OpenWrt Forum Archive

Topic: What packages are needed to have LuCI create an IP Blacklist?

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Is there any OpenWRT package(s) that will allow creation of a blacklist (and Whitelist) of IP addresses, using the LuCI browser interface?

I wanted to make a separate nano router act as an IP filter before it connects to my main home router, and have the nano router plug into my modem first.

I would suspect I'd need a router with at least 2 Ethernet ports, so the nano 'filtering-router' can remain wired to the modem and my normal router without using a WiFi link. But do I need to re-configure either Ethernet port to act like the same modem port for the normal home router, so it behaves as it should, thinking it's connected to my cable modem?

I was thinking about this, and wondered if it's simply controlled with the firewall through the LuCI interface?

I'm not trying to block ads, I'm just trying to block an actual IP address, so if I'm correct that the firewall can create a blacklist of unwanted IP addresses, is there a special rule other than simply having it ignore them?

I'd appreciate any confirmation so I don't need to continue my search.
If it's more than just that, PLEASE direct me to the wiki page that explains it.

Thanks.

If you know the IP addresses to be blocked, you can just use firewall to block traffic. No need for an additional router.

You can add the blocking rule to the firewall config by hand. Example in wiki:
https://wiki.openwrt.org/doc/uci/firewall?s[]=firewall#block_access_to_a_specific_host
The example below blocks traffic for a specific site (www.mtv3.fi):

config rule
        option enabled '1'
        option src 'lan'
        option dest 'wan'
        option name 'blockMTV3'
        option dest_ip '178.217.129.234'
        option target 'REJECT'

Or use LuCI to set it. I used LuCI to create the above rule.
(Network - Firewall - Traffic rules - "new forward rule" - edit rule. When editing, you need to set the "destination address" to the IP and "action" to silent "drop" or feedback-providing "reject")

If you have a long list of addresses, then you might consider using one of the adblock packages. E.g. the "adblock" package does the same and also makes sure that a possible www browser gets feedback and does not just wait for the page to load the whole timeout.

Thank you hnyman, I thought so, but wasn't sure.

I may need to use a separate router to do this because my main router doesn't have this extensive firewall capability, and isn't compatible with OpenWRT, so I can't install it there.

I can get a 2 Ethernet port nano router to use as this 'filter-router' between my cable modem and the main router for around $25 USD, so it's not a problem.

If I turn off DHCP on it, and give it a STATIC IP address, I don't think it should cause any problems being between the modem and main router. Am I correct?
Or is there anything regarding that I should know about?

One more thing I wanted to make sure that is understood...
The IP addresses I'm needing to block are the INCOMING traffic ...not outgoing.

They are from hackers trying to get into various ports on my router, like 5050 and 520.
So there's no URL (name) associated with them.

I hope the firewall also has provisions to block separate incoming IP addresses as easily as it seems to for the outgoing traffic.

I'll be adding these as they show up in my router log (one at a time), so I don't think I'll need to create or add any Adblock package with text lists to load in.

Linux has a special solution for dealing with large IP lists. It's called ipset.
Not sure about direct LuCI support, but OpenWrt's firewall supports ipsets in /etc/config/firewall.
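To tie the two replies together for the incoming-traffic case the original poster actually has (unsolicited connections from the WAN side to ports on the router itself), here is an added /etc/config/firewall fragment. It is not from this thread or from the OpenWrt wiki; it uses the firewall3 (fw3) syntax that the 2018-era wiki page linked above describes. The rule names, the ipset name 'blocklist' and the addresses 198.51.100.7 and 203.0.113.0/24 are constructed placeholders (RFC 5737 documentation ranges), not real attacker addresses. The first stanza is the one-address-at-a-time approach hnyman's example used, flipped to match source instead of destination; the second pair shows the ipset approach from the last reply, which scales to long lists without one rule per address.

```uci
# Added example (not from the thread). Drop everything arriving from one
# constructed source address on the WAN zone. With no 'dest' option the rule
# applies to traffic addressed to the router itself (the INPUT chain), which
# is what port probes against the router look like. 'proto all' matters:
# fw3 defaults a rule to tcp+udp, so ICMP and other protocols would slip
# through without it.
config rule
        option enabled '1'
        option name 'drop-198.51.100.7'
        option src 'wan'
        option src_ip '198.51.100.7'
        option proto 'all'
        option target 'DROP'

# Same source, but for traffic the router would forward on to the LAN.
# 'dest *' means any destination zone.
config rule
        option enabled '1'
        option name 'drop-198.51.100.7-fwd'
        option src 'wan'
        option dest '*'
        option src_ip '198.51.100.7'
        option proto 'all'
        option target 'DROP'

# The ipset approach: one named set holding the whole list. Requires the
# 'ipset' package (opkg install ipset). 'match src_ip' with 'storage hash'
# gives a hash:ip set; entries can be single hosts or CIDR blocks. New
# addresses are appended as 'list entry' lines instead of new rule stanzas.
config ipset
        option enabled '1'
        option name 'blocklist'
        option family 'ipv4'
        option storage 'hash'
        option match 'src_ip'
        list entry '198.51.100.7'
        list entry '203.0.113.0/24'

# One rule references the set; it applies to the router's own ports because
# there is no 'dest'. Add a second copy with 'option dest '*'' to cover
# forwarded traffic too.
config rule
        option enabled '1'
        option name 'drop-blocklist'
        option src 'wan'
        option ipset 'blocklist'
        option proto 'all'
        option target 'DROP'
```

After editing the file, run `/etc/init.d/firewall reload` so fw3 rebuilds the iptables and ipset state. DROP (rather than REJECT) is the better choice for unsolicited WAN traffic: the sender gets no confirmation that anything is listening. Note that a default OpenWrt configuration already rejects unsolicited inbound connections on the WAN zone, so these rules mainly buy something if ports have been opened or forwarded, or if you want the probes to stop appearing in the log at all.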

The discussion might have continued from here.