Openwrt how to block countries but allow a specific path using BanIp
from Hercules@lemmy.world to selfhosted@lemmy.world on 16 Mar 16:45
https://lemmy.world/post/44341716
from Hercules@lemmy.world to selfhosted@lemmy.world on 16 Mar 16:45
https://lemmy.world/post/44341716
Hey,
Im using openwrt with banip to only allow certain countries to access my services. Im not familiair with banip and im having issues finding documentation about it so thats why i came here.
I need to allow a certain path to allow cert-manager to get me new certificates using http challanges. If im not mistaking i have to allow the path: .well-known/acme-challenge/*.
Is their an option to allow this from any country but block all other requests?
My current config is as following:
root@OpenWrt:~# uci show | grep ban banip.global=banip banip.global.ban_enabled='0' banip.global.ban_debug='0' banip.global.ban_autodetect='1' banip.global.ban_allowlistonly='1' banip.global.ban_fetchcmd='curl' banip.global.ban_protov4='1' banip.global.ban_ifv4='wan' banip.global.ban_protov6='1' banip.global.ban_ifv6='wan6' banip.global.ban_dev='eth0' banip.global.ban_fetchretry='5' banip.global.ban_nicelimit='0' banip.global.ban_filelimit='1024' banip.global.ban_deduplicate='1' banip.global.ban_nftpriority='-100' banip.global.ban_icmplimit='25' banip.global.ban_synlimit='10' banip.global.ban_udplimit='100' banip.global.ban_nftpolicy='memory' banip.global.ban_nftretry='5' banip.global.ban_blockpolicy='drop' banip.global.ban_nftloglevel='warn' banip.global.ban_logprerouting='0' banip.global.ban_loginbound='1' banip.global.ban_logoutbound='0' banip.global.ban_loglimit='100' banip.global.ban_autoallowlist='1' banip.global.ban_autoallowuplink='subnet' banip.global.ban_autoblocklist='1' banip.global.ban_country='us' banip.global.ban_logterm='Exit before auth from' 'luci: failed login' 'error: maximum authentication attempts exceeded' 'received a suspicious remote IP .*' banip.global.ban_vlanallow='br-lan' banip.global.ban_allowurl='https://www.ipdeny.com/ipblocks/data/aggregated/be-aggregated.zone' 'https://www.ipdeny.com/ipv6/ipaddresses/aggregated/be-aggregated.zone' banip.global.ban_geoip='1' banip.global.geoip_src='dbip' banip.global.geoip_mode='allowlist' banip.global.ban_feeds='country:US' 'country:US' 'geoip:US' banip.global.ban_all='1' banip.global.allow_country='US' banip.global.ban_feedin='country' banip.global.ban_feed='hagezi' 'tor' 'vpn' wireless.radio0.band='2g' wireless.radio1.band='5g'
Thanks for your time and have a great day!
threaded - newest
banIP works at IP layer. It basically injects additional firewall rules to nftable to reject packets from specific set of IP addresses. It is not aware of layer 7 like HTTP.
What is your goal exactly? Do you want to allow /.well-known to all countries including the bad ones you are blocking? Then you’ve to do it at application layer or setup a reverse proxy that has WAF (Web Application Firewall) and serve ./well-known from the proxy.
The path is part of the http protocol. Most firewalls only parse the first couple layers (ethernet->ip->tcp/udp), not http as well, unless they do deep package inspection. Idk if openwrt/banip has functionality like that.
It might be easier (and more performant if the firewall has weak hardware) to just allow tcp port 80 and let your reverse proxy do the filtering for that, since it (usually) needs to parse the http anyways.
Can you use DNS challenges instead? That would just require that you can create a TXT record in your domain.