mass blocking IPs with tomato

Discussion in 'Tomato Firmware' started by rs232, Oct 6, 2013.

  1. rs232

    rs232 Network Guru Member

    I started to have a look on how to block connections based on iblock lists (like peerblock/peerguardian per say) and found this interesting link:

    However when I go running the iptables line:
    ipset --create ipban iphash
    iptables -I INPUT -i vlan2 -m set --set ipban src -j DROP
    I get:

    iptables: No chain/target/match by that name
    Reading up elsewhere it appears like the CONFIG_NETFILTER_XT_MATCH_STATE is not configured in the kernel. I was wondering how likely it would be for the mods to add this to their build so that we can take full advantage of the already installed ipset


    p.s. totally unrelated but the mod netem would also be a great addition
  2. kthaddock

    kthaddock Network Guru Member

  3. rs232

    rs232 Network Guru Member

    Thanks for this, I actually found it and tried it before posting.
    The list is compiled (it takes sometime on my RT-N16) but when it comes to run the very last command:

    iptables -I FORWARD -m set --set BluetackLevel1 src,dst -j DROP
    I still get:

    iptables: No chain/target/match by that name
    Am I doing anything wrong or is it rather the kernel support missing as per original post?
  4. kthaddock

    kthaddock Network Guru Member

    You need all this:
    rs232 likes this.
  5. rs232

    rs232 Network Guru Member

    Gee it works! wow great stuff

    I want to test this, especially how it affects the performance.

    Next step would be a little modification to support multiple lists then I can get the rid of all the peerblock/peerguardian installations on my clients

    Last edited: Oct 7, 2013
  6. jerrm

    jerrm Network Guru Member

    ipset performs well, but the rule is probably better placed in the wanin/wanout chains. Placing it at the top of FORWARD is looking at a lot of unnecessary packets.
    Last edited: Oct 7, 2013
    koitsu likes this.
  7. rs232

    rs232 Network Guru Member

    I've added a second list which demonstrate the principle and can be replicated for N lists (RAM permitting):

    # Level 2
    if [ "$(ipset --swap BluetackLevel2 BluetackLevel2 2>&1 | grep 'Unknown set')" != "" ]
    ipset --create BluetackLevel2 iptreemap
    [ -e /tmp/bluetack_lev2.lst ] || wget -q -O - "" | \
    gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > /tmp/bluetack_lev2.lst
    for IP in $(cat /tmp/bluetack_lev2.lst)
    ipset -A BluetackLevel2 $IP
    iptables -I FORWARD -m set --set BluetackLevel2 src,dst -j DROP

    It seems to be working fine. though a "for/while" loop would possibly be the best option for multiple lists

    Few questions:

    1) about ipset: does the list really have to live permanently in /tmp? This is using quite a lot of RAM and I was thinking to either move it into cifs or remove it as soon as the ipset is populated. What do you think?

    2) About the FORWARD I guess that would be good enough for LAN traffic but it wouldn't protect p2p downloads in case "transmission" on the router is used. So perhaps better use INPUT?

    3) Can you think of any way to check if the iplist needs to be re-downloaded or not (e.g. updated or not)?
  8. jerrm

    jerrm Network Guru Member

    1: No, list can live on any storage medium, or could be deleted after building the ipset.
    2: Correct, for the router you would also need to add a rule to the INPUT chain. Note you will need both FORWARD and INPUT rules.
    3: Look at Script: Clean, Lean and Mean Adblocking for a very clever way to check the http Last-Modified header to determine if a file has been updated. May or may not work with the blocklist files, depends on how the files are generated and served. Alternatively, download and save the gzipped version, and run a cmp test to see if it has changed. You'd still be downloading the file, but not going through the list building process unless needed.

    EDIT: It looks like the update URLs redirect to a different file. If you want to use haarp's method, it would need to be expanded to follow the redirect request. At first glance, it appears a valid Last-Modified header is served for the actual file.
    Last edited: Oct 7, 2013
  9. rs232

    rs232 Network Guru Member

    Thanks for the inputs

    After running few tests there's still something I can't figure out

    The script as it is (peerguardian part) with list level1 set will block certain internet sites e.g. and that include media content like iplayer a.s.o.
    What I can't understand is: if I do not run this script on the router, and use instead peerblock on my laptop with the very same list (level1) why do these sites work instead?
  10. 68rustang

    68rustang Serious Server Member

    Is any more work done with this? Is there a tutorial for dummies? I was able to follow the instructions for Lean and Mean Adblocking but do not understand how to make this work alongside it.
  11. Almaz

    Almaz Networkin' Nut Member

  12. rs232

    rs232 Network Guru Member

    Look at the p2partisan post:

    For LAN clients e.g. utorrent on windows and any other traffic (not only p2p)
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice