Geoip-shell: flexible geoip blocker for Linux, now supports OpenWrt

Hi, can you share your config here please? Thanks :wink:

datadir=/tmp/geoip-shell-data
user_ccode=GE
iplists=
geomode=
tcp_ports=skip
udp_ports=skip
geosource=ipdeny
families=ipv4 ipv6
schedule=0 * * * *
max_attempts=30
ifaces=
autodetect=
nft_perf=
lan_ips_ipv4=
lan_ips_ipv6=
trusted_ipv4=
trusted_ipv6=
reboot_sleep=30
nobackup=true
no_persist=
noblock=
http=

I would like to implement by IP source address and IP destination address at destination to other IP, with reject or accept port.

I don't know if you understand; I will use translate tonight at my home.

Thanks

I really don't understand, I'm sorry :slight_smile: Please try to write as specifically as possible. P.s. judging by the config, you may be using an earlier version of geoip-shell. Recent versions have introduced significant improvements, so I recommend you update. Edit: it is also possible that you installed geoip-shell via an ipk but haven't configured it yet.

Also ipk packages are now available, and the OpenWrt README shows a command with which you can download the latest ipk directly to your router. Just remember that if you installed using the -install script previously and are now going to install using the ipk, first uninstall the earlier version via this command: "sh geoip-shell-uninstall.sh". If you want to update via ipk in the future, you won't need to do this step anymore.

v0.4.2 is out with some additional bug fixes (I think we're done with bugs for now).
Also the OpenWrt installs are now slightly smaller since I'm now stripping debug-related code from them.

Just released geoip-shell v0.4.3 with the following changes:

  • Improved firewall rules order (now the icmpv6 and dhcpv6 rules are always processed before ipsets)
  • The status report now includes last successful update date and time
  • Improved usage() output in multiple scripts
  • Refinements in installation and setup
  • In particular, faster initial setup for iptables-based OpenWrt systems

This release should be pretty stable.

I'm blocked here now, is that right?

geoip-shell: geoip mode is not set.

Select geoip blocking mode: [w]hitelist or [b]lacklist, or [a] to abort.
w|b|a: w

Please enter country codes to include in geoip whitelist.
Country codes (2 letters) or [a] to abort: DE
geoip-shell: Error: $ccode_list variable is empty. Perhaps cca2.list is missing?
Invalid 2-letter country codes: 'DE'.
Country codes (2 letters) or [a] to abort:

Which version did you install and with which method? ipk or via the install script?

Hi, the last version via ipk.

Please run this command and post the output:
ls -lh /etc/geoip-shell/

and this one:
cat /etc/geoip-shell/cca2.list

-rw------- 1 root root 791 Mar 28 22:53 cca2.list
-rw------- 1 root root 130 Mar 28 22:53 geoip-shell-constants
-rw------- 1 root root 295 Mar 28 22:53 geoip-shell.conf

ARIN= AI AQ AG BS BB BM BV CA KY DM GD GP HM JM MQ MS PR BL SH KN LC PM VC MF TC US UM VG VI
RIPENCC= AL AD AM AT AZ BH BY BE BA BG HR CY CZ DK EE FO FI FR GE DE GI GR GL GG VA HU IS IR IQ IE IM IL IT JE JO KZ KW KG LV LB LI LT LU MT MD MC ME NL MK NO OM PS PL PT QA RO RU SM SA RS SK SI ES SJ SE CH SY TJ TM TR UA AE GB UZ YE AX
APNIC= AF AS AU BD BT IO BN KH CN CX CC CK FJ PF TF GU HK IN ID JP KI KP KR LA MO MY MV MH FM MN MM NR NP NC NZ NU NF MP PK PW PG PH PN WS SG SB LK TW TH TL TK TO TV VU VN WF
AFRINIC= DZ AO BJ BW BF BI CM CV CF TD KM CG CD CI DJ EG GQ ER SZ ET GA GM GH GN GW KE LS LR LY MG MW ML MR MU YT MA MZ NA NE NG RE RW ST SN SC SL SO ZA SS SD TZ TG TN UG EH ZM ZW
LACNIC= AR AW BZ BO BQ BR CL CO CR CU CW DO EC SV FK GF GT GY HT HN MX NI PA PY PE SX GS SR TT UY VE
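The setup prompt above rejected 'DE' because the list of known codes parsed from cca2.list came back empty. As an added example (not geoip-shell's own code), here is a small POSIX sh validator that reads a cca2.list in the layout shown above and checks user-entered codes against it; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of geoip-shell. Validates 2-letter country codes
# against a cca2.list file in the "REGISTRY= CC CC ..." layout shown in the thread.
export LC_ALL=C

# Constructed sample file in the same layout as the real cca2.list (subset only)
make_sample_cca2() {
    cat > "$1" <<'EOF'
ARIN= AI AQ AG BS BB BM CA US
RIPENCC= AL AD AT DE FR GB GE
APNIC= AU CN JP KR
EOF
}

# Print all known codes from a cca2.list as one space-separated line.
# An empty result here is exactly the "$ccode_list variable is empty" condition.
load_ccode_list() {
    [ -s "$1" ] || return 1
    sed 's/^[A-Z]*= *//' "$1" | tr '\n' ' ' | sed 's/ *$//'
}

# validate_ccodes FILE "CC CC ...": prints the invalid codes (if any).
# Returns 0 if all codes are valid, 1 if some are invalid, 2 if FILE is unusable.
validate_ccodes() {
    file="$1" input="$2" bad=""
    list="$(load_ccode_list "$file")" || { echo "cca2.list missing or empty" >&2; return 2; }
    for cc in $input; do
        cc="$(printf '%s' "$cc" | tr 'a-z' 'A-Z')"   # accept lowercase input
        case "$cc" in
            [A-Z][A-Z]) ;;                            # well-formed 2-letter code
            *) bad="$bad $cc"; continue ;;
        esac
        case " $list " in
            *" $cc "*) ;;                             # present in cca2.list
            *) bad="$bad $cc" ;;
        esac
    done
    bad="${bad# }"
    [ -z "$bad" ] && return 0
    printf 'Invalid 2-letter country codes: %s\n' "$bad"
    return 1
}
```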

Also this one please:
cat /usr/bin/geoip-shell-geoinit.sh

#!/bin/sh

# Copyright: antonk (antonk.d3v@gmail.com)
# github.com/friendly-bits

export conf_dir="/etc/geoip-shell" install_dir="/usr/bin" lib_dir="/usr/lib" iplist_dir="/tmp" lock_file="/tmp/geoip-shell.lock"
export conf_file="/etc/geoip-shell/geoip-shell.conf" _lib="$lib_dir/geoip-shell-lib" i_script="$install_dir/geoip-shell" _nl='
'
export LC_ALL=C POSIXLY_CORRECT=yes default_IFS="
"


[ "$root_ok" ] || { [ "$(id -u)" = 0 ] && export root_ok="1"; }
. "${_lib}-common.sh" || exit 1
[ "$fwbe_ok" ] || [ ! "$root_ok" ] && return 0
. "/etc/geoip-shell/${p_name}-constants" || exit 1
_no_l="$nolog"
{ nolog=1 check_deps nft 2>/dev/null && export _fw_backend=nft; } ||
{ check_deps iptables ip6tables iptables-save ip6tables-save iptables-restore ip6tables-restore ipset && export _fw_backend=ipt
} || die "neither nftables nor iptables+ipset found."
export fwbe_ok=1
r_no_l
:

I think I understand where the issue is. Will get back to you soon with a solution.


@Dopam-IT_1987 I released v0.4.4 which should fix this issue


Hi, I will try now, thanks, and I'll keep you informed.

geoip-shell status:

geoip-shell v0.4.4

Geoip blocking mode: whitelist
Ip lists source: ipdeny
Country codes in the whitelist: DE ✔
IP families in firewall rules: ipv4 ipv6 ✔
Geoip rules applied to network interfaces: eth1

Protocols:
tcp: Geoip is applied to all ports
udp: Geoip is applied to all ports

Geoip firewall chain: enabled ✔
Whitelist blocking rule: ✔

Cron system service: ✔
Update cron job: ✔
Update schedule: '15 4 * * *'
Last successful update: Apr-02-2024 16:12:01
Persistence: ✔
Automatic backup of ip lists: Off

No problems detected.

Seems to work :wink:


Today I was able to try geoip-shell. Conclusion: simple and impressive. I remember reading somewhere that you wanted to add other functions (not related to geoip blocking), but frankly it would be better to start another project and leave this one as straightforward as possible. It is KISS and I like it like that.
A few configurations and the expected result was there.

Now, if I have to point out some things, I would say:

  1. I tried to install the ipk as stated here using the curl command for firewall4 + nftables. Sadly this way it didn't work and I got the following error message:
# curl -O "$(curl -s https://api.github.com/repos/friendly-bits/geoip-shell/releases | grep -m1 -o 'https://.*geoip-shell_.*\.ipk')"
# opkg install geoip-shell_0.4.5-r1.ipk
Collected errors:
 * pkg_init_from_file: Malformed package file geoip-shell_0.4.5-r1.ipk.

But it worked correctly when I downloaded the ipk from the releases and installed it the same way.

  2. When running the 'geoip-shell configure' command right after installing the ipk, I had an error about cron not being enabled or started. Even after enabling and starting it from init.d it still gave me the same error. The problem was that I had to put a new line in 'System -> Scheduled Tasks', as cron doesn't accept to start if there is nothing there. Not related to geoip-shell but could be worth a mention in the doc. Or better, try to enable/start cron (if possible) after adding the line specific to geoip-shell; this way cron would start correctly.

  3. As an improvement, maybe add the possibility to reset the ports added with the 'configure -p' option (like it is possible with the 'lan_ips' option and the 'none' parameter). This way, if we don't need the ports there anymore, it would be easy to reset.

Also, it could be nice to have the package in the repos (this way it will be easier when you do an attended sysupgrade and keep the packages list and configurations). BTW also adapt the configuration to uci (?)

But overall, frankly, nice work!


Great review, thank you for it. I'll check out what's wrong with downloading via the curl command. Also with cron - I've never had this issue but I'll try to reproduce it and see how this should be fixed. Regarding ports, the reset command is geoip-shell configure -p tcp:block:all -p udp:block:all. If you think a simpler command should be made available, I could definitely implement it.

As to uci, maybe in the future. The thing is, geoip-shell is not exclusive to OpenWrt - it runs on almost any Linux system (at least in theory). Implementing 2 alternative systems for config management would make this project much more complex. I'll think about it, anyway.

As to adding the package to the repos, I'm working on it, hopefully will happen soon.

Edit: turns out I forgot to allow redirections with the curl command. Updated the OpenWrt readme with the correct command.

@Malakai which command did you use to start the cron service? For me it works if I simply run

/etc/init.d/cron enable
/etc/init.d/cron start

I don't need to add any cron jobs for the cron service to be running after that.

geoip-shell could offer the user to enable and start cron for them (I don't really want to enable system services without permission) but I'd like to see if maybe you ran into a particular issue which this solution will not cover. It would be really nice if you could test this again, just to see if the issue is reproducible on your end.

opkg remove geoip-shell-nftables
/etc/init.d/cron stop
/etc/init.d/cron disable
opkg install geoip-shell-nftables_0.4.6-r2.ipk
/etc/init.d/cron enable
/etc/init.d/cron start
geoip-shell configure

(your geoip-shell settings should be preserved)

Which OpenWrt version are you running btw?


Update: geoip-shell v0.4.7 implements @Malakai's idea to enable and start the cron service when detecting that cron is not running. The user is asked for approval, all the rest is done automatically.