miniupnp.tuxfamily.org Forum Index
The forum about miniupnp and libnatpmp
Blacklisting remote IPs

 
Forum: miniupnpc Feature Request
unitedwallabies (Joined: 23 Sep 2011, Location: North-Eastern US)
Posted: Fri Sep 23, 2011 7:04 pm    Subject: Blacklisting remote IPs

I'd like to be able to programmatically block (blacklist) remote IPs -- such as the spam-sources or from where a password-guessing attack originates.

I'm currently doing the blacklisting on the primary host itself, but I'd rather the router were doing it so that the entire network was protected.

This could be done by routing connections from such hosts to a non-existing internal IP, for example, or somehow else -- if UPnP supports such blacklisting...

If this matters, my router is identified as:

Code:
<friendlyName>Actiontec "Wireless Broadband Router"</friendlyName>
<manufacturer>Actiontec</manufacturer>
<manufacturerURL>http://www.actiontec.com</manufacturerURL>
<modelDescription>Actiontec "Wireless Broadband Router" Internet Gateway Device</modelDescription>
<modelName>"Wireless Broadband Router"</modelName>
<modelNumber>20.19.8</modelNumber>
<modelURL>http://www.actiontec.com</modelURL>


Thanks!
miniupnp (Site Admin, Joined: 14 Apr 2007)
Posted: Sun Sep 25, 2011 7:51 am

To do that, your router has to support UPnP mapping with a specific RemoteHost parameter. That is not common.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
unitedwallabies
Posted: Mon Sep 26, 2011 3:59 pm

miniupnp wrote:
To do that, your router has to support UPnP mapping with a specific RemoteHost parameter. That is not common.
Can the device be checked for the capability? Alternatively, can miniupnpc simply be requested to do the block and report any failures?

Thanks!
miniupnp
Posted: Mon Sep 26, 2011 4:11 pm

unitedwallabies wrote:
miniupnp wrote:
To do that, your router has to support UPnP mapping with a specific RemoteHost parameter. That is not common.
Can the device be checked for the capability? Alternatively, can miniupnpc simply be requested to do the block and report any failures?

Thanks!

Well... it does... have you tried?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
unitedwallabies
Posted: Tue Sep 27, 2011 7:18 pm

miniupnp wrote:
Well... it does... have you tried?

No, I haven't... I don't know how:
Code:
Usage : upnpc [options] -a ip port external_port protocol
                Add port redirection
        upnpc [options] -d external_port protocol [port2 protocol2] [...]
                Delete port redirection
        upnpc [options] -s
                Get Connection status
        upnpc [options] -l
                List redirections
        upnpc [options] -r port1 protocol1 [port2 protocol2] [...]
                Add all redirections to the current host

protocol is UDP or TCP
Options:
  -u url : bypass discovery process by providing the XML root description url.
  -m address : provide ip address of the interface to use for sending SSDP multicast packets.
  -p path : use this path for MiniSSDPd socket.
miniupnp
Posted: Tue Sep 27, 2011 7:58 pm

Well, it is not possible with the command-line tool.
You have to call the function UPNP_AddPortMapping() (from upnpcommands.h) directly.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
unitedwallabies
Posted: Tue Sep 27, 2011 8:06 pm

miniupnp wrote:
Well, it is not possible with the command-line tool.
Hence my request for this feature on the miniupnpc Feature Request forum :-)

I don't know the UPNP API, so coming up with my own program will take some time and effort...
unitedwallabies
Posted: Wed Oct 26, 2011 6:28 pm

unitedwallabies wrote:
Hence my request for this feature on the miniupnpc Feature Request forum :-)
Is there, perhaps, a patch out there for me to try? Thanks!
unitedwallabies
Posted: Wed Oct 26, 2011 8:55 pm    Subject: Attempt at implementation

Ok, I wrote the sample program, which ends up calling the UPNP_AddPortMapping() with most arguments being "*". What I get is:
Quote:
upnpblock -v 31.210.72.69
upnpblock: Found valid IGD: http://192.168.1.1:2555/upnp/1fc4b4c0-2001-3f69-9c10-ddf365214b58/WANIPConn1.ctl
upnpblock: 31.210.72.69: WildCardNotPermittedInExtPort

Replacing "*" with the empty string "" does not change anything.

Does this mean my router is not capable of such blacklisting, or should I just provide a different value for ExtPort?

After setting the external port value to "25", I get a different error:
Quote:
upnpblock: 31.210.72.69: RemoteHostOnlySupportsWildcard
I guess, even if it were possible to figure out the ext-port issue, my router really can't simply blacklist individual IPs, can it? Please advise. Thanks!
Code:
#include <stdio.h>
#include <stdlib.h>
#include <miniupnpc.h>
#include <upnperrors.h>
#include <upnpcommands.h>
#include <unistd.h>
#include <sysexits.h>
#include <err.h>

/*
 * upnpblock: ask the IGD for a port mapping whose RemoteHost is each
 * address given on the command line (-d deletes it again). Whether the
 * router accepts a specific RemoteHost at all is exactly what this probes.
 * Written against the 2011 miniupnpc API; newer releases add a TTL
 * argument to upnpDiscover().
 */

static void
usage(const char *me, const char *message, int code)
{
        if (message)
                fprintf(stderr, "%s\n", message);
        fprintf(stderr, "Usage:\n\t%s [-6] [-v] [-d] [-u url] ip.ad.res.s [...]\n", me);

        exit(code);
}

int
main(int argc, char *argv[])
{
        struct UPNPDev  *devlist = NULL;
        struct UPNPUrls  urls;
        struct IGDdatas  data;
        int              error, opt, verbose = 0, ipv6 = 0, ecount, delist = 0;
        char             lanaddr[64];
        const char      *url = NULL, *me = argv[0];

        while ((opt = getopt(argc, argv, "du:6hv")) != -1) {
                switch (opt) {
                case 'v':
                        verbose++;
                        break;
                case '6':
                        ipv6 = 1;
                        break;
                case 'u':
                        url = optarg;
                        break;
                case 'd':
                        delist = 1;
                        break;
                case 'h':
                        usage(me, NULL, EX_OK);
                        /* NOTREACHED */
                default:
                        usage(me, NULL, EX_USAGE);
                }
        }
        argv += optind;
        argc -= optind;
        if (argc == 0)
                usage(me, "No IP-address(es) given", EX_USAGE);

        if (url) {
                /* -u: skip SSDP discovery, fetch the root description directly */
                if (!UPNP_GetIGDFromUrl(url, &urls, &data,
                    lanaddr, sizeof(lanaddr)))
                        errx(EX_NOHOST, "No valid IGDs from %s", url);
        } else {
                devlist = upnpDiscover(2000 /* ms to wait for replies */,
                    NULL        /* multicast interface */,
                    NULL        /* minissdpd socket path */,
                    0           /* sameport: 0 = random source port */,
                    ipv6,
                    &error);

                if (devlist == NULL)
                        errx(EX_NOHOST, "No devices discovered (%d: %s)",
                            error, strupnperror(error));
                switch (UPNP_GetValidIGD(devlist, &urls, &data,
                    lanaddr, sizeof(lanaddr))) {
                case 0:
                        errx(EX_NOHOST, "UPNP_GetValidIGD: no valid IGDs");
                case 1:
                        if (verbose)
                                warnx("Found valid IGD: %s", urls.controlURL);
                        break;
                default:
                        /* 2: IGD found but not connected; 3: some UPnP device
                         * that was not confirmed to be an IGD */
                        warnx("Found something at: %s. "
                            "Trying to continue", urls.controlURL);
                        break;
                }
        }

        /*
         * The service type must be the WAN*Connection URN the IGD
         * advertises (data.first.servicetype); "*" is not a valid SOAP
         * service type. The remaining "*" arguments are wildcards that
         * the IGD may or may not accept.
         */
        for (ecount = 0; argc; argc--, argv++) {
                if (delist) {
                        error = UPNP_DeletePortMapping(urls.controlURL,
                            data.first.servicetype,
                            "*" /* any ext-port */,
                            "*" /* any protocol */,
                            argv[0] /* RemoteHost */);
                } else {
                        error = UPNP_AddPortMapping(urls.controlURL,
                            data.first.servicetype,
                            "*" /* any ext-port */,
                            "*" /* any in-port */,
                            "*" /* any in-client */,
                            "blacklisted",
                            "*" /* any protocol */,
                            argv[0] /* RemoteHost */,
                            "0" /* lease duration: permanent */);
                }
                if (error) {
                        warnx("%s: %s", argv[0], strupnperror(error));
                        ecount++;
                }
        }

        FreeUPNPUrls(&urls);
        freeUPNPDevlist(devlist);

        return ecount ? 1 : 0;
}
(I wish, syntax-coloring mod was installed on the forum...)
miniupnp
Posted: Thu Oct 27, 2011 11:13 am    Subject: Re: Attempt at implementation

unitedwallabies wrote:
Ok, I wrote the sample program, which ends up calling the UPNP_AddPortMapping() with most arguments being "*". What I get is:
Quote:
upnpblock -v 31.210.72.69
upnpblock: Found valid IGD: http://192.168.1.1:2555/upnp/1fc4b4c0-2001-3f69-9c10-ddf365214b58/WANIPConn1.ctl
upnpblock: 31.210.72.69: WildCardNotPermittedInExtPort

Replacing "*" with the empty string "" does not change anything.

Does this mean my router is not capable of such blacklisting, or should I just provide a different value for ExtPort?

Well, your router does not permit a wildcard in extPort. An empty string is usually interpreted as a wildcard.
unitedwallabies wrote:
After setting the external port value to "25", I get a different error:
Quote:
upnpblock: 31.210.72.69: RemoteHostOnlySupportsWildcard
I guess, even if it were possible to figure out the ext-port issue, my router really can't simply blacklist individual IPs, can it? Please advise. Thanks!

Well, your router does not support specifying a RemoteHost in a port mapping.
I think that is very common. I think I've never seen a router supporting it!
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
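The two errors in this exchange (715 WildCardNotPermittedInExtPort, then 726 RemoteHostOnlySupportsWildcard) are the IGD answering the same AddPortMapping SOAP request that UPNP_AddPortMapping() sends. The script below is an added example, not code from the thread or from miniupnpc: it builds that request by hand, so it needs no library, posts it to a control URL, and decodes the UPnPError code in the reply so the RemoteHost question can be settled in one probe. The control URL, service type URN and remote host are taken from the command line; the default internal client address is an assumed unused LAN address (the original poster's "non-existing internal IP" idea) and must be changed to one that is really unused on your network. The embedded 726 reply is constructed for offline use, modelled on the router's answer above.

```python
"""Probe a UPnP IGD for RemoteHost support in AddPortMapping.

Added example (not from the thread or from miniupnpc): send the same
WANIPConnection AddPortMapping SOAP request that UPNP_AddPortMapping()
builds, then map the UPnPError code in the reply to its name.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# AddPortMapping error codes from the WANIPConnection:1 service definition.
UPNP_ERRORS = {
    402: "Invalid Args",
    501: "Action Failed",
    715: "WildCardNotPermittedInExtPort",
    716: "WildCardNotPermittedInIntPort",
    718: "ConflictInMappingEntry",
    724: "SamePortValuesRequired",
    725: "OnlyPermanentLeasesSupported",
    726: "RemoteHostOnlySupportsWildcard",
    727: "ExternalPortOnlySupportsWildcard",
}


def build_add_port_mapping(service_type, remote_host, ext_port, proto,
                           int_port, int_client, desc, lease="0"):
    """Return the SOAP body for AddPortMapping; empty strings are wildcards."""
    esc = escape  # XML-escape every caller-supplied value
    return (
        '<?xml version="1.0"?>\r\n'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{esc(service_type)}">'
        f'<NewRemoteHost>{esc(remote_host)}</NewRemoteHost>'
        f'<NewExternalPort>{esc(ext_port)}</NewExternalPort>'
        f'<NewProtocol>{esc(proto)}</NewProtocol>'
        f'<NewInternalPort>{esc(int_port)}</NewInternalPort>'
        f'<NewInternalClient>{esc(int_client)}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{esc(desc)}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{esc(lease)}</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>\r\n'
    )


def parse_upnp_error(body):
    """Return (code, name); (0, "OK") when the reply carries no UPnPError."""
    root = ET.fromstring(body)
    for el in root.iter():
        # match errorCode regardless of which namespace the router used
        if el.tag.rsplit("}", 1)[-1] == "errorCode" and el.text:
            code = int(el.text.strip())
            return code, UPNP_ERRORS.get(code, "UnknownError")
    return 0, "OK"


def remote_host_supported(code):
    """True/False when the reply settles the question, None when it does not."""
    if code == 0:
        return True    # mapping was created with a RemoteHost: delete it afterwards
    if code == 726:
        return False   # RemoteHostOnlySupportsWildcard
    return None        # e.g. 715: fix the external port first, then probe again


def probe(control_url, service_type, remote_host, ext_port="25", proto="TCP",
          int_client="192.168.1.254", timeout=5):
    """POST one probe mapping to the IGD and return (code, name).

    int_client defaults to an ASSUMED unused LAN address; change it.
    Internal port is set equal to the external one, since many IGDs
    answer 724 SamePortValuesRequired otherwise.
    """
    body = build_add_port_mapping(service_type, remote_host, ext_port, proto,
                                  ext_port, int_client, "upnp-remotehost-probe")
    req = urllib.request.Request(
        control_url, data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": 'text/xml; charset="utf-8"',
                 "SOAPAction": f'"{service_type}#AddPortMapping"'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_upnp_error(resp.read())
    except urllib.error.HTTPError as e:
        # UPnP faults arrive as HTTP 500 with the UPnPError in the body.
        return parse_upnp_error(e.read())


# Constructed reply, modelled on the router's second answer in the thread.
SAMPLE_FAULT_726 = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>
<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">
<errorCode>726</errorCode>
<errorDescription>RemoteHostOnlySupportsWildcard</errorDescription>
</UPnPError></detail></s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # control URL, service type URN, remote host
        code, name = probe(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        code, name = parse_upnp_error(SAMPLE_FAULT_726)
    print(code, name, "- RemoteHost supported:", remote_host_supported(code))
```

Two caveats a practitioner should keep in mind. AddPortMapping only ever creates a forward rule; RemoteHost narrows which source address that forward applies to, and the WANIPConnection service has no deny action, so even a router that honours RemoteHost could at best blackhole one external port per mapping, not block a host. And the control URL accepts these requests from any host on the LAN with no authentication, which is the same reason the probe works without credentials.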
unitedwallabies
Posted: Thu Oct 27, 2011 2:52 pm

Well, the router -- Actiontec -- does have an "Advanced Filtering" section, where one can list IP addresses, IP ranges, and subnets to be rejected (or dropped).

One can edit that section via the router's web interface, but there is no obvious way to do that programmatically. I wonder if UPnP can, in fact, be used for that -- how would I analyze the router's capabilities?

I made the router's desc.xml available (and the WANEthIFC1.xml referenced from that) -- any chance you could give me a hint? Thanks!
miniupnp
Posted: Thu Oct 27, 2011 6:55 pm

unitedwallabies wrote:
Well, the router -- Actiontec -- does have an "Advanced Filtering" section, where one can list IP addresses, IP ranges, and subnets to be rejected (or dropped).

One can edit that section via the router's web interface, but there is no obvious way to do that programmatically. I wonder if UPnP can, in fact, be used for that -- how would I analyze the router's capabilities?

I made the router's desc.xml available (and the WANEthIFC1.xml referenced from that) -- any chance you could give me a hint? Thanks!

UPnP IGD is not designed for that. And now I'm pretty sure it cannot do that on your router.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
All times are GMT.
© 2007 Thomas Bernard, author of MiniUPNP.