OpenWrt Geoblocking

Hello,

I'm searching for the best way to block IPs by country. Any suggestions to get this working with OpenWrt?

Thanks Christian

banIP has an option for that.

1 Like

I discovered geo blocking is pretty inaccurate, even though I used the latest DBs, and started blocking all + white list of ISP ranges I would allow.

Thanks @trendy, I'll take a look.

@frollic it may be inaccurate. I'm using MaxMind's GeoIP database on another server with nginx and had no problems so far. In my opinion it's better and more secure to filter approx. 90% of the IPs in this world for my services than not... in addition to the other safety features...

I used the same DB, updating it on a weekly basis.

I had the lists injected into my shorewall firewall, and noticed (mainly) IPs originating from CN wouldn't get blocked, since the DB wasn't accurate (or updated?) enough.

Using some other lookup tool/site like ipinfo.io, confirmed the IP location.

But I agree, it's better than nothing.

Like I said, better block than not block. I, for my personal needs, will block all and whitelist a few countries so the hope that they're more accurate is higher...

I had a quick look at banIP but it seems it's not precompiled in the snapshot I use (bpi-r3). Is there an easier way?

I heartily disagree, geoIP is fundamentally just a heuristic and one that fails relatively often. That might be OK if you need to convince your content providers that you only serve a specific region of the world and hence do not need to pay for world-wide distribution rights. But for anything else you need to consider whether the inevitable false positive rate is going to be a problem as well as the inevitable false negative rates, that is you will fail to detect users from excluded parts of the world and you will misclassify users from permitted parts of the world as being located in excluded parts. It is well possible that this is an acceptable trade-off, but it is certainly not a win all around.

Personally, I would rather look at fail2ban or similar solutions that are based on suspect behaviour instead of suspect IP ranges, but I understand that this is a subjective preference (plus in my case I routinely see how geoIP providers consistently fail to localize my link appropriately, even though the country is correct).

1 Like

I thought I just said the same ? :wink:

I actually used f2b with the previously mentioned ipinfo.io. All IPs got queried, and if the reply
didn't match the white list, it got added to the f2b DB, and dropped in the fw.
IP also got distributed to the other host(s), open to internet.

Eventually I just blocked everything, and put up a narrow white list :slight_smile:

1 Like

Sorry, I was reading too much endorsement into your "better than nothing"....

1 Like

That works well, if you can control the IPs of your intended remote end-devices...

Thanks for the answers. F2b alone is just additional for sure, but with ipinfo.io and all queried this looks really promising. And like I said, geoblocking can't be the one, but blocking that amount is a beginning for my demands. I won't serve customers from different locations. I only serve me with the best security I can get for my service, and one would be block all except, in addition to all other features.

While I'm writing: why query every single IP with ipinfo.io although I can block 90% with ipsets?

thanks christian

Because the geo db is a hit or miss...

I have just another idea. What about taking the data from ripe.net and making an ipset for EU countries to whitelist?

If a company mainly located in the RIPE area happens to use RIPE-sourced IP ranges for overseas branches you get false positives...
Let's face it, geoIP is at best a rough heuristic that should not be taken too seriously, it is not a good match for how IP networks like the internet are set up and operate....

Sidenote, the 'obvious' alternative, delay triangulation from a set of known vantage points has similar challenges, e.g. with rural customers in country A being served via geostationary satellite in country B... or chestnuts like the otherwise excellent init7 routing traffic too from European incumbents via data centers in the US to make a policy point...

However, if one truly wants to outsource the decision which IPs to accept or reject, RIPE and friends seem like better places than commercial geoIP providers....

Again, for some use-cases false positives and negatives can be a non-issue and there geoIP might have some utility.... or a lot of utility, it really depends on the 'why' one wants this information in the first place.

1 Like
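The RIPE-based whitelist idea discussed above, sketched as an added example that is not code from any poster in this thread: it converts RIR "delegated" statistics records into CIDR prefixes for chosen country codes. The function names and the sample records are assumptions made for illustration; the registry's country code describes where the resource was registered, so the false-positive caveat raised in the reply still applies.

```shell
#!/bin/sh
# Record layout of an RIR "delegated" statistics file (pipe-separated):
#   registry|cc|type|start|value|date|status
# ipv4: value is an address COUNT (not always a power of two)
# ipv6: value is already a prefix length

# Usage: delegated_to_cidr "DE FR" < delegated-file   (hypothetical helper)
delegated_to_cidr() {
    awk -F'|' -v want="$1" '
    BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) cc[a[i]] = 1 }
    # Skip comments, the version header, summary lines, other countries.
    /^#/ || NF < 7 || !($2 in cc) { next }
    # Keep only space actually handed out to a holder.
    $7 != "allocated" && $7 != "assigned" { next }
    $3 == "ipv6" { print $4 "/" $5; next }
    $3 == "ipv4" {
        split($4, o, ".")
        start = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        left = $5
        # Peel off the largest aligned power-of-two block each round.
        while (left > 0) {
            size = 1; bits = 32
            while (size * 2 <= left && start % (size * 2) == 0) {
                size *= 2; bits--
            }
            printf "%d.%d.%d.%d/%d\n", int(start / 16777216) % 256,
                int(start / 65536) % 256, int(start / 256) % 256,
                start % 256, bits
            start += size; left -= size
        }
    }'
}

# Constructed sample records (documentation ranges, not real registry data).
sample_delegated() {
    cat <<'EOF'
2|ripencc|20240101|5|19830705|20240101|+0100
ripencc|*|ipv4|*|4|summary
ripencc|DE|ipv4|192.0.2.0|192|20100101|allocated
ripencc|FR|ipv4|198.51.100.0|256|20110101|assigned
ripencc|CN|ipv4|203.0.113.0|256|20120101|allocated
ripencc|DE|ipv6|2001:db8::|32|20130101|allocated
ripencc|DE|ipv4|192.0.2.192|64|20140101|reserved
EOF
}

# One CIDR per line, ready to feed into an ipset or nftables set.
sample_delegated | delegated_to_cidr "DE FR"
```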

Thanks so far. At this moment I've set this a few steps back due to the lack of time and many other things I have to do to make the services run reliably and harden them.

I'll come back soon and report.

Thanks