Hi
I need to hard block (not just by TLD) ru and BY crap. At all. Preferably by IP ranges.
I found this instruction:
Method 1: Using IPset and GeoIP
Install the ipset and geoip packages on your OpenWRT router:
opkg update
opkg install ipset geoip
Create a new IP set for the countries you want to block:
ipset create block_ru hash:net
ipset create block_by hash:net
Download the GeoIP database for the countries you want to block:
wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb
Convert the GeoIP database to an IP set format:
geoip2ipset -c RU,BY GeoLite2-Country.mmdb block_ru block_by
Add the IP sets to your firewall configuration to block traffic:
iptables -t filter -A FORWARD -m set --match-set block_ru src -j DROP
iptables -t filter -A FORWARD -m set --match-set block_by src -j DROP
Method 2: Using dnsmasq and GeoIP
Install the dnsmasq package on your OpenWRT router:
opkg update
opkg install dnsmasq
Configure dnsmasq to use the GeoIP database:
uci set dnsmasq.@dnsmasq[0].geoip=/usr/share/GeoIP/GeoLite2-Country.mmdb
uci commit dnsmasq
Create a new configuration file for dnsmasq to block the countries:
echo "ipset=/block_ru,RU
ipset=/block_by,BY" >> /etc/dnsmasq.conf
Restart dnsmasq to apply the changes:
/etc/init.d/dnsmasq restart
Will this config work? Or do you have more advice?
P.S.: I do not expect a 100% accurate block. I want to block most of the ru crap.
admon
June 22, 2024, 8:55am
2
Give it a try and report back.
Since it blocks the IP ranges it will help, but tbh … IP blocking is pretty useless since there are CDNs, vHosts and stuff like this.
It depends on your needs, which you need to clarify.
What do you mean? As far as I know, they have a law that forbids them from officially using servers abroad. They have foreign hosting blocked!
So in their case they should be blocked by IP.
On my website I already banned access from ru IPs by this method, so I wonder whether it will work on OpenWRT.
admon
June 22, 2024, 11:50am
4
Laws are only for people who obey them.
Many russians just use VPN - like in all „special“ countries.
@admon, can you take a look at this:
These ones to block…
Renato:
Block all VPNs
Why? I want to block access from my network, not to my network (for this case I just set DROP for all incoming traffic).
admon
June 22, 2024, 2:04pm
8
So you want to block traffic flows from your network to any russian one? Then you are good to go with IP addresses. But it won't help against russian websites located outside of russia. And yeah, they exist for sure.
Not 100%. I don’t expect 100% efficiency, but 90% will be OK. The main idea is to prevent my family from accessing that crap. I know that this can be bypassed, but I don’t expect 100% efficiency; I need to make it more difficult to use that crap.
Can you advise me how to block them in bulk? Or even set up auto-update?
admon
June 22, 2024, 3:09pm
10
None of them will work out-of-the-box, at least not on my system.
I might look into this to create a script, but can't promise a time range for that.
Starting by using AdGuard Home and blocking ru domains is the best you can do so far.
admon:
AdGuard Home
Spitz doesn’t support it
I will be really pleased if so. It is not urgent. If you want, you may help. But if it is a burden, you should not.
admon
June 22, 2024, 4:21pm
12
At least it's not possible to block that many addresses using the built-in firewall. It will cause the error:
uci: Parse error (too many arguments) at line 8563, byte 2372
The list would be huge, not even sure if the Spitz can handle it.
I can do extroot or store it on SD…
@alzhao or @bruce any ideas?
admon
June 22, 2024, 6:26pm
14
It's not about storage. The IP lists (for RU it's nearly 8000 lines) must be held in RAM the whole time so the firewall can evaluate the traffic. That should be waaaaay too much.
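As an added example, not code from any post in this thread and not from OpenWrt or GL.iNet, here is a working shape for "Method 1" from the first post on a current OpenWrt (22.03 or later, fw4/nftables) router. It also addresses the two later posts: the uci parse error from pushing thousands of entries into /etc/config/firewall is avoided because the list never goes through uci, and the RAM question is something to measure rather than guess (see the note after the block). The example does not depend on the `geoip2ipset` tool or the dnsmasq `geoip` option from the quoted instructions; it only needs a plain text file with one IPv4 CIDR per line, which is how free per-country aggregates are usually published (obtain your own; the script fetches nothing). One correction to the iptables lines in the first post: `--match-set block_ru src` drops packets coming *from* those ranges, which is the wrong direction for "block access from my network"; to stop LAN clients reaching them you match the destination address, which is what the `ip daddr` rule does below. The table name `inet geoblock`, all file names, and the sample prefixes are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from OpenWrt/GL.iNet.
# Builds an nftables file that drops outbound (LAN -> WAN) traffic to a set of
# IPv4 prefixes, one interval set per country, on an OpenWrt router using fw4.
# Assumptions (labelled as such):
#  - the input list has one IPv4 CIDR per line; comments and junk are skipped;
#    fetching the list is up to you, this script makes no network calls;
#  - the table name "inet geoblock" and all file names are hypothetical;
#  - fw4 flushes only its own "inet fw4" table on reload, so a separate table
#    survives; verify with "nft list tables" after "fw4 reload".

# Keep only lines that look like an IPv4 address or CIDR, deduplicated.
clean_cidrs() {
    grep -Eo '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?' "$1" | sort -u
}

# Write an nft ruleset file.
# $1 = output path; remaining arguments are "setname:listfile" pairs.
build_geoblock_nft() {
    out="$1"; shift
    {
        # Idempotent re-create: declare (no-op if present), delete, define.
        printf 'table inet geoblock\n'
        printf 'delete table inet geoblock\n'
        printf 'table inet geoblock {\n'
        for pair in "$@"; do
            name="${pair%%:*}"; file="${pair#*:}"
            printf '    set %s {\n' "$name"
            # "interval" lets elements be prefixes; auto-merge collapses overlaps.
            printf '        type ipv4_addr\n        flags interval\n        auto-merge\n'
            list=$(clean_cidrs "$file")
            if [ -n "$list" ]; then          # nft rejects an empty elements block
                printf '        elements = {\n'
                printf '%s\n' "$list" | awk '{ printf "%s            %s", (NR > 1 ? ",\n" : ""), $0 } END { printf "\n" }'
                printf '        }\n'
            fi
            printf '    }\n'
        done
        # Base chain on the forward hook. A drop here wins even if fw4 accepts,
        # because every base chain on a hook sees the packet.
        printf '    chain forward {\n'
        printf '        type filter hook forward priority -10; policy accept;\n'
        for pair in "$@"; do
            # Destination match: block where LAN clients go, not who reaches us.
            printf '        ip daddr @%s counter drop\n' "${pair%%:*}"
        done
        printf '    }\n}\n'
    } > "$out"
}

# Constructed sample list using documentation prefixes (NOT real RU/BY ranges),
# so the script can be run offline.
make_sample_list() {
    cat > "$1" <<'EOF'
# comment line
203.0.113.0/24
198.51.100.0/25
198.51.100.128/25
192.0.2.0/24
192.0.2.0/24
not-an-address
EOF
}

# Stand-alone demo: "sh geoblock.sh demo" builds a file from the sample list.
# On the router (hypothetical paths):
#   build_geoblock_nft /etc/geoblock.nft block_ru:/tmp/ru.txt block_by:/tmp/by.txt
#   nft -f /etc/geoblock.nft && nft list set inet geoblock block_ru | head
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_list "$tmp/sample.txt"
    build_geoblock_nft "$tmp/geoblock.nft" "block_ru:$tmp/sample.txt"
    cat "$tmp/geoblock.nft"
fi
```

Measure the cost on the Spitz instead of guessing: run `free` before and after `nft -f`, and `nft list set inet geoblock block_ru | wc -l` to confirm the count loaded. Only IPv4 is covered; an IPv6 list needs a second set of type `ipv6_addr` with an `ip6 daddr` rule. Refresh from cron by re-running the build and `nft -f`, and after any `fw4 reload` check that `nft list tables` still shows `inet geoblock`.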
admon:
used in RAM
Can I use part of SD as RAM? Or maybe use dnsmasq for this?
No, not that I'm aware of.
You need to get a beefier device. Look into an x86 box as your firewall, OPNsense, and use the GL.iNet as the access point.
Or get a Firewalla Purple for $329. It can do repeater mode (travel mode), it can block 10 countries, and it has other cool features.
admon
June 23, 2024, 7:15am
17
Or go AdGuard DNS and block the countries there.
beniamin:
Firewalla purple
I wanna stick with Gl.
admon:
AdGuard DNS
Found a better solution.
uci add_list dhcp.@dnsmasq[0].address='/ru/0.0.0.0'
uci commit dhcp
uci add_list dhcp.@dnsmasq[0].address='/su/0.0.0.0'
uci commit dhcp
service dnsmasq restart
Also, you can set up ad blocking even on weak devices like this:
uci add_list dhcp.@dnsmasq[0].addnhosts="/sda1/hosts.txt"
uci commit dhcp
/etc/init.d/dnsmasq restart
This will add the hosts file on your SD card as additional hosts.
slesar
June 23, 2024, 11:24am
20
I think it's very simple in AdGuard Home.
Add manual filter:
||*.ru/^
||*.xn--p1ai$/^
The second line might also work; it is for the Cyrillic domain (*.рф).
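As an added example, not code from any post in this thread, the following shows what the dnsmasq `address='/ru/0.0.0.0'` approach from the earlier post actually matches, and why the Cyrillic TLD in the AdGuard Home rule above is written as `xn--p1ai`: resolvers see the wire-format (punycode) name, so a sinkhole for .рф has to be configured in that form. The script prints the uci commands for a list of TLDs and mirrors dnsmasq's domain matching for `address=/tld/`, which covers the TLD itself and any name under it, but not a name that merely contains "ru" (`ru.example.com`, `example.ruby`). The TLD list, the sample names and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread. Shows (1) the uci commands that
# sinkhole whole TLDs in dnsmasq, including the punycode form of .рф, and
# (2) which query names an "address=/tld/0.0.0.0" rule affects.
# Assumption: dnsmasq compares the wire-format (punycode) name, so the Cyrillic
# TLD must be given as xn--p1ai. All names below are constructed examples.

BLOCKED_TLDS="ru su xn--p1ai"   # xn--p1ai is the IDNA (punycode) form of рф

# Print the uci commands (one per TLD) that add the sinkhole entries.
uci_commands() {
    for tld in $BLOCKED_TLDS; do
        printf "uci add_list dhcp.@dnsmasq[0].address='/%s/0.0.0.0'\n" "$tld"
    done
    printf 'uci commit dhcp\nservice dnsmasq restart\n'
}

# Mirror dnsmasq's matching: address=/ru/ covers "ru" and any name whose label
# boundary ends in ".ru", but not "ru.example.com" or "example.ruby".
would_be_sinkholed() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name="${name%.}"            # strip the trailing dot of a fully-qualified name
    for tld in $BLOCKED_TLDS; do
        case "$name" in
            "$tld"|*."$tld") return 0 ;;
        esac
    done
    return 1
}

# Check from a LAN client that uses the router as resolver; a sinkholed name
# must come back as 0.0.0.0:
#   nslookup mail.ru        ->  Address: 0.0.0.0
# Only clients that actually query the router's dnsmasq are covered. DNS over
# HTTPS/TLS or a hard-coded resolver such as 8.8.8.8 bypasses it unless the
# firewall redirects port 53 to the router and drops port 853 to the WAN.

for n in mail.ru example.xn--p1ai ru.example.com example.ruby RU.; do
    if would_be_sinkholed "$n"; then
        printf '%-20s blocked\n' "$n"
    else
        printf '%-20s allowed\n' "$n"
    fi
done
```

The same punycode point applies to AdGuard Home filter rules, which is why the second rule in the post above uses `xn--p1ai` rather than `рф`. A DNS sinkhole stops name resolution only; a client that already knows an IP, or that runs its own encrypted resolver, is not affected, which is why the IP-set approach discussed earlier and the DNS approach complement each other.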