So I've been running tests since the new revision and 30000+ takes around 5 min on an RT-AC56U. Kinda curious to hear results from others. I am interested in both routers with and without Entware installed.
Just run this command:
time malware-block
and when the script ends it prints out 3 stats. I used the "real" one as the measurement for my tests, so please post avg time, router model and whether Entware was present.
/cache/malware-filter# time malware-block
time: can't execute 'malware-block': No such file or directory
Command exited with non-zero status 127
real 0m 0.00s
user 0m 0.00s
sys 0m 0.00s
opkg install time
system: Malware Filter loaded 35002 unique ip addresses.
159.67user 107.07system 2:48.78elapsed 158%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+0minor)pagefaults 0swaps
time -f "\t%U user,\t%S system,\t%E elasped, \t%e real" malware-block
system: Malware Filter loaded 34997 unique ip addresses.
161.19 user, 105.15 system, 2:45.65 elasped, 165.65 real
Around 05:10 for both RT-N66R (single-core MIPS) and RT-AC68U (dual-core ARM).
iptables -vnL FORWARD
Chain FORWARD (Policy DROP 0 packets, 0 bytes)
pkts bytes target Prot opt in out source destination
0 0 DROP ALL -- * * 0.0.0.0/0 0.0.0.0/0 match-set malware-filter src
#!/bin/sh
# Mail the malware-filter rule's counters whenever its packet counter is not zero
if [ "$(iptables -vnL FORWARD | grep -w 'malware-filter' | awk '{print $1}')" != "0" ]; then
    # SMTP parameters
    SMTP="smtp server address ie smtp.outlook.com"
    PORT="465"
    USERNAME="email account"
    PASSWORD="email password"
    # Mail envelope
    FROM_NAME="Router"
    FROM_ADDRESS="from email address"
    TO_NAME="name"
    TO_ADDRESS="to email address"
    ### Do not change below
    echo "From: \"$FROM_NAME\" <$FROM_ADDRESS>" > /tmp/mail.txt
    echo "To: \"$TO_NAME\" <$TO_ADDRESS>" >> /tmp/mail.txt
    echo "Subject: Malware filter block results" >> /tmp/mail.txt
    echo "" >> /tmp/mail.txt
    # Rule 1 of FORWARD is the rule malware-block inserts at the top of the chain
    iptables -vnL FORWARD 1 >> /tmp/mail.txt
    # --insecure skips verification of the SMTP server's certificate
    curl --url smtps://$SMTP:$PORT \
        --mail-from "$FROM_ADDRESS" --mail-rcpt "$TO_ADDRESS" \
        --upload-file /tmp/mail.txt \
        --ssl-reqd \
        --user "$USERNAME:$PASSWORD" --insecure
    rm /tmp/mail.txt
fi
$path/malware-email
#!/bin/sh
# Author: Toast
# Contributors: Octopus, Tomsk, Neurophile, jimf, spalife
# Testers: shooter40sw
# Revision 10
path=/opt/var/cache/malware-filter # Set your path here
retries=3 # Set number of tries here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"` # Don't change this value (matches a dotted-quad IPv4 address)

# Select ipset syntax and kernel modules from the ipset protocol version in use
case $(ipset -v | grep -oE "ipset v[0-9]") in
    *v6) # Values for ARM routers
        MATCH_SET='--match-set'
        HASH='hash:ip'
        SYNTAX='add'
        SWAPPED='swap'
        DESTROYED='destroy'
        OPTIONAL='family inet hashsize 2048 maxelem 65536'
        ipsetv=6
        # Load the set modules only if the iptables set match is not loaded yet
        lsmod | grep "xt_set" > /dev/null 2>&1 || \
        for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
        do
            insmod $module
        done
        ;;
    *v4) # Values for MIPS routers
        MATCH_SET='--set'
        HASH='iphash'
        SYNTAX='-q -A'
        SWAPPED='-W'
        DESTROYED='--destroy'
        OPTIONAL=''
        ipsetv=4
        lsmod | grep "ipt_set" > /dev/null 2>&1 || \
        for module in ip_set ip_set_nethash ip_set_iphash ipt_set
        do
            insmod $module
        done
        ;;
esac

# Download every URL in malware-filter.list and keep the unique IPv4 addresses
get_list () {
    mkdir -p $path
    wget -q --tries=$retries --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
    cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
}

run_ipset () {
    get_list
    echo "adding ipset rule to firewall this will take time."
    ipset -L malware-filter >/dev/null 2>&1
    if [ $? -ne 0 ]; then
        # Set does not exist yet: create it and fill it directly
        if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
            nice -n 2 ipset -N malware-filter $HASH $OPTIONAL
            cat $path/malware-filter.txt | xargs -P10 -I {} ipset $SYNTAX malware-filter {}
        fi
    else
        # Set exists: build a fresh set, swap it in, then drop the old one
        nice -n 2 ipset -N malware-update $HASH $OPTIONAL
        cat $path/malware-filter.txt | xargs -P10 -I {} ipset $SYNTAX malware-update {}
        nice -n 2 ipset $SWAPPED malware-update malware-filter
        nice -n 2 ipset $DESTROYED malware-update
    fi
    # (Re)insert the REJECT rule at the top of FORWARD so it is evaluated first
    iptables -L | grep malware-filter > /dev/null 2>&1
    if [ $? -ne 0 ]; then
        nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
    else
        nice -n 2 iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
        nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
    fi
}

run_ipset
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
exit $?
Oh well... the BusyBox xargs must be pretty stripped down..... that's really basic usage.

No it doesn't, and that's nothing I can do anything about, so either install Entware or do it the old slow way.
cat $path/malware-filter.txt | xargs -I {} ipset $SYNTAX malware-filter {}
Replaces
for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-filter $i ; done
And
cat $path/malware-filter.txt | xargs -I {} ipset $SYNTAX malware-update {}
Replaces
for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
You may want to compare the speed for piping cat through ipset in Entware with the -P10 option against the existing version too; it seemed pretty spiffy for me when I tried.

Cool, I'll review and test, and if it's good I'll merge, creds as usual.
#!/bin/sh
# Author: Toast
# Contributors: Octopus, Tomsk, Neurophile, jimf, spalife
# Testers: shooter40sw
# Revision 11
path=/opt/var/cache/malware-filter # Set your path here
retries=3 # Set number of tries here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"` # Don't change this value (matches a dotted-quad IPv4 address)

# Select ipset syntax and kernel modules from the ipset protocol version in use
case $(ipset -v | grep -oE "ipset v[0-9]") in
    *v6) # Values for ARM routers
        MATCH_SET='--match-set'
        HASH='hash:ip'
        SYNTAX='add'
        SWAPPED='swap'
        DESTROYED='destroy'
        OPTIONAL='family inet hashsize 2048 maxelem 65536'
        ipsetv=6
        # Load the set modules only if the iptables set match is not loaded yet
        lsmod | grep "xt_set" > /dev/null 2>&1 || \
        for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
        do
            insmod $module
        done
        ;;
    *v4) # Values for MIPS routers
        MATCH_SET='--set'
        HASH='iphash'
        SYNTAX='-q -A'
        SWAPPED='-W'
        DESTROYED='--destroy'
        OPTIONAL=''
        ipsetv=4
        lsmod | grep "ipt_set" > /dev/null 2>&1 || \
        for module in ip_set ip_set_nethash ip_set_iphash ipt_set
        do
            insmod $module
        done
        ;;
esac

# Download every URL in malware-filter.list and keep the unique IPv4 addresses
get_list () {
    mkdir -p $path
    wget -q --tries=$retries --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
    cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
}

run_ipset () {
    get_list
    echo "adding ipset rule to firewall this will take time."
    ipset -L malware-filter >/dev/null 2>&1
    if [ $? -ne 0 ]; then
        # Set does not exist yet: create it and fill it directly
        if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
            nice -n 2 ipset -N malware-filter $HASH $OPTIONAL
            if [ -f /opt/bin/xargs ]; then
                # Entware xargs: 10 ipset adds in parallel
                /opt/bin/xargs -P10 -I "PARAM" -n1 -a $path/malware-filter.txt nice -n 2 ipset $SYNTAX malware-filter PARAM
            else
                # BusyBox xargs has no -P/-a: serial fallback
                cat $path/malware-filter.txt | xargs -I {} ipset $SYNTAX malware-filter {}
            fi
        fi
    else
        # Set exists: build a fresh set, swap it in, then drop the old one
        nice -n 2 ipset -N malware-update $HASH $OPTIONAL
        if [ -f /opt/bin/xargs ]; then
            /opt/bin/xargs -P10 -I "PARAM" -n1 -a $path/malware-filter.txt nice -n 2 ipset $SYNTAX malware-update PARAM
        else
            cat $path/malware-filter.txt | xargs -I {} ipset $SYNTAX malware-update {}
        fi
        nice -n 2 ipset $SWAPPED malware-update malware-filter
        nice -n 2 ipset $DESTROYED malware-update
    fi
    # (Re)insert the REJECT rule at the top of FORWARD so it is evaluated first
    iptables -L | grep malware-filter > /dev/null 2>&1
    if [ $? -ne 0 ]; then
        nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
    else
        nice -n 2 iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
        nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
    fi
}

run_ipset
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
exit $?
#!/bin/sh
# Author: Toast
# Contributors: Octopus, Tomsk, Neurophile, jimf, spalife
# Testers: shooter40sw
# Revision 12
path=/opt/var/cache/malware-filter # Set your path here
retries=3 # Set number of tries here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"` # Don't change this value (matches a dotted-quad IPv4 address)

# Select ipset syntax and kernel modules from the ipset protocol version in use
case $(ipset -v | grep -oE "ipset v[0-9]") in
    *v6) # Values for ARM routers
        MATCH_SET='--match-set'
        HASH='hash:ip'
        SYNTAX='add'
        SWAPPED='swap'
        DESTROYED='destroy'
        OPTIONAL='family inet hashsize 2048 maxelem 65536'
        ipsetv=6
        # Load the set modules only if the iptables set match is not loaded yet
        lsmod | grep "xt_set" > /dev/null 2>&1 || \
        for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
        do
            insmod $module
        done
        ;;
    *v4) # Values for MIPS routers
        MATCH_SET='--set'
        HASH='iphash'
        SYNTAX='-q -A'
        SWAPPED='-W'
        DESTROYED='--destroy'
        OPTIONAL=''
        ipsetv=4
        lsmod | grep "ipt_set" > /dev/null 2>&1 || \
        for module in ip_set ip_set_nethash ip_set_iphash ipt_set
        do
            insmod $module
        done
        ;;
esac

# Download every URL in malware-filter.list, drop lines that start with a
# loopback or RFC 1918 address, and keep the unique IPv4 addresses
get_list () {
    mkdir -p $path
    wget -q --tries=$retries --show-progress -i $path/malware-filter.list -O $path/malware-list.tmp
    awk '!/(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)/' $path/malware-list.tmp > $path/malware-list.pre
    cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
    if [ -f $path/malware-list.tmp ]; then rm $path/malware-list.tmp; fi
    if [ -f $path/malware-list.pre ]; then rm $path/malware-list.pre; fi
}

run_ipset () {
    get_list
    echo "adding ipset rule to firewall this will take time."
    ipset -L malware-filter >/dev/null 2>&1
    if [ $? -ne 0 ]; then
        # Set does not exist yet: create it and fill it directly
        if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
            nice -n 2 ipset -N malware-filter $HASH $OPTIONAL
            if [ -f /opt/bin/xargs ]; then
                # Entware xargs: 10 ipset adds in parallel
                /opt/bin/xargs -P10 -I "PARAM" -n1 -a $path/malware-filter.txt nice -n 2 ipset $SYNTAX malware-filter PARAM
            else
                # BusyBox xargs has no -P/-a: serial fallback
                cat $path/malware-filter.txt | xargs -I {} ipset $SYNTAX malware-filter {}
            fi
        fi
    else
        # Set exists: build a fresh set, swap it in, then drop the old one
        nice -n 2 ipset -N malware-update $HASH $OPTIONAL
        if [ -f /opt/bin/xargs ]; then
            /opt/bin/xargs -P10 -I "PARAM" -n1 -a $path/malware-filter.txt nice -n 2 ipset $SYNTAX malware-update PARAM
        else
            cat $path/malware-filter.txt | xargs -I {} ipset $SYNTAX malware-update {}
        fi
        nice -n 2 ipset $SWAPPED malware-update malware-filter
        nice -n 2 ipset $DESTROYED malware-update
    fi
    # (Re)insert the REJECT rule at the top of FORWARD so it is evaluated first
    iptables -L | grep malware-filter > /dev/null 2>&1
    if [ $? -ne 0 ]; then
        nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
    else
        nice -n 2 iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
        nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
    fi
}

run_ipset
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
exit $?
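The awk in revision 12 drops a downloaded line only when it starts with a private address, so a private address that appears later in a line (a comment, or a hosts-style entry) still reaches ipset and ends up blocking the router's own LAN. The following is an added example, not the thread's script, that applies the exclusion per extracted address; the sample list is constructed.

```shell
# Added example, not the thread's script: exclude private/reserved addresses
# per extracted address rather than per input line, which is what the
# revision 12 awk does. Runs offline on a constructed sample.

# Constructed sample of a merged download (malware-list.tmp). The private
# addresses that do not start their line survive the revision 12 line filter.
SAMPLE_LIST='# feed header, generated 2017-01-01
198.51.100.7
203.0.113.0/24   ; range entry, comment mentions 10.0.0.1
127.0.0.1 localhost
0.0.0.0 sinkhole.example
192.168.1.20
172.16.5.5
172.32.0.1
10.9.8.7
198.51.100.7
bad.example 169.254.10.10
224.0.0.251'

# Every dotted-quad literal in the input, deduplicated (the thread's regexp).
extract_ipv4() {
    grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | LC_ALL=C sort -u
}

# Drop what a router must never block: malformed octets, 0/8, loopback,
# RFC 1918, link-local, multicast and above. Decided on the octets alone, so
# where the address sat in the original line no longer matters.
drop_reserved() {
    awk -F. '
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 { next }  # not an address
        $1 == 0 || $1 == 127 || $1 == 10              { next }  # 0/8 127/8 10/8
        $1 == 172 && $2 >= 16 && $2 <= 31             { next }  # 172.16/12
        $1 == 192 && $2 == 168                        { next }  # 192.168/16
        $1 == 169 && $2 == 254                        { next }  # link-local
        $1 >= 224                                     { next }  # multicast+
        { print }'
}

# What would go into malware-filter.txt for the sample above.
build_blocklist() {
    printf '%s\n' "$SAMPLE_LIST" | extract_ipv4 | drop_reserved
}

build_blocklist
```

In the script this would replace the awk line and the grep in get_list with `grep -oE "$regexp" $path/malware-list.tmp | sort -u | drop_reserved`.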
Hello to everybody.
First of all I apologize for my poor English. Well, I have an RT-AC68U with an ARM processor at 800 MHz, I have installed Merlin 380.65, and after that I installed Entware; then I tried to run the script that is the object of this topic.
I cut and pasted the version that is in the wiki, but I'm not able to run the script correctly.
This is the error I get from the SSH interface:
./malware-block.sh
ipset v4.5: Kernel ip_set module is of protocol version 6.I'm of protocol version 4.
Please upgrade your kernel and/or ipset(8) utillity.
insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/ipset/ip_set.ko': File exists
insmod: can't insert 'ip_set_nethash.ko': No such file or directory
insmod: can't insert 'ip_set_iphash.ko': No such file or directory
insmod: can't insert 'ipt_set.ko': No such file or directory
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 160.31K 363KB/s in 0.4s
/opt/var/cache/malware-filter/malware-list.tmp [ <=> ] 2.12K --.-KB/s in 0s
/opt/var/cache/malware-filter/malware-list.tmp [ <=> ] 10.88K --.-KB/s in 0.05s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 15.20K 94.8KB/s in 0.2s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 27.24K --.-KB/s in 0.1s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 58.11K --.-KB/s in 0.04s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 19.27K --.-KB/s in 0.001s
adding ipset rule to firewall this will take time.
--set option deprecated, please use --match-set
iptables v1.4.14: Set malware-filter doesn't exist.
Try `iptables -h' or 'iptables --help' for more information.
system: Malware Filter loaded 19831 unique ip addresses.
I understood that the problem is the version of ipset, but I'm not able to correct the problem. Can anybody help me?

AC68U on 380.65 should be using ipset v6.... if you just type ipset at the command line what does it say?
admin@RT-AC68U:/tmp/mnt/sda1/entware-ng.arm/bin# ipset -v
ipset v4.5, protocol version 4.
ipset v4.5: Kernel ip_set module is of protocol version 6.I'm of protocol version 4.
Please upgrade your kernel and/or ipset(8) utillity.
ipset v6.29, protocol version: 6
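The output above is the root cause: the Entware ipset (v4.5, protocol 4) is found first in PATH while the kernel module speaks protocol 6, so the script's case statement takes the MIPS branch on an ARM router. The following is an added check, not part of the thread's script, that parses these exact banners and picks a binary whose protocol matches the kernel; the /usr/sbin/ipset and /opt/sbin/ipset locations are assumptions.

```shell
# Added example, not part of the thread's script: detect the ipset userland/
# kernel protocol mismatch from the banners shown above, and choose a binary
# that matches the kernel. Binary paths passed to pick_ipset are assumptions.

# Userland protocol number from a banner or error line:
#   "ipset v6.29, protocol version: 6"  -> 6
#   "ipset v4.5, protocol version 4."   -> 4
userland_proto() {
    printf '%s\n' "$1" \
        | sed -n 's/.*protocol version:\{0,1\} *\([0-9]\{1,\}\).*/\1/p' | head -n 1
}

# Protocol the kernel module reports in the mismatch error, empty otherwise:
#   "Kernel ip_set module is of protocol version 6.I'm of protocol version 4." -> 6
kernel_proto_from_error() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Kernel ip_set module is of protocol version \([0-9]\{1,\}\).*/\1/p' | head -n 1
}

# Classify the combined stdout+stderr of "ipset -v": "ok <proto>" with status 0
# when userland and kernel agree, "mismatch <userland> <kernel>" or "unknown"
# with status 1 otherwise.
classify_ipset_output() {
    u=$(userland_proto "$1")
    k=$(kernel_proto_from_error "$1")
    if [ -z "$u" ]; then
        echo "unknown"; return 1
    fi
    if [ -n "$k" ] && [ "$k" != "$u" ]; then
        echo "mismatch $u $k"; return 1
    fi
    echo "ok $u"
}

# Print the first candidate binary whose protocol matches the running kernel.
# On the router (assumed locations: firmware ipset, then Entware's) use
#   IPSET=$(pick_ipset /usr/sbin/ipset /opt/sbin/ipset) || exit 1
# and call "$IPSET" instead of whatever PATH happens to find first.
pick_ipset() {
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        if classify_ipset_output "$("$bin" -v 2>&1)" >/dev/null; then
            echo "$bin"
            return 0
        fi
    done
    return 1
}
```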