Block specific ports

[vladosam]

Hi, is there option to geoblock some ports and leave other ports unblocked?

[friendly-bits]

Hi, is there option to geoblock some ports and leave other ports unblocked?

It is possible with nftables but currently my code doesn't implement this. You can add a feature request and if there will be more people asking for this feature, I'll implement it.

In the meanwhile, you could modify the geoip-shell-apply.sh script to block some ports. The code is reasonably well commented, so you should be able to find the relevant lines easily. If you need more specific directions, please describe your use case and what you want to block and allow (open all ports except what's closed? close all ports except what's open? which protocols?)

[vladosam]

I set everything up as per your instructions. As I said before, I have traefik and wireguard on this server. What will geoip-shell do with 22,80,443 and 51820 ports?

[friendly-bits]

Oh wait, I just realized that the additional rules I suggested you are incorrect. These are the (I believe) correct rules:

		printf '%s\n' "-I $geochain -p tcp ! --dport 21115:21119 -j ACCEPT -m comment --comment ${geotag}_aux_custom"
		printf '%s\n' "-I $geochain -p udp ! --dport 21116 -j ACCEPT -m comment --comment ${geotag}_aux_custom"

The difference is the ! before --dport.
Basically these rules say "check if destination port is ..., if it's not then ACCEPT, i.e. don't geoblock, otherwise pass the packet to the geoblocking rules". Meaning that traffic arriving on other ports will not be subjected to geoblocking rules.

[friendly-bits]

You should test that this actually does exactly that.

[vladosam]

Excellent. I will try it today.

[friendly-bits]

I should note that what the ACCEPT verdict does is it makes the ACCEPTed packets bypass all other rules in the same table it was issued. The packet then continues to traverse further tables, and may be dropped in any of them. The nftables branch of geoip-shell creates a separate table and all geoip blocking is done within it. The iptables branch doesn't do that because of limitations of iptables. Instead, the iptables branch uses the existing mangle table and creates custom chains within it, attaching to the existing PREROUTING chain. What all this means essentially is that if you have further rules in later tables, for example in the filter table then they may subject the packets to additional rules.

[vladosam]

I'm getting ipv4 address '98.140.240.90' failed regex validation. I change that ip for security purpose. I want to use only my public address.

Autodetected ipv4 LAN subnets: '172.17.0.0/16 172.20.0.0/16 172.21.0.0/16 10.0.0.0/24 10.20.30.2/32 98.140.240.90/32'.
(c)onfirm, c(h)ange, (s)kip or (a)bort installation? 
c|h|s|a: 

Type in ipv4 LAN subnets (whitespace separated), or Enter to abort installation.
98.140.240.90/32
ipv4 address '98.140.240.90' failed regex validation.

[friendly-bits]

If using geoip-shell in host mode then specifically, when the installer asks:
(A)uto-detect local subnets when autoupdating and at launch or keep this config (c)onstant?
you should answer c to keep the config constant.

[vladosam]

I did choose that constant option. It looked logical to set it that way.

[friendly-bits]

In the latest release, I improved the wording of the explanation concerning WAN interfaces. Now this is no longer called 'router mode' but rather simply asks whether the machine has any WAN interfaces. Hopefully this will make it less confusing. The status report in the new version for iptables also provides statistics about how much each rule has been "hit" by the traffic.

Also If you don't mind, I'd like to find out why the LAN autodetection code incorrectly detects your WAN subnet. I would need a few technical details about the network on that machine.

[vladosam]

I'll help you if I can. What do you need to know?

[vladosam]

Now I can see if my block rule actually block something?

[friendly-bits]

I'll help you if I can. What do you need to know?

I'll need output of these 3 commands (the latter 2 present more or less the same information but with slightly different detail):

sudo ip -f inet route show table local scope link

sudo ip -f inet route show table local scope link | grep -v "[[:space:]]lo[[:space:]]" | grep -oE "dev[[:space:]]+[^[:space:]]+" | sed 's/^dev[[:space:]]*//g' | sort -u | while read -r iface; do sudo ip -o -f inet addr show "$iface"; done

sudo ip -f inet route show table local scope link | grep -v "[[:space:]]lo[[:space:]]" | grep -oE "dev[[:space:]]+[^[:space:]]+" | sed 's/^dev[[:space:]]*//g' | sort -u | while read -r iface; do sudo ip -f inet addr show "$iface"; done

[vladosam]

Now that you have reddit account you should post updates about project every 2-3 months. With changelogs from last post to latest version. People on selfhost subreddit don't like when you flood them with every update but occasional posts are fine.

[friendly-bits]

My current focus is on making the project compatible with OpenWrt. At this point I think I just need to make a startup script for it (because on OpenWrt cron-based persistence doesn't work). Once that is complete, I'll announce it on their forum. I hope this will increase project's visibility. I'll probably write a post on Reddit as well at some point.

[friendly-bits]

I think I may also need to change my github name to something that sounds more trustworthy than blunderful-scripts, hehe. In the beginning my scripts had actually a ton of "blunders" (a.k.a. mindless mistakes) and were generally pretty bad but I improved a lot since then and the scripts improved a lot, so at this point this name probably makes a bad impression which is unwarranted.

[vladosam]

I didn't know what blunderful means but now that you said it changing name sounds like a good idea. :)

[friendly-bits]

aaaand here is the new username
(and OpenWrt support is complete for the nftables branch but now I want to merge the 2 branches before announcing it)

[friendly-bits]

Now I can see if my block rule actually block something?

You'll be able to see statistics of traffic hitting each rule, including the whitelist blocking rule and the ACCEPT rules. So in short, yes. To see that, use the geoip-shell status -v command to have a verbose report, and there to the left of each rule you'll see the statistics.

If you update, don't forget to re-add your custom rules to the -apply script (now it's line 306).

[friendly-bits]

@vladosam I wonder if you are still using the project and what your experience with it is. Also you probably have already noticed, but just to make sure: geoip-shell doesn't have separate branches for iptables and nftables anymore. All recent releases support both firewall backends (and I implemented the option to change the backend if you have both nftables and iptables-compat installed). There were a few bugs affecting iptables installs because the code went through substantial changes, now I believe all of them have been ironed out.

P.s. I tried to write a post on the selfhosted subreddit but it didn't get approved by the admins, probably because my karma is not good enough xD.

[vladosam]

@friendly-bits Hi, yes I'm using it on my VPS server. And I regulary update it :D It works just fine. My country is not blocked and all others are so thanks for that. 🥇
I can post info about progress on you're behalf. Just send me text.

[friendly-bits]

There was a period where I would release an update every day. Just wanted to implement all planned features and get it ready for OpenWrt. Now both goals have been achieved and geoip-shell has been merged into OpenWrt packages repo. So probably updates will become much more scarce now (unless someone requests additional features or I discover some bugs).

I really appreciate your offer, however please don't feel that you are obliged. That said, if you want to tell the reddit people about the project, I think best if you just describe your own experience with it.