OpenWrt Forum Archive

Topic: Firewall: Allow packets only from a specific country

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello!

    I am getting confused about configuring the firewall in Kamikaze.

    From Luci I can easily enable/disable WAN ports etc. For a few days I have been getting attacks from various countries on my open ports.

    I would like to configure my firewall to immediately drop all incoming packets originated outside of my country, and use Luci firewall settings for packets originated in my country.

    I have a CIDR list of allowed IPs:
----extract----
allow from 31.46.64.0/18
allow from 31.46.128.0/17
allow from 31.171.224.0/20
----extract----

    Can you please suggest a solution?

Cheers,

   Attila

(Last edited by apstech on 30 Apr 2012, 15:47)

This site has a pretty handy guide, including scripts.

http://www.cyberciti.biz/faq/block-enti … -iptables/

And I know the referenced ipdeny.com site still has the lists available for download because I was on that site just recently.

Thanks for the idea!
   The site explains blacklisting specific countries, which could be a solution to my problem.

   Originally I would like to do the inverse, and if possible keep the web IF configuration as well... Do you think it is possible to do a "complex pre-filtering" before the web UI filters get evaluated?

   Do you think it is worth keeping the WEBUI configuration and adding additional "complex pre-filtering" rules, or should I just use iptables -F in firewall.user?

Thanks,

    Attila

You can prefilter just fine, simply use -I to insert your rules.

Are you trying to block IPs going to your router or through forwarded ports?  The IP information from http://www.ipdeny.com/ipblocks/ together with ipset and iptables might be useful for you.
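The reply above suggests ipset together with a rule inserted with -I. Below is an added example that is not from this thread or from OpenWrt: it turns an ipdeny-style zone file into an `ipset restore` script and generates the matching iptables rules for firewall.user. It assumes ipset 6.x syntax (hash:net, swap, restore), an iptables build with the `-m set` match, and zone_wan as the WAN input chain as used in the thread; the zone file it writes is a constructed sample, not a real download. Loading the list into a temporary set and swapping it in means the old allowlist stays active until the new one is complete, so a failed download never leaves the router with an empty list.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenWrt.
# Assumptions (not from the page): ipset 6.x (hash:net, swap, restore),
# iptables with -m set, zone_wan as the WAN INPUT chain.

SET=countryok          # set the firewall matches against
TMPSET=${SET}_new      # set the new list is loaded into before the swap
LOGPFX="External IP Drop"

# Write a constructed sample in ipdeny's format (comment header, one CIDR
# per line). The blank line, duplicate and junk line exercise the filtering.
write_sample_zone() {
    cat > "$1" <<'EOF'
# constructed sample, not a real ipdeny download
31.46.64.0/18
31.46.128.0/17

31.171.224.0/20
31.46.64.0/18
not a network
EOF
}

# Emit an `ipset restore` script for one zone file: skip comments and blank
# lines, keep only dotted-quad/prefix entries, dedupe, then swap the freshly
# built set in place of the live one so there is no window with an empty list.
zone_to_restore() {
    zone="$1"
    echo "create $TMPSET hash:net family inet"
    echo "flush $TMPSET"
    grep -v '^#' "$zone" | grep -v '^[[:space:]]*$' |
      grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' | sort -u |
      while read -r net; do
          echo "add $TMPSET $net"
      done
    echo "create $SET hash:net family inet"
    echo "swap $TMPSET $SET"
    echo "destroy $TMPSET"
}

# Number of networks the restore script would load (handy as a sanity check
# before applying: a tiny count usually means a broken download).
count_nets() {
    zone_to_restore "$1" | grep -c '^add '
}

# iptables rules for firewall.user. The custom chain RETURNs for allowed
# sources (and established traffic, harmless if the zone chain already runs
# after the ESTABLISHED accept) and logs, rate limited, then drops the rest.
# The last line inserts the jump at the top of zone_wan with -I so the
# country filter runs before the rules generated by the web UI.
wan_rules() {
    cat <<EOF
iptables -N ${SET}_chain 2>/dev/null
iptables -F ${SET}_chain
iptables -A ${SET}_chain -m set --match-set $SET src -j RETURN
iptables -A ${SET}_chain -m state --state ESTABLISHED,RELATED -j RETURN
iptables -A ${SET}_chain -m limit --limit 10/min -j LOG --log-prefix "$LOGPFX "
iptables -A ${SET}_chain -j DROP
iptables -D zone_wan -j ${SET}_chain 2>/dev/null
iptables -I zone_wan -j ${SET}_chain
EOF
}

# What you would run on the router (as root) after fetching hu.zone; the
# path is the one used later in the thread. Not called here on purpose.
apply_on_router() {
    zone_to_restore "$1" | ipset restore -exist && wan_rules | sh
}
```

Usage on the router would be `apply_on_router /root/iptables/hu.zone`; `ipset restore -exist` makes the `create` lines idempotent on re-runs, and `count_nets` lets you refuse to swap in a list that is suspiciously short.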

Thanks for all of your ideas! I have succeeded in restricting access to a range of IP addresses. In case someone wants to do the country based filtering, the code below for firewall.user solved my issue...

Unfortunately there is a small glitch left in the filter, as I did not really understand the FORWARD concept.

Here's the problem:
I am running transmission on a laptop machine connected to my router.
Opening a zone_wan_forward port to --dport 51413 enables transmission up/download on the laptop (and transmission diagnostics reports the port open).
As soon as I enable the zone_wan filters by IP range, all packets that do not match the zone_wan filters are dropped (however I thought they would pass because of the forwarding rule). Transmission diagnostics reports the port closed.

Syslog says the dropped packet's destination is the router, not the laptop behind it. The forwarding rule did not change.

What causes this behavior? How could I work around it?


#!/bin/sh
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
### Allow all traffic from Hungary (hu). Use ISO codes separated by spaces ###
ISO="hu"

### Set PATH ###
IPT=/usr/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
ACCEPTLIST="countryok"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
SPAMDROPMSG="External IP Drop"

# Remove the jump from zone_wan and the chain itself, so re-running the
# script on a firewall restart neither leaves duplicate jump rules nor
# fails with "chain already exists". Errors are expected on the first run.
cleanOldRules(){
    $IPT -D zone_wan -j $ACCEPTLIST 2>/dev/null
    $IPT -F $ACCEPTLIST 2>/dev/null
    $IPT -X $ACCEPTLIST 2>/dev/null
}

# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# clean old rules
cleanOldRules

# create a new iptables chain
$IPT -N $ACCEPTLIST

for c in $ISO
do
    # local zone file
    tDB=$ZONEROOT/$c.zone

    # get fresh zone file; download to a temporary name first, so a failed
    # download (WAN down, ipdeny unreachable) does not truncate the previous
    # list and leave the chain with no allowed networks at all
    if $WGET -O $tDB.tmp $DLROOT/$c.zone && [ -s $tDB.tmp ]; then
        /bin/mv $tDB.tmp $tDB
    else
        /bin/rm -f $tDB.tmp
        echo "firewall.user: download of $c.zone failed, keeping old $tDB" >&2
    fi

    # skip countries for which no list has ever been fetched
    [ -f $tDB ] || continue

    # every network in the zone file is allowed: RETURN to zone_wan so the
    # rules generated by the web UI decide what to do with the packet
    GOODIPS=$($EGREP -v "^#|^$" $tDB)
    for ipaccept in $GOODIPS
    do
       $IPT -A $ACCEPTLIST -s $ipaccept -j RETURN
    done
done

# Allow transmission from anywhere
$IPT -A $ACCEPTLIST -p tcp -m tcp --dport 51413 -j RETURN
$IPT -A $ACCEPTLIST -p udp -m udp --dport 51413 -j RETURN

# Log (rate limited, so a port scan cannot flood syslog) and drop everything else
$IPT -A $ACCEPTLIST -m limit --limit 10/min -j LOG --log-prefix "$SPAMDROPMSG "
$IPT -A $ACCEPTLIST -j DROP

# Insert at the top of the WAN input chain, so the country filter runs
# before the rules generated by the web UI
$IPT -I zone_wan -j $ACCEPTLIST

exit 0

The discussion might have continued from here.