Jo and others: Is there an easy way to extend firewall rules? I'd like to add support for blocking on a per-country basis, possibly with qualified exceptions.

For instance, I might want to block all ISPs from RU, but allow email from Kaspersky's servers in Russia. I'd like to do something like:

  # exception set (ipset names are limited to 31 characters)
  ipset create geoip_RU_except_kaspersky hash:ip
  ipset add geoip_RU_except_kaspersky 81.176.69.118
  ipset add geoip_RU_except_kaspersky 81.176.230.4
  ipset add geoip_RU_except_kaspersky 91.103.66.246
  ipset add geoip_RU_except_kaspersky 91.103.66.248

  # per-country chain: exceptions fall through, then a rate-limited log, then drop
  iptables -N geoip_RU_forward
  iptables -A geoip_RU_forward -p tcp --dport 25 -m set --match-set geoip_RU_except_kaspersky src -j RETURN
  iptables -A geoip_RU_forward -m limit --limit 10/minute --limit-burst 5 -j NFLOG --nflog-prefix "cc RU drop"
  iptables -A geoip_RU_forward -j DROP

  # hook it into the wan forward chain once the target chain exists
  iptables -A zone_wan_forward -m geoip --src-cc RU -j geoip_RU_forward

but come up with a notation for extending /etc/config/firewall to do this. Maybe:

  config rule
      option name Block-RU
      option country RU
      option src wan
      list except kaspersky_servers
      option log 1
      option log_limit 10/min
      option log_burst 5
      option log_prefix "cc RU drop"
      option target drop

  config rule
      option name kaspersky_servers
      option proto tcp
      option dest_port 25
      list src 81.176.69.118
      list src 81.176.230.4
      list src 91.103.66.246
      list src 91.103.66.248
      option target ACCEPT

although that's still a little hairy, and having rules refer to each other would be new... Anyone have any ideas about how to do this better? I'm happy to try to code it and debug it if we can come up with an acceptable notation. Eventually I'd like to also do something with blocking ISPs (hello OVH? Cloudflare?), but for now countries would be easier with off-the-shelf stuff from xtables-addons.

Thanks,
-Philip

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
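The translation Philip is asking about, as an added example that is not part of the original post or of LEDE's firewall3: a small Python generator that reads the proposed `config rule` notation (a toy UCI-style parser over a constructed sample config) and emits the ipset/iptables commands. It follows the hand-written iptables sketch in the post: each `except` entry resolves to another rule by `name`, becomes a `hash:ip` set plus a RETURN rule placed ahead of the rate-limited NFLOG and the DROP, and the jump from the zone chain is appended last so the target chain already exists when traffic can reach it. The chain name `zone_wan_forward`, the `geoip_<cc>_x_<rule>` set naming, and the `country`/`except` keywords are assumptions; a dangling `except` reference and an ipset name longer than the kernel's 31-character limit are rejected up front rather than left for ipset/iptables to fail on.

```python
"""Turn a per-country 'config rule' with 'except' references into ipset/iptables
commands.  Added example, not LEDE/fw3 code: the parser is a toy for this
fragment, and the chain/set naming and keywords are assumptions from the post."""
import shlex

# Constructed sample in the notation proposed in the post.
SAMPLE_CONFIG = """
config rule
    option name Block-RU
    option country RU
    option src wan
    list except kaspersky_servers
    option log 1
    option log_limit 10/min
    option log_burst 5
    option log_prefix "cc RU drop"
    option target drop

config rule
    option name kaspersky_servers
    option proto tcp
    option dest_port 25
    list src 81.176.69.118
    list src 81.176.230.4
    list src 91.103.66.246
    list src 91.103.66.248
    option target ACCEPT
"""

IPSET_MAXNAMELEN = 31                       # kernel: 32 bytes including NUL
ZONE_CHAINS = {"wan": "zone_wan_forward"}   # assumed fw3 chain naming


def parse_uci(text):
    """Minimal UCI-style parser: 'option' sets a scalar, 'list' appends."""
    sections, cur = [], None
    for line in text.splitlines():
        words = shlex.split(line, comments=True)   # handles "cc RU drop"
        if not words:
            continue
        if words[0] == "config":
            cur = {"_type": words[1]}
            sections.append(cur)
        elif words[0] == "option" and cur is not None and len(words) == 3:
            cur[words[1]] = words[2]
        elif words[0] == "list" and cur is not None and len(words) == 3:
            cur.setdefault(words[1], []).append(words[2])
        else:
            raise ValueError("cannot parse: %r" % line)
    return sections


def exception_match(rule):
    """-p/--dport first: --dport is a tcp/udp option and must follow -p."""
    parts = []
    if "proto" in rule:
        parts += ["-p", rule["proto"]]
        if "dest_port" in rule:
            parts += ["--dport", rule["dest_port"]]
    return parts


def country_rules(rule, by_name):
    """Commands for one country rule: exceptions RETURN before the logged drop."""
    cc = rule["country"]
    chain = "geoip_%s_forward" % cc
    cmds = ["iptables -N %s" % chain]
    for exc_name in rule.get("except", []):
        if exc_name not in by_name:
            raise ValueError("rule %s: unknown exception rule %s" % (rule["name"], exc_name))
        exc = by_name[exc_name]
        setname = "geoip_%s_x_%s" % (cc, exc_name)
        if len(setname) > IPSET_MAXNAMELEN:
            raise ValueError("ipset name too long: %s" % setname)
        cmds.append("ipset create %s hash:ip" % setname)
        cmds += ["ipset add %s %s" % (setname, ip) for ip in exc.get("src", [])]
        match = " ".join(exception_match(exc) + ["-m", "set", "--match-set", setname, "src"])
        cmds.append("iptables -A %s %s -j RETURN" % (chain, match))
    if rule.get("log") == "1":
        prefix = rule.get("log_prefix", "cc %s drop" % cc)
        cmds.append("iptables -A %s -m limit --limit %s --limit-burst %s -j NFLOG --nflog-prefix %s"
                    % (chain, rule.get("log_limit", "10/min"), rule.get("log_burst", "5"),
                       shlex.quote(prefix)))
    cmds.append("iptables -A %s -j %s" % (chain, rule["target"].upper()))
    # hook into the zone chain last, so the jump target already exists
    cmds.append("iptables -A %s -m geoip --src-cc %s -j %s" % (ZONE_CHAINS[rule["src"]], cc, chain))
    return cmds


def generate(text):
    """All commands for every rule that carries a 'country' option."""
    rules = [s for s in parse_uci(text) if s["_type"] == "rule"]
    by_name = {r["name"]: r for r in rules}
    cmds = []
    for r in rules:
        if "country" in r:
            cmds += country_rules(r, by_name)
    return cmds


if __name__ == "__main__":
    print("\n".join(generate(SAMPLE_CONFIG)))
```

For the sample this prints ten commands. The exception rule is only consumed through `except` and so becomes a RETURN, exactly as in the iptables sketch; its own `target ACCEPT` is never emitted. On the router `-m geoip` still needs the xt_geoip module and its country database from xtables-addons, and because `--src-cc` is matched before the per-country chain, traffic from any other country never touches the exception set or the log limiter.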