You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Dec 14, 2020. It is now read-only.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is an example of using [ipset utility](http://manpages.ubuntu.com/manpages/lucid/man8/ipset.8.html) with two different set types: iphash and nethash. The example shows how to block incoming connection from [Tor](https://www.torproject.org/) nodes (iphash set type — number of ip addresses) and how to block incoming connection from whole countries (nethash set type - number of ip subnets).
Please, enable and format [JFFS](https://github.com/RMerl/asuswrt-merlin/wiki/JFFS) through WEB UI, place this content to `/jffs/scripts/create-ipset-lists.sh`
* Enable and format [JFFS](https://github.com/RMerl/asuswrt-merlin/wiki/JFFS) through WEB UI first,
# Re-download blocklist if locally saved blocklist is older than this many days
BLOCKLISTS_SAVE_DAYS=15
# For the users of mips routers (kernel 2.x): You can now block sources with IPv6 with country blocklists
# Enable if you want to add huge country IPv6 netmask lists directly into ip6tables rules.
# Also, enabling this will add a *lot* of processing time!
# Note: This has no effect *if* you have ipset v6: It will always use ipset v6 for IPv6 country blocklists regardless of whether this is enabled or not.
# Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
BLOCKED_COUNTRY_LIST="br cn kp kr pk sa tr tw ua vn"
# Use DROP or REJECT for iptable rule for the ipset. Briefly, for DROP, attacker (or IP being blocked) will get no response and timeout, and REJECT will send immediate response of destination-unreachable (Attacker will know your IP is actively rejecting requests)
# See: http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject and http://serverfault.com/questions/157375/reject-vs-drop-when-using-iptables
# Different routers got different iptables and ipset syntax
case $(ipset -v | grep -o "v[4,6]") in
v6)
MATCH_SET='--match-set'; CREATE='create'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net family inet'; NETHASH6='hash:net family inet6'; SETNOTFOUND='name does not exist'
# Loading ipset modules
lsmod | grep -q "xt_set" || \
for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set; do
* Then place [**this content**](https://raw.githubusercontent.com/shounak-de/iblocklist-loader/master/create-ipset-lists.sh) to `/jffs/scripts/create-ipset-lists.sh`
then make it executable:
* Then make it executable:
```
chmod +x /jffs/scripts/create-ipset-lists.sh
```
and then call this at the end of your existing /jffs/firewall-start:
* Finally call this at the end of your existing /jffs/firewall-start:
There are no files selected for viewing