banIP support thread

Hello,
banIP has been the only tool capable of blocking DoH servers for me. My problem now is that I changed my network configuration and now I have the 4 ethernet ports segmented into 2 VLANs with 2 of those ports/interfaces each, and now banIP only blocks on 1 port. What can I do to block on the other ports/interfaces? PS: I have an isolated guest WLAN and banIP works there too.

Anyone know why the luci-app-banip and banip packages are now missing?

Not compatible with nftables in latest builds.

You can uninstall nftables and re-install legacy fw3 (iptables)... I was able to get it installed by pulling the .ipk from the 21.02 packages and manually use opkg install to get it to install. It's a hassle because I've been using the attended sysupgrade to install the latest snapshot and I think it still needs to be included (at least as legacy) in the 22.137+ builds so that I don't have to go through the trouble. I know that Dirk is working on the nftables version - but in the meantime... we need at least the legacy packages...

How is it going? Any news to share?
Thanks for your great work.

I have a WRT1200AC with version 21.02.3 and it is not using nftables, it is using ipset 7.6-1, and banIP is not blocking DoH. How can this be achieved so users don't bypass rules?

You'll probably have to go over the configuration and make sure it's set up right for your system. When I first installed it I had to go over a lot of stuff to make sure it was working right and dropping packets in the desired fashion. If you're a first-timer it's probably the way it's injecting the chains. Check the firewall and make sure the ruleset is being applied correctly. banIP uses the iptables command that comes with fw3 to inject chains into the firewall - you have to make sure that the firewall chains are in order. Start simple by adding a test block to your blacklist just to make sure it's working. While testing, make sure you're not testing an IP without an established connection, because there's a line in banip.sh that will allow established connections - but once the router and device are restarted it will prevent that connection from establishing and it will be unable to enter that state to bypass the firewall.

Thanks for the quick reply. I'm not an advanced user or pro. What I know is that when I used only banIP on a newly flashed router and selected the DoH blocklist, it would block Firefox from using DoH as well as the devices that did, but I restarted everything and installed AdGuard Home + SQM, then installed banIP, and everything works except the blocking from banIP, which is a big bummer because it is the only way I could solve this DoH bypass problem. I noticed that banIP is not shown in the netstat port listening list, and at my level until now I just know how to implement the well-known custom iptables redirect rule, but just that. I tried checking and unchecking the "auto detection" box in banIP but it did not work either :(

Even though a DoH ipset blocklist is offered through banIP, you will inevitably run into situations where people can bypass blocks of DoH. This can be done by using a VPN. True that you can block certain providers hosting DoH, but nothing is going to stop a user from setting up a forward or using a VPN unless you take a more robust approach to banning IPs. A lot of VPNs are using AWS to host their services - and if you block them, you'll most likely end up blocking desired services. To get banIP to work you'll need to go over your conf. I'll post a few examples of working configurations that I use. I've actually gone even further and created my own ipsets since you can't exactly trust 100% the bansources. The safest thing you could do is ban every known IP address and individually whitelist IPs, but it's very time consuming and you need to know what you're doing. It would help to have an API type interface that an application could easily monitor and apply bans, but with banIP, everything must be done by hand. There are also limitations to the number of entries that can be added to the whitelist and so it's important to know how to use CIDR entries. I mentioned that there was a line that allowed established connections, but that was actually a tweak I performed in banip.sh. Take a look at my working configs - I didn't have enough time to post them earlier:

/etc/config/banip

config banip 'global'
	option ban_debug '0'
	option ban_monitor_enabled '0'
	option ban_logsrc_enabled '0'
	option ban_logdst_enabled '0'
	option ban_autodetect '1'
	option ban_autoblacklist '1'
	option ban_autowhitelist '0'
	option ban_global_settype 'src+dst'
	option ban_target_dst 'DROP'
	option ban_target_src 'DROP'
	option ban_trigger 'wan'
	option ban_maxqueue '32'
	option ban_srcarc '/etc/banip/banip.mysources.gz'
	option ban_fetchutil 'curl'
	list ban_lan_inputchains_4 'input_rule'
	list ban_lan_forwardchains_4 'forwarding_wan_rule'
	list ban_wan_inputchains_4 'forwarding_rule'
	list ban_wan_forwardchains_4 'output_rule'
	list ban_logterms 'dropbear'
	list ban_lan_inputchains_6 'input_rule'
	list ban_lan_forwardchains_6 'forwarding_wan_rule'
	list ban_wan_inputchains_6 'forwarding_rule'
	list ban_wan_forwardchains_6 'output_rule'
	list ban_countries 'ru'
	list ban_countries 'in'
	list ban_countries 'mx'
	list ban_countries 'jp'
	list ban_countries 'kr'
	list ban_countries 'cn'
	list ban_countries 'ro'
	list ban_countries 'pa'
	list ban_countries 'md'
	list ban_countries 'gr'
	list ban_countries 'cl'
	list ban_countries 'ie'
	list ban_countries 'se'
	list ban_countries 'ir'
	list ban_countries 'nl'
	list ban_countries 'de'
	list ban_countries 'gb'
	list ban_countries 'tw'
	list ban_countries 'by'
	list ban_countries 'rs'
	list ban_countries 'bg'
	list ban_countries 'cu'
	list ban_countries 'sy'
	list ban_countries 'ni'
	list ban_countries 've'
	list ban_countries 'iq'
	list ban_countries 'ly'
	list ban_countries 'af'
	list ban_countries 'kp'
	list ban_countries 'vn'
	list ban_countries 'la'
	option ban_mail_enabled '1'
	option ban_mailreceiver 'no-user@redacted.com'
	option ban_mailsender 'no-reply@redacted.com'
	list ban_mailactions 'start'
	list ban_mailactions 'reload'
	list ban_mailactions 'restart'
	list ban_mailactions 'refresh'
	option ban_mailprofile 'ban_notify'
	list ban_settype_all 'blacklist'
	list ban_settype_all 'asn'
	list ban_settype_all 'bogon'
	list ban_settype_all 'cinsscore'
	list ban_settype_all 'country'
	list ban_settype_all 'darklist'
	list ban_settype_all 'debl'
	list ban_settype_all 'doh'
	list ban_settype_all 'drop'
	list ban_settype_all 'edrop'
	list ban_settype_all 'feodo'
	list ban_settype_all 'firehol2'
	list ban_settype_all 'firehol3'
	list ban_settype_all 'firehol4'
	list ban_settype_all 'greensnow'
	list ban_settype_all 'myip'
	list ban_settype_all 'nixspam'
	list ban_settype_all 'proxy'
	list ban_settype_all 'sslbl'
	list ban_settype_all 'talos'
	list ban_settype_all 'threat'
	list ban_settype_all 'tor'
	list ban_settype_all 'torrelay'
	list ban_settype_all 'voip'
	list ban_settype_all 'yoyo'
	list ban_settype_all 'countries'
	list ban_sources 'bogon'
	list ban_sources 'cinsscore'
	list ban_sources 'country'
	list ban_sources 'darklist'
	list ban_sources 'debl'
	list ban_sources 'drop'
	list ban_sources 'edrop'
	list ban_sources 'feodo'
	list ban_sources 'firehol2'
	list ban_sources 'firehol3'
	list ban_sources 'firehol4'
	list ban_sources 'greensnow'
	list ban_sources 'myip'
	list ban_sources 'nixspam'
	list ban_sources 'proxy'
	list ban_sources 'sslbl'
	list ban_sources 'talos'
	list ban_sources 'threat'
	list ban_sources 'tor'
	list ban_sources 'voip'
	list ban_sources 'yoyo'
	list ban_sources 'countries'
	option ban_mailtopic 'banIP Notification'
	option ban_enabled '1'
	option ban_nice '-20'
	option ban_loglimit '500'
	option ban_proto4_enabled '1'
	list ban_ifaces 'wan'

from line 485 of /usr/bin/banip.sh

	# Only touch the firewall when the set is not being destroyed and it either
	# has entries or is the blacklist/whitelist set.
	if [ -z "${destroy}" ] && { [ "${cnt}" -gt "0" ] || [ "${src_name%_*}" = "blacklist" ] || [ "${src_name%_*}" = "whitelist" ]; }; then
		if [ "${src_name##*_}" = "4" ]; then
			ipt_cmd="${ban_ipt4_cmd}"
			# First IPv4 set of this run: hook the banIP chain into every configured
			# input/forward chain. "-I" inserts the jump at the top of each chain.
			if [ ! -f "${ban_tmpfile}.${src_name##*_}.chains" ]; then
				: >"${ban_tmpfile}.${src_name##*_}.chains"
				chainsets="${ban_lan_inputchains_4} ${ban_wan_inputchains_4} ${ban_lan_forwardchains_4} ${ban_wan_forwardchains_4}"
				for chain in ${chainsets}; do
					f_iptrule "-I" "${chain}" "-j ${ban_chain}"
				done
				# The line referred to above: packets of already ESTABLISHED
				# connections leave the banIP chain before any set is matched.
				f_iptrule "-A" "${ban_chain}" "-m conntrack --ctstate ESTABLISHED -j RETURN"
			fi

My config makes use of the e-mail notifications so feel free to adjust to your needs. You probably don't need all of those country blocks and some of them are of my own design. Take notice of how I "DROP" packets instead of just rejecting them. When an attacker tries to talk to your public IP and the packet is dropped it takes longer for them to detect that something wrong happened, and they don't get the same kind of reply from a router that just rejects it - it's more like a black hole. I add some of these countries to my list not because they are bad countries but because I know that in some cases they have a large number of attackers originating from within. Others I block because I know they have large NOCs that host things like Facebook, and once the data leaves my country it also leaves the laws regarding its protection. It's not because I think you are bad or a dishonorable nation. I end up having to whitelist a lot of German IPs because of where a lot of the OpenWrt stuff originates. -Good Luck.

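One way to verify the chain hooks the post above describes (and to follow the earlier advice to start with a test block and check that the firewall chains are in order): an added POSIX sh example, not from banIP or the poster, that parses `iptables -S` output and checks that the jump into the banIP chain is the first rule of each configured chain and that the ESTABLISHED RETURN rule is present. It assumes the chain is named banIP and uses a constructed rule listing in place of the router's; on a router, pass it `"$(iptables -S)"` instead.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output (not from the poster's router):
# the banIP jump is first in input_rule and forwarding_rule, an ACCEPT rule
# sits ahead of it in forwarding_wan_rule, and output_rule has no jump at all.
SAMPLE_RULES='-N banIP
-N input_rule
-N forwarding_rule
-N forwarding_wan_rule
-N output_rule
-A input_rule -j banIP
-A forwarding_rule -j banIP
-A forwarding_wan_rule -s 192.0.2.0/24 -j ACCEPT
-A forwarding_wan_rule -j banIP
-A banIP -m conntrack --ctstate ESTABLISHED -j RETURN
-A banIP -m set --match-set doh_4 dst -j DROP'

# check_hooks RULES CHAINS
# For each chain name in CHAINS (space separated, e.g. the values of the
# ban_*chains_4 lists) verify that the first rule of that chain is the jump
# to banIP, which is what the "-I" inserts in banip.sh produce. A rule that
# precedes the jump can accept traffic before banIP ever sees it.
# Prints one line per chain; returns the number of mis-hooked chains.
check_hooks() {
    rules=$1; chains=$2; bad=0
    for chain in $chains; do
        first=$(printf '%s\n' "$rules" | grep "^-A $chain " | head -n 1)
        case $first in
            "-A $chain -j banIP") echo "ok       $chain" ;;
            "")                    echo "missing  $chain"; bad=$((bad + 1)) ;;
            *)                     echo "shadowed $chain: $first"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# has_established_return RULES
# True when the banIP chain lets already-ESTABLISHED flows through, i.e. the
# line the post above warns about when testing a block on a live connection.
has_established_return() {
    printf '%s\n' "$1" | grep -q '^-A banIP -m conntrack --ctstate ESTABLISHED -j RETURN$'
}

# Stand-alone run against the constructed sample.
check_hooks "$SAMPLE_RULES" "input_rule forwarding_rule forwarding_wan_rule output_rule"
has_established_return "$SAMPLE_RULES" && echo "ESTABLISHED flows bypass the ban sets: test blocks from a fresh connection"
```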

@dibdot Blocklist backup cannot be disabled, unlike in Adblock. Could you add the option to disable it?
Another thing, in the GUI there used to be the Reload button, suddenly it's been replaced by the Refresh button. Is it a bug or did I touch something? Can this be changed?

Hello, I'm wondering if someone may be able to help with the following issue:

  • I'm running OpenWrt 19.07.8 on GL-MV1000 and banIP 0.3.11 and configured the WireGuard client
  • it appears this is the latest package available for this OpenWrt version
  • banIP (as well as LuCI add-on) install just fine
  • service start with no errors
  • there are no errors to follow even if the verbosity of logging is increased

Problem: nothing is being blocked. Neither via pre-configured blocklist nor a manual entry.

WAN interface is set to auto. Tried with manual settings as well but to no avail.

How can I troubleshoot the above scenario, please?

It is likely you are using fw4 and nftables, which are currently not supported.

Doubt he is using fw4 on OpenWrt 19.07, since fw4 doesn’t exist for 19.07.

Hi all!

I upgraded from openwrt 19 to 21.02.3.
I am still using fw3.

However, banIP fails with this error message: "banIP processing failed, fatal iptables errors during subshell processing"

Is this expected?

Hello!

I'm using banIP and I was wondering if there is a way to remove IP addresses that are added to the blacklist via the log monitor after a certain amount of time has passed since they were added. I tried using the "Blacklist timeout" option but it doesn't seem to have this effect. Thanks a lot!

Beautiful piece of software. Thank you very much!

Just two simple questions:

  1. I have a commercial wireguard VPN dealing with all my traffic. I have a LAN interface, WAN interface and WIREGUARD interface. All traffic goes through the WIREGUARD interface. With regards to the Network Interfaces in the banIP settings, should I just select WAN? WAN + LAN? WAN + WIREGUARD? It works well with just the WAN interface selected, but I was thinking whether this would allow banIP to pick up outgoing nasty traffic from the LAN (as this is directed to WIREGUARD rather than straight to WAN).

  2. The log is showing around 3 to 4 malicious attempts per minute. Is this normal?

Thanks for your help!

I'm just wondering if I have done something wrong, but banip and luci-app-banip do not seem to show up in make menuconfig; if I search for them in menuconfig, though, they show up.

I just noticed it is marked as broken. Is this just because it is not supported under fw4?

Have you looked at the menu location that the search function says it is in?

It has a package dependency on Broken, and there is a menu item under advanced developer options to show broken platforms/packages.

It will only list if I select that. I have never noticed that option before; I'm guessing this is to do with fw4 being the default now.

As far as I know banIP isn't working with nftables, so the package is probably blocked if you try to build a 22.03 image or newer.