Malware Filter / bad host IPSET

Untested. Remember that adding an ipset might take time, so don't rush it when testing.

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 1

path=/opt/var/cache/malware-filter              # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
;;
mips)
    MATCH_SET='--set'                       # Value for Mips Routers
;;
*)
    MATCH_SET='--match-set'                 # Value for ARM Routers
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter hash:ip family inet hashsize 2048 maxelem 65536
    for i in `cat $path/malware-filter.txt`; do ipset add malware-filter $i ; done
fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update hash:ip family inet hashsize 2048 maxelem 65536
    for i in `cat $path/malware-filter.txt`; do ipset add malware-update $i ; done
    ipset swap malware-update malware-filter
    ipset destroy malware-update
fi


iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?


/opt/var/cache/malware-filter/m 100%[========================================================>] 159.95K 187KB/s in 0.9s
/opt/var/cache/malware-filter/m [ <=> ] 2.34K --.-KB/s in 0s
/opt/var/cache/malware-filter/m [ <=> ] 10.51K 28.0KB/s in 0.4s
/opt/var/cache/malware-filter/m 100%[========================================================>] 17.00K 56.7KB/s in 0.3s
/opt/var/cache/malware-filter/m 100%[========================================================>] 283.41K 151KB/s in 1.9s
/opt/var/cache/malware-filter/m 100%[========================================================>] 6.61K 22.1KB/s in 0.3s

I now see IP addresses listed under Members: when running the ipset -L malware-filter command. I tried to ping six IP addresses from the list from the Windows command line and they all came back with request timed out. They can still be pinged from an SSH session.

THANK YOU! Great Job.
 
Any concern that I have 3 entries for malware-filter? Or will the extras go away upon reboot?

Code:
admin@RT-AC88U-5248:/jffs/scripts# /usr/sbin/iptables -L FORWARD -v -n
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                              
    7   420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   match-set malware-filter src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0     match-set malware-filter src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0     match-set malware-filter src,dst reject-with icmp-port-unreachable
 
I'm gonna add it as soon as more people test it and confirm that it's working for them, with a new description telling users not to add it to firewall-start unless they want to wait 5 min when they reboot. It's better to have it as a service with cru in services-start.

Add the script to /opt/bin/malware-block, then type this:

nano /jffs/scripts/services-start

and append:

cru a malware-filter "0 */12 * * * /opt/bin/malware-block"

Save it.
 
It will go away on reboot.
Or you can insert an extra row to avoid it.

Code:
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
 
Cool, thanks, adding it to the post.

@octopus do you think I should add nice to the ipset when it adds entries, so that slower routers have a chance to work on it without it taking up too much CPU?
 
The script did not work for me. I have another path, so I had to change it in 2 places of the script; then when it started it entered a loop and crashed. What I got was ipset could not set hash:

ipset v4.5: couldn't load settype hash:ip: file not found
bad argument `add'
 
Again, post the full lines of what you changed, because it needs to be changed in the script for everybody with mips, and since I don't have a mips router, well, you get the gist of it.
 
I rebooted and it took the same amount of time. The /usr/sbin/iptables -L FORWARD -v -n command showed no match-set malware-filter line.

I ran my firewall-start manually and got this error:
Code:
admin@RT-AC88U-5248:/jffs/scripts# ./firewall-start
iptables v1.4.14: Kernel module xt_set is not loaded in.

firewall-start code:
Code:
#!/bin/sh
iptables -I FORWARD -m set --match-set malware-filter src,dst -j REJECT

Just wanted to provide the feedback. I reran the malware-filter script and it is all good now.
 
My path is the one that can be changed, and below I bolded the ones that I had to change for it to run, and when it does, it gives me the error about ipset v4.5 couldn't load settype.


Untested. Remember that adding an ipset might take time, so don't rush it when testing.

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 1

path=/tmp/mnt/sda1/blockip/malware-filter              # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
;;
mips)
    MATCH_SET='--set'                       # Value for Mips Routers
;;
*)
    MATCH_SET='--match-set'                 # Value for ARM Routers
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter hash:ip family inet hashsize 2048 maxelem 65536
    for i in `cat $path/malware-filter.txt`; do ipset add malware-filter $i ; done
fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update hash:ip family inet hashsize 2048 maxelem 65536
    for i in `cat $path/malware-filter.txt`; do ipset add malware-update $i ; done
    ipset swap malware-update malware-filter
    ipset destroy malware-update
fi


iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT 2>/dev/null   # remove any earlier copy first so reruns do not stack duplicate rules
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?
 
And that's why I need the syntax for loading a set there, since I don't have the old syntax. I've made the changes.

I'm going from this manual:
http://man.cx/ipset(8)

Check the mips lines and see if they correspond with your ipset version; if they do, I can make all the changes needed.

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 2

path=/opt/var/cache/malware-filter              # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
fi

case $(uname -m) in
armv7l)
    MATCH_SET='--match-set'                 # Value for ARM Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
;;
mips)
    MATCH_SET='--set'                       # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-N'
    SWAPPED='-W'
    DESTROYED='-X'
;;
*)
    MATCH_SET='--match-set'                 # Value for Wildcard Routers
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH family inet hashsize 2048 maxelem 65536
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-filter $i ; done
fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH family inet hashsize 2048 maxelem 65536
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi


iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT 2>/dev/null   # remove any earlier copy first so reruns do not stack duplicate rules
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?
 
@Xentrk check earlier posts: don't have this in firewall-start, rather in services-start instead. See this post on how to.

Thanks. I see it now. I added it to my services-start at the end, as I don't want to step on AB-Solution 3 and have @thelonelycoder come after me. :)

Code:
#!/bin/sh
# DO NOT EDIT this part of the file #
# generated by AB-Solution 3
RC='/opt/etc/init.d/rc.unslung'
i=30
until [ -x "$RC" ] ; do
  i=$(($i-1))
  if [ "$i" -lt 1 ] ; then
    logger "Could not start Entware"
    exit
  fi
  sleep 1
done
$RC start
# end of DO NOT EDIT #
cru a malware-filter "0 */12 * * * /opt/bin/malware-block"
 
This was the old code that does not crash but does not load the ipset. I also changed the paths to match the script's ones to avoid any other issue with that.


Code:
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

ipset -v | grep -i "v4" > /dev/null 2>&1

if [ $? -eq 0 ]; then
     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
       insmod $module
     done
else
     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
       insmod $module
     done
fi

case $(uname -m) in
armv7l)
      MATCH_SET='--match-set'                 # Value for ARM Routers
;;
mips)
      MATCH_SET='--set'                       # Value for Mips Routers
;;
esac

get_list () {
         mkdir -p $path
         wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
         cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
}

run_ipset () {

get_list
ipset --destroy malware-filter > /dev/null 2>&1         # Delete the filter so it doesnt clash with the update

if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
         ipset -N malware-filter iphash
         while [ $((--i)) -ge 0 ]; do
                ipset --add temp_ipset $(cat $path/malware-filter.txt)
         done
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
}

run_ipset
exit $?

Testing again, there is an issue: it says bad argument in "family" for the mips routers.

Code:
/opt/var/cache/malware-filter/malware-list.p 100%[=====================================================================
/opt/var/cache/malware-filter/malware-list.p 100%[=====================================================================
Bad argument `family'
Try `ipset -H' or 'ipset --help' for more information.
ipset v4.5: Couldn't load settype `1.160.42.198':File not found

@shooter40sw I only asked for the updated lines on the NEW script; the old one doesn't work properly, but you're welcome to use it.

@Xentrk adding that line doesn't mess up @thelonelycoder's adblocker.
 
Please print the full printout of ipset -H; it makes my work so much easier.

Thanks very much for your efforts and patience

/tmp/mnt/sda1/blockip# ipset -H
ipset v4.5

Usage: ipset -N new-set settype [options]
ipset -[XFLSH] [set] [options]
ipset -[EW] from-set to-set
ipset -[ADT] set IP
ipset -R
ipset -v
ipset -h (print this help information)

Commands:
Either long or short options are allowed.
--create -N setname settype <options>
Create a new set
--destroy -X [setname]
Destroy a set or all sets
--flush -F [setname]
Flush a set or all sets
--rename -E from-set to-set
Rename from-set to to-set
--swap -W from-set to-set
Swap the content of two existing sets
--list -L [setname] [options]
List the IPs in a set or all sets
--save -S [setname]
Save the set or all sets to stdout
--restore -R [option]
Restores a saved state
--add -A setname IP
Add an IP to a set
--del -D setname IP
Deletes an IP from a set
--test -T setname IP
Tests if an IP exists in a set.
--help -H [settype]
Prints this help, and settype specific help
--version -V
Prints version information

Options:
--sorted -s Numeric sort of the IPs in -L
--numeric -n Numeric output of addresses in a -L (default)
--resolve -r Try to resolve addresses in a -L
--quiet -q Suppress any output to stdout and stderr.
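
As an added example (not the thread's malware-block script, and not code from swetoast, Neurophile or Octopus), the POSIX sh script below does the same job while addressing three points raised above: it sanity-checks the extracted addresses before they go anywhere near a REJECT rule (the regexp on its own also matches 999.1.1.1, loopback and RFC1918 entries, and a sloppy or poisoned feed containing your own LAN range would cut the LAN off), it loads the set with a single `ipset -R` / `ipset restore` file instead of one `ipset add` process per address (the CPU problem on slower routers), and it handles both the ipset v4.5 syntax shown in the -H output (mips) and the v6 syntax (ARM). The scratch set name malware-update, the --apply flag and the scratch-file path are assumptions made for this example; the input is whatever wget downloaded, e.g. malware-list.pre. The sample list embedded at the top is constructed, not real feed data.

```shell
#!/bin/sh
# Added example, not the thread's malware-block script. Same job: take the list
# wget downloaded, extract IPv4 addresses, load an ipset, REJECT it in FORWARD.
# Differences: addresses are sanity-checked, the set is loaded with one restore
# file instead of a fork per address, and it is swapped in atomically.
# Assumed (not from the thread): scratch set name malware-update, the --apply
# flag, and the scratch file under $TMPDIR.

# Constructed sample of a downloaded list fragment (not real feed data).
SAMPLE_LIST='# comment line
1.2.3.4
5.6.7.8 # trailing comment
999.1.1.1
10.0.0.5
127.0.0.1
192.168.1.10
8.8.8.8
1.2.3.4
'

# extract_ips: stdin -> unique, syntactically valid, non-private IPv4 addresses.
# The regexp alone also accepts 999.1.1.1, loopback and RFC1918 entries; a sloppy
# or poisoned feed could otherwise put the router's own LAN into a REJECT rule.
extract_ips() {
    grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' |
    awk -F. '
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 { next }   # octet out of range
        $1 == 0 || $1 == 10 || $1 == 127              { next }   # this-net, RFC1918, loopback
        $1 == 172 && $2 >= 16 && $2 <= 31             { next }   # RFC1918
        $1 == 192 && $2 == 168                        { next }   # RFC1918
        $1 == 169 && $2 == 254                        { next }   # link-local
        $1 >= 224                                     { next }   # multicast, reserved, broadcast
        !seen[$0]++'                                             # de-duplicate, keep order
}

# ipset_major: 4 on the old mips firmware (ipset v4.5: -N/-A/-W/-X, settype
# "iphash"), 6 on ARM (ipset v6: create/add/swap/destroy, "hash:ip").
ipset_major() {
    ipset -v 2>&1 | sed -n 's/^ipset v\([0-9]*\).*/\1/p'
}

# build_restore SET MAJOR: validated IPs on stdin -> restore file on stdout.
# Loading this with one "ipset -R" / "ipset restore" replaces thousands of
# separate "ipset add" processes, which is what made slow routers crawl.
build_restore() {
    set_name=$1 major=$2
    if [ "$major" -lt 6 ]; then
        printf '%s\n' "-N $set_name iphash"
        awk -v s="$set_name" '{ print "-A " s " " $0 }'
        printf 'COMMIT\n'                 # ipset 4 restore input ends with COMMIT
    else
        printf '%s\n' "create $set_name hash:ip family inet hashsize 2048 maxelem 65536"
        awk -v s="$set_name" '{ print "add " s " " $0 }'
    fi
}

# update_set LISTFILE: load the scratch set, swap it under the live rule, drop
# the old contents. The live set is never empty or half-loaded while matching.
update_set() {
    major=$(ipset_major)
    [ -n "$major" ] || { echo "ipset not found" >&2; return 1; }
    tmp=${TMPDIR:-/tmp}/malware-update.restore
    extract_ips <"$1" | build_restore malware-update "$major" >"$tmp" || return 1
    if [ "$major" -lt 6 ]; then
        ipset -X malware-update 2>/dev/null
        ipset -R <"$tmp" || return 1
        ipset -L malware-filter >/dev/null 2>&1 || ipset -N malware-filter iphash
        ipset -W malware-update malware-filter && ipset -X malware-update
    else
        ipset destroy malware-update 2>/dev/null
        ipset restore <"$tmp" || return 1
        ipset list malware-filter >/dev/null 2>&1 ||
            ipset create malware-filter hash:ip family inet hashsize 2048 maxelem 65536
        ipset swap malware-update malware-filter && ipset destroy malware-update
    fi
}

# ensure_rule: exactly one REJECT rule however often this runs. Delete-then-insert
# works on every iptables build; "iptables -C" is cleaner but needs 1.4.11+.
ensure_rule() {
    case $(uname -m) in
        mips) match='--set' ;;          # older set-match syntax on the mips builds
        *)    match='--match-set' ;;
    esac
    iptables -D FORWARD -m set $match malware-filter src,dst -j REJECT 2>/dev/null
    iptables -I FORWARD -m set $match malware-filter src,dst -j REJECT
}

# Usage: malware-block --apply /opt/var/cache/malware-filter/malware-list.pre
# (schedule it from services-start with cru, as described in the thread).
if [ "${1:-}" = "--apply" ]; then
    update_set "$2" && ensure_rule
fi
```

Run it from the cru entry in services-start with `--apply <listfile>` after wget has fetched the list. The delete-then-insert pair in ensure_rule keeps a single FORWARD rule however often the script runs, which avoids the three stacked malware-filter entries seen in the iptables -L output earlier in the thread; the swap keeps the live set populated during an update, so there is no window where the REJECT rule matches an empty set.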
 
@sobored04 why is that script introduced to this thread?

Updated the wiki with the latest revision and updated instructions.
 