Feature Request : BanIP

routeruser1 · January 27, 2024, 8:57pm

@staff would there be any interest in supporting BanIP as a built in package?

It takes feeds from threat intelligence sites like URLHaus and adds to NFTables rules.

Malware lists on AdGuard are fine, but some threats do not use DNS when phoning home, so using this augments DNS blocking.

Being able to install this package is what made me choose my mt-6000 over UniFi - the latter has a similar function but it is closed source.

I previously used NGBlocker on PFSense to do this, but their support for PPPoE is poor…hence moving to OpenWRT.

github.com

openwrt/packages/blob/master/net/banip/files/README.md

<!-- markdownlint-disable -->

# banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables

## Description
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh.  

## Main Features
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).  
  **Please note:** By default every feed blocks all supported chains. The columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockpolicy', 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.  

| Feed                | Focus                          | WAN-INP | WAN-FWD | LAN-FWD | Information                                                   |
| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :-----------------------------------------------------------  |
| adaway              | adaway IPs                     |         |         |    x    | [Link](https://github.com/dibdot/banIP-IP-blocklists)         |
| adguard             | adguard IPs                    |         |         |    x    | [Link](https://github.com/dibdot/banIP-IP-blocklists)         |
| adguardtrackers     | adguardtracker IPs             |         |         |    x    | [Link](https://github.com/dibdot/banIP-IP-blocklists)         |
| antipopads          | antipopads IPs                 |         |         |    x    | [Link](https://github.com/dibdot/banIP-IP-blocklists)         |
| asn                 | ASN IPs                        |         |         |    x    | [Link](https://asn.ipinfo.app)                                |
| backscatterer       | backscatterer IPs              |    x    |    x    |         | [Link](https://www.uceprotect.net/en/index.php)               |
| binarydefense       | binary defense banlist         |    x    |    x    |         | [Link](https://iplists.firehol.org/?ipset=bds_atif)           |

This file has been truncated. show original

admon · January 27, 2024, 9:13pm

Afaik nftables isn’t used - does it work with iptables as well?

routeruser1 · January 27, 2024, 9:17pm

Hmm that could be a problem. It was running on my x86 OpenWRT box that I had since switching to PPPoE…I have the package installed on my mt-6000 but haven’t got round to configuring it.

NFTables is needed I believe since it uses ipsets

I had assumed that since gl-inet base their software off OpenWRT 23 the backend would be using NFTables…is this not the case?

bring.fringe18 · January 28, 2024, 7:13am

Yeah, it’s true; GL customizations to make key GUI functions happen still relying on iptables, even on their flagship the Flint v2 which runs OWRT 23.05. I’ve been on their case about it but most of the other devices still run OWRT 21.02 so…

The good news is that upstream OWRT has a 23.05 dev snapshot available. Related thread:

routeruser1 · January 28, 2024, 10:53am

Thank you, however I’m a bit confused now.

When SSHing into my mt-6000, iptables -L doesn’t list many rules

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ts-input   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ts-forward  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             match-set GL_MAC_BLOCK src

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ts-forward (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK xset 0x40000/0xff0000
ACCEPT     all  --  anywhere             anywhere             mark match 0x40000/0xff0000
ACCEPT     all  --  anywhere             anywhere

Chain ts-input (1 references)
target     prot opt source               destination

However nft list ruleset rules matches some of the rules in LuCI → Network → Firewall

For example Allow-DHCP-Renew is in both nft output and GUI, but Tailscale rules are only in the nft output

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 1 bytes 28 accept comment "!fw4: Allow-DHCP-Renew"
		meta nfproto ipv4 meta l4proto igmp counter packets 2813 bytes 101268 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"

The presence of !fw4 suggest that fw4 is managing these rules, and as far as I know it uses nftables - so I’m assuming iptables is not used.

bring.fringe18 · January 28, 2024, 10:57am

Toss this in the shell; you may need bash.

if command -v iptables; then
    if iptables -V | grep -E ' \(nf_tables\) *$'; then
        echo "nft"
    else
        echo "iptables"
    fi
elif command -v nft; then
    echo "nft";
fi

Shamelessly stolen fr linux - Check whether iptables or nftables are in use - Unix & Linux Stack Exchange … & untested.

routeruser1 · January 28, 2024, 11:22am

NFTables is definitely in use, there’s a symlink pointing iptables to it (output of that script is nft as well)

0 lrwxrwxrwx 1 root root 27 Jan 18 09:21 /usr/sbin/iptables -> /usr/sbin/xtables-nft-multi

root@GL-MT6000:~# iptables -V
iptables v1.8.8 (nf_tables)

I’m on 4.5.6, which is based off this version of OpenWrt

OpenWrt 23.05-SNAPSHOT r23001+721-38c150612c / LuCI openwrt-23.05 branch git-23.357.58018-024e7ab

Do you think something has changed since you looked at the Wireguard issue?

I will configure BanIP at some point, but need to find a good time in case it breaks connectivity.

bring.fringe18 · January 28, 2024, 11:31am

… and there it is!

I don’t have the issue; I run vanilla/pure OWRT 23.05’s PBR as a jump box behind a Slate AX as a WG gateway. I’m not inclined to trust ‘shim’ procs; not when there’s a chance of tunnel leakage. There’s a reason I don’t run without a kill switch on my gateway. YMMV.

Here, so you can fcvk around yet still unfcvk yourself :

admon · January 28, 2024, 11:39am

So it’s still iptables but with the modern API?
Why would you do something like this? I mean … legacy software, ok … but with modern API?

bring.fringe18 · January 28, 2024, 11:45am

It’s a shim. I refer you back to Iran:

routeruser1 · January 28, 2024, 12:04pm

Backwards compatibility - this tool allows the iptables syntax to be used with the nftables backend.

There’s a lot of stuff out there that’s still using iptables, Docker and K8s for example.

routeruser1 · February 4, 2024, 12:17pm

If anyone’s interested BanIP works great on my mt-6000. Had to install manually from downloads.openwrt.org to get the latest version.

Was confused for a while since it wasn’t blocking, which turned out to be Apple Private Relay working as designed.

        set urlhausv4 {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                elements = { 1.41.113.39, 1.70.10.165,
                             1.70.131.212, 1.70.185.99,
                             1.87.219.127, 1.196.104.64,
                             1.232.65.33, 2.36.68.156,

Sun Feb  4 11:09:47 2024 kern.warn kernel: [73048.674007] banIP/fwd-lan/reject/urlhausv4: IN=br-lan OUT=pppoe-secondwan SRC=192.168.8.123 DST=1.41.113.39 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=26448 PROTO=ICMP TYPE=8 CODE=0 ID=38773 SEQ=0
Sun Feb  4 11:09:48 2024 kern.warn kernel: [73049.676711] banIP/fwd-lan/reject/urlhausv4: IN=br-lan OUT=pppoe-secondwan SRC=192.168.8.123 DST=1.41.113.39 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=62386 PROTO=ICMP TYPE=8 CODE=0 ID=38773 SEQ=1
Sun Feb  4 11:10:16 2024 kern.warn kernel: [73077.985677] banIP/fwd-lan/reject/countryv4: IN=br-lan OUT=pppoe-secondwan SRC=192.168.8.123 DST=95.173.136.163 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=65291 PROTO=ICMP TYPE=8 CODE=0 ID=41589 SEQ=0
Sun Feb  4 11:10:17 2024 kern.warn kernel: [73078.986537] banIP/fwd-lan/reject/countryv4: IN=br-lan OUT=pppoe-secondwan SRC=192.168.8.123 DST=95.173.136.163 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=46570 PROTO=ICMP TYPE=8 CODE=0 ID=41589 SEQ=1

Would be great to see this functionality built into the gl-inet firmware, a malware blocking appliance is a great selling point.

admon · February 4, 2024, 12:54pm

Tbh this doesn’t work really well. Banning IPs is so 2000… since cloud computing got waaaay bigger banning IPs isn’t really useful anymore, imho.

routeruser1 · February 4, 2024, 1:48pm

Thank you, but respectfully disagree on that one - remember my use case is detecting IOCs going outbound not banning bad stuff in the WAN INPUT chain (the latter I think you might be referring to).

Malware commonly uses hard coded IP addresses to talk back to C2 servers, either for stealth or simplicity.

DNS blocking (e.g Adblock with Malware feed) will not stop these connections.

An ideal solution is to look for IOCs in both firewall and DNS logs.

xize11 · February 4, 2024, 3:05pm

I guess its a nice idea , but im afraid banip will not work on all routers due the hardware specifications it might need.

And sometimes banip can also become too restrictive , for example in one of my feeds it appears it blocked some ip from spotify so i had to add the offending domain names in the allow list, other times it blocked my local ranges.

Its a nice feature but im very afraid people might lack the essential skill to find the right offender in such situations

Edit:

Also ip addresses can change from ownership, the sad truth is that you can never fully control it, and often a entry can become a false positive.

bring.fringe18 · February 4, 2024, 3:25pm

I think Safing’s Portmaster Plus (read: paid) subscription should be handle that for you. It’s client side though. The F/OSS/Free-beer edition is great if you’re just looking for interception, denial.

routeruser1 · February 4, 2024, 5:35pm

@xize11 Thanks, was that the Firehol lists - they have many AWS/Azure ranges associated with spam email, and even RFC1918 ranges in there(!). I had the same problem with NGBlocker on PFSense.

URLHaus has had the least false positives and real hits for me, I use this professionally in an enterprise setting.

@bring.fringe18 Thanks, really interesting product. Although the appeal of the mt-6000 is that it’s the exit point to the internet, provides a shell/python, runs 24x7 at 7-10 watts and through Adblock/BanIP it can block IOT/mobile threats.

Anyway, thanks for the feedback everyone - it looks like it works fine on my router and I’m very happy.

Perhaps someone from @staff could kindly consider this for a feature request, Unifi have a similar feature on their high end solutions but I’d rather use gl-inet.

bring.fringe18 · February 4, 2024, 5:47pm

Well IDK how much this could be useful to you but dnscrypt-proxy2 can log all DNS lookups in conjunction w/ dnsmasq logging the LAN client/host. IDK about outbound IP attempts though. Still, it might be of interest to your use case. ‘More tools for the box’, if you will.

xize11 · February 4, 2024, 5:49pm

Jup this one is known for me, but it also happens on some country feeds.

routeruser1 · February 4, 2024, 6:00pm

Thank you, gl-inet provide this out the box with AdGuardHome though - the lists used are here