iblocklist.com generic ipset loader for ipset v6 and v4

[redhat27]

@bayern1975 @amplatfus I think the reason that this script could be called twice is that the firewall-start script was called twice somehow by the system during startup. One way to avoid that is to move the call to a scheduled run via cron (if you want to periodically reload the lists every few days) or in services-start (if you prefer to run it just once after the router has booted)

 

[bayern1975]

will test without run via cru from services-start.....so, then will script on every reboot pick up latest iblocklist? without cru i think double runing gone?

ASUSWRT-Merlin RT-AC3200 380.66-beta2-g7682479 Fri Apr 28 02:30:18 UTC 2017
admin@RT-AC3200-0000:/tmp/home/root# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N Blacklist
-N FUPNP
-N NSFW
-N PControls
-N SECURITY
-N SECURITY_PROTECT
-N logaccept
-N logdrop
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j SECURITY_PROTECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j Blacklist
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m set --match-set Whitelist src -j ACCEPT
-A INPUT -m set --match-set Blacklist src -j DROP
-A INPUT -d 224.0.0.0/4 -p igmp -j ACCEPT
-A INPUT -d 224.0.0.0/4 -p udp -m udp ! --dport 1900 -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -j Blacklist
-A INPUT -j DROP
-A FORWARD -m set --match-set BluetackMicrosoftCIDR src -j DROP
-A FORWARD -m set --match-set BluetackMicrosoftSingle src -j DROP
-A FORWARD -m set --match-set BluetackProxyCIDR src -j DROP
-A FORWARD -m set --match-set BluetackProxySingle src -j DROP
-A FORWARD -m set --match-set BluetackWebexploitCIDR src -j DROP
-A FORWARD -m set --match-set BluetackWebexploitSingle src -j DROP
-A FORWARD -m set --match-set BluetackDshieldCIDR src -j DROP
-A FORWARD -m set --match-set BluetackDshieldSingle src -j DROP
-A FORWARD -m set --match-set BluetackSpiderCIDR src -j DROP
-A FORWARD -m set --match-set BluetackSpiderSingle src -j DROP
-A FORWARD -m set --match-set privacy-filter_ipv4 src,dst -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 192.168.5.0/24 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 213.229.192.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.199.192.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.199.128.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.198.0.0/16 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.196.0.0/14 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 178.58.0.0/16 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 95.159.192.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 75 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j DROP
-A FORWARD ! -i br0 -o eth0 -j Blacklist
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j Blacklist
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A Blacklist -m state --state NEW -j SET --add-set Blacklist src
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
admin@RT-AC3200-0000:/tmp/home/root#

EDIT: rebooted router and again double writing....so run via cru is not a problem....huhh, i do not have idea what is wrong.....

 

[amplatfus]

No, it is not normal to have BlacklistDomains listed twice. I suspect the script may be called twice or another script is using the same name. Can you verify what scripts are called on startup? The syslog may give some indication when and what scripts are executing when.

Strange. Firewall-start is runned twice at boot.

Apr 30 11:17:30 custom script: Running /jffs/scripts/firewall-start (args: ppp0)
Apr 30 11:17:34 custom script: Running /jffs/scripts/firewall-start (args: ppp0)

After restart WhitelistDomains is listed twice (not Blacklist as before).
The only below line presence of iblocklist-loader.sh is in firewall-start.

sh /jffs/scripts/iblocklist-loader.sh

I commended the line and reboot. No rule in iptables -S. I executed manually execute the script twice and I got no duplicated:

-A FORWARD -m set --match-set WhitelistDomains src,dst -j ACCEPT
-A FORWARD -m set --match-set BlacklistDomains src,dst -j DROP

Is strange:
1. Why aren't both BlacklistDomains and WhitelistDomains duplicated?
2. Why when manually run lists are not duplicated?
Edit: I have found a thread Why does /jffs/scripts/firewall-start script run twice? https://www.snbforums.com/threads/why-does-jffs-scripts-firewall-start-script-run-twice.13045/ and here https://www.snbforums.com/index.php?threads/38853/ but it doesn't answer to my questions
All the best!

 

[amplatfus]

I did it with a trick. I put sleep so when the script will start at boot to wait 180 seconds before load the block lists. And it works. I have no duplicated WhitelistDomains or BlacklistDomains:

sleep 180
# Load ipset filter rules
sh /jffs/scripts/iblocklist-loader.sh

Edit:
I stil have other duplicated even I haven't Blacklist duplicated any more:

-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -i tun21 -j ACCEPT

Thank you all!

 

[redhat27]

Is strange:
1. Why aren't both BlacklistDomains and WhitelistDomains duplicated?
2. Why when manually run lists are not duplicated?

The script is also meant to be run in a scheduler (like cru) So what it does is it checks for the iptables rule before it creates it. So if you do the same thing in your firewall-start: for example

iptables -S | grep -q 9091 || iptables -A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
iptables -S | grep -q 51413 || (iptables -A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT; iptables -A INPUT -p udp -m udp --dport 51413 -j ACCEPT)

That will ensure that the iptables rule is not created twice

 

[kvic]

The script is also meant to be run in a scheduler (like cru) So what it does is it checks for the iptables rule before it creates it. So if you do the same thing in your firewall-start: for example

I remember firewall-start was called at least twice on reboot. Perhaps even more. Can't remember the exact number. It differs from time to time...I consider the firewall/nat rules in ASUSWRT a mess. The user scripts firewall-start/nat-start being called at multiple places in merlin builds make the situation even more messy

I used to simply flush everything at the beginning of firewall-start, and re-build all rules of my own. So yeah..definitely need more check if people are adding/manipulating iptables rules in scripts.

 

[RMerlin]

The user scripts firewall-start/nat-start being called at multiple places in merlin builds make the situation even more messy

Those scripts are only called in one single place in the code. It's just that numerous events will require the router to reconfigure the firewall rules, which means the script has to be re-run each time that happens. If you only use the scripts for their intended purposes it's not an issue, since they always get run after the related iptables chains have been wiped clean. If you do any other manipulations (such as creating new ipsets), it's your script's job to ensure that they aren't redoing something they already did previously - the firmware only wipes the chain/tables they care about at that time.

That's also why I separated nat and firewall into separate scripts, as they are separate events.

People must remember that those scripts are event-based, they are NOT timeline-based.

 

[amplatfus]

The script is also meant to be run in a scheduler (like cru) So what it does is it checks for the iptables rule before it creates it. So if you do the same thing in your firewall-start: for example

iptables -S | grep -q 9091 || iptables -A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
iptables -S | grep -q 51413 || (iptables -A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT; iptables -A INPUT -p udp -m udp --dport 51413 -j ACCEPT)

That will ensure that the iptables rule is not created twice

Hi. Thank you for idea. I implemented and worked .
After this, after google-ing I did similar for iblocklist-loader.sh in order to avoid script to have it run in many instances:
ps w | grep -v grep | grep /jffs/scripts/iblocklist-loader.sh || sh /jffs/scripts/iblocklist-loader.sh
So the firewall became:

#!/bin/sh
iptables -S | grep -q 51413 || (iptables -I INPUT -p tcp --destination-port 51413 -j ACCEPT; iptables -I INPUT -p udp --destination-port 51413 -j ACCEPT)
iptables -S | grep -q 9091 || iptables -I INPUT -p tcp --destination-port 9091 -j ACCEPT
ps w  | grep -v grep | grep /jffs/scripts/iblocklist-loader.sh || sh /jffs/scripts/iblocklist-loader.sh

And works
Thank you all!
Edit: changed commands for 9091 and 51413

 

[bayern1975]

i didn`t find solution....yesterday and today played about this but nothing better....i removed scripts from jffs....

 

[amplatfus]

i didn`t find solution....yesterday and today played about this but nothing better....i removed scripts from jffs....

How about #68? Especially line to avoid iblocklist-loader.sh to be run in multiple instances:

ps w  | grep -v grep | grep /jffs/scripts/iblocklist-loader.sh || sh /jffs/scripts/iblocklist-loader.sh

 

[bayern1975]

How about #68? Especially line to avoid iblocklist-loader.sh to be run in multiple instances:

ps w  | grep -v grep | grep /jffs/scripts/iblocklist-loader.sh || sh /jffs/scripts/iblocklist-loader.sh

i do not think so that will help me because i have this problem with iblocker,ipset, block and privacy-filter.....it is fine just if i install just one script....if i add second then goes double runing....

 

[redhat27]

@bayern1975 There should be ways to get around your issue. You can try:

# Call the create/update generic block list loader script
ipset -L BlacklistDomains 2>&1 | grep -q "does not exist" && sh /jffs/scripts/iblocklist-loader.sh

in firewall-start
OR
Try to remove the call completely out of firewall-start and move it to services-start
OR
Run it in cru every few days. You can also opt to change the line USE_LOCAL_CACHE=Y to USE_LOCAL_CACHE=N to get a fresh copy of the list each time its run

 

[bayern1975]

i think i solve double runing with @amplatfus.....i put this lines in firewall-start....i was rebooted router twice and i think no more double runing....

ps w | grep -v grep | grep /jffs/scripts/IPSET_Block.sh || sh /jffs/scripts/IPSET_Block.sh
ps w | grep -v grep | grep /jffs/scripts/iblocklist-loader.sh || sh /jffs/scripts/iblocklist-loader.sh
ps w | grep -v grep | grep /jffs/scripts/HackerPorts.sh || sh /jffs/scripts/HackerPorts.sh
ps w | grep -v grep | grep /jffs/scripts/privacy-filter || sh /jffs/scripts/privacy-filter

ASUSWRT-Merlin RT-AC3200 380.66-beta2-g7682479 Fri Apr 28 02:30:18 UTC 2017
admin@RT-AC3200-0000:/tmp/home/root# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FUPNP
-N NSFW
-N PControls
-N SECURITY
-N SECURITY_PROTECT
-N logaccept
-N logdrop
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j SECURITY_PROTECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -d 224.0.0.0/4 -p igmp -j ACCEPT
-A INPUT -d 224.0.0.0/4 -p udp -m udp ! --dport 1900 -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m set --match-set privacy-filter_ipv4 src,dst -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m set --match-set BluetackProxyCIDR src -j DROP
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -m set --match-set BluetackProxySingle src -j DROP
-A FORWARD -m set --match-set BluetackWebexploitCIDR src -j DROP
-A FORWARD -m set --match-set BluetackWebexploitSingle src -j DROP
-A FORWARD -m set --match-set BluetackDshieldCIDR src -j DROP
-A FORWARD -m set --match-set BluetackDshieldSingle src -j DROP
-A FORWARD -m set --match-set BluetackSpiderCIDR src -j DROP
-A FORWARD -m set --match-set BluetackSpiderSingle src -j DROP
-A FORWARD -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 192.168.5.0/24 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 213.229.192.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.199.192.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.199.128.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.198.0.0/16 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.196.0.0/14 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 178.58.0.0/16 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 95.159.192.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 75 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j DROP
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
admin@RT-AC3200-0000:/tmp/home/root#

 

[redhat27]

Awesome. Glad you got it sorted. I see a few repeated entries, you can use a similar approach to post #65 to have them appear once (if you like).

 

[amplatfus]

i think i solve double runing with @amplatfus.....i put this lines in firewall-start....i was rebooted router twice and i think no more double runing....

ps w | grep -v grep | grep /jffs/scripts/IPSET_Block.sh || sh /jffs/scripts/IPSET_Block.sh
ps w | grep -v grep | grep /jffs/scripts/iblocklist-loader.sh || sh /jffs/scripts/iblocklist-loader.sh
ps w | grep -v grep | grep /jffs/scripts/HackerPorts.sh || sh /jffs/scripts/HackerPorts.sh
ps w | grep -v grep | grep /jffs/scripts/privacy-filter || sh /jffs/scripts/privacy-filter

ASUSWRT-Merlin RT-AC3200 380.66-beta2-g7682479 Fri Apr 28 02:30:18 UTC 2017
admin@RT-AC3200-0000:/tmp/home/root# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FUPNP
-N NSFW
-N PControls
-N SECURITY
-N SECURITY_PROTECT
-N logaccept
-N logdrop
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j SECURITY_PROTECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -d 224.0.0.0/4 -p igmp -j ACCEPT
-A INPUT -d 224.0.0.0/4 -p udp -m udp ! --dport 1900 -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m set --match-set privacy-filter_ipv4 src,dst -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m set --match-set BluetackProxyCIDR src -j DROP
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -m set --match-set BluetackProxySingle src -j DROP
-A FORWARD -m set --match-set BluetackWebexploitCIDR src -j DROP
-A FORWARD -m set --match-set BluetackWebexploitSingle src -j DROP
-A FORWARD -m set --match-set BluetackDshieldCIDR src -j DROP
-A FORWARD -m set --match-set BluetackDshieldSingle src -j DROP
-A FORWARD -m set --match-set BluetackSpiderCIDR src -j DROP
-A FORWARD -m set --match-set BluetackSpiderSingle src -j DROP
-A FORWARD -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 192.168.5.0/24 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 213.229.192.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.199.192.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.199.128.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.198.0.0/16 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.196.0.0/14 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 178.58.0.0/16 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 95.159.192.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 75 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j DROP
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
admin@RT-AC3200-0000:/tmp/home/root#

Like @redhat27 said I can also see you still have some at ports open. For those please use redhat27 method at #65

-A FORWARD -s 188.199.192.0/18 -p tcp -m tcp --dport 75 -j ACCEPT
-A FORWARD -s 188.199.128.0/18 -p tcp -m tcp --dport 75 -j ACCEPT

 

[bayern1975]

yes, port 75 is open but access to this port has just specific IP addresses....

Poslano z mojega EVA-L09 z uporabo Tapatalk

 

[amplatfus]

yes, port 75 is open but access to this port has just specific IP addresses....

Poslano z mojega EVA-L09 z uporabo Tapatalk

But that line is listed twice identical... solution is at #65.

 

[bayern1975]

But that line is listed twice identical... solution is at #65.

It isn't...there are two different cidr addresses....

Poslano z mojega EVA-L09 z uporabo Tapatalk

 

[redhat27]

Yes, sorry they looked identical . The only identical line is the one with the x'ed out address.

 

[p1r473]

The script is for free lists. The gzipped archive may be password encrypted. You can try to modify the script to gunzip with your pin, but I cannot guarantee it would work, as I've never tried it myself.

If you wget the archived file (with your username/pin url), can you gunzip without a password? If you can, the script should work.

Hi, 2 quick questions
1. If I run this script, then ANOTHER different script (I want to make my own IPTABLE script blocking port 22), will I be able to run my own script before / after this one? I am wondering if somewhere, your script erases all previous IPTABLES, and so do I have to write my own IPTABLES rules after your script, and not before, or if it doesn't matter in which order the scripts are run?
2. I tried to download a premium gzip with my subscriber account. The archive is not locked with a password or pin in any way. The only thing that is different is HOW it is accessed. Simply visiting the URL gives me a gzip that I was able to open in winrar WITHOUT needing to enter any password/pin.
The format as I put before is:
http://list.iblocklist.com/?list=LI...rchiveformat=gz&username=MYUSERNAME&pin=MYPIN
With LISTID, MYUSERNAME, and MYPIN all redacted.
My question is, if the list is not passworded at all, then why do I still get the error?
gunzip: invalid magic
It appears the only difference is the inclusion at the very end of the URL of &username=MYNAME&pin=MYPIN, the rest is all the same