Geoip-shell: flexible geoip blocker for Linux

In the meantime, a couple of users recommended the project on reddit and on pbxforum, and suddenly github statistics show many more stars, visitors and clones, so it looks like people appreciate it in its current capacity. Which makes me think again about making radical changes, and a transformation into a universal ip blocker is a fairly radical change. Still undecided how to proceed. Maybe I'll maintain geoip-shell as a geoip blocker exclusively and then fork a new and more universal project out of it.

Hi, a few months ago I created a script which also blocks and authorizes the IPs we want, but I would like to transcribe it via LuCI as an ipk. If you are interested in my script, tell me. Thanks.

Sure, post a link and I'll take a look at it. That said, I have no experience making a LuCI interface and ipk, and that's something I'll have to figure out for geoip-shell eventually.

Just released v0.2.8 with some reliability and compatibility improvements.

Improved the OpenWrt-specific README and added a section which describes in detail how geoip-shell implements persistence on OpenWrt.

https://github.com/friendly-bits/geoip-shell/blob/main/OpenWrt/README.md

There have been a few releases in the past 3 days which feature better installation experience, improved scripts initialization, some bug fixes and much code cleanup. Latest version (v0.2.9.2) should be pretty stable.

Just released v0.3.1 which allows to change more of the geoip blocking config after installation. I'm also looking into how to make an OpenWrt package for this project.

geoip-shell v0.3.2 is out, implementing some changes recommended by other OpenWrt devs. Now the default data directory on OpenWrt is /tmp/geoip-shell-data and, by default, ip lists backup is disabled. Both options can be changed when installing.

v0.3.4 implements an additional measure to minimize writes to flash. Before committing the config to storage, checks are now performed to make sure that it actually changed, and if not then no write occurs. Also the data directory path and the nobackup options are now changeable via the apply action in the -manage script. And some more improvements and minor bug fixes.
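The write-only-if-changed measure described in the post above, as an added example in POSIX shell (this is not geoip-shell's own code; the file path, the config format and the function name are assumptions made for the example). The new content is first written to a temporary file in the same directory and compared with the stored copy; only when they differ is it moved into place, which both spares the flash and keeps readers from ever seeing a half-written config:

```shell
#!/bin/sh
# Added example, not geoip-shell's own code: commit a config file to
# storage only when its content actually changed, to spare flash writes.
# The config path, its key=value format and the names are assumptions.

# write_if_changed FILE CONTENT
# Returns 0 when FILE was (re)written, 1 when it was already up to date,
# 2 on error. CONTENT goes to a temp file in the same directory first and
# is renamed over FILE, so the update is atomic on the same filesystem.
write_if_changed() {
    file="$1"; content="$2"
    dir=$(dirname "$file")
    tmp=$(mktemp "$dir/.cfg.XXXXXX") || return 2
    printf '%s\n' "$content" > "$tmp" || { rm -f "$tmp"; return 2; }
    if [ -f "$file" ] && cmp -s "$tmp" "$file"; then
        rm -f "$tmp"          # identical content: no write to flash
        return 1
    fi
    mv -f "$tmp" "$file" || { rm -f "$tmp"; return 2; }
    return 0
}

# demo: three commits against a constructed config in a temp directory;
# only the first and the third actually touch the file.
demo() {
    d=$(mktemp -d) || return 2
    cfg="$d/geoip-shell.conf"
    write_if_changed "$cfg" "nobackup=true";  printf 'first write:  rc=%s\n' "$?"
    write_if_changed "$cfg" "nobackup=true";  printf 'same content: rc=%s\n' "$?"
    write_if_changed "$cfg" "nobackup=false"; printf 'changed:      rc=%s\n' "$?"
    rm -rf "$d"
}

# run the demo only when invoked as: sh this_script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

The comparison is done with cmp on the temp file rather than by reading the stored file into a shell variable, so trailing newlines and embedded whitespace are compared exactly; on a busybox system cmp, mktemp and dirname are all available.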

All right, after some (a lot) of stumbles on the way, I finally have a working ipk for geoip-shell. I'll update the github repo first, then post it here.

Good job :muscle::+1::wink:

All right, the ipk's are up in the Releases on Github (not yet in the OpenWrt official repository).
I tested both the regular (nftables) ipk on my VM and the -iptables ipk on my router. Both installation and uninstallation work fine for me. Ah yes, and usage.

Note that after installing via ipk, geoip-shell will be inactive until you configure it, which is done by running this command: geoip-shell configure. This will start interactive setup. For some additional options unavailable interactively, run geoip-shell -h. You can attach any combination of options to the geoip-shell configure command and the setup will process them and ask you additional questions if required.

I also updated the general readme and the OpenWrt-specific readme with some more details about installation and usage.

Please let me know if/when you try the ipk's, whether it works, doesn't work or if you find a bug.

https://github.com/friendly-bits/geoip-shell/releases

P.s. the command to install an ipk is opkg install geoip-shell[...].ipk (you need to be in the same directory where the ipk is located).

Yes man, I will try when I come back to my home.

Have you added IP blocking like in my script that I sent you in a message?

geoip-shell currently doesn't have custom ip lists functionality. It works at the resolution of a country, and you can select connections from which countries to block (blacklist mode) or from which countries to allow (whitelist mode). I've been considering adding custom local ip lists, but currently this is not implemented. I may still consider this more closely if more people ask for it. Currently geoip-shell allows to specify trusted IPs which bypass geoip blocking. Maybe this will be useful in your case.

Yes, I'm very interested in that, because I would like to authorise only one IP, like the one I sent you. Thanks :wink:

Not sure what specifically you mean by "that"? Anyway, take into account that currently geoip-shell only blocks incoming connections, not outgoing ones. If you want to block outgoing connections, I can see what can be done about it.

@Malakai didn't want to spam in the Banip thread. You are welcome to try geoip-shell and let me know how it goes. It does support configuring ports to block or allow (thanks to a feature request by another user which made me implement this).

In the meantime, I released v0.4.0.1 which fixes some bugs. If you are using v0.4, updating is highly recommended.

Will definitely have a look at your script as it seems to better meet my requirements than banip.
Unfortunately I will not be able to test it in the following days.
Will report back here after some testing.
Nevertheless, thank you for the effort put into this.

v0.4.1 fixes an additional bug involving iptables-based systems, and introduces 2 additional rules when geoip-shell is installed in whitelist mode and specific network interfaces are selected. One rule allows DHCPv6 router advertisement (from the upstream router), the other rule allows all traffic from the link-local (fe80::/8) prefix. Both rules should prevent possible issues involving communication with an upstream router.

I had some issues with my router not properly renewing its ipv6 DHCP lease, and these 2 rules seem to solve this. The DHCPv6 rule is basically a copy of the same rule which already comes by default on OpenWrt (it needs to be applied in geoip-shell as well because geoip-shell uses the prerouting netfilter hook). The rule for the link-local prefix is designed mainly to allow ICMPv6 traffic, but for link-local addresses I don't see a need to specifically select the ICMP protocol: since link-local traffic is not routed anyway, allowing it is harmless, while selecting specifically ICMP may needlessly tax the CPU a bit more.

Currently I don't see a need to add specific ipv4 rules for this scenario since I haven't had any issues with ipv4 connectivity, so for example geoip-shell currently does not create a rule to specifically accept ipv4 IGMP packets. If someone here thinks this is necessary or should be implemented as an option, we can discuss this.

Just a reminder, the ACCEPT verdicts in the firewall are not final, so while geoip-shell rules accept this traffic, other rules which are processed later may still filter some of it.

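To make the rule layout described in the last few posts concrete, here is an added example (not geoip-shell's own code, and not the project's actual ruleset): a shell function that emits an nftables ruleset for whitelist mode on one selected interface, filtering at the prerouting hook, with the two IPv6 accept rules for router advertisements and link-local traffic placed ahead of the whitelist sets. The table, chain and set names, the example address ranges and the interface name are all assumptions; the DHCPv6 rule is assumed to match ICMPv6 router advertisements (type 134), and the link-local rule uses fe80::/10, the link-local prefix defined in RFC 4291:

```shell
#!/bin/sh
# Added example, not geoip-shell's own code. Emits an nftables ruleset for
# whitelist mode on one interface at the prerouting hook, including accept
# rules for router advertisements and link-local sources. Table, chain and
# set names, the address ranges and the interface name are assumptions.

# gen_whitelist_ruleset IFACE
# Prints the ruleset text; load it (as root) with:  gen_whitelist_ruleset wan | nft -f -
gen_whitelist_ruleset() {
    iface="$1"
    cat <<EOF
# create-then-delete makes the load idempotent: a stale copy is replaced
table inet geoip_example
delete table inet geoip_example
table inet geoip_example {
    # constructed allow lists standing in for downloaded country ranges
    set allow_v4 { type ipv4_addr; flags interval; elements = { 198.51.100.0/24, 203.0.113.0/24 } }
    set allow_v6 { type ipv6_addr; flags interval; elements = { 2001:db8::/32 } }

    chain prerouting {
        type filter hook prerouting priority -150; policy accept;

        # only filter the selected interface; other interfaces are untouched
        iifname != "$iface" accept

        # ICMPv6 router advertisements from the upstream router (type 134);
        # assumed here to be what the DHCPv6 rule in the post needs to pass
        icmpv6 type nd-router-advert accept

        # link-local sources are never routed, so accepting them is harmless
        ip6 saddr fe80::/10 accept

        # whitelisted sources continue to the later hooks (input/forward)
        ip saddr @allow_v4 accept
        ip6 saddr @allow_v6 accept

        # everything else arriving on this interface is dropped here
        drop
    }
}
EOF
}

# check_ruleset IFACE: parse-only dry run when nft is installed (needs
# CAP_NET_ADMIN on most systems); succeeds without checking when it is not.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping syntax check"; return 0; }
    gen_whitelist_ruleset "$1" | nft -c -f -
}
```

Note that, as the post above says, the accept verdicts in this prerouting chain are not final: a packet accepted here is still evaluated by the input or forward base chains that fw4 installs on OpenWrt, so a whitelisted source can still be filtered by those rules.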