How to block ru crap?

blocker · June 22, 2024, 1:34am

Hi

I need to hard block (not just by TLD) ru and BY crap. At all. Preferably by IP ranges.

I found this instruction:

Method 1: Using IPset and GeoIP

Install the ipset and geoip packages on your OpenWRT router:

opkg update
opkg install ipset geoip

Create a new IP set for the countries you want to block:

ipset create block_ru hash:net
ipset create block_by hash:net

Download the GeoIP database for the countries you want to block:

wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb

Convert the GeoIP database to an IP set format:

geoip2ipset -c RU,BY GeoLite2-Country.mmdb block_ru block_by

Add the IP sets to your firewall configuration to block traffic:

iptables -t filter -A FORWARD -m set --match-set block_ru src -j DROP
iptables -t filter -A FORWARD -m set --match-set block_by src -j DROP

Method 2: Using dnsmasq and GeoIP

Install the dnsmasq package on your OpenWRT router:

opkg update
opkg install dnsmasq

Configure dnsmasq to use the GeoIP database:

uci set dnsmasq.@dnsmasq[0].geoip=/usr/share/GeoIP/GeoLite2-Country.mmdb
uci commit dnsmasq

Create a new configuration file for dnsmasq to block the countries:

echo "ipset=/block_ru,RU
ipset=/block_by,BY" >> /etc/dnsmasq.conf

Restart dnsmasq to apply the changes:

/etc/init.d/dnsmasq restart

Will this config work? Or you have more advices?

P.S: I do not expect to 100% accurate block. I want to block most of ru crap.

admon · June 22, 2024, 8:55am

Give it a try and report back.

Since it blocks the IP ranges it will help, but tbh … IP blocking is pretty useless since there are CDNs, vHosts and stuff like this.

It depends on your needs, which you need to clarify.

blocker · June 22, 2024, 11:32am

What do you mean? As I know they have law that forbids them to use servers abroad officially. They have abroad hostings blocked!

So in their case they should be blocked by IP

On my website I already banned access from ru IPs by this method, so I wonder will it work on OpenWRT

admon · June 22, 2024, 11:50am

Laws are only for people who obey them.
Many russians just use VPN - like in all „special“ countries.

slesar · June 22, 2024, 11:50am

try open website "ya.ru"

Renato · June 22, 2024, 1:51pm

Block all VPNs

blocker · June 22, 2024, 2:02pm

@admon, can you take a look on this:

github.com

herrbischoff/country-ip-blocks/blob/master/ipv4/ru.cidr

2.56.24.0/22
2.56.88.0/22
2.56.180.0/22
2.57.0.0/24
2.57.36.0/22
2.57.52.0/22
2.57.80.0/22
2.57.112.0/22
2.57.184.0/22
2.58.68.0/22
2.58.124.0/22
2.59.51.0/24
2.59.76.0/22
2.59.80.0/22
2.59.160.0/22
2.59.216.0/22
2.59.240.0/22
2.60.0.0/14
2.92.0.0/14
5.1.41.0/24

This file has been truncated. show original

github.com

herrbischoff/country-ip-blocks/blob/master/ipv6/ru.cidr

2001:640::/32
2001:678:13::/48
2001:678:14::/46
2001:678:18::/48
2001:678:ec::/48
2001:678:f4::/48
2001:678:124::/48
2001:678:128::/48
2001:678:178::/48
2001:678:190::/48
2001:678:1b0::/48
2001:678:1bc::/48
2001:678:220::/48
2001:678:278::/48
2001:678:280::/48
2001:678:2e8::/48
2001:678:2ec::/48
2001:678:344::/48
2001:678:350::/48
2001:678:384::/48

This file has been truncated. show original

This ones to block…

Why? I want to block access from my network, not to my network (for this case I just set drop to all incoming traffic)

admon · June 22, 2024, 2:04pm

So you want to block traffic flows from your network to any russian one? Then you are good to go with IP addresses. But it won't help against russian websites located outside of russia. And yeah, they exist for sure.

blocker · June 22, 2024, 2:08pm

Not 100% I don’t expect 100% efficiency. But 90% will be ok. The main idea to prevent my family to access that crap. I know that this can be bypassed but I don’t expect 100% efficiency, I need to make it more difficult to use that crap.

Can you advise me how to block them in bulk? Or even set auto update?

admon · June 22, 2024, 3:09pm

None of them will work out-of-the-box, at least not on my system.

I might look into this to create a script, but can't promise a time range for that.
Starting by using AdGuard Home and blocking ru domains is the best you can do so far.

blocker · June 22, 2024, 4:04pm

Spitz doesn’t support it

I will be really pleased if so. It is not urgent. If you want, you may help. But if it is burden, you should not

admon · June 22, 2024, 4:21pm

At least it's not possible to block that many addresses using the built-in firewall. It will cause the error:

uci: Parse error (too many arguments) at line 8563, byte 2372

The list would be huge, not even sure if the Spitz can handle it.

blocker · June 22, 2024, 4:53pm

I can do extroot or store it on SD…

@alzhao or @bruce any ideas?

admon · June 22, 2024, 6:26pm

It's not about storage. The IP lists (for RU it's nearly 8000 lines) must be used in RAM during all time so the firewall can evaluate the traffic. That should be waaaaay too much

blocker · June 22, 2024, 6:47pm

Can I use part of SD as RAM? Or maybe use dnsmasq for this?

beniamin · June 23, 2024, 12:32am

No, not that I'm aware of.

You need to get a beefier device. Look into a X86 as your firewall, OPNsense, and use the the glinet as the access point.

Or get a Firewalla purple for $329. It can do repeater mode (travel mode), It can block 10 countries and other cool features.

admon · June 23, 2024, 7:15am

Or go AdGuard DNS and block the countries there.

blocker · June 23, 2024, 7:53am

I wanna stick with Gl.

Found better solution.

uci add_list dhcp.@dnsmasq[0].address='/ru/0.0.0.0'
uci commit dhcp
uci add_list dhcp.@dnsmasq[0].address='/su/0.0.0.0'
uci commit dhcp
service dnsmasq restart

Also you can set adblocking even on weak devices like:

uci add_list dhcp.@dnsmasq[0].addnhosts="/sda1/hosts.txt"
uci commit dhcp
/etc/init.d/dnsmasq restart

This will add hosts file on your SD as additional hosts

admon · June 23, 2024, 8:05am

Does it work as well?

slesar · June 23, 2024, 11:24am

I think very simple in adguard home
Add manual filter:

||*.ru/^
||*.xn--p1ai$/^

Might be working second line is Cyrillic domain (*.рф)