How to block incoming traffic by region

I have a web server on my network and a port forward configured on the Turris. However, I would like it to let in only traffic from the EU, that is, to block in particular traffic from China, Russia and other non-EU countries.
Can this be done somehow?

1 Like

Google iptables + ipset + countries and you will find plenty of guides.
You can find some ipsets here: https://github.com/mkorthof/ipset-country
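
The iptables + ipset approach from the reply above, as an added example that is not part of the original posts: it validates a per-country CIDR list and emits an `ipset restore` script that swaps the new allow-list in atomically, refusing to produce anything when no valid entry is found so a failed download cannot empty the set. The set name `allow_eu4`, the sample ranges, the `forwarding_wan_rule` chain and ports 80/443 are assumptions.

```shell
#!/bin/sh
# Added example: turn a per-country CIDR list into an atomic "ipset restore" script.
SET_NAME="allow_eu4"    # hypothetical set name
NL='
'

# Constructed sample input (documentation ranges), standing in for a zone file.
sample_cidrs() {
    printf '%s\n' '# constructed sample' '192.0.2.0/24' '198.51.100.0/24' \
        '' '203.0.113.0/25  # trailing comment' 'not-a-cidr' '300.1.1.0/24' '10.0.0.0/33'
}

# Succeeds only for a.b.c.d/len with octets 0-255 and len 0-32.
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*|????*) return 1 ;; esac
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Reads CIDRs on stdin; emits nothing and fails if no valid entry was read.
gen_restore() {
    tmp="${SET_NAME}_new"; adds=""; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')   # drop comments, blanks
        [ -n "$line" ] || continue
        if is_ipv4_cidr "$line"; then
            adds="${adds}add $tmp $line$NL"; n=$((n + 1))
        else
            echo "skipped invalid entry: $line" >&2
        fi
    done
    [ "$n" -gt 0 ] || { echo "no valid entries, set left untouched" >&2; return 1; }
    printf 'create %s hash:net family inet\ncreate %s hash:net family inet\nflush %s\n' "$SET_NAME" "$tmp" "$tmp"
    printf '%sswap %s %s\ndestroy %s\n' "$adds" "$tmp" "$SET_NAME" "$tmp"
}

# On the router (assumptions: fw3 user chain forwarding_wan_rule, web server on 80/443):
#   gen_restore < zones.txt | ipset -exist restore
#   iptables -I forwarding_wan_rule -p tcp -m multiport --dports 80,443 \
#       -m set ! --match-set allow_eu4 src -j DROP
sample_cidrs | gen_restore
```

Only new connections reach the drop rule if established traffic is accepted earlier in the forward path, so replies to connections opened from the LAN are not affected.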

The “banip” package does this. It also includes updates and a LuCI extension.

banip looks promising. Unfortunately, I can't install it. I'll try again in a few days to see whether there is a new package.

Collected errors:

  • check_data_file_clashes: Package logd wants to install file /sbin/logread
    But that file is already provided by package * syslog-ng
  • opkg_install_cmd: Cannot install package banip.

It's not pretty, but I forced the install over that package (ignore in pkg).
The new package is 0.7, but that one is for newer OpenWrt and the maintainer doesn't want to backport it to older releases.

So either you wait for a new Turris OS or you rewrite it.

Log in via ssh and list all dependencies of the banip package.

root@sw-mox:~# opkg depends -A banip
banip depends on:
	libc
	jshn
	jsonfilter
	ip
	ipset
	iptables
	ca-bundle
	logd

Install all of the packages except logd. Then install the banip package.

root@sw-mox:~# opkg --nodeps install banip
Installing banip (0.3.11-1) to root...
Downloading https://repo.turris.cz/hbl/mox/packages/packages/banip_0.3.11-1_all.ipk
Configuring banip.
root@sw-mox:~#

Not tested whether it really works, YMMV.

@dibdot, I see this was fixed in newer version of banip included in OpenWrt 21.02 and master according to this issue:

Should I send the pull request with cherry-pick for OpenWrt 19.07? :slight_smile:

BTW: Guys, sorry for hijack in English.

1 Like

Please don’t do it. :wink:
This includes another 19.x incompatible change. I’ll remove that dependency later today in 19.x-branch.

Recommendation: Do not waste time with banIP 0.3.x - it was really an unfinished early bird. Interested 19.x/turris users should manually update to 0.7.x, e.g.:

* rm -f /etc/config/banip # remove the old banIP config
* opkg update  # update/sync your local package index
* cd /tmp
* wget https://downloads.openwrt.org/snapshots/packages/x86_64/packages/banip_0.7.8-1_all.ipk
* wget https://downloads.openwrt.org/snapshots/packages/x86_64/luci/luci-app-banip_git-21.122.69643-c75ed32_all.ipk
* opkg install banip_0.7.8-1_all.ipk
* opkg install luci-app-banip_git-21.122.69643-c75ed32_all.ipk

Edit: The dependency in banIP 0.3.x/19.07-branch has been removed with banip: remove logd dependency · openwrt/packages@1c90bc0 · GitHub

2 Likes

Not sure what happened on my side, but LuCI was in a kind of broken state; I had to remove everything (including config files and packages).
After clean reinstall I am up and running again.

Thank you for this nice tool :slight_smile:

1 Like

One issue I encounter after manually installing the packages. The update process wants to install “newer” luci-app-banip.

In the post you specified:

luci-app-banip_git-21.122.69643-c75ed32_all.ipk

In the update I see:

install	luci-app-banip		git-21.132.36199-d0cf6e4-1

Which seems newer according to the version number, but after it is installed it is the old ban-ip interface from the 0.3 version.

Any hint on how to disable the update or fix this?

Nope, sorry. Most probably you can trick the package index, but the easiest approach is just to ignore this “update”. :wink:

@Pepe -> you have maybe any easy idea how to ignore this update?

ok, you asked for it … quick and dirty…:wink:
edit /usr/lib/opkg/status, e.g.

Package: luci-app-banip
Version: git-21.154.29028-dc0cfc6
Depends: libc, banip, luci-lib-jsonc
Status: install user installed
Architecture: all
Installed-Time: 1622728851

…bump the version number and you’re done!

thank you but that did not really work for me :confused:

INFO:Queue downgrade of luci-app-banip/luci/git-21.132.36199-d0cf6e4-1[git-21.154.29028-dc0cfc6]

Even if I set the version to identical one the updater wants to reinstall it:

INFO:Queue reinstall of luci-app-banip/luci/git-21.132.36199-d0cf6e4-1

Probably missing something :confused: