possible to use the RIPEstat Data API on a non-secure connection (ordinary HTTP) we strongly encourage using https. If there's a reason for you why you can't use HTTPS at all, please inform us since we will disable HTTP in the near future.
So it would appear that we will not be able to use just plain old HTTP forever...
Thoughts?
I think it would be worthwhile to start a discussion on and/or create a ticket on TRAC to get SSL with WGET compiled in. More and more sites are switching to HTTPS. I've never been able to create an account on TRAC, though.
Anyone know how to do this? I've tried a few things, including the following, and always get the 77 error:
Code:
root@R7000:/opt/ipblock# curl --capath /opt/usr/bin --cacert ca-bundle.crt -o opt/ipblock/zones/test.zone.temp https://stat.ripe.net/data/country-resource-list/data.json?resource=cn
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (77) error setting certificate verify locations:
  CAfile: ca-bundle.crt
  CApath: /opt/usr/bin
I've Googled some, and have made some progress. I'll Google more as time permits.
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Sun Dec 27, 2015 23:15 Post subject:
For the purpose of simply getting RIPE stats you can use the -k flag instead of setting capath / cacert. When I need cert verification I just make a copy of one of my Linux openssl cert folders and set capath to a copy of that dir.
JAMESMTL wrote:
For the purpose of simply getting RIPE stats you can use the -k flag instead of setting capath / cacert. When I need cert verification I just make a copy of one of my Linux openssl cert folders and set capath to a copy of that dir.
OK, that worked--thank you.
For my learning, do you or anyone else know how to get the cacert directory and file working with curl? Links would be great as well, or as a substitute.
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Mon Dec 28, 2015 2:53 Post subject:
HalfBit wrote:
JAMESMTL wrote:
For the purpose of simply getting RIPE stats you can use the -k flag instead of setting capath / cacert. When I need cert verification I just make a copy of one of my Linux openssl cert folders and set capath to a copy of that dir.
OK, that worked--thank you.
For my learning, do you or anyone else know how to get the cacert directory and file working with curl? Links would be great as well, or as a substitute.