Geoip-shell: flexible geoip blocker for Linux

For the cron part, this is on a newly installed openwrt 23.05.3 x86/64 generic-squashfs-combined (just executing 'crontab -e' and quitting the editor allows cron to start):

root@OpenWrt:~# /etc/init.d/cron enabled && echo YES || echo NO
YES
root@OpenWrt:~# /etc/init.d/cron running && echo YES || echo NO
NO
root@OpenWrt:~# /etc/init.d/cron start
root@OpenWrt:~# /etc/init.d/cron running && echo YES || echo NO
NO
root@OpenWrt:~# crontab -l
crontab: can't open 'root': No such file or directory
root@OpenWrt:~# crontab -e
root@OpenWrt:~# /etc/init.d/cron start
root@OpenWrt:~# /etc/init.d/cron running && echo YES || echo NO
YES
root@OpenWrt:~# crontab -l
root@OpenWrt:~#

When trying to launch the configuration without the workaround from above I get:

root@OpenWrt:~# geoip-shell configure
geoip-shell: Firewall backend is not set.
geoip-shell: Error: cron is not running.
geoip-shell: The cron service needs to be enabled and started in order for automatic ip list updates to work.
geoip-shell: If you want to use geoip-shell without automatic ip list updates,
geoip-shell: install/configure geoip-shell with option '-s disable'.

Would you like geoip-shell to enable and start the cron service on this device? [y|n].
y|n: y

Attempting to enable and start cron... Failed.
root@OpenWrt:~#

Seems logical, but I didn't think of it. Maybe just mention it in the help(?)

Understandable.

Nice.

I confirm it is working now.

1 Like

Thank you for testing. This line above appears to indicate the culprit: missing file /etc/crontabs/root.

I just released v0.4.7.1 which should be able to handle this issue.

Seems logical, but I didn't think of it. Maybe just mention it in the help(?)

The help (which you get when running geoip-shell -h) is already kinda too big. There is a lot in terms of details which can be added to it, but it just can't contain all of that. This is what documentation is for. I think in v0.4.6 the syntax for the protocols/ports command which was printed by geoip-shell -h was missing the 'all' keyword; I added it in v0.4.7. So syntax-wise it should be good now. I'll see if I can make this point clearer in the documentation as well.

Edit: Next release will have geoip-shell -h print a better explanation of this command, I hope this will be enough.

Thank you for the useful comments.

1 Like
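The thread above shows the sequence that unblocks cron on a fresh OpenWrt install: the init script reports "enabled" but refuses to start until root's crontab file exists, and the author identifies the missing /etc/crontabs/root as the culprit. The script below is an added example (not geoip-shell's own code, nor the fix shipped in v0.4.7.1) that automates exactly that workaround; the crontab directory is a parameter so the file-creation part can be exercised on a scratch path, and the service part only runs where /etc/init.d/cron exists.

```shell
#!/bin/sh
# Added example, not part of geoip-shell. Reproduces the workaround from the
# thread: create an (empty) root crontab so OpenWrt's cron init script agrees
# to start crond, then enable and start the service.

# ensure_root_crontab [DIR]
# Creates DIR/root (default /etc/crontabs) if it is missing, mode 0600 since
# crontabs can carry privileged commands. Prints "created" or "exists";
# returns non-zero if the directory or file cannot be created.
ensure_root_crontab() {
    dir=${1:-/etc/crontabs}
    file="$dir/root"
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    if [ -f "$file" ]; then
        echo exists
    else
        # 'crontab -e' followed by quitting the editor does the same thing
        : > "$file" && chmod 600 "$file" && echo created
    fi
}

# cron_is_running
# Same probe the thread uses: the init script's 'running' action.
# Returns 2 when there is no OpenWrt-style init script at all.
cron_is_running() {
    init=/etc/init.d/cron
    [ -x "$init" ] || return 2
    "$init" running
}

# fix_cron [DIR]
# Full workaround: make sure the crontab file exists, then enable and start
# cron if it is not already running. Safe to call repeatedly.
fix_cron() {
    ensure_root_crontab "${1:-/etc/crontabs}" >/dev/null || return 1
    if cron_is_running; then
        echo "cron already running"
        return 0
    fi
    init=/etc/init.d/cron
    [ -x "$init" ] || { echo "no $init on this system"; return 2; }
    "$init" enable 2>/dev/null
    "$init" start || return 1
    cron_is_running && echo "cron started" || { echo "cron still not running"; return 1; }
}

# Usage (on the router): sh fix-cron.sh
[ "${0##*/}" = "fix-cron.sh" ] && fix_cron
```

Running it on a stock OpenWrt 23.05 box reproduces the "NO ... YES" transition from the session above without opening an editor; on any other system the file part still works but the service part reports that the init script is absent.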

These specs imply that you are probably not extremely limited in terms of storage capacity and memory. If this is the case, you may want to consider configuring geoip-shell to use permanent storage for backup, and perhaps to optimize nftables sets for performance (rather than for memory). See docs for more information:

https://github.com/friendly-bits/geoip-shell/tree/main/OpenWrt#defaults-for-openwrt

1 Like

@antonk

Please add mk-owrt-package.sh option to build only OpenWrt package for manually copy and building on my own without recompiling geoip-shell ipk automatically. Preferably in a new folder in the same location as mk-owrt-package.sh instead of OpenWrt build root folder.

1 Like

I guess I'll split that script into prep-owrt-package and mk-owrt-package then. A bit surprised that someone else is interested in that script besides myself tbh :slight_smile:

Thanks for the geoip-shell, haven't tested it yet, still building my updated image.
Also, updating your own package in OpenWrt upstream is usually not instantaneous, so it will be helpful if we can build the geoip-shell package on our own from your GitHub repo :smile:.

1 Like

Sure, let me know what you think.

In the meantime, I released v0.4.8 which features improved usage for protocols-ports as promised to @Malakai . In addition, now geoip-shell checks RAM capacity and if it is higher than 2GiB, the 'performance' policy for nftables sets is used by default (the default doesn't affect existing installations but you can change the config if you like). Also a minor bug has been fixed.

1 Like

^ done, prep-owrt-package.sh and the updated mk-owrt-package.sh are in my repository.

@echelon Not sure where you want the build dir to be. The prepared openwrt build (before compilation) is created in geoip-shell/OpenWrt/owrt-build. The mk- and prep-owrt-package scripts are in geoip-shell/OpenWrt/ as well.

P.s. I re-implemented the option to build only for fw3+iptables or for fw4+nftables if you don't need both packages.

1 Like

So 3 days ago I started a pull request to include geoip-shell in the OpenWrt package repository. Still waiting for review and trying to be patient :slight_smile:

In the meantime, I published a couple of updates for geoip-shell. v0.4.9 features reliability and security improvements, v0.4.9.1 fixes a minor bug.

2 Likes

Big update here: geoip-shell has been merged into the OpenWrt packages repository and (to my understanding) should be available on the next stable OpenWrt release.

This is a very exciting development for me as I've been working towards this goal for quite a few months, gradually getting rid of extra dependencies, learning and implementing support for the various OpenWrt APIs, learning the basics of development system setup and package building. I know that this is a fairly niche project but it has a big personal significance for me and this approval makes this whole effort worthwhile. Big thanks to everyone who answered my questions along the way and helped merge the project, not the least to @robimarko, @jow (your answers are always spot-on!) and @hnyman. Thank you @brada4 for recommendations. I don't always manage to understand you, but the suggestions which I did understand were useful and are now implemented in v0.5.2.

I'm currently still providing the .ipk packages from my Github repo since they include important changes which the downstream version still has not incorporated (I'll submit a pull request soon), because the packages are currently only available from the development OpenWrt branch, and because the project is unlikely to get backported to earlier OpenWrt releases which support iptables and firewall3.

In the meantime, I have released v0.5.2 with important bug fixes and efficiency improvements, available here:

https://github.com/friendly-bits/geoip-shell/releases/tag/v0.5.2

4 Likes

Just a short update on this project.

At this point I have implemented all features I had planned and all features requested by users and recommended by reviewers which I found feasible. I have also fixed all bugs I'm aware of. So if someone here wants to request additional features, this is perhaps a good time for that. I don't promise to implement everything but I will definitely consider them. I would also like to hear from people who are using the project and what their experience is and if they feel that anything is missing.

Also - while geoip-shell is designed to support virtually any Linux system, making it visible to people is difficult. So if you like and appreciate this project, please consider spreading the word about it. After all, this is an open-source project which I am developing for free in my spare time, and the only benefit I'm getting from it is seeing people use and enjoy it.

2 Likes

Hello,

I've been looking up how to set up a simple geo block on my router and your thread came up in Google. I see your last reply/update on this project was April. I hope it still works well as it's exactly what I'm hoping to implement for my simple self-hosted project as another layer of security.

1 Like

Hi Andromeda, basically geoip-shell is nearly feature-complete, so at this point releases are mainly for bug fixes. There is a new release in the works but for now you can use v0.5.3 which should work fine.

2 Likes

Or if you prefer to get the OpenWrt-approved version, you can download geoip-shell v0.5.2 from OpenWrt packages snapshots:

https://mirror-03.infra.openwrt.org/snapshots/packages/

Hi all, here's a quick update on this project. There have been a few releases recently focusing mainly on bug fixes and reliability improvements. Some of them are OpenWrt-specific. As always, the most recent release (which includes packages for OpenWrt) is available on my Github page:

github.com/friendly-bits/geoip-shell

While the current release is v0.5.6, the official OpenWrt repository still has v0.5.2. I'll try to find time to push the update to the repository soon.

3 Likes

Thanks for this. I wanted to try it out but I get this error when creating the config:

geoip-shell: Applying config...

Can not find download utility with SSL support. Enable insecure downloads?
y|n: n
fetch: Error: No fetch utility available.
run: Error: Failed to fetch and validate lists 'AR_ipv4 AR_ipv6 US_ipv4 US_ipv6'.
run: Warning: Aborting the action 'add'.
geoip-shell: Warning: Discrepancy detected between the firewall state and the config file.
geoip-shell: Warning: missing ip lists in the firewall: 'AR_ipv4 AR_ipv6 US_ipv4 US_ipv6'
geoip-shell: Error: Failed to apply geoip-shell config.

and if I say yes to insecure downloads it gets stuck in "Checking connectivity".

Thanks.

Hi, you don't have the packages required for SSL communication installed (can't tell which off the top of my head). As to the checking connectivity issue, knowing that you are using adblock-lean in whitelist mode, I think that you will need to add ipdeny.com to the allowlist, then restart adblock-lean, in order for the connectivity check and download to work.

I have disabled adblock-lean before running the setup, but thanks for the reminder.
I can access ipdeny.com just fine on my browser.
I'll check and see what the SSL utility is called.
Thanks.

Interesting. Then possibly geoip-shell has an issue with uclient-fetch when SSL support is unavailable. I'll look into this. In the meantime, you could install curl if your device is not short on space.

1 Like

curl

Thanks, that did the trick. It's up and running now :smiley: .

1 Like