Openwrt how to block countries but allow a specific path using BanIp
from Hercules@lemmy.world to selfhosted@lemmy.world on 16 Mar 16:45
https://lemmy.world/post/44341716
from Hercules@lemmy.world to selfhosted@lemmy.world on 16 Mar 16:45
https://lemmy.world/post/44341716
Hey,
Im using openwrt with banip to only allow certain countries to access my services. Im not familiair with banip and im having issues finding documentation about it so thats why i came here.
I need to allow a certain path to allow cert-manager to get me new certificates using http challanges. If im not mistaking i have to allow the path: .well-known/acme-challenge/*.
Is their an option to allow this from any country but block all other requests?
My current config is as following:
root@OpenWrt:~# uci show | grep ban banip.global=banip banip.global.ban_enabled='0' banip.global.ban_debug='0' banip.global.ban_autodetect='1' banip.global.ban_allowlistonly='1' banip.global.ban_fetchcmd='curl' banip.global.ban_protov4='1' banip.global.ban_ifv4='wan' banip.global.ban_protov6='1' banip.global.ban_ifv6='wan6' banip.global.ban_dev='eth0' banip.global.ban_fetchretry='5' banip.global.ban_nicelimit='0' banip.global.ban_filelimit='1024' banip.global.ban_deduplicate='1' banip.global.ban_nftpriority='-100' banip.global.ban_icmplimit='25' banip.global.ban_synlimit='10' banip.global.ban_udplimit='100' banip.global.ban_nftpolicy='memory' banip.global.ban_nftretry='5' banip.global.ban_blockpolicy='drop' banip.global.ban_nftloglevel='warn' banip.global.ban_logprerouting='0' banip.global.ban_loginbound='1' banip.global.ban_logoutbound='0' banip.global.ban_loglimit='100' banip.global.ban_autoallowlist='1' banip.global.ban_autoallowuplink='subnet' banip.global.ban_autoblocklist='1' banip.global.ban_country='us' banip.global.ban_logterm='Exit before auth from' 'luci: failed login' 'error: maximum authentication attempts exceeded' 'received a suspicious remote IP .*' banip.global.ban_vlanallow='br-lan' banip.global.ban_allowurl='https://www.ipdeny.com/ipblocks/data/aggregated/be-aggregated.zone' 'https://www.ipdeny.com/ipv6/ipaddresses/aggregated/be-aggregated.zone' banip.global.ban_geoip='1' banip.global.geoip_src='dbip' banip.global.geoip_mode='allowlist' banip.global.ban_feeds='country:US' 'country:US' 'geoip:US' banip.global.ban_all='1' banip.global.allow_country='US' banip.global.ban_feedin='country' banip.global.ban_feed='hagezi' 'tor' 'vpn' wireless.radio0.band='2g' wireless.radio1.band='5g'
Thanks for your time and have a great day!
#selfhosted
threaded - newest
banIP works at IP layer. It basically injects additional firewall rules to nftable to reject packets from specific set of IP addresses. It is not aware of layer 7 like HTTP.
What is your goal exactly? Do you want to allow /.well-known to all countries including the bad ones you are blocking? Then you’ve to do it at application layer or setup a reverse proxy that has WAF (Web Application Firewall) and serve ./well-known from the proxy.
The path is part of the http protocol. Most firewalls only parse the first couple layers (ethernet->ip->tcp/udp), not http as well, unless they do deep package inspection. Idk if openwrt/banip has functionality like that.
It might be easier (and more performant if the firewall has weak hardware) to just allow tcp port 80 and let your reverse proxy do the filtering for that, since it (usually) needs to parse the http anyways.
I don’t think openwrt can do this. Im running k3s with nginx as ingress but the issue is it doesn’t see the actual ip but rather the ip of the container so i can’t use nginx to block countries.
Can you use DNS challenges instead? That would just require that you can create a TXT record in your domain.
That is what i currently have setup but cert-manager is giving me a headache and not working correctly so im looking into http instead since its easier to setup
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
[Thread #174 for this comm, first seen 16th Mar 2026, 21:00] [FAQ] [Full list] [Contact] [Source code]