Firewall limit traffic from IP list

Hi everyone,

I am trying to limit access to a port forward rule I have by restraining access from public source IPs only to a specific country. I can get the IP list from https://www.ipdeny.com/ipblocks; the idea is to create a rule that will import all public IPs (CIDR format) from a specific country and allow only them.

What's the best way to perform this?

Thanks

create an ipset, reference it in your fw rule.

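As an added example, not code from the thread or from OpenWrt itself, this script does the ipset approach end to end on an fw4 (OpenWrt 22.03 or later) router: it cleans an ipdeny-style zone file down to valid IPv4 CIDRs, writes it to a loadfile, and prints the two UCI sections needed in /etc/config/firewall: a `config ipset` that loads the file and a `config rule` that accepts the WireGuard port only from that set. The country code `xx`, the set name `country_xx`, UDP port 51820 and the /etc/firewall.d/ path are assumptions for illustration, and the sample zone file is constructed, not real ipdeny data.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt). Assumptions: country "xx",
# WireGuard on UDP 51820, set name "country_xx", loadfile under /etc/firewall.d/.

# Return 0 if $1 is a syntactically valid IPv4 CIDR (a.b.c.d/n), else 1.
# Bare addresses without /n are rejected on purpose; ipdeny zone files always
# carry a prefix length, and a stray line is more likely garbage than intent.
valid_cidr4() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*|*/|/*) return 1 ;;
    esac
    ip=${1%/*}; len=${1#*/}
    [ "$ip" != "$1" ] || return 1                 # no slash at all
    [ "$len" -le 32 ] || return 1                 # prefix length 0..32
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1                      # exactly four octets
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the valid CIDRs from zone file $1, one per line, dropping blank lines,
# comments and malformed entries; report the drop count on stderr.
clean_zone() {
    dropped=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # strip trailing comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_cidr4 "$line"; then
            printf '%s\n' "$line"
        else
            dropped=$((dropped + 1))
        fi
    done < "$1"
    [ "$dropped" -eq 0 ] || printf 'clean_zone: dropped %d malformed line(s)\n' "$dropped" >&2
}

# Emit the UCI firewall sections: $1 = set name, $2 = loadfile path, $3 = UDP port.
# The rule matches the source address against the set, so only listed networks
# reach WireGuard; the wan zone's default input policy handles everything else.
# The same 'option ipset' line works on a 'config redirect' port forward.
emit_uci() {
    cat <<EOF
config ipset
	option name '$1'
	option family 'ipv4'
	list match 'src_net'
	option loadfile '$2'

config rule
	option name 'Allow-WireGuard-from-$1'
	option src 'wan'
	option proto 'udp'
	option dest_port '$3'
	option ipset '$1'
	option target 'ACCEPT'
EOF
}

# Demo on a constructed zone file (not real ipdeny data) in a temp directory.
work=$(mktemp -d)
cat > "$work/xx.zone.raw" <<'EOF'
# constructed sample zone file
203.0.113.0/24
198.51.100.0/25   # trailing comment is fine
192.0.2.0/33
bogus
10.0.0.0/8
EOF
clean_zone "$work/xx.zone.raw" > "$work/xx.zone"
echo "# kept $(wc -l < "$work/xx.zone" | tr -d ' ') entries in $work/xx.zone"
emit_uci country_xx /etc/firewall.d/xx.zone 51820
```

On the router, copy the cleaned file to /etc/firewall.d/xx.zone, append the printed sections to /etc/config/firewall (or enter them with `uci`), run `/etc/init.d/firewall restart`, and confirm the set was populated with `nft list set inet fw4 country_xx`. Re-run the download and cleaning step periodically; a stale country list silently drifts toward the false positives and negatives discussed further down the thread.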

Research BanIP: https://openwrt.org/docs/guide-user/services/banip

That's partly outdated, a better place is here ...
packages/net/banip/files/README.md at master · openwrt/packages


As far as I know banIP blocks all incoming traffic, which is not what I want. I want to restrict just a specific rule to a specific country set, only for that rule, not all incoming traffic on my router.

Then you don't know.
The firewall does this; banIP creates holes in the firewall for you.

and you're contradicting yourself ...

Don't quote part of my question quote everything and you will see I am not contradicting myself.

Full quote is "I am trying to limit acess to a port forward rule I have by restraining acess from public source IP only to a specific country" not "specific country and allow only them.".

Maybe I was not clear in my question. An example of what I am trying to achieve is to restrict access to my WireGuard VPN to only my country.

Nope, just select the countries you want to block or other suspicious IP blocks ... just check the readme.


Not seeing a way I can implement what I want with banIP, I already looked at the settings (I currently already use banIP).
Like I mentioned in my previous post, to give better context, an example of what I am trying to achieve is to restrict access to my WireGuard VPN to only my country.


Maybe this is what you are looking for, from the BanIP readme:

Allowlist-only mode
banIP supports an "allowlist only" mode. This option restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are not listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world.


'Allowlist Only' mode => allow only the country/countries you want ...

Thanks @dibdot @egc @frollic, I will do some tests with this setting in banIP.

Caveat emptor: there is no real guarantee that any list will be free of false positives (here, containing IP addresses used in a different country) and false negatives (here, lacking IP addresses that are actually used within a given country). As long as all you need is getting it approximately right, existing lists should be OK, but if you need high precision this becomes a bit dubious quickly.

True, and there is still IP spoofing. But it's always better than leaving it open to the entire world.

Ended up using this solution; this was exactly what I wanted.
