shooter40sw
Senior Member
Hi, I got this error on the ssh interface with rev 24
Code:
/tmp/mnt/sda1/malware-filter# ./malware-block
Please wait while this script is running, this will take awhile..
ipset v4.5: Out of range cidr `198.20.69.0/241.161.228.232' specified
Try `ipset -H' or 'ipset --help' for more information.and this output on the syslog
Code:
system: Malware Filter Adding ipset rules to firewall...
Apr 5 09:53:37 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 1024 to 1536
Apr 5 09:53:39 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 1536 to 2304
Apr 5 09:53:40 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 2304 to 3456
Apr 5 09:53:48 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 3456 to 5184
Apr 5 09:53:51 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 5184 to 7776
Apr 5 09:54:04 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 7776 to 11664
Apr 5 09:54:19 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 11664 to 17496
Apr 5 09:54:37 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 17496 to 26244
Apr 5 09:55:13 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 26244 to 39366
Apr 5 09:55:16 kernel: net/ipv4/netfilter/ip_set_nethash.c: nethash_retry: rehashing of set Malware-Range-Update triggered: hashsize grows from 1024 to 1536
Apr 5 09:55:16 kernel: net/ipv4/netfilter/ip_set_nethash.c: nethash_retry: rehashing of set Malware-Range-Update triggered: hashsize grows from 1024 to 2304
Apr 5 09:55:16 kernel: net/ipv4/netfilter/ip_set_nethash.c: nethash_retry: rehashing of set Malware-Range-Update triggered: hashsize grows from 2304 to 3456
Apr 5 09:55:43 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 39366 to 59049
Apr 5 09:56:04 kernel: net/ipv4/netfilter/ip_set_iphash.c: iphash_retry: rehashing of set Malware-Update-Filter triggered: hashsize grows from 59049 to 88573
Apr 5 09:57:28 system: Malware-Filter loaded 25478 unique ip addresses that will be rejected from contacting your router.
Apr 5 09:57:28 system: Malware-Filter loaded 850 unique ip ranges that will be rejected from contacting your router.also iptables - L - n -v, The last set was the old one, but it created 2 different ones
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 set Malware-Range-Filter src,dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 set Malware-Filter src,dst
5 836 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter src,dstshooter40sw
Senior Member
:/tmp/mnt/sda1/malware-filter# ipset -L Malware-Range-Filter
Name: Malware-Range-Filter
Type: nethash
References: 1
Header: hashsize: 3456 probes: 4 resize: 50
Members:
49.238.64.0/18
197.159.80.0/21
204.187.248.0/22
103.16.76.0/24
206.224.160.0/19
151.212.0.0/16
203.86.252.0/22
167.224.0.0/19
209.97.128.0/18
196.196.0.0/16
188.72.96.0/24
61.11.224.0/19
45.127.36.0/22
204.187.252.0/23
198.177.176.0/22
103.232.172.0/22
192.40.29.0/24
69.169.224.0/20
165.192.0.0/16
192.67.160.0/22
185.148.128.0/22
185.11.140.0/24
153.14.0.0/16
196.240.0.0/15
159.151.0.0/16
swetoast
Guest
well it did block ranges just like it should but the error messages well those are wierd need some time to investigate since i dont have ipset version 4, just ignore em for now since the script performs as intended.
this seems to be a malformed string from some list just ignore that one.
btw reboot your router and it will drop the old rules
or better yet @shooter40sw perform this command
remove your list and get a new updated list with new sources
Code:
ipset v4.5: Out of range cidr `198.20.69.0/241.161.228.232' specifiedthis seems to be a malformed string from some list just ignore that one.
btw reboot your router and it will drop the old rules
or better yet @shooter40sw perform this command
Code:
rm /jffs/malware-filter.listremove your list and get a new updated list with new sources
Last edited:
shooter40sw
Senior Member
Sorry but where are the lists? I cant find them
shooter40sw
Senior Member
Something did not work, its giving me ipset v4.5: Unknown set error
shooter40sw
Senior Member
Great now its working! Thanks
Xentrk
Part of the Furniture
thanks, I saw that message and will give it a try. I'll let you know the results.
Let me run it again. I noticed you have new entries in https://gitlab.com/swe_toast/malware-filter/raw/master/malware-filter.list. Maybe the script needs to populate malware-filter.list each time it runs so any updates get auto populated to /jffs/malware-filter.list.
EDIT: Updating the /jffs/malware-filter.list with the entries on GitHub link above fixed the issue
Last edited:
Xentrk
Part of the Furniture
Perhaps a reminder may be needed for users to update the /jffs/malware-filter.list file on the wiki or forum posting. The updated wiki appears to be missing the instructions on the /jffs/malware-filter.list that used to be there. For first time users, no problems since it will get created automatically. But as we see in my example, I had a prior installation.
Or, tell users to delete any previous verison of /jffs/malware-filter.list?
Last edited:
shooter40sw
Senior Member
Yes it doubled the count!
Code:
Apr 5 11:00:54 system: Malware-Filter loaded 45292 unique ip addresses that will be rejected from contacting your router.
Apr 5 11:00:54 system: Malware-Filter loaded 850 unique ip ranges that will be rejected from contacting your router.Xentrk
Part of the Furniture
Looks like I need to stay on older version of malware-filter on DD-WRT. On DD-WRT, iptables-save command is fubar. There are posts about the issue. Even though I installed entware iptables package, it still is broken.
Apparently the entware iptables package is incomplete per zyxmon:
https://github.com/Entware-ng/Entware-ng/issues/271
This is just another reason why I have moved away from DD-WRT. I had to work some magic to get xt_set working on DD-WRT, which is not included in the DD-WRT builds.
I thank you once again for your contributions.
Code:
Can't find library for target `TRIGGER'https://github.com/Entware-ng/Entware-ng/issues/271
This is just another reason why I have moved away from DD-WRT. I had to work some magic to get xt_set working on DD-WRT, which is not included in the DD-WRT builds.
I thank you once again for your contributions.
Similar threads
Similar threads
Similar threads
-
-
-
Wireless MAC (Band filter filtering out Guest network)
- Started by recharging
- Replies: 2
-
-
-
-
(Solved - Bad router) RT-AX88U node causes network instability (3004.388.7)
- Started by nbjam
- Replies: 2
-