tomsk
Very Senior Member
> iptables: No chain/target/match by that name

does it help if you make an OPTIONAL='' in your case statement for mips? Maybe the ipset command doesn't like the $OPTIONAL with no value....
> does it help if you make an OPTIONAL='' in your case statement for mips? Maybe the ipset command doesn't like the $OPTIONAL with no value....

where do I change this, which line? If there is any more testing let me know

> where do I change this, which line? If there is any more testing let me know

I was suggesting it here
Code:
mips)
MATCH_SET='--set' # Value for Mips Routers
HASH='iphash'
SYNTAX='-q -A'
SWAPPED='-W'
DESTROYED='-X' # plain ASCII hyphen; -X (or --destroy) is destroy on ipset v4
OPTIONAL=''
But @swetoast reckons it won't make a difference.... was just a guess on my part
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 180 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter src,dst reject-with icmp-port-unreachable
7 420 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter src,dst reject-with icmp-port-unreachable
> I just ran the script again, and it does not give me the error, so it must be only when it has a fresh reboot, and it gave me no errors, but it did duplicate the iptables entry, so it looks like every time the script will run with cru it will keep adding lines to it

Well you won't get the error because the -q option before the -A in SYNTAX stands for "quiet" (shoot the messenger), you can try removing the -q and seeing if the error comes back if you want to test it. As @swetoast mentioned, as long as the command works, that's the main thing. Just knowing the error is there just bugs the hell out of me though ..hehe
#!/bin/sh
case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)
echo "this is running version 6"
;;
4)
echo "this is running version 4"
;;
esac
case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6) # value for ipset version 6
lsmod | grep "xt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
do
insmod $module
done
MATCH_SET='--match-set'
HASH='hash:ip'
SYNTAX='add'
SWAPPED='swap'
DESTROYED='destroy'
OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
4) # value for ipset version 4
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
insmod $module
done
MATCH_SET='--set'
HASH='iphash'
SYNTAX='-q -A'
SWAPPED='-W'
DESTROYED='--destroy'
OPTIONAL=''
;;
esac
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6
path=/opt/var/cache/malware-filter # Set your path here
regexp='\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' # Don't change this value (single quotes: no echo escape processing of \b)
case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6) # value for ipset version 6
lsmod | grep "xt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
do
insmod $module
done
MATCH_SET='--match-set'
HASH='hash:ip'
SYNTAX='add'
SWAPPED='swap'
DESTROYED='destroy'
OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
4) # value for ipset version 4
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
insmod $module
done
MATCH_SET='--set'
HASH='iphash'
SYNTAX='-q -A'
SWAPPED='-W'
DESTROYED='--destroy'
OPTIONAL=''
;;
esac
get_list () {
mkdir -p $path
wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
}
run_ipset () {
get_list
ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
path=/opt/var/cache/malware-filter
ipset -N malware-filter $HASH $OPTIONAL
for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
fi
else
path=/opt/var/cache/malware-filter
ipset -N malware-update $HASH $OPTIONAL
for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-update $i ; done
ipset $SWAPPED malware-update malware-filter
ipset $DESTROYED malware-update
fi
# Remove every existing copy of the rule, then insert exactly one.
# (Testing with || ran the delete only when the rule was absent, which
# errors on a fresh boot, and skipped it when present, which duplicated
# the rule on every cru run.)
while iptables-save | grep -q "malware-filter"; do
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT || break
done
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}
run_ipset
exit $?
/opt/var/cache/malware-filter/malware-list. 100%[===========================================================================================>] 299.74K 259KB/s in 1.2s
/opt/var/cache/malware-filter/malware-list. 100%[===========================================================================================>] 8.22K --.-KB/s in 0.1s
ipset v4.5: -N requires setname and settype
Try `ipset -H' or 'ipset --help' for more information.
Bad argument `malware-update'
Try `ipset -H' or 'ipset --help' for more information.
Bad argument `malware-update'
Try `ipset -H' or 'ipset --help' for more information.
untested
e-filter# ipset -v | grep -oE "version: \w" | grep -oE "[0-9]"
/malware-filter#
bah
Code:
ipset -v | grep -oE "version: \w" | grep -oE "[0-9]"

what does that line return ?
try that, it should return its running version 4

Code:
#!/bin/sh
case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6)
echo "this is running version 6"
;;
*v4)
echo "this is running version 4"
;;
esac
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6
path=/opt/var/cache/malware-filter # Set your path here
regexp='\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' # Don't change this value (single quotes: no echo escape processing of \b)
case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) # Value for ARM Routers
MATCH_SET='--match-set'
HASH='hash:ip'
SYNTAX='add'
SWAPPED='swap'
DESTROYED='destroy'
OPTIONAL='family inet hashsize 2048 maxelem 65536'
ipsetv=6
lsmod | grep "xt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
do
insmod $module
done
;;
*v4) # Value for Mips Routers
MATCH_SET='--set'
HASH='iphash'
SYNTAX='-q -A'
SWAPPED='-W'
DESTROYED='--destroy'
OPTIONAL=''
ipsetv=4
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
insmod $module
done
;;
esac
get_list () {
mkdir -p $path
wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
}
run_ipset () {
get_list
ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
ipset -N malware-filter $HASH $OPTIONAL
for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
fi
else
ipset -N malware-update $HASH $OPTIONAL
for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-update $i ; done
ipset $SWAPPED malware-update malware-filter
ipset $DESTROYED malware-update
fi
# Remove every existing copy of the rule, then insert exactly one.
# (Testing with || ran the delete only when the rule was absent, which
# errors on a fresh boot, and skipped it when present, which duplicated
# the rule on every cru run.)
while iptables-save | grep -q "malware-filter"; do
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT || break
done
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}
run_ipset
exit $?
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter src,dst reject-with icmp-port-unreachable
3 180 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter src,dst reject-with icmp-port-unreachable
r/cache/malware-filter/blockip.sh
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set.ko': File exists
/opt/var/cache/malware-filter/malwa 100%[====================================================================>] 159.99K 275KB/s in 0.6s
/opt/var/cache/malware-filter/malwa [ <=> ] 2.34K --.-KB/s in 0.001s
/opt/var/cache/malware-filter/malwa [ <=> ] 10.51K 26.9KB/s in 0.4s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>] 17.00K --.-KB/s in 0.1s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>] 304.79K 270KB/s in 1.1s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>] 8.32K --.-KB/s in 0.1s
iptables: No chain/target/match by that name
system: Malware Filter loaded 35962 unique ip addresses.
Then this should work, it's more streamlined: fewer lines, more action