Malware Filter / bad host IPSET

tomsk · Jan 8, 2017

shooter40sw said:
iptables: No chain/target/match by that name

does it help if you make an OPTIONAL='' in your case statement for mips? Maybe the ipset command doesn't like the $OPTIONAL with no value....

swetoast · Jan 8, 2017

doesnt have to have a value to work. all i want to do with the ipset is create a rule and looking at the logs after that i succeeded in doing that its not my fault that ipset 4 sux

shooter40sw · Jan 8, 2017

tomsk said:
does it help if you make an OPTIONAL='' in your case statement for mips? Maybe the ipset command doesn't like the $OPTIONAL with no value....

where do I change this, which line? If there is any more testing let me know

tomsk · Jan 8, 2017

shooter40sw said:
where do I change this, which line? If there is any more testing let me know

I was suggesting it here

Code:

mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='−X'
    OPTIONAL=''

But @swetoast reckons it won't make a difference.... was just a guess on my part

shooter40sw · Jan 8, 2017

tomsk said:
I was suggesting it here

Code:

mips) MATCH_SET='--set' # Value for Mips Routers HASH='iphash' SYNTAX='-q -A' SWAPPED='-W' DESTROYED='−X' OPTIONAL=''

But @swetoast reckons it won't make a difference.... was just a guess on my part

I just runned the script again, and it does not give me the error, so it must be only when it has a fresh reboot, and it gave me no errors, but it did duplicate iptables entry, so It looks like every time the script will run with cru it will keep adding lines to it

Code:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
    7   420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachabl

tomsk · Jan 8, 2017

shooter40sw said:
I just runned the script again, and it does not give me the error, so it must be only when it has a fresh reboot, and it gave me no errors, but it did duplicate iptables entry, so It looks like every time the script will run with cru it will keep adding lines to it

Code:

Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 3 180 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter src,dst reject-with icmp-port-unreachable 7 420 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter src,dst reject-with icmp-port-unreachabl

Well you won't get the error because the -q option before the -A in SYNTAX stands for "quiet" (shoot the messenger) , you can try removing the -q and seeing if the error comes back if you want to test it. As @swetoast mentioned , as long as the command works, thats the main thing. Just knowing the error is there just bugs the hell out of me though ..hehe

swetoast · Jan 8, 2017

it should remove the duplicate entry since i use octopus advice and deleted existing rule before adding it again..

and i the optional empty syntax works and gives no errors then i can add it just dont think its nessary

swetoast · Jan 8, 2017

revision 5 is on the wiki, enjoy and too all other update

swetoast · Jan 8, 2017

thinking of scraping the detection for ipset since i got 2 systems at the moment with something much simpler cause all i need to know if its running ipset 4 or ipset 6 and that i can do with this

Code:

#!/bin/sh
case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)
echo "this is running version 6"
;;
4)
echo "this is running version 4"
;;
esac

instead of that whole other mess

swetoast · Jan 8, 2017

Would look something like this

Code:

case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)  # value for ipset version 6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
    MATCH_SET='--match-set'                       
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
4)  # value for ipset version 4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
    MATCH_SET='--set'                             
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''
;;
esac

swetoast · Jan 8, 2017

untested

Code:

#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6

path=/opt/var/cache/malware-filter                      # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)  # value for ipset version 6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
    MATCH_SET='--match-set'                      
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
4)  # value for ipset version 4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
    MATCH_SET='--set'                            
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
    fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}

run_ipset
exit $?

shooter40sw · Jan 8, 2017

Hi there!, your last update broke the script for me, the rev 6, that says untested, did not test out the wiki one yet, you tell me!

Code:

/opt/var/cache/malware-filter/malware-list. 100%[===========================================================================================>] 299.74K   259KB/s   in 1.2s
/opt/var/cache/malware-filter/malware-list. 100%[===========================================================================================>]   8.22K  --.-KB/s   in 0.1s
ipset v4.5: -N requires setname and settype
Try `ipset -H' or 'ipset --help' for more information.
Bad argument `malware-update'
Try `ipset -H' or 'ipset --help' for more information.
Bad argument `malware-update'
Try `ipset -H' or 'ipset --help' for more information.

swetoast said:

untested

Code:

#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6

path=/opt/var/cache/malware-filter                      # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)  # value for ipset version 6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
    MATCH_SET='--match-set'                      
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
4)  # value for ipset version 4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
    MATCH_SET='--set'                            
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
    fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}

run_ipset
exit $?

swetoast · Jan 8, 2017

bah

Code:

ipset -v | grep -oE "version: \w" | grep -oE "[0-9]"

what does that line return ?

shooter40sw · Jan 8, 2017

Nothing at all

Code:

e-filter# ipset -v | grep -oE "version: \w" | grep -oE "[0-9]"
/malware-filter#

swetoast said:
bah

Code:

ipset -v | grep -oE "version: \w" | grep -oE "[0-9]"

what does that line return ?

swetoast · Jan 8, 2017

ok so the detection is broken thats why it doesnt work

swetoast · Jan 8, 2017

Code:

#!/bin/sh
case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) echo "this is running version 6"
;;
*v4) echo "this is running version 4"
;;
esac

try that it should return its running version 4

shooter40sw · Jan 8, 2017

Yes thats the result of the script version 4

swetoast said:
Code:

#!/bin/sh case $(ipset -v | grep -oE "ipset v[0-9]") in *v6) echo "this is running version 6" ;; *v4) echo "this is running version 4" ;; esac

try that it should return its running version 4

swetoast · Jan 8, 2017

Then this should work, its more streamlined less lines more action

Code:

#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6

path=/opt/var/cache/malware-filter                      # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) # Value for ARM Routers

    MATCH_SET='--match-set'
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'

     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
;;

*v4) # Value for Mips Routers

    MATCH_SET='--set'
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''   

     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
fi
else
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}

run_ipset
exit $?

shooter40sw · Jan 8, 2017

Great!
It gives me the same error from early, but the script is working, and it keeps having the detail that it piles up in the iptables

Code:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
    3   180 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable

Code:

r/cache/malware-filter/blockip.sh
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set.ko': File exists
/opt/var/cache/malware-filter/malwa 100%[====================================================================>] 159.99K   275KB/s   in 0.6s

/opt/var/cache/malware-filter/malwa     [ <=>                                                                 ]   2.34K  --.-KB/s   in 0.001s
/opt/var/cache/malware-filter/malwa     [  <=>                                                                ]  10.51K  26.9KB/s   in 0.4s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>]  17.00K  --.-KB/s   in 0.1s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>] 304.79K   270KB/s   in 1.1s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>]   8.32K  --.-KB/s   in 0.1s
iptables: No chain/target/match by that name
system: Malware Filter loaded 35962 unique ip addresses.

swetoast said:

Then this should work, its more streamlined less lines more action

Code:

#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6

path=/opt/var/cache/malware-filter                      # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) # Value for ARM Routers

    MATCH_SET='--match-set'
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'

     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
;;

*v4) # Value for Mips Routers

    MATCH_SET='--set'
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''  

     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
fi
else
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}

run_ipset
exit $?

swetoast · Jan 8, 2017

ill look into that during the week see if i cant improve upon it but its working so thats atleast some good news

Thread starter	Title	Forum	Replies	Date
	MAC Filter Options	Asuswrt-Merlin	29	May 12, 2024
M	Wireless Mac filter defaulting to whitelist.	Asuswrt-Merlin	5	Apr 21, 2024
R	Wireless MAC (Band filter filtering out Guest network)	Asuswrt-Merlin	2	Apr 3, 2024
G	Feature request: firewall url filter log	Asuswrt-Merlin	0	Mar 20, 2024
	cannot add domain to router URL filter	Asuswrt-Merlin	15	Mar 13, 2024
C	How to filter out foreign countries	Asuswrt-Merlin	3	Feb 9, 2024
N	(Solved - Bad router) RT-AX88U node causes network instability (3004.388.7)	Asuswrt-Merlin	2	May 8, 2024
K	Need help with a bad DHCP issue!!!!	Asuswrt-Merlin	6	Jan 23, 2024

Malware Filter / bad host IPSET

Very Senior Member

Guest

Senior Member

Very Senior Member

Senior Member

Very Senior Member

Guest

Guest

Guest

Guest

Guest

Senior Member

Guest

Senior Member

Guest

Guest

Senior Member

Guest

Senior Member

Guest

Similar threads

Similar threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest