unitedwallabies
Joined: 23 Sep 2011 Posts: 8 Location: North-Eastern US
Posted: Fri Sep 23, 2011 7:04 pm Post subject: Blacklisting remote IPs
I'd like to be able to programmatically block (blacklist) remote IPs -- such as spam sources, or the hosts from which a password-guessing attack originates.
I'm currently doing the blacklisting on the primary host itself, but I'd rather the router were doing it, so that the entire network is protected.
This could be done by routing connections from such hosts to a non-existent internal IP, for example, or in some other way -- if UPnP supports such blacklisting...
If this matters, my router is identified as:
Code:
<friendlyName>Actiontec "Wireless Broadband Router"</friendlyName>
<manufacturer>Actiontec</manufacturer>
<manufacturerURL>http://www.actiontec.com</manufacturerURL>
<modelDescription>Actiontec "Wireless Broadband Router" Internet Gateway Device</modelDescription>
<modelName>"Wireless Broadband Router"</modelName>
<modelNumber>20.19.8</modelNumber>
<modelURL>http://www.actiontec.com</modelURL>
Thanks!
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Sun Sep 25, 2011 7:51 am Post subject:
To do that, your router has to support UPnP mapping with a specific RemoteHost parameter. That is not common.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
unitedwallabies
Joined: 23 Sep 2011 Posts: 8 Location: North-Eastern US
Posted: Mon Sep 26, 2011 3:59 pm Post subject:
miniupnp wrote:
> To do that, your router has to support UPnP mapping with a specific RemoteHost parameter. That is not common.
Can the device be checked for the capability? Alternatively, can miniupnpc simply be requested to do the block and report any failures?
Thanks!
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Mon Sep 26, 2011 4:11 pm Post subject:
unitedwallabies wrote:
> miniupnp wrote:
> > To do that, your router has to support UPnP mapping with a specific RemoteHost parameter. That is not common.
> Can the device be checked for the capability? Alternatively, can miniupnpc simply be requested to do the block and report any failures?
> Thanks!
Well... it does... have you tried?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
unitedwallabies
Joined: 23 Sep 2011 Posts: 8 Location: North-Eastern US
Posted: Tue Sep 27, 2011 7:18 pm Post subject:
miniupnp wrote:
> Well... it does... have you tried?
No, I haven't... I don't know how:
Code:
Usage : upnpc [options] -a ip port external_port protocol
        Add port redirection
        upnpc [options] -d external_port protocol [port2 protocol2] [...]
        Delete port redirection
        upnpc [options] -s
        Get Connection status
        upnpc [options] -l
        List redirections
        upnpc [options] -r port1 protocol1 [port2 protocol2] [...]
        Add all redirections to the current host
protocol is UDP or TCP
Options:
  -u url : bypass discovery process by providing the XML root description url.
  -m address : provide ip address of the interface to use for sending SSDP multicast packets.
  -p path : use this path for MiniSSDPd socket.
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Tue Sep 27, 2011 7:58 pm Post subject:
Well, it is not possible with the command-line tool.
You have to call the function UPNP_AddPortMapping() (from upnpcommands.h) directly.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
unitedwallabies
Joined: 23 Sep 2011 Posts: 8 Location: North-Eastern US
Posted: Tue Sep 27, 2011 8:06 pm Post subject:
miniupnp wrote:
> Well, it is not possible with the command-line tool.
Hence my request for this feature on the miniupnpc Feature Request forum.
I don't know the UPnP API, so coming up with my own program will take some time and effort...
unitedwallabies
Joined: 23 Sep 2011 Posts: 8 Location: North-Eastern US
Posted: Wed Oct 26, 2011 6:28 pm Post subject:
unitedwallabies wrote:
> Hence my request for this feature on the miniupnpc Feature Request forum.
Is there, perhaps, a patch out there for me to try? Thanks!
unitedwallabies
Joined: 23 Sep 2011 Posts: 8 Location: North-Eastern US
Posted: Wed Oct 26, 2011 8:55 pm Post subject: Attempt at implementation
Ok, I wrote the sample program, which ends up calling UPNP_AddPortMapping() with most arguments being "*". What I get is:
Replacing "*" with the empty string "" does not change anything.
Does this mean my router is not capable of such blacklisting, or should I just provide a different value for ExtPort?
After setting the external port value to "25", I get a different error:
Quote:
> upnpblock: 31.210.72.69: RemoteHostOnlySupportsWildcard
I guess, even if it were possible to figure out the ext-port issue, my router really can't simply blacklist individual IPs, can it? Please advise. Thanks!
Code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sysexits.h>
#include <err.h>
#include <miniupnpc.h>
#include <upnperrors.h>
#include <upnpcommands.h>

static void
usage(const char *me, const char *message, int code)
{
    if (message)
        fprintf(stderr, "%s\n", message);
    fprintf(stderr, "Usage:\n\t%s [-6] [-v] [-d] [-u url] ip.ad.res.s\n", me);
    exit(code);
}

int
main(int argc, char *argv[])
{
    struct UPNPDev *devlist = NULL;
    struct UPNPUrls urls;
    struct IGDdatas data;
    int error, opt, verbose = 0, ipv6 = 0, ecount, delist = 0;
    char lanaddr[64];
    const char *url = NULL, *me = argv[0];

    while ((opt = getopt(argc, argv, "du:6hv")) != -1) {
        switch (opt) {
        case 'v':
            verbose++;
            break;
        case '6':
            ipv6 = 1;
            break;
        case 'u':
            url = optarg;
            break;
        case 'd':
            delist = 1;
            break;
        case 'h':
            usage(me, NULL, EX_OK);     /* usage() exits, no fall-through */
        default:
            usage(me, NULL, EX_USAGE);
        }
    }
    argv += optind;
    argc -= optind;
    if (argc == 0)
        usage(me, "No IP-address(es) given", EX_USAGE);

    if (url) {
        /* Skip SSDP discovery and fetch the root description directly. */
        if (!UPNP_GetIGDFromUrl(url, &urls, &data,
                                lanaddr, sizeof(lanaddr)))
            errx(EX_NOHOST, "No valid IGDs from %s", url);
    } else {
        devlist = upnpDiscover(2000 /* ms */,
                               NULL /* multicast interface */,
                               NULL /* minissdpd socket path */,
                               0 /* same port */,
                               ipv6,
                               &error);
        if (devlist == NULL)
            errx(EX_NOHOST, "No devices discovered (%d: %s)",
                 error, strupnperror(error));
        switch (UPNP_GetValidIGD(devlist, &urls, &data,
                                 lanaddr, sizeof(lanaddr))) {
        case 0:
            errx(EX_NOHOST, "UPNP_GetValidIGD: no valid IGDs");
        case 1:
            if (verbose)
                warnx("Found valid IGD: %s", urls.controlURL);
            break;
        default:
            warnx("Found something at: %s. "
                  "Trying to continue", urls.controlURL);
            break;
        }
        /* urls and data hold their own copies; the device list can go. */
        freeUPNPDevlist(devlist);
    }

    /*
     * The service type must be the WAN*Connection service that was found
     * (it becomes the SOAPAction URN), not a wildcard.  The remaining "*"
     * arguments are deliberate wildcards: any external port, protocol and
     * internal client, so that the mapping acts only on the remote host.
     */
    for (ecount = 0; argc; argc--, argv++) {
        if (delist) {
            error = UPNP_DeletePortMapping(urls.controlURL,
                                           data.first.servicetype,
                                           "*" /* any ext-port */,
                                           "*" /* any protocol */,
                                           argv[0] /* remote host */);
        } else {
            error = UPNP_AddPortMapping(urls.controlURL,
                                        data.first.servicetype,
                                        "*" /* any ext-port */,
                                        "*" /* any in-port */,
                                        "*" /* any in-client */,
                                        "blacklisted" /* description */,
                                        "*" /* any protocol */,
                                        argv[0] /* remote host to block */,
                                        "0" /* lease: permanent */);
        }
        if (error) {
            warnx("%s: %s", argv[0], strupnperror(error));
            ecount++;
        }
    }
    FreeUPNPUrls(&urls);
    return ecount ? 1 : 0;
}
(I wish a syntax-colouring mod was installed on the forum...)
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Thu Oct 27, 2011 11:13 am Post subject: Re: Attempt at implementation
unitedwallabies wrote:
> Ok, I wrote the sample program, which ends up calling UPNP_AddPortMapping() with most arguments being "*". What I get is:
> Replacing "*" with the empty string "" does not change anything.
> Does this mean my router is not capable of such blacklisting, or should I just provide a different value for ExtPort?
Well, your router does not permit a wildcard in extPort. An empty string is usually interpreted as a wildcard.
unitedwallabies wrote:
> After setting the external port value to "25", I get a different error:
> Quote:
> > upnpblock: 31.210.72.69: RemoteHostOnlySupportsWildcard
> I guess, even if it were possible to figure out the ext-port issue, my router really can't simply blacklist individual IPs, can it? Please advise. Thanks!
Well, your router does not support specifying a RemoteHost in a port mapping.
I think that is very common. I think I've never seen a router supporting it!
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
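The two rejections discussed in this thread are the WANIPConnection:1 AddPortMapping error codes 716 (WildCardNotPermittedInExtPort) and 726 (RemoteHostOnlySupportsWildcard). The following added example, which is not code from the thread or from miniupnpc, builds the SOAP body that UPNP_AddPortMapping() sends and classifies the router's fault reply, so the capability check the thread asks about becomes "try the mapping, then read the error code". Python is used so it runs offline; the remote host 203.0.113.7, the internal client 192.0.2.10 and the fault text are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces and the service type used by WANIPConnection control requests.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"

# AddPortMapping error codes from the WANIPConnection:1 spec seen in the thread.
WILDCARD_NOT_PERMITTED_IN_EXTPORT = 716
REMOTE_HOST_ONLY_SUPPORTS_WILDCARD = 726

def build_add_port_mapping(ext_port, proto, int_port, int_client,
                           remote_host, desc, lease="0", service=WANIP):
    """Return the SOAP envelope the IGD receives for AddPortMapping.
    "" (or "*" on some routers) in ext_port/remote_host means wildcard."""
    args = [("NewRemoteHost", remote_host), ("NewExternalPort", ext_port),
            ("NewProtocol", proto), ("NewInternalPort", int_port),
            ("NewInternalClient", int_client), ("NewEnabled", "1"),
            ("NewPortMappingDescription", desc), ("NewLeaseDuration", lease)]
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args)
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:AddPortMapping xmlns:u="{service}">{inner}'
            '</u:AddPortMapping></s:Body></s:Envelope>')

def parse_upnp_error(response_xml):
    """Return (errorCode, errorDescription) from a SOAP fault, else None."""
    root = ET.fromstring(response_xml)
    code = root.find(f".//{{{CTRL_NS}}}errorCode")
    if code is None:
        return None
    desc = root.find(f".//{{{CTRL_NS}}}errorDescription")
    return int(code.text), (desc.text if desc is not None else "")

def classify(err):
    """Translate the fault (or None) into what it means for blacklisting."""
    if err is None:
        return "mapping accepted: router honours RemoteHost"
    if err[0] == WILDCARD_NOT_PERMITTED_IN_EXTPORT:
        return "wildcard ext port rejected: retry with a specific port"
    if err[0] == REMOTE_HOST_ONLY_SUPPORTS_WILDCARD:
        return "router cannot filter by remote host: IGD unsuitable"
    return f"other UPnP error {err[0]}"

# Constructed fault reply, shaped like the 726 error quoted in the thread.
SAMPLE_FAULT = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
    f'<detail><UPnPError xmlns="{CTRL_NS}"><errorCode>726</errorCode>'
    '<errorDescription>RemoteHostOnlySupportsWildcard</errorDescription>'
    '</UPnPError></detail></s:Fault></s:Body></s:Envelope>')
```

A 726 reply after a mapping with a specific external port is the definitive answer: the IGD implementation on that router only accepts a wildcard RemoteHost, so per-IP blocking has to be done elsewhere (the router's own filtering UI, or a host firewall).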
unitedwallabies
Joined: 23 Sep 2011 Posts: 8 Location: North-Eastern US
Posted: Thu Oct 27, 2011 2:52 pm Post subject:
Well, the router -- Actiontec -- does have an "Advanced Filtering" section, where one can list IP addresses, IP ranges, and subnets to be rejected (or dropped).
One can edit that section via the router's web interface, but there is no obvious way to do that programmatically. I wonder if UPnP can, in fact, be used for that -- how would I analyze the router's capabilities?
I made the router's desc.xml available (and the WANEthIFC1.xml referenced from that) -- any chance you could give me a hint? Thanks!
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Thu Oct 27, 2011 6:55 pm Post subject:
unitedwallabies wrote:
> Well, the router -- Actiontec -- does have an "Advanced Filtering" section, where one can list IP addresses, IP ranges, and subnets to be rejected (or dropped).
> One can edit that section via the router's web interface, but there is no obvious way to do that programmatically. I wonder if UPnP can, in fact, be used for that -- how would I analyze the router's capabilities?
> I made the router's desc.xml available (and the WANEthIFC1.xml referenced from that) -- any chance you could give me a hint? Thanks!
UPnP IGD is not designed for that. And now I'm pretty sure it cannot do that on your router.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
© 2007 Thomas Bernard, author of MiniUPNP.