Quoting Philip Prindeville <philipp_s...@redfish-solutions.com>:

Jo and others:

Is there an easy way to extend firewall rules? I’d like to add support to blocking on a per-country basis, possibly with qualified exceptions.

Take a look at /etc/firewall.user. Most stuff you want to add fits nicely in there. The comments in that file make the use pretty self explanatory.

For instance, if I wanted to block all ISPs from RU, but allow email from Kaspersky’s servers in Russia.

I’d like to do something like:

ipset create geoip_RU_except_kaspersky_servers hash:ip
ipset add geoip_RU_except_kaspersky_servers 81.176.69.118
ipset add geoip_RU_except_kaspersky_servers 81.176.230.4
ipset add geoip_RU_except_kaspersky_servers 91.103.66.246
ipset add geoip_RU_except_kaspersky_servers 91.103.66.248

iptables -N geoip_RU_forward
iptables -A geoip_RU_forward -m set --match-set geoip_RU_except_kaspersky_servers src -p tcp --dport 25 -j RETURN
iptables -A geoip_RU_forward -m limit --limit 10/minute --limit-burst 5 -j NFLOG --nflog-prefix "cc RU drop"
iptables -A geoip_RU_forward -j DROP

iptables -A zone_wan_forward -m geoip --src-cc RU -j geoip_RU_forward

but come up with a notation for extending /etc/config/firewall to do this.

Maybe:


config rule
        option name     Block-RU
        option country  RU
        option src      wan
        list except     kaspersky_servers
        option log      1
        option log_limit 10/min
        option log_burst 5
        option log_prefix "cc RU drop"
        option target   DROP

config rule
        option name     kaspersky_servers
        option proto    tcp
        option dest_port 25
        list src        81.176.69.118
        list src        81.176.230.4
        list src        91.103.66.246
        list src        91.103.66.248
        option target   ACCEPT


although that’s still a little hairy and having rules refer to each other would be new…

Anyone have any ideas about how to do this better?

I’m happy to try to code it and debug it if we can come up with an acceptable notation.

Eventually I’d like to also do something with blocking ISPs (hello OVH? Cloudflare?), but for now countries would be easier with off-the-shelf stuff from xtables-addons.

Thanks,

-Philip
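An added example, not from this thread: the same block-with-exceptions ruleset written as an idempotent shell function shaped for /etc/firewall.user, which fw3 re-executes on every firewall reload, so the set, the chain and the jump must not be duplicated. The function name, the DRY_RUN switch and the hash:ip set type are my assumptions; the country, port and addresses are the ones from the message.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a per-country DROP chain with an
# ipset of exempted sources, safe to re-run from /etc/firewall.user on every
# fw3 reload. Set DRY_RUN=1 to print the commands instead of executing them.

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# iptables -C reports whether an identical rule already exists.
# In dry-run mode assume it does not, so the -A line is shown.
rule_exists() {
    [ -n "$DRY_RUN" ] && return 1
    iptables -C "$@" 2>/dev/null
}

# Usage: geoip_block CC EXCEPT_SET "ip ip ..." PORT RATE BURST LOG_PREFIX
geoip_block() {
    cc=$1; set_name=$2; ips=$3; port=$4; rate=$5; burst=$6; prefix=$7
    chain="geoip_${cc}_forward"

    # -exist makes create/add no-ops when the set or member is already there.
    run ipset create "$set_name" hash:ip -exist
    for ip in $ips; do
        run ipset add "$set_name" "$ip" -exist
    done

    # Recreate the chain contents from scratch so a reload cannot append
    # a second copy of the rules (-N fails harmlessly if the chain exists).
    run iptables -N "$chain" 2>/dev/null || true
    run iptables -F "$chain"
    # Exempted hosts may still deliver mail; everything else is logged (rate
    # limited so a flood cannot fill the log) and dropped.
    run iptables -A "$chain" -m set --match-set "$set_name" src -p tcp --dport "$port" -j RETURN
    run iptables -A "$chain" -m limit --limit "$rate" --limit-burst "$burst" -j NFLOG --nflog-prefix "$prefix"
    run iptables -A "$chain" -j DROP

    # Add the jump from the wan forward chain only once.
    rule_exists zone_wan_forward -m geoip --src-cc "$cc" -j "$chain" \
        || run iptables -A zone_wan_forward -m geoip --src-cc "$cc" -j "$chain"
}

# Values from the message; drop DRY_RUN=1 to apply them for real.
( DRY_RUN=1; geoip_block RU geoip_RU_except_kaspersky_servers \
    "81.176.69.118 81.176.230.4 91.103.66.246 91.103.66.248" 25 10/minute 5 "cc RU drop" )
```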


_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
