
Malware Filter / bad host IPSET


kobejo34

Occasional Visitor
Hello,

I am trying to block outbound connections to known bad hosts from my LAN/wireless. I am running the script linked below and have the firewall rules below, so it looks to be working. Anyone know what else to check?

Running this script under the heading "Malware Filter"

https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset

Firewall Rule

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter dst
256K 21M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
33 3014 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
433 22328 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
92238 7445K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0


Install script seems to work

admin@rt-:/jffs/scripts# sh -x firewall-start
+ path=/jffs/filters
+ echo \b([0-9]{1,3}\.){3}[0-9]{1,3}\b
+ regexp=\b([0-9]{1,3}\.){3}[0-9]{1,3}\b
+ lsmod
+ grep ipt_set
+ uname -m
+ MATCH_SET=--set
+ ipset --swap malware-filter malware-filter
+ grep Unknown set
+ [ != ]
+ ipset --destroy malware-update
+ echo -e -N malware-update iphash\n
+ get_update
+ mkdir -p /jffs/filters
+ wget -q --show-progress -i /jffs/filters/malware-filter.list -O /jffs/filters/malware-list.pre
+ nice ipset --restore
+ nice sed s/^/-A malware-update /
/jffs/filters/malware-list.pre 100%[====================================================================>] 158.12K 753KB/s in 0.2s
/jffs/filters/malware-list.pre [ <=> ] 2.28K --.-KB/s in 0.002s
/jffs/filters/malware-list.pre [ <=> ] 10.21K --.-KB/s in 0.1s
/jffs/filters/malware-list.pre 100%[====================================================================>] 17.06K --.-KB/s in 0.02s
/jffs/filters/malware-list.pre 100%[====================================================================>] 92.21K --.-KB/s in 0.1s
+ cat /jffs/filters/malware-list.pre
+ grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b
+ sort -u
+ echo -e \nCOMMIT\n
+ nice ipset --swap malware-update malware-filter
+ nice ipset --destroy malware-update
+ exit 0
 
Anyone know what else to check?
Try pinging any malware IP address, to see if it's working. Look at the iptables packet and byte counters, to verify that your ipset match rule is working.
Code:
/usr/sbin/iptables -L FORWARD -v -n
 
Yes, thank you. I have a ping running, and they are being accepted. The iptables command came back with ACCEPT, that's weird. Looks like there are matches, but they are ACCEPTED.

admin@rt-holland:/jffs/scripts# /usr/sbin/iptables -L FORWARD -v -n
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
79939 11M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
18 1318 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
178 9139 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
22091 1732K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
 
The iptables command came back with ACCEPT, that's weird.
The DROP rule seems to be missing at the top of your FORWARD chain. I saw it in your previous post, but not this one. The "pkts" and "bytes" columns are what you want to be looking at for the DROP rule. You will know that the rule is matching packets when you see those 2 numbers increasing.
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter dst
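One way to automate the counter check described in this reply, as an added example that is not code from the thread or the wiki: a shell function that parses `iptables -L FORWARD -v -n` output for the rule referencing the set and reports its position, packet counter and target. The chain dump is a constructed sample modelled on the output posted above.

```shell
#!/bin/sh
# Constructed sample of `iptables -L FORWARD -v -n` output, modelled on the chain
# dumps posted in this thread (not real output from any router).
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DROP   all  --  *   *   0.0.0.0/0  0.0.0.0/0  set malware-filter dst
 156K   30M ACCEPT all  --  *   *   0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
56251 4685K ACCEPT all  --  br0 *   0.0.0.0/0  0.0.0.0/0'

# Same dump without the ipset rule: the situation in the second chain dump above.
SAMPLE_MISSING=$(printf '%s\n' "$SAMPLE_FORWARD" | grep -v 'malware-filter')

# malware_rule_status <chain dump> <set name>
# Prints "<position> <pkts> <target>" for the first rule that matches the set,
# or "missing" when no rule references it. Position 1 means evaluated first.
malware_rule_status() {
    printf '%s\n' "$1" | awk -v setname="$2" '
        NR <= 2 { next }                          # chain header and column titles
        { pos++ }
        index($0, "set " setname) { print pos, $1, $3; found = 1; exit }
        END { if (!found) print "missing" }'
}

# check_filter <chain dump> <set name>
# Exit 0 only when the rule exists and sits first in the chain; explains otherwise.
check_filter() {
    name=$2
    status=$(malware_rule_status "$1" "$2")
    set -- $status
    case "$1" in
        missing)
            echo "no rule references $name: firewall-start did not run or iptables -I failed"
            return 1 ;;
        1)
            echo "rule is first; target=$3 pkts=$2 (pkts must grow when a listed IP is contacted)"
            return 0 ;;
        *)
            echo "rule present but at position $1; an earlier ACCEPT can shadow it"
            return 2 ;;
    esac
}

check_filter "$SAMPLE_FORWARD" malware-filter
check_filter "$SAMPLE_MISSING" malware-filter || true   # demonstrates the failing case
```

On the router, replace the sample with `"$(iptables -L FORWARD -v -n)"` and run the check twice around a ping to a listed address: the pkts value must increase between the two runs.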
 
Seems like the script writes it that way

done
[ -z "$(iptables-save | grep malware-filter)" ] && iptables -I FORWARD -m set $MATCH_SET malware-filter dst -j DROP
fi


I'm clueless how to change it.
 
What router and program version do you use? (don't say latest)
 
Okay, ipset has been updated, not sure about RT-AC66 though.

Try to change:
Code:
# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
    insmod $module
done

To

Code:
# Load ipset modules
ipset -v | grep -i "v4" > /dev/null 2>&1
if [ $? -eq 0 ]; then
    # old ipset
    ipsetv=4
    lsmod | grep "ipt_set" > /dev/null 2>&1 || \
    for module in ip_set ip_set_nethash ip_set_iphash ipt_set
    do
        insmod $module
    done
else
    # new ipset
    ipsetv=6
    lsmod | grep "xt_set" > /dev/null 2>&1 || \
    for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
    do
        insmod $module
    done
fi
http://www.snbforums.com/threads/fo...ilable-v18e3-v19b4.18914/page-209#post-278253
 
Okay, ipset has been updated, not sure about RT-AC66 though.

ipset version is only upgraded in 380.63, and it's only for ARM models. RT-N66U and RT-AC66U are staying on 4.x due to their Jurassic kernel.
 
ipset version is only upgraded in 380.63, and it's only for ARM models. RT-N66U and RT-AC66U are staying on 4.x due to their Jurassic kernel.
Okay, I was unsure about that. Sorry.
 
Well, it does say DROP now, but the script does have some errors, perhaps from IPv6 maybe, but the traffic is still allowed to ping out.

admin@rt-holland:/jffs/scripts# /usr/sbin/iptables -L FORWARD -v -n
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter dst
156K 30M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
11 907 logdrop all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
14 966 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
586 29690 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
56251 4685K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0


insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set.ko': File exists
+ insmod ip_set_nethash
+ insmod ip_set_iphash
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set_iphash.ko': File exists
+ insmod ipt_set
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ipt_set.ko': File exists
 
When I install the script I have a problem with this message:
+ nice ipset --swap malware-update malware-filter
ipset v6.29: Sets cannot be swapped: the second set does not exist
+ exit 1
Someone knows how to resolve it?

I have the program version 380.65 alpha2 on my ARM RT-AC68U
 
It is the same script that I have installed on the partition /jffs/scripts/firewall-start, and when I executed it I got this message: ipset v6.29: Sets cannot be swapped: the second set does not exist
I copied and pasted the script, and I don't know if I have to change something before executing it.
 
admin@RT-AC68U-F000:/jffs/scripts# ./firewall-start
/opt/var/cache/malw 100%[=====================>] 159.60K 230KB/s in 0.7s
/opt/var/cache/malw [ <=> ] 2.34K --.-KB/s in 0.001s
/opt/var/cache/malw [ <=> ] 10.47K --.-KB/s in 0.04s
/opt/var/cache/malw 100%[=====================>] 17.00K 111KB/s in 0.2s
/opt/var/cache/malw 100%[=====================>] 193.50K 192KB/s in 1.0s
ipset v6.29: Sets cannot be swapped: the second set does not exist
 
ipset v6.29: Change to this:
Code:
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
Start modules with this:
Code:
lsmod | grep "xt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
do
    insmod $module
done
 
So this is my cleanup. Feel free to go through it and suggest improvements, and please change it on the wiki and not just post to this thread.

Also added a link for the Mirai blocklist on the wiki.

Code:
#!/bin/sh

# Original script by swetoast. Updates by Neurophile & Octopus.

# SET CONFIG
path=/opt/var/cache/malware-filter  #path for malware filter files
# END CONFIG

# SET VARIABLES
# single quotes keep the backslashes intact; some echo builtins turn \b into a backspace
regexp='\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'
# END VARIABLES

#Load ipset modules

ipset -v | grep -i "v4" > /dev/null 2>&1
if [ $? -eq 0 ]; then
     # old ipset
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     # new ipset
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

#Different routers got different iptables syntax
case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'
;;
mips)
    MATCH_SET='--set'
;;
*)
    # unknown architecture: pick the syntax matching the detected ipset version
    [ "$ipsetv" = "4" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
;;
esac

# Get lists
get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        grep -oE "$regexp" $path/malware-list.pre | sort -u > $path/malware-filter.txt
}

run_ipset () {

get_list

# Create the live set if it does not exist yet (the error text differs between ipset v4 and v6)
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
  ipset -N malware-filter iphash
fi

# Load the downloaded list into a staging set and swap it in, so the live set is
# replaced atomically instead of being destroyed while an iptables rule still references it
ipset --destroy malware-update > /dev/null 2>&1
{ echo "-N malware-update iphash"; sed "s/^/-A malware-update /" $path/malware-filter.txt; echo "COMMIT"; } | ipset --restore
ipset --swap malware-update malware-filter
ipset --destroy malware-update

# Apply iptables rule
iptables-save | grep malware-filter > /dev/null 2>&1 || \
  iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j DROP
}

run_ipset
exit $?
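An added example (not the wiki script or any poster's code) of the list-to-ipset step, with a check the thread's regexp lacks: a feed line with an octet above 255 still matches the regexp, and one such entry makes `ipset --restore` abort and leave the set empty. The feed sample is constructed; `load_set` assumes the router's ipset and the malware-filter/malware-update set names used in the thread.

```shell
#!/bin/sh
# Constructed sample of what wget -i writes to malware-list.pre when several feeds
# are concatenated: comments, duplicates, a CIDR entry, a host-list line and an
# entry with an out-of-range octet. Not real feed data.
SAMPLE_PRE='# Feed A, generated by tool version 1.2.3.4
198.51.100.7
198.51.100.7
203.0.113.0/24
999.1.1.1   # bad octet: would make ipset --restore abort
192.0.2.55  c2.example.invalid'

# Strip comments, apply the same regexp as the wiki script, de-duplicate, and
# reject any quad with an octet above 255 so a single bad feed line cannot
# abort the restore and leave the filter silently empty.
extract_ips() {
    sed 's/#.*//' | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | sort -u |
        awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}

# build_restore <staging set name>: emit an `ipset --restore` stream on stdout
# from the list on stdin, in the -N/-A/COMMIT form seen in the trace above.
# The iphash type holds single addresses, so 203.0.113.0/24 becomes 203.0.113.0.
build_restore() {
    echo "-N $1 iphash"
    extract_ips | sed "s/^/-A $1 /"
    echo "COMMIT"
}

# load_set <list file>: on the router, fill a staging set and swap it into the
# live malware-filter set atomically. Not executed here (needs ipset and root).
load_set() {
    ipset --destroy malware-update > /dev/null 2>&1
    build_restore malware-update < "$1" | ipset --restore &&
        ipset --swap malware-update malware-filter &&
        ipset --destroy malware-update
}

printf '%s\n' "$SAMPLE_PRE" | build_restore malware-update
```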
 
Just a suggestion: in the FORWARD chain use REJECT, which avoids the DROP wait-out timing (dropping after n seconds).
Code:
 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
 
