@PaulRowland, that's a good testing suggestion. I would not expect to see LAN device hits if the phone's Wi-Fi is on the same LAN as the devices you're accessing, as that traffic should be processed by the switch in the router.

I'd expect the WAN test to work, though. Slightly modified variant:

  • Install a port scanner on your phone.
  • Turn Wi-Fi on the phone off.
  • Get your phone's internet IP address (whatsmyip) - be careful, the IP can change quickly.
  • Put the phone's IP address in the /etc/banip/banip.blacklist file on the OpenWrt router.
  • Reload banip (/etc/init.d/banip reload).
  • Get the internet IP address of the router by running logread|grep "lease of" on the router or by accessing whatsmyip from a browser on a LAN client.
  • Use the port scanner on the phone to scan the router's IP address.

@DermotMcDonnell, if this isn't working please post the output of:

iptables -vL

Thanks,

  • Richard.
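A small helper script for the WAN test above, added here as an example; it is not code from this thread or from the banIP package. It assumes a busybox/POSIX shell with awk, as on OpenWrt, the default blacklist path /etc/banip/banip.blacklist (override with BANIP_BLACKLIST or a second argument), and a phone address of 203.0.113.5 (a documentation address, chosen for illustration). The log lines embedded in it are constructed in the netfilter LOG format with the banIP prefixes "DROP(src banIP) " and "REJECT(dst banIP) ", not real captures.

```shell
#!/bin/sh
# Added example for the WAN-side banIP test described above; not code from the
# thread or from the banIP project. Assumes busybox ash/awk as on OpenWrt (any
# POSIX sh works). The path default and the sample log lines are assumptions.

BANIP_BLACKLIST="${BANIP_BLACKLIST:-/etc/banip/banip.blacklist}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Add an IPv4 address to the blacklist file (default: banIP blacklist) unless
# it is already listed. Returns 1 for a malformed address, 0 otherwise.
banip_blacklist_add() {
    ip="$1"; file="${2:-$BANIP_BLACKLIST}"
    is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    touch "$file"
    if grep -qxF "$ip" "$file"; then
        echo "$ip already in $file"
    else
        echo "$ip" >> "$file"
        echo "added $ip to $file"
    fi
}

# Tally banIP log lines read on stdin (logread output). For "DROP(src banIP)"
# lines the banned address is SRC=, for "REJECT(dst banIP)" lines it is DST=.
# Prints "<hits> <ip>", most hits first.
banip_log_hits() {
    awk '
        /DROP\(src banIP\)/   { key = "SRC=" }
        /REJECT\(dst banIP\)/ { key = "DST=" }
        !/banIP\)/            { next }
        { for (i = 1; i <= NF; i++) if (index($i, key) == 1) n[substr($i, 5)]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Return 0 if at least one banIP log line names $1 as the banned address.
banip_hit_for() {
    banip_log_hits | awk -v ip="$1" '$2 == ip { found = 1 } END { exit !found }'
}

# Constructed sample in the netfilter LOG line format (not a real capture):
# two drops of a blacklisted phone address scanning ports 22 and 80, one LAN
# client rejected for a blacklisted destination, one unrelated dropbear line.
SAMPLE_LOG='Mon Dec  7 09:00:01 2020 kern.warn kernel: [  120.4] DROP(src banIP) IN=wwan0 OUT= SRC=203.0.113.5 DST=100.64.10.20 LEN=60 TTL=52 PROTO=TCP SPT=43210 DPT=22 SYN URGP=0
Mon Dec  7 09:00:02 2020 kern.warn kernel: [  121.0] DROP(src banIP) IN=wwan0 OUT= SRC=203.0.113.5 DST=100.64.10.20 LEN=60 TTL=52 PROTO=TCP SPT=43211 DPT=80 SYN URGP=0
Mon Dec  7 09:00:03 2020 kern.warn kernel: [  122.0] REJECT(dst banIP) IN=br-lan OUT=wwan0 SRC=192.168.1.50 DST=198.51.100.9 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
Mon Dec  7 09:00:04 2020 authpriv.info dropbear[3599]: Child connection from 192.168.1.50:53376'

# Stand-alone demo on the sample. On the router, after adding the phone's
# address and running /etc/init.d/banip reload, use the live log instead:
#   logread | banip_hit_for 203.0.113.5 && echo "banIP dropped the phone's scan"
printf '%s\n' "$SAMPLE_LOG" | banip_log_hits
```

On the router the sequence is `banip_blacklist_add <phone-ip>`, then `/etc/init.d/banip reload`, then run the scan from the phone and pipe `logread` into `banip_hit_for <phone-ip>`. A zero result with the blacklist loaded means the packets never reached the banIP chain on the WAN interface, which is the case the rest of this thread is about.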

Just to add my lazy variant test setup ...:wink:

  • Open ssh on standard port 22 (all my ssh accounts are "certificate only" protected)
  • Wait a short time, and after a couple of minutes/hours you'll get frequent global "testers"

Of course this cannot be planned, so the other described variants are certainly better.

That's awesome! :rofl:

Hi Richard,

I am stumped tbh. I really appreciate your time!

root@OpenWrt:~# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  259 24716 ACCEPT     all  --  lo     any     anywhere             anywhere             /* !fw3 */
14622 8548K input_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom input rule chain */
13952 8505K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
  381 19812 syn_flood  tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
  670 42501 zone_lan_input  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_input  all  --  wwan0  any     anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
50303   49M forwarding_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
49831   49M ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
  472  133K zone_lan_forward  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_forward  all  --  wwan0  any     anywhere             anywhere             /* !fw3 */
    0     0 reject     all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  259 24716 ACCEPT     all  --  any    lo      anywhere             anywhere             /* !fw3 */
11762 3292K output_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom output rule chain */
11138 3247K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
    2   670 zone_lan_output  all  --  any    br-lan  anywhere             anywhere             /* !fw3 */
  622 43736 zone_wan_output  all  --  any    wwan0   anywhere             anywhere             /* !fw3 */

Chain banIP (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set whitelist dst
    0     0 RETURN     all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set whitelist src
    3  1022 RETURN     udp  --  any    any     anywhere             anywhere             udp spts:bootps:bootpc dpts:bootps:bootpc
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set bogon src
    5   300 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set bogon dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set blacklist src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set blacklist dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set tor src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set tor dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set threat src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set threat dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set debl src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set debl dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set myip src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set myip dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set yoyo src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set yoyo dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set sslbl src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set sslbl dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set feodo src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set feodo dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set iblocklist src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set iblocklist dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set firehol1 src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set firehol1 dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set firehol2 src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set firehol2 dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set firehol3 src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set firehol3 dst
    0     0 banIP_log_src  all  --  wwan0  any     anywhere             anywhere             ctstate NEW match-set firehol4 src
    0     0 banIP_log_dst  all  --  any    wwan0   anywhere             anywhere             ctstate NEW match-set firehol4 dst

Chain banIP_log_dst (14 references)
 pkts bytes target     prot opt in     out     source               destination
   35  1980 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/sec burst 5 LOG level warning prefix "REJECT(dst banIP) "
   35  1980 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain banIP_log_src (14 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/sec burst 5 LOG level warning prefix "DROP(src banIP) "
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
   99 19798 banIP      all  --  any    any     anywhere             anywhere

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 banIP      all  --  any    any     anywhere             anywhere

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
   95  5821 banIP      all  --  any    any     anywhere             anywhere

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 banIP      all  --  any    any     anywhere             anywhere

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
    0     0 REJECT     all  --  any    any     anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
  381 19812 RETURN     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination
    2   670 ACCEPT     all  --  any    br-lan  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
  472  133K forwarding_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
  437  131K zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  670 42501 input_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
  670 42501 zone_lan_src_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   670 output_lan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom lan output rule chain */
    2   670 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  670 42501 ACCEPT     all  --  br-lan any     anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   14   852 DROP       all  --  any    wwan0   anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
 1045  174K ACCEPT     all  --  any    wwan0   anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  any    wwan0   anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  any    any     anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  any    any     anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
    0     0 ACCEPT     igmp --  any    any     anywhere             anywhere             /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  622 43736 output_wan_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom wan output rule chain */
  622 43736 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  wwan0  any     anywhere             anywhere             /* !fw3 */

There were no hits on the wan interface. Are you sure that you connected from outside?

@trendy,

All LAN devices have internet, and the line you quote correctly identifies the WAN device as wwan0, as I get internet wirelessly via a Huawei modem that presents as an NCM interface, hence wwan0.

I was much more careful with my testing this time.

I did a fresh build of trunk with a minimal config, e.g. no DSL stuff, and two services: adblock and banip, plus LuCI.
I flashed, erasing the existing config files, so I have the default build. The only usual thing I do is set up a pivot overlay to /dev/sda1, a 16G ssd card in the Huawei modem, but I've done that for well over a year without issue.

The default build for my device, a bthh5a, defines WAN as DSL. I commented out the default wan zone in /etc/config/network and inserted this:

config interface 'wan'
        option ifname 'wwan0'
        option proto 'ncm'
        option device '/dev/cdc-wdm0'
        option apn 'broadband.mymeteor.ie'
        option delay '1'

From LuCI I then configured adblock, which works perfectly btw, with a small set, ~7k. Again, from LuCI I configured banip for 14 sets, count ~220,000, with src+dst selected and logging of both enabled.

Sadly, I can port scan my router and my LAN from a mobile phone connected to a different service provider, where the phone's IP address is in banip.blacklist when banip is loaded. And as you say, no WAN packets according to iptables -vL, which seems bizarre.

root@OpenWrt:~# opkg list-installed|grep ipt
iptables - 1.8.4-1
kmod-ipt-conntrack - 5.4.81-1
kmod-ipt-core - 5.4.81-1
kmod-ipt-ipset - 5.4.81-1
kmod-ipt-nat - 5.4.81-1
kmod-ipt-offload - 5.4.81-1
kmod-nf-ipt - 5.4.81-1
kmod-nf-ipt6 - 5.4.81-1
libjson-script - 2020-08-06-9e52171d-1
root@OpenWrt:~#

So I really am scratching my head.

@DermotMcDonnell,

I'm scratching my head just like you, as it sure looks like there's no inbound traffic at all: both zone_wan_input (internet > router) and zone_wan_forward (internet > LAN via firewall port forwarding) have a packet count of 0.

Could it be that your ISP is blocking "unsolicited" inbound traffic (i.e. anything not related to an established outbound connection)? Do they perhaps have some kind of web portal that allows you to configure allowed inbound traffic and blocks everything else, which by default means it blocks everything?

Could the Huawei modem itself have some hardware firewall sitting in front of wwan0? It seems unlikely on a device capable of running OpenWrt, and I've never seen anything like it, but purely technically speaking it's not possible...

Have you ever tried to set up a port forward on your router to route traffic to some device on your LAN? If yes, did that work at all?

When you ran that port scan, did the scanner report any port as being open? I would expect no findings whatsoever, but if it found any open port at all then we need to figure out how that gets into/past your router in ways that don't show up in the iptables commands used so far :slight_smile:

Cheers,

  • Richard.
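As an added example (not code from this thread, from fw3 or from banIP), the POSIX sh/awk helpers below read an `iptables -vL` listing and answer the two questions raised above: did anything enter via the WAN zone at all (the INPUT -> zone_wan_input and FORWARD -> zone_wan_forward counters), and which banIP verdict chains actually fired. The chain and target names are the fw3 ones visible in the listing posted earlier; the listing embedded in the script is a constructed excerpt of that output, not a live capture.

```shell
#!/bin/sh
# Added example for reading the counters in an `iptables -vL` listing; not code
# from the thread or from banIP/fw3. POSIX sh + awk, as on OpenWrt. Chain and
# target names follow the fw3 layout shown in the thread; the sample listing
# below is a constructed excerpt, not a live capture.

# Print "<chain> <target> <pkts>" for every rule in the listing on stdin whose
# jump target starts with $1 (e.g. zone_wan_ or banIP).
iptables_target_counts() {
    awk -v prefix="$1" '
        /^Chain /        { chain = $2; next }
        /^ *pkts +bytes/ { next }
        NF >= 3 && index($3, prefix) == 1 { print chain, $3, $1 }'
}

# Exit 0 when packets have entered through the WAN zone, i.e. the INPUT ->
# zone_wan_input or FORWARD -> zone_wan_forward jump has a non-zero counter.
# Exit 1 when both are zero: nothing unsolicited reached the router from the
# WAN side, so banIP's src rules never had anything to match.
# iptables -vL abbreviates counters with decimal K/M/G, which num() expands.
wan_inbound_seen() {
    iptables_target_counts zone_wan_ | awk '
        function num(s,  m) {
            m = 1
            if (s ~ /K$/) m = 1000; else if (s ~ /M$/) m = 1000000; else if (s ~ /G$/) m = 1000000000
            return s * m
        }
        ($1 == "INPUT" && $2 == "zone_wan_input") ||
        ($1 == "FORWARD" && $2 == "zone_wan_forward") { total += num($3) }
        END { exit !(total > 0) }'
}

# Print the DROP/REJECT verdict counters of the banIP log chains, so you can
# see whether hits came from the src (inbound) or dst (outbound) direction.
banip_verdict_counts() {
    awk '
        /^Chain / { chain = $2; next }
        chain ~ /^banIP_log_/ && ($3 == "DROP" || $3 == "REJECT") { print chain, $3, $1 }'
}

# Constructed excerpt in iptables -vL format (fw3 chain names); not a capture.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  259 24716 ACCEPT     all  --  lo     any     anywhere             anywhere             /* !fw3 */
  670 42501 zone_lan_input  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_input  all  --  wwan0  any     anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  472  133K zone_lan_forward  all  --  br-lan any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_forward  all  --  wwan0  any     anywhere             anywhere             /* !fw3 */

Chain banIP_log_dst (14 references)
 pkts bytes target     prot opt in     out     source               destination
   35  1980 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/sec burst 5 LOG level warning prefix "REJECT(dst banIP) "
   35  1980 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain banIP_log_src (14 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 10/sec burst 5 LOG level warning prefix "DROP(src banIP) "
    0     0 DROP       all  --  any    any     anywhere             anywhere'

# Stand-alone demo on the excerpt. On the router run, for example:
#   iptables -vL | wan_inbound_seen || echo "no packets entered via the WAN zone"
printf '%s\n' "$SAMPLE_LISTING" | iptables_target_counts zone_wan_
printf '%s\n' "$SAMPLE_LISTING" | banip_verdict_counts
printf '%s\n' "$SAMPLE_LISTING" | wan_inbound_seen || echo "no inbound WAN traffic reached INPUT/FORWARD"
```

The useful distinction this makes explicit: the 35 REJECT hits in banIP_log_dst are LAN clients being stopped from talking to banned destinations, which proves the sets and the dst rules work, while the zero in banIP_log_src together with zero on the zone_wan_input/zone_wan_forward jumps says the problem is upstream of banIP, not in it.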

I don't know how you are trying to test with the port scan etc., however I added the IP of my VPS to the blacklist and it worked fine.
[3:252] -A banIP -o pppoe-wan -m conntrack --ctstate NEW -m set --match-set blacklist dst -j REJECT --reject-with icmp-port-unreachable
From the VPS, IPv6 worked, as I blocked only the IPv4.

trendy@vps:[~]$ping www.example.com
PING www.example.com (X:Y:7500::1) 56 data bytes
64 bytes from X:Y:7500::1 (X:Y:7500::1): icmp_seq=1 ttl=52 time=10.8 ms
64 bytes from X:Y:7500::1 (X:Y:7500::1): icmp_seq=2 ttl=52 time=10.5 ms
^C
--- www.example.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 10.542/10.663/10.784/0.121 ms
trendy@vps:[~]$ping -4 www.example.com
PING www.example.com (X.Y.211.117) 56(84) bytes of data.
^C
--- www.example.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 6ms

Also from inside:

dietpi@odroid:[~]$ ping X.Y.11.30
PING X.Y.11.30 (X.Y.11.30) 56(84) bytes of data.
From 10.0.2.1 icmp_seq=1 Destination Port Unreachable
From 10.0.2.1 icmp_seq=2 Destination Port Unreachable
From 10.0.2.1 icmp_seq=3 Destination Port Unreachable
^C
--- X.Y.11.30 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 5ms

@rg4github and @trendy

Thank you for your help with this. It appears to be an interesting, and annoying, intermittent but easily reproducible bug in trunk. I will confirm later this week when I test with the last official release.

So here's what I discovered. This is post boot from a clean install of trunk with networking, LAN and WAN, configured.


Sun Dec  6 22:09:36 2020 authpriv.info dropbear[3599]: Child connection from 192.168.9.186:53376
Sun Dec  6 22:09:37 2020 authpriv.notice dropbear[3599]: Auth succeeded with blank password for 'root' from 192.168.9.186:53376
root@OpenWrt:~# iptables -vL|grep zone_wan_
    1   100 zone_wan_input  all  --  wwan0  any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_forward  all  --  wwan0  any     anywhere             anywhere             /* !fw3 */
   71  5024 zone_wan_output  all  --  any    wwan0   anywhere             anywhere             /* !fw3 */
   16  3484 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
Chain zone_wan_dest_ACCEPT (2 references)
Chain zone_wan_dest_REJECT (1 references)
Chain zone_wan_forward (1 references)
    0     0 zone_wan_dest_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */
Chain zone_wan_input (1 references)
    1   100 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */
Chain zone_wan_output (1 references)
   71  5024 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */
Chain zone_wan_src_REJECT (1 references)
root@OpenWrt:~#

You can see traffic on zone_wan_input and a single chain. I have had more than 1 chain and higher counts but they soon zero out and never reappear.

It's also intermittent at boot, sometimes it's zero, sometimes not. An ifwan or network restart does not help. I will do a bug report once I have more data.

It would be good to have confirmation: are other users of banip with trunk seeing this problem?

Again, I greatly appreciate your valuable assistance.

Which bug/problem? I don't get your problem actually ...

@dibdot
Hi, banip is already, imo, the single greatest contribution to openwrt I have seen in a decade from a security point of view. Absolutely everyone reading this thread should be using it.

Let me explain. I know well a business centre with 50 people that recently installed a very expensive commercial grade router with its equivalent of banip. At the end of day one, the router logs showed an average of 3 hits per second from a banned list of ~275,000.

Within a few days, the hit rate had dropped to ~1 per 30 seconds. That's a lot of very dodgy individuals coming after YOU.

banip goes a very long way in addressing this threat that we all face. For me, I can do this on a cheap second-hand BT HH5a router that you can easily find on eBay UK for next to nothing. Pay a few euro extra and it comes with OpenWrt. I can comfortably ban 225,000 with 33% RAM free afterwards.

It's a terrific achievement.

It is completely clear to me that banip had nothing to do with the difficulties I encountered in getting it to work for me. With the help of Richard and @Trendy it became clear that on my NCM WAN network, the WAN counters soon went to zero and stayed there. I was able to establish this morning that when I use eth.02 for wan everything works as expected, including banip.

The most likely cause may be in the kmod-usb subsystem, at a guess. It is likely to deny those in the OpenWrt community who rely on wireless internet the full benefit of banip. On the plus side, it's great to have an easily reproducible way of triggering it.

I will do a bug report in due course. Thanks again to everyone that contributed to banip.

With a 500MHz CPU it might become the bottleneck of your network, especially if you talk business.

Are you sure that banip is configured for both wan connections? If you let it automatically detect the wan, it might have missed the lte.

If you use multiple wan interfaces, please disable the interface auto-detection and select the relevant interfaces manually. At least enable debug logging and check if the auto-detection covers all of your interfaces.


Is it correct that banip is not working for the guest network? It works fine for the normal LAN, but not on the guest network.

I tested it with ISO country code (ru). From the normal LAN it gets blocked, from guest it's not.
Both networks go through wan->vpn

I set the wan interface to manual.

Version 0.3.11.

config banip 'global'
	option ban_basever '0.3'
	option ban_realtime '0'
	option ban_enabled '1'
	option ban_log_src '1'
	option ban_log_dst '1'
	option ban_automatic '0'
	option ban_iface 'vpnclient wan wan6'

config banip 'extra'
	option ban_maxqueue '4'
	option ban_nice '0'
	option ban_backupdir '/tmp'
	option ban_sshdaemon 'dropbear'
	option ban_debug '0'

config source 'whitelist'
	option ban_src '/etc/banip/banip.whitelist'
	option ban_src_6 '/etc/banip/banip.whitelist'
	option ban_src_desc 'Always allow these IPs (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add whitelist \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add whitelist_6 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src+dst'
	option ban_src_on '1'
	option ban_src_on_6 '0'

config source 'blacklist'
	option ban_src '/etc/banip/banip.blacklist'
	option ban_src_6 '/etc/banip/banip.blacklist'
	option ban_src_desc 'Always deny these IPs (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add blacklist \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add blacklist_6 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src+dst'
	option ban_src_on_6 '0'
	option ban_src_on '1'

config source 'bogon'
	option ban_src 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt'
	option ban_src_6 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt'
	option ban_src_desc 'Bogon prefixes, plus prefixes that have been allocated to RIRs but not yet assigned to ISPs (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add bogon \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add bogon_6 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src+dst'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'DoH'
	option ban_src 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt'
	option ban_src_6 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt'
	option ban_src_desc 'List of public DoH providers (DNS over HTTPS) (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add DoH \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add DoH_6 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src+dst'
	option ban_src_on_6 '0'
	option ban_src_on '1'

config source 'tor'
	option ban_src 'https://check.torproject.org/exit-addresses'
	option ban_src_desc 'List of Tor Exit Nodes (IPv4)'
	option ban_src_rset '/^(ExitAddress ([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add tor \"\$2}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'threat'
	option ban_src 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt'
	option ban_src_desc 'Emerging Threats (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add threat \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'debl'
	option ban_src 'https://www.blocklist.de/downloads/export-ips_all.txt'
	option ban_src_6 'https://www.blocklist.de/downloads/export-ips_all.txt'
	option ban_src_desc 'Fail2ban reporting service (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add debl \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add debl_6 \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'myip'
	option ban_src 'https://www.myip.ms/files/blacklist/general/latest_blacklist.txt'
	option ban_src_6 'https://www.myip.ms/files/blacklist/general/latest_blacklist.txt'
	option ban_src_desc 'IP blacklist provided by myip.ms (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add myip \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add myip_6 \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'yoyo'
	option ban_src 'https://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext'
	option ban_src_desc 'IP blocklist provided by Peter Lowe (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add yoyo \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'sslbl'
	option ban_src 'https://sslbl.abuse.ch/blacklist/sslipblacklist.csv'
	option ban_src_desc 'SSL Blacklist by abuse.ch (IPv4)'
	option ban_src_rset 'BEGIN{FS=\",\"}/(([0-9]{1,3}\.){3}[0-9]{1,3},).*/{print \"add sslbl \"\$2}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'ransomware'
	option ban_src 'https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt'
	option ban_src_desc 'Ransomware Tracker by abuse.ch (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add ransomware \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '1'
	option ban_src_on_6 '0'

config source 'feodo'
	option ban_src 'https://feodotracker.abuse.ch/downloads/ipblocklist.txt'
	option ban_src_desc 'Feodo Tracker by abuse.ch (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add feodo \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'dshield'
	option ban_src 'https://feeds.dshield.org/block.txt'
	option ban_src_desc 'Dshield recommended IP blocklist. Contains top 20 attacking class C subnets (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add dshield \"\$1 \"/\"\$3}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '1'
	option ban_src_on_6 '0'

config source 'proxy'
	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists.ipset'
	option ban_src_desc 'List of Open Proxies (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add proxy \"\$1}'
	option ban_src_settype 'ip'
	option ban_src_ruletype 'src'
	option ban_src_on_6 '0'
	option ban_src_on '1'

config source 'iblocklist'
	option ban_src 'https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz'
	option ban_src_desc 'Contains advertising trackers and a short list of bad/intrusive porn sites (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add iblocklist \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'drop'
	option ban_src 'https://www.spamhaus.org/drop/drop.txt'
	option ban_src_6 'https://www.spamhaus.org/drop/dropv6.txt'
	option ban_src_desc 'Spamhaus drop compilation (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add drop \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add drop_6 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'edrop'
	option ban_src 'https://www.spamhaus.org/drop/edrop.txt'
	option ban_src_desc 'Spamhaus edrop compilation (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add edrop \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'firehol1'
	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset'
	option ban_src_desc 'Firehol Level 1 compilation. Contains bogons, spamhaus drop and edrop, dshield and malware lists (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol1 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'firehol2'
	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset'
	option ban_src_desc 'Firehol Level 2 compilation. Contains blocklists that track attacks, during the last 48 hours (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol2 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'firehol3'
	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset'
	option ban_src_desc 'Firehol Level 3 compilation. Contains blocklists that track attacks, spyware and viruses (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol3 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'firehol4'
	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset'
	option ban_src_desc 'Firehol Level 4 compilation. May include a large number of false positives (IPv4)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol4 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'

config source 'country'
	option ban_src 'https://stat.ripe.net/data/country-resource-list/data.json?resource='
	option ban_src_6 'https://stat.ripe.net/data/country-resource-list/data.json?resource='
	option ban_src_desc 'Build a dynamic IPSet by country iso codes based on RIPE data (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add country \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add country_6 \"\$1}'
	option ban_src_settype 'net'
	option ban_src_on_6 '0'
	option ban_src_on '1'
	option ban_src_ruletype 'src+dst'
	list ban_src_cat 'ru'
	list ban_src_cat 'cn'
	list ban_src_cat 'gg'
	list ban_src_cat 'io'

config source 'asn'
	option ban_src 'https://stat.ripe.net/data/announced-prefixes/data.json?resource='
	option ban_src_6 'https://stat.ripe.net/data/announced-prefixes/data.json?resource='
	option ban_src_desc 'Build a dynamic IPSet by ASN numbers based on RIPE data (IPv4/IPv6)'
	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add asn \"\$1}'
	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add asn_6 \"\$1}'
	list ban_src_cat '32934'
	option ban_src_settype 'net'
	option ban_src_ruletype 'src'
	option ban_src_on '0'
	option ban_src_on_6 '0'


I can confirm that. BanIP is applied only to the forwarding and input of lan and wan, even though there are more zones.

@dibdot

I always use a single NCM WAN i/f, a Huawei USB modem. I simply used eth.02 for comparison purposes on the same build, with NCM disabled.

I also tested routing WAN through the usb-net subsystem, with a USB-to-Ethernet adaptor that shows up as eth1. The behaviour is the same as using the dedicated WAN Ethernet port (eth.02): lots of zone_wan_input traffic.

The behaviour using NCM is completely inconsistent, almost always showing zero traffic from boot till infinity. Just occasionally zone_wan_input shows low-volume traffic, but it soon shows zero again.

I have opened a thread in the developers section seeking wisdom.

Thanks again to all here who have been so helpful.

banIP currently supports only a single/configurable input chain, e.g. 'forwarding_lan_rule'. I'll try to work on enhancements during my Christmas holidays ....


@dibdot ooh ok, I thought I was doing something wrong. :wink:
It's just not possible (yet) :yum:

Just an idea, wouldn't it work better to insert the banIP chain in zone_wan_dest_ACCEPT?
That way whatever is meant to be forwarded to the wan can be checked no matter the source zone.

@trendy that is the way I thought it would work. :wink:
@dibdot very handy package though.