[LEDE-DEV] Adding firewall extensions for xt_geoip usage
Arjen de Korte
arjen+lede at de-korte.org
Sat Dec 9 00:33:09 PST 2017
Quoting Philip Prindeville <philipp_subx at redfish-solutions.com>:
> Jo and others:
>
> Is there an easy way to extend firewall rules? I’d like to add
> support to blocking on a per-country basis, possibly with qualified
> exceptions.
Take a look at /etc/firewall.user. Most stuff you want to add fits
nicely in there. The comments in that file make the use pretty
self-explanatory.
> For instance, if I wanted to block all ISP’s from RU, but allow
> email from Kaspersky’s servers in Russia.
>
> I’d like to do something like:
>
> iptables -A zone_wan_forward -m geoip --src-cc RU -j geoip_RU_forward
>
> ipset create geoip_RU_except_kaspersky_servers hash:ip
> ipset add geoip_RU_except_kaspersky_servers 81.176.69.118
> ipset add geoip_RU_except_kaspersky_servers 81.176.230.4
> ipset add geoip_RU_except_kaspersky_servers 91.103.66.246
> ipset add geoip_RU_except_kaspersky_servers 91.103.66.248
>
> iptables -N geoip_RU_forward
> iptables -A geoip_RU_forward -m set --match-set
> geoip_RU_except_kaspersky_servers src -p tcp --dport 25 -j RETURN
> iptables -A geoip_RU_forward -m limit --limit 10/minute --limit-burst 5 -j
> NFLOG --nflog-prefix "cc RU drop"
> iptables -A geoip_RU_forward -j DROP
>
> but come up with a notation for extending /etc/config/firewall to do this.
>
> Maybe:
>
>
> config rule
> 	option name Block-RU
> 	option country RU
> 	option src wan
> 	list except kaspersky_servers
> 	option log 1
> 	option log_limit 10/min
> 	option log_burst 5
> 	option log_prefix "cc RU drop"
> 	option target drop
>
> config rule
> 	option name kaspersky_servers
> 	option proto tcp
> 	option dest_port 25
> 	list src 81.176.69.118
> 	list src 81.176.230.4
> 	list src 91.103.66.246
> 	list src 91.103.66.248
> 	option target ACCEPT
>
>
> although that’s still a little hairy and having rules refer to each
> other would be new…
>
> Anyone have any ideas about how to do this better?
>
> I’m happy to try to code it and debug it if we can come up with an
> acceptable notation.
>
> Eventually I’d like to also do something with blocking ISPs (hello
> OVH? Cloudflare?), but for now countries would be easier with
> off-the-shelf stuff from xtables-addons.
>
> Thanks,
>
> -Philip
>
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev
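An added example, not from Arjen's reply, Philip's message or the fw3 code base: a script that does what Philip's hand-written iptables rules and proposed UCI notation describe, by the /etc/firewall.user route Arjen suggests. A geoip match on the WAN zone chains jumps to a custom chain that first exempts the listed SMTP servers via an ipset, then logs with a rate limit over NFLOG, then drops. It assumes the xtables-addons geoip match (iptables-mod-geoip with its GeoIP database) and ipset are installed and that fw3's zone_wan_input and zone_wan_forward chains exist; the exception addresses are the ones from the quoted message, while the file name /etc/firewall.geoip.sh, the chain and set names and the `apply`/`print` entry points are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread, not fw3 code): country block with an
# ipset exception, written to be called from /etc/firewall.user.
# Assumes the xtables-addons geoip match (iptables-mod-geoip + GeoIP database),
# ipset, and fw3's zone_wan_input / zone_wan_forward chains.
# Save as /etc/firewall.geoip.sh (name chosen here) and call it from
# /etc/firewall.user with:  sh /etc/firewall.geoip.sh apply

CC="RU"                         # country to block (ISO 3166 code, as xt_geoip expects)
CHAIN="geoip_${CC}_drop"        # custom chain, name chosen here
EXCEPT_SET="geoip_${CC}_except" # ipset of hosts exempted from the block, name chosen here
EXCEPT_PORT=25                  # exempted hosts may still reach this TCP port
# Exception addresses taken from the quoted message.
EXCEPT_IPS="81.176.69.118 81.176.230.4 91.103.66.246 91.103.66.248"

# DRY_RUN=1 prints each command instead of executing it, so the rule set can
# be reviewed on a machine without iptables.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Insert a rule into a zone chain unless an identical one is already there
# (iptables -C), so re-running the script does not stack duplicate hooks.
hook_once() {
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -C "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -I "$@"
}

geoip_block_rules() {
    # Exception set; -exist makes create/add idempotent.
    run ipset create "$EXCEPT_SET" hash:ip -exist
    for ip in $EXCEPT_IPS; do
        run ipset add "$EXCEPT_SET" "$ip" -exist
    done

    # Custom chain: create if missing, then flush so the rules below are the
    # only ones in it.
    run iptables -N "$CHAIN" 2>/dev/null
    run iptables -F "$CHAIN"
    # 1. Exempted hosts may deliver mail: leave the chain without a verdict.
    run iptables -A "$CHAIN" -p tcp --dport "$EXCEPT_PORT" \
        -m set --match-set "$EXCEPT_SET" src -j RETURN
    # 2. Log the drops, rate-limited so a flood cannot fill the log.
    run iptables -A "$CHAIN" -m limit --limit 10/minute --limit-burst 5 \
        -j NFLOG --nflog-prefix "cc $CC drop"
    # 3. Everything else geolocated to that country is dropped.
    run iptables -A "$CHAIN" -j DROP

    # Hook: traffic from $CC arriving on WAN, both to the router itself
    # (input) and through it (forward), is sent to the custom chain.
    for zone_chain in zone_wan_input zone_wan_forward; do
        hook_once "$zone_chain" -m geoip --src-cc "$CC" -j "$CHAIN"
    done
}

# "apply" installs the rules; "print" shows them without touching the firewall.
case "${1:-}" in
    apply) geoip_block_rules ;;
    print) DRY_RUN=1 geoip_block_rules ;;
esac
```

The RETURN for the exempted hosts means they fall back to whatever the zone chain would have done with them anyway, so the exemption only lifts the country block; it does not itself open port 25. Running `sh /etc/firewall.geoip.sh print` first lets you check the generated commands before `apply` goes into /etc/firewall.user.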