That is not sensible, the underlying software stack is too different (it depends on fw4, rpcd, uci, procd and the other special parts of the OpenWrt ecosystem). While it should be possible to use the same concepts on any modern Linux distribution, the actual implementation (the whole glue code, the config parsing, the integration into the host networking daemons and firewall services) would need to be very different (it would already need to differ significantly for Fedora/RedHat, Debian/Ubuntu and OpenSuSE to be viable).
As I understand it, doing this will allow IP pools from those countries, and ticking the option at the bottom, "only list allowed", confirms that.
Then I'm ending up with `ERR_CONNECTION_REFUSED` on 90 percent of pages on my VPN client, so what's wrong?
What did you try to achieve? Why did you activate the "allowlist only" option? Anyway, your config please...
@dibdot it seems the IPv6 List for becyber is not working anymore. Not sure if this is temporary or a permanent removal from the GitHub.
The IPv6 list never existed and probably won't exist again, as the reference to it has been removed three weeks ago from the readme (https://github.com/duggytuxy/malicious_ip_addresses/commit/48d704c2b05cb1d184cb08b47f74947e2ada343a). Maybe you'll ask the list maintainer ...
```
root@OpenWrt:~# cat /etc/config/banip
config banip 'global'
    option ban_enabled '1'
    option ban_debug '0'
    option ban_autodetect '1'
    list ban_logterm 'Exit before auth from'
    list ban_logterm 'luci: failed login'
    list ban_logterm 'error: maximum authentication attempts exceeded'
    list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
    list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
    list ban_logterm 'received a suspicious remote IP '\''.*'\'''
    list ban_logterm 'TLS Error: could not determine wrapping from \[AF_INET\]'
    option ban_fetchcmd 'uclient-fetch'
    option ban_protov4 '1'
    list ban_ifv4 'wan'
    option ban_protov6 '0'
    list ban_ifv6 'wan_6'
    list ban_dev 'pppoe-wan'
    option ban_fetchretry '5'
    option ban_nicelimit '0'
    option ban_filelimit '1024'
    option ban_deduplicate '1'
    option ban_nftpriority '-100'
    option ban_icmplimit '10'
    option ban_synlimit '10'
    option ban_udplimit '100'
    option ban_nftpolicy 'memory'
    option ban_blocktype 'drop'
    option ban_nftloglevel 'warn'
    option ban_logprerouting '0'
    option ban_loginput '0'
    option ban_logforwardwan '0'
    option ban_logforwardlan '0'
    option ban_loglimit '100'
    option ban_autoallowlist '1'
    option ban_autoallowuplink 'subnet'
    option ban_autoblocklist '1'
    option ban_allowlistonly '0'
    list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/gb-aggregated.zone'
    list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/pl-aggregated.zone'
root@OpenWrt:~#
```
^^^^ That's the current config, let me show you the config which is causing trouble.
```
root@OpenWrt:~# cat /etc/config/banip
config banip 'global'
    option ban_enabled '1'
    option ban_debug '0'
    option ban_autodetect '1'
    list ban_logterm 'Exit before auth from'
    list ban_logterm 'luci: failed login'
    list ban_logterm 'error: maximum authentication attempts exceeded'
    list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
    list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
    list ban_logterm 'received a suspicious remote IP '\''.*'\'''
    list ban_logterm 'TLS Error: could not determine wrapping from \[AF_INET\]'
    option ban_fetchcmd 'uclient-fetch'
    option ban_protov4 '1'
    list ban_ifv4 'wan'
    option ban_protov6 '0'
    list ban_ifv6 'wan_6'
    list ban_dev 'pppoe-wan'
    option ban_fetchretry '5'
    option ban_nicelimit '0'
    option ban_filelimit '1024'
    option ban_deduplicate '1'
    option ban_nftpriority '-100'
    option ban_icmplimit '10'
    option ban_synlimit '10'
    option ban_udplimit '100'
    option ban_nftpolicy 'memory'
    option ban_blocktype 'drop'
    option ban_nftloglevel 'warn'
    option ban_logprerouting '0'
    option ban_loginput '0'
    option ban_logforwardwan '0'
    option ban_logforwardlan '0'
    option ban_loglimit '100'
    option ban_autoallowlist '1'
    option ban_autoallowuplink 'subnet'
    option ban_autoblocklist '1'
    option ban_allowlistonly '1' # this is causing problems
    list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/gb-aggregated.zone'
    list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/pl-aggregated.zone'
root@OpenWrt:~#
```
The goal is to allow ONLY the IPv4 pools from those 2 countries, all the rest has to be rejected. Is it possible to do that?
yep, enable the "allowlist only" option again and limit the "local allowlist" to WAN-Input and WAN-Forward Chain, e.g.
... finally hit the restart button ...
Testing, seems to work now, and it's not rejecting webpages anymore through the VPN, thanks for the great tool.
After upgrading to 1.0.0-5, when I go to Services -> banIP, I've this error:
I've searched in this thread but I didn't find anything like it. Does anyone have any ideas?
banip 1.0.0-5
luci-app-banip git-24.159.75535-7ca510f
Try clearing cache on the browser.
You might also be using an older base-files of LuCI, which means you might need to flash to the latest release. Or just update the LuCI base-files.
banip 1.0.0-r5:
luci-app-banip's strings hard-coded in English:
With this editor you can upload your local custom feed file or fill up an initial one (a 1:1 copy of the version shipped with the package). The file is located at '/etc/banip/banip.custom.feeds'. Then you can edit this file, delete entries, add new ones or make a local backup. To go back to the maintainers version just clear the custom feed file.
The syslog output, pre-filtered for messages related to: banIP
The syslog output, pre-filtered for messages related to: banIP firewall logs
ICMP-Threshold in packets per second to prevent WAN-DoS attacks. To disable this safeguard set it to '0'.
SYN-Threshold in packets per second to prevent WAN-DoS attacks. To disable this safeguard set it to '0'.
UDP-Threshold in packets per second to prevent WAN-DoS attacks. To disable this safeguard set it to '0'.
Nope, all strings are available in Weblate (the syslog strings are part of luci-base).
They were added just 9 hours ago (after my previous post).
Hi, is it possible to ban all IPs except for 3 or 4 specific ones? I want to restrict access to the entire internet except for youtube and youtube kids.
Thanks in advance.
check the online readme, esp. the "allowlist only" mode.
Thanks! It's really awesome!
I've set it up really quick too.
The only issue I'm having is that google.com sometimes works and sometimes doesn't (I've added it to the whitelist btw). Disney and Youtube kids don't have this issue.
It's not a big deal tho, I will keep reading and see if someone else had the same issue.
Thanks for your help!
It just stopped working all of a sudden. I did a factory reset just now to make sure there are no bad configurations. I downloaded banip, added the websites I need to allowlist and I get this:
```
Wed Jul 24 21:02:14 2024 user.info banIP-1.0.0-r5[22109]: start banIP download processes
Wed Jul 24 21:02:16 2024 user.info banIP-1.0.0-r5[22109]: can't initialize Set for feed 'allowlistv4' (rc: 1, log: /tmp/tmp.JJljkL/tmp.MKbHAM.allowlistv4.nft:3:203-215: Error: Could not resolve hostname: Name does not resolve add set inet banIP allowlistv4 { type ipv4_addr; flags interval; auto-merge; policy memory; elements={ 192.168.99.15/24, 149.154.175.59, 149.154.167.222, 149.154.164.250, 91.108.45.142, 170.51.240.238, 142.259.79.78, }; }
Wed Jul 24 21:02:20 2024 user.info banIP-1.0.0-r5[22109]: start banIP domain lookup
Wed Jul 24 21:02:20 2024 user.info banIP-1.0.0-r5[22109]: domain lookup finished in 0m 0s (blocklist, 0 domains, 0 IPs)
Wed Jul 24 21:02:28 2024 user.info banIP-1.0.0-r5[22109]: can't add lookup file to Set 'allowlistv4'
Wed Jul 24 21:02:28 2024 user.info banIP-1.0.0-r5[22109]: domain lookup finished in 0m 8s (allowlist, 61 domains, 308 IPs)
Wed Jul 24 21:02:28 2024 user.info banIP-1.0.0-r5[22109]: start detached banIP log service (/sbin/logread)
```
I can access all websites and nothing gets blocked for now.
Thanks in advance.
EDIT: If I remove all of the IPs and keep only the domains, everything works and I get no errors. Will keep testing.
EDIT2: Fixed. There was an IP that said ".259" which broke the whole thing. Now I will try to fix google.com and make youtube videos playable. All the other websites I threw in are working (had to use fiddler to get certain elements addresses so the site loads entirely fine).
EDIT3: Sometimes it stops working all of a sudden. Would it be possible to configure it so if banip stops working, then disconnect from the internet? Thanks.
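
The failure in the log above, where the malformed entry 142.259.79.78 made nft attempt a hostname lookup and reject the whole `allowlistv4` Set, can be caught before a reload. The following is an added example, not part of the original posts or of banIP itself; the function names are hypothetical, and entries that are not IPv4-shaped (domains, MACs, IPv6) are assumed valid and passed through unjudged.

```shell
# Added example: pre-check banIP allowlist entries before a reload.
# Succeeds only for a dotted quad whose four octets are all 0..255.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                    # split on dots (digits and dots only here)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Classify one allowlist line as skip | ipv4 | invalid | other.
# Assumption: "other" (domains, MACs, IPv6) is passed through unjudged.
classify_entry() {
    entry=${1%%#*}                                   # drop trailing comment
    entry=$(printf '%s' "$entry" | tr -d ' \t\r')    # drop whitespace
    case "$entry" in
        "")          echo skip;  return ;;
        *[!0-9./]*)  echo other; return ;;
    esac
    addr=${entry%%/*}
    if [ "$addr" != "$entry" ]; then                 # CIDR: prefix must be 0..32
        prefix=${entry#*/}
        case "$prefix" in ""|*[!0-9]*|???*) echo invalid; return ;; esac
        [ "$prefix" -le 32 ] || { echo invalid; return; }
    fi
    if valid_ipv4 "$addr"; then echo ipv4; else echo invalid; fi
}

# Print each invalid line of file $1 with its line number; fail if any exist.
check_allowlist() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if [ "$(classify_entry "$line")" = invalid ]; then
            echo "line $n: invalid IPv4 entry: $line"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Constructed sample file; the addresses are taken from the log above.
sample=$(mktemp)
printf '%s\n' '192.168.99.15/24' '149.154.175.59' 'example.com' '142.259.79.78' > "$sample"
check_allowlist "$sample" || echo "fix the entries above before reloading banIP"
rm -f "$sample"
```

On the router, `check_allowlist /etc/banip/banip.allowlist` performs the same check against the local allowlist file.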
I am trying to understand two behaviours I can't understand in banip.
My config file looks like this:
```
...
config 'global'
    option ban_enabled '1'
    option ban_debug '1'
    option ban_autodetect '0'
    option ban_triggerdelay '15'
    list ban_trigger 'wan1'
    list ban_trigger 'wan2'
    list ban_logterm 'Exit before auth from'
    list ban_logterm 'luci: failed login'
    list ban_logterm 'error: maximum authentication attempts exceeded'
    list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
    list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
    list ban_feed 'country'
    list ban_feed 'doh'
    list ban_feed 'webclient'
    list ban_country 'cn'
    list ban_country 'ru'
    list ban_blockinput 'country'
    list ban_blockforwardwan 'webclient'
    list ban_blockforwardwan 'country'
    list ban_blockforwardlan 'doh'
    option ban_fetchcmd 'curl'
    option ban_protov4 '1'
    list ban_ifv4 'wan1'
    list ban_ifv4 'wan2'
    list ban_dev 'pppoe-wan1'
    list ban_dev 'lan4'
    option ban_loginput '1'
    option ban_logforwardwan '1'
    option ban_logforwardlan '0'
    option ban_deduplicate '1'
    option ban_nftexpiry '1h'
    option ban_autoallowlist '0'
    option ban_autoblocklist '1'
    option ban_allowlistonly '0'
...
```
- In the past I also used to have `list ban_country 'us'`, which has been removed and the service restarted. The problem is that the set countryv4 has several IPs that are not in cn or ru (according to https://www.ipdeny.com/ipblocks/). I tested from 2 US servers and both are blocked and their IP ranges are there.
- Even after adding those IPs to /etc/banip/banip.allowlist and restarting the service the IP is still dropped. Shouldn't the allowlist override the drops?
```
Wed Jul 24 20:53:48 2024 kern.warn kernel: [ 8766.924940] banIP/inp-wan/drop/countryv4: IN=lan4 OUT= MAC=xxxx SRC=140.82.xx.yy DST=zz.www.qqq.ww LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=35642 DF PROTO=TCP SPT=52594 DPT=22 WINDOW=21900 RES=0x00 SYN URGP=0
```
Make a feed reload (`/etc/init.d/banip reload`) and check the Set content with the Survey function on the reporting tab afterwards.
That did not work. Apparently reloading/restarting the service only adds new IPs to the set. To remove some IPs after removing some country from the banlist I have to restart the router. So I think the IPs are cached someplace in /tmp.