[LEDE-DEV] Adding firewall extensions for xt_geoip usage
Philip Prindeville
philipp_subx at redfish-solutions.com
Fri Dec 8 17:15:02 PST 2017
Jo and others:
Is there an easy way to extend firewall rules? I’d like to add support to blocking on a per-country basis, possibly with qualified exceptions.
For instance, if I wanted to block all ISPs from RU, but allow email from Kaspersky’s servers in Russia.
I’d like to do something like:
# set of exceptions, created before any rule references it (hash:ip is the ipset type for single addresses)
ipset create geoip_RU_except_kaspersky_servers hash:ip
ipset add geoip_RU_except_kaspersky_servers 81.176.69.118
ipset add geoip_RU_except_kaspersky_servers 81.176.230.4
ipset add geoip_RU_except_kaspersky_servers 91.103.66.246
ipset add geoip_RU_except_kaspersky_servers 91.103.66.248
# per-country chain: exceptions return first, then a rate-limited log, then the verdict
iptables -N geoip_RU_forward
iptables -A geoip_RU_forward -m set --match-set geoip_RU_except_kaspersky_servers src -p tcp --dport 25 -j RETURN
iptables -A geoip_RU_forward -m limit --limit 10/minute --limit-burst 5 -j NFLOG --nflog-prefix "cc RU drop"
iptables -A geoip_RU_forward -j DROP
# hook the chain into the zone last, so the jump target already exists
iptables -A zone_wan_forward -m geoip --src-cc RU -j geoip_RU_forward
but come up with a notation for extending /etc/config/firewall to do this.
Maybe:
config rule
	option name Block-RU
	option country RU
	option src wan
	list except kaspersky_servers
	option log 1
	option log_limit 10/min
	option log_burst 5
	option log_prefix "cc RU drop"
	option target drop

config rule
	option name kaspersky_servers
	option proto tcp
	option dest_port 25
	list src 81.176.69.118
	list src 81.176.230.4
	list src 91.103.66.246
	list src 91.103.66.248
	option target ACCEPT
although that’s still a little hairy and having rules refer to each other would be new…
Anyone have any ideas about how to do this better?
I’m happy to try to code it and debug it if we can come up with an acceptable notation.
Eventually I’d like to also do something with blocking ISPs (hello OVH? Cloudflare?), but for now countries would be easier with off-the-shelf stuff from xtables-addons.
Thanks,
-Philip
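A sketch, added here and not part of Philip's message or of fw3, of how the notation proposed above could be lowered to ipset/iptables commands, including resolving the "list except" cross-reference by rule name. The option keys country, except, log_limit, log_burst and log_prefix are the hypothetical ones from the proposal; handling only the forward chain of a "src" zone, the geoip_<CC>_forward and geoip_<CC>_except_<rule> names, and the rate-limit defaults are assumptions of this sketch. The sample config inside it is constructed from the two rules in the message.

```python
"""Lower the rule notation proposed above to ipset/iptables command strings.
Added example, not fw3 code: 'country', 'except', 'log_limit', 'log_burst' and
'log_prefix' are the hypothetical keys from the proposal; only a 'src' zone's
forward chain is handled (an assumption, to keep the sketch short)."""
import ipaddress
import re
import shlex

# Constructed sample in the proposed notation (two of the message's rules)
SAMPLE_CONFIG = """
config rule
    option name Block-RU
    option country RU
    option src wan
    list except kaspersky_servers
    option log 1
    option log_limit 10/min
    option log_burst 5
    option log_prefix "cc RU drop"
    option target drop
config rule
    option name kaspersky_servers
    option proto tcp
    option dest_port 25
    list src 81.176.69.118
    list src 81.176.230.4
    option target ACCEPT
"""

def parse_uci(text):
    """Parse UCI-style config/option/list lines into section dicts."""
    sections, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        kind, _, rest = line.partition(" ")
        if kind == "config":
            cur = {"_type": rest.strip(), "options": {}, "lists": {}}
            sections.append(cur)
            continue
        if cur is None or kind not in ("option", "list"):
            raise ValueError(f"unexpected line {line!r}")
        key, _, value = rest.strip().partition(" ")
        value = value.strip().strip("'\"")
        if kind == "option":
            cur["options"][key] = value
        else:
            cur["lists"].setdefault(key, []).append(value)
    return sections

def normalize_limit(limit):
    """Accept 'N/min' the way iptables -m limit does (any prefix of the unit)."""
    m = re.fullmatch(r"(\d+)/([a-z]+)", limit)
    units = [u for u in ("second", "minute", "hour", "day") if m and u.startswith(m[2])]
    if len(units) != 1:
        raise ValueError(f"bad log_limit {limit!r}")
    return f"{m[1]}/{units[0]}"

def exception_match(cc, exc):
    """ipset commands for one 'except' rule, plus the iptables match for that set."""
    o = exc["options"]
    name = f"geoip_{cc}_except_{o['name']}"
    srcs = exc["lists"].get("src")
    if not srcs or ("dest_port" in o and "proto" not in o):
        raise ValueError(f"exception rule {o['name']}: needs 'list src'; dest_port needs proto")
    cmds = [f"ipset create {name} hash:ip -exist"]
    for ip in srcs:
        ipaddress.IPv4Address(ip)  # hash:ip v4 set: reject anything else up front
        cmds.append(f"ipset add {name} {ip} -exist")
    match = f"-m set --match-set {name} src"
    match += f" -p {o['proto']}" if "proto" in o else ""
    match += f" --dport {o['dest_port']}" if "dest_port" in o else ""
    return cmds, match

def lower_rules(text):
    """Return the ordered command list for every rule that carries 'country'."""
    rules = {s["options"]["name"]: s for s in parse_uci(text) if s["_type"] == "rule"}
    cmds = []
    for rule in rules.values():
        opts, cc = rule["options"], rule["options"].get("country")
        if cc is None:
            continue  # ordinary rule: fw3 handles it as today
        if not re.fullmatch(r"[A-Z]{2}", cc):
            raise ValueError(f"bad country code {cc!r}")
        chain, returns = f"geoip_{cc}_forward", []
        for exc_name in rule["lists"].get("except", []):
            if exc_name not in rules:
                raise ValueError(f"{opts['name']} refers to unknown rule {exc_name!r}")
            set_cmds, match = exception_match(cc, rules[exc_name])
            cmds.extend(set_cmds)  # sets must exist before a rule references them
            returns.append(f"iptables -A {chain} {match} -j RETURN")
        cmds.append(f"iptables -N {chain}")
        cmds.extend(returns)  # exceptions first, then the rate-limited log, then verdict
        if opts.get("log") == "1":
            log = f"-m limit --limit {normalize_limit(opts.get('log_limit', '10/minute'))}"
            log += f" --limit-burst {opts['log_burst']}" if "log_burst" in opts else ""
            log += f" -j NFLOG --nflog-prefix {shlex.quote(opts.get('log_prefix', f'cc {cc}'))}"
            cmds.append(f"iptables -A {chain} {log}")
        cmds.append(f"iptables -A {chain} -j {opts['target'].upper()}")
        # hook the chain into the zone last, so no rule jumps to a chain that does not exist yet
        cmds.append(f"iptables -A zone_{opts['src']}_forward -m geoip --src-cc {cc} -j {chain}")
    return cmds
```

Running lower_rules(SAMPLE_CONFIG) yields the ipset commands, then the geoip_RU_forward chain with its RETURN, NFLOG and DROP rules, and only then the jump from zone_wan_forward, so every name is defined before it is used. A rule whose "list except" names a rule that does not exist, or an exception rule without "list src", is rejected at load time rather than producing a chain that silently matches nothing.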