banIP support thread

RuralRoots · 2022-11-05T11:08:19.194Z

banIP support thread Community Builds, Projects & Packages

Sorry gents, banIP is marked as broken for now - there will be no solution ready for 22.03. The migration is currently too time consuming for me. I use a CLI only prototype on my router, but it's far from being ready for prime time.

abysso2 · 2022-11-06T22:56:04.597Z

I think, that @dibdot mentions 22.03.0 here and not 22.03 in general, but i am not sure and that is the reason for my question. @dibot: are you still reading here? Will there be a solution till EOL of 21.02 in april 2023 or is banip dead? In that case i would update to 22.03.2 ...

dibdot · 2022-11-10T23:53:32.285Z

I'm still working on a nft test version - expect the first CLI test version by the end of the year. It's a complete rewrite, therefore I do not plan to backport the forthcoming nft version to stable 22.03.

AcidSlide · 2022-11-11T23:52:16.709Z

That is really really good to hear. We are looking forward to it.

professor_jonny · 2022-11-15T18:21:56.477Z

I have my router setup with using dual dnsmasq instances can banIP be configured to operate on only a single interface as it seems to be system wide?

I'm hoping to use it to ban the static addresses of the likes of specific apps like snapchat, facebook, ticktock etc... from my kids when they should be doing homework or as such.

dibdot · 2022-11-19T21:30:07.949Z

Hi,
in the first post of this thread I referenced the initial nft test version of banIP!
A big warning: This is WIP, unfinished and (most probably) full of bugs!

nft concept:

banIP uses it's own namespace, nft table banIP (not fw4!)
for incoming blocking it uses the inet ingress hook (first hook right after the network adapter )
for outgoing blocking it uses the inet forward hook
banIP supports IMHO the best feature of nft - atomic rule loading per set
the log parsing service was completely rewritten: logterms can be freely selected via regex and the adhoc blocking of suspicious IPs are made in "realtime"
the ruleset can always be checked with nft -t list table inet banIP

Example run (Turris Omnia with latest OpenWrt master):

Sat Nov 19 21:03:41 2022 user.info banIP-0.8.0pre0-1[6119]: start banIP processing (init)
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_mkdir  ::: used directory: /tmp
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_tmp    ::: tmp_base: /tmp, tmp_dir: /tmp/tmp.AnCnjl
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_cpu    ::: cpu_cores: 2
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_fetch  ::: fetch_cmd: /usr/bin/curl, fetch_parm:  --connect-timeout 20 --fail --silent --show-error --location -o
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_getif  ::: auto_detect: 1, interface(s)(4/6): wan/wan6, protocols (4/6): 1/1
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_getdev ::: device(s): eth2
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_getsub ::: auto_allowlist: 1, subnet(s):  91.67.204.171/24 2a02:810c:0:80:e442:4b0c:845d:1d43/128
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_mkfile ::: used file: /etc/banip/banip.blocklist
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_mkfile ::: used file: /etc/banip/banip.allowlist
Sat Nov 19 21:03:41 2022 user.info banIP-0.8.0pre0-1[6119]: banIP nft namespace initialized
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: allowlistv4, rc: 0, count_dl: 3, count_set: 2, time: 0, log: -
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: allowlistv6, rc: 0, count_dl: 1, count_set: 1, time: 0, log: -
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: blocklistv6, rc: 0, count_dl: 3, count_set: 3, time: 0, log: -
Sat Nov 19 21:03:41 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: blocklistv4, rc: 0, count_dl: 238, count_set: 227, time: 0, log: -
Sat Nov 19 21:03:42 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: dohv4, rc: 0, count_dl: 440, count_set: 370, time: 1, log: -
Sat Nov 19 21:03:42 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: dohv6, rc: 0, count_dl: 306, count_set: 264, time: 1, log: -
Sat Nov 19 21:03:42 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: deblv6, rc: 0, count_dl: 39, count_set: 39, time: 0, log: -
Sat Nov 19 21:03:43 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: bogonv4, rc: 0, count_dl: 1208, count_set: 1103, time: 1, log: -
Sat Nov 19 21:03:44 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: deblv4, rc: 0, count_dl: 20542, count_set: 12366, time: 2, log: -
Sat Nov 19 21:03:54 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: bogonv6, rc: 0, count_dl: 136382, count_set: 31930, time: 12, log: -
Sat Nov 19 21:03:55 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: asnv4, rc: 0, count_dl: 141, count_set: 17, time: 1, log: -
Sat Nov 19 21:03:55 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: asnv6, rc: 0, count_dl: 255, count_set: 2, time: 1, log: -
Sat Nov 19 21:03:56 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: countryv6, rc: 0, count_dl: 4908, count_set: 4898, time: 2, log: -
Sat Nov 19 21:03:56 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: countryv4, rc: 0, count_dl: 14390, count_set: 11751, time: 2, log: -
Sat Nov 19 21:04:11 2022 user.debug banIP-0.8.0pre0-1[6119]: f_down   ::: name: uceprotect1v4, rc: 0, count_dl: 135222, count_set: 125755, time: 15, log: -
Sat Nov 19 21:04:11 2022 user.debug banIP-0.8.0pre0-1[6119]: f_rmset  ::: sets: -, rc: -, log: -
Sat Nov 19 21:04:11 2022 user.debug banIP-0.8.0pre0-1[6119]: f_rmdir  ::: deleted directory: /tmp/tmp.AnCnjl
Sat Nov 19 21:04:11 2022 user.info banIP-0.8.0pre0-1[6119]: starting banIP log service

If you like to test this early bird please remove all configs & directories of old banIP installations beforehand. A commented config file will be provided - that's the current "documentation" ...

Another big warning: Please don't use this on a production like router and don't use it on weak devices with less than 256 MByte RAM ... nft requires significantly more RAM.

init start/restart/reload and stop of the banIPservice should work - nothing more ... nevertheless it's a beginning.

Have fun!

AcidSlide · 2022-11-19T22:45:02.139Z

Wow looking good on the progress @dibdot .. might start playing around with this in my network sandbox by December.. hopefully by then, more progress has been made

Keep up the great work!

dibdot · 2022-11-20T07:22:04.913Z

Just a small update with overnight statistics ... two new IPs have tried to connect to my ssh honeypot ...

root@blackhole:~# logread -e "banIP-"
Sun Nov 20 03:52:18 2022 user.info banIP-0.8.0pre0-1[6119]: suspicious IP found '151.63.77.220'
Sun Nov 20 03:52:18 2022 user.info banIP-0.8.0pre0-1[6119]: add IP '151.63.77.220 (timeout 2h)' to set 'blocklistv4'
Sun Nov 20 03:52:22 2022 user.info banIP-0.8.0pre0-1[6119]: add IP '151.63.77.220' to local blocklist
Sun Nov 20 03:52:22 2022 user.info banIP-0.8.0pre0-1[6119]: suspicious IP found '151.63.77.220'
Sun Nov 20 03:52:22 2022 user.info banIP-0.8.0pre0-1[6119]: add IP '151.63.77.220 (timeout 2h)' to set 'blocklistv4'
Sun Nov 20 04:11:30 2022 user.info banIP-0.8.0pre0-1[6119]: suspicious IP found '103.117.194.219'
Sun Nov 20 04:11:30 2022 user.info banIP-0.8.0pre0-1[6119]: add IP '103.117.194.219 (timeout 2h)' to set 'blocklistv4'
Sun Nov 20 04:11:34 2022 user.info banIP-0.8.0pre0-1[6119]: add IP '103.117.194.219' to local blocklist

As you can see, you can now define an optional timeout for the first entry in the local nftables blocklist set (supported are timings in hours, minutes or seconds). In this example I updated the local blocklist file as well, that means with the next reload both IPs will be blocked unlimited.

Said that, nftables firewall logging is in place as well, it's optional available/configurable for both chains (wan-ingress, lan-forward) - see the config example for details.

anon72830772 · 2022-11-20T16:10:52.250Z

dibdot:

... and don't use it on weak devices with less than 256 MByte RAM

Noooo! Say it isn't so.
All the D-Links (DIR-878, 882 ...) no run, no more.

dibdot · 2022-11-20T18:13:43.658Z

At least this needs a lot of testing and nft improvements,. It seems to me, that counter - from a memory perspective - are currently critical. Counter on element level with the current nft version are a no go (OOM with sets > 30K), even on a Turris Omnia with 2GB. banIp has currently only counters on set level...try it, but you've be warned...

Beniamin · 2022-11-20T20:19:58.675Z

This is a good thing. People need to move to 512mb-1Gb ram routers. They are cheap and plentiful. $35 to $50 for SBC or dual port. (Use your existing router as an access point)

anon72830772 · 2022-11-21T08:50:06.856Z

Unfortunately, routers making use of MT7621/MT7615 are absolutely horrendous for WiFi.

Bartvz · 2022-11-21T22:16:52.253Z

I have the complete opposite experience.

amteza · 2022-11-22T00:59:53.460Z

I want to share it's working pretty fine here in an RPi4 running OpenWrt 22.03.2. The only thing I had to patch myself was adding MAC rules from an nft set.

set allowmaclist {
	type ether_addr
	policy memory
	elements = { 18:b4:30:bf:63:54,
			     48:d6:d5:88:88:a5,
			     54:e0:19:1a:91:bf,
			     54:e0:19:63:d7:13,
			     54:e0:19:63:d7:37,
			     a4:77:33:bf:30:0d,
			     dc:e5:5b:3d:6d:ed,
			     f0:99:19:ef:03:ee
	}
}

chain lan-forward {
	type filter hook forward priority raw; policy accept;
+	ether saddr @allowmaclist oifname "eth1" ct state new counter accept
	ip6 daddr @allowlistv6 oifname "eth1" ct state new counter accept
	ip daddr @allowlistv4 oifname "eth1" ct state new counter accept
	ip6 daddr @blocklistv6 oifname "eth1" ct state new counter reject with icmpv6 admin-prohibited
	ip daddr @blocklistv4 oifname "eth1" ct state new counter reject with icmp admin-prohibited
	ip6 daddr @dohv6 oifname "eth1" ct state new counter reject with icmpv6 admin-prohibited
	ip daddr @dohv4 oifname "eth1" ct state new counter reject with icmp admin-prohibited
}

dibdot · 2022-11-22T05:29:27.044Z

Many thanks for your feedback!
The maclist, the other sources and backup/restore are planned for pre1.

amteza · 2022-11-22T06:45:09.425Z

Thanks heaps for your work @dibdot, no rush. The good thing about nftables is how easy is to export a rule set once to your liking, tweak it and reimport it. You've got us covered for a little while now.

jumpsmm7 · 2022-11-23T02:42:33.877Z

Great work! The nft list ruleset could be cleaner if the ipsets could be stored and sourced from an external file, but it seems to work fine. I converted my custom blocklists over and woah nft list ruleset is long.

In fact, nft -t list table inet banIP or nft -t list ruleset are much shorter and readable.

jumpsmm7 · 2022-11-23T03:19:07.102Z

I noticed this as well when I moved my mac addresses over. where did you place your modifications?

amteza · 2022-11-23T04:09:03.624Z

I just added the above rule and my set into my exported rules file. So, 1) I used BanIP to create the initial ruleset, 2) exported the ruleset, 3) added the set and new rule, 4) stopped BanIP, and 5) loaded my rule set.

It's a bit more complex as I have an script to do the work using patch in my crontab, but sure you get the idea.

jumpsmm7 · 2022-11-23T06:31:32.105Z

I am currently noticing an odd behavior, the test banip doesnt start up after reboot.