What's new

Malware Filter / bad host IPSET

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

iptables: No chain/target/match by that name
does it help if you make an OPTIONAL='' in your case statement for mips? Maybe the ipset command doesn't like the $OPTIONAL with no value....
 
doesnt have to have a value to work. all i want to do with the ipset is create a rule and looking at the logs after that i succeeded in doing that its not my fault that ipset 4 sux :)
 
does it help if you make an OPTIONAL='' in your case statement for mips? Maybe the ipset command doesn't like the $OPTIONAL with no value....
where do I change this, which line? If there is any more testing let me know
 
where do I change this, which line? If there is any more testing let me know
I was suggesting it here
Code:
mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='−X'
    OPTIONAL=''
But @swetoast reckons it won't make a difference.... was just a guess on my part
 
I was suggesting it here
Code:
mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='−X'
    OPTIONAL=''
But @swetoast reckons it won't make a difference.... was just a guess on my part

I just runned the script again, and it does not give me the error, so it must be only when it has a fresh reboot, and it gave me no errors, but it did duplicate iptables entry, so It looks like every time the script will run with cru it will keep adding lines to it

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
    7   420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachabl
 
I just runned the script again, and it does not give me the error, so it must be only when it has a fresh reboot, and it gave me no errors, but it did duplicate iptables entry, so It looks like every time the script will run with cru it will keep adding lines to it

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
    7   420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachabl
Well you won't get the error because the -q option before the -A in SYNTAX stands for "quiet" (shoot the messenger) , you can try removing the -q and seeing if the error comes back if you want to test it. As @swetoast mentioned , as long as the command works, thats the main thing. Just knowing the error is there just bugs the hell out of me though ..hehe :)
 
it should remove the duplicate entry since i use octopus advice and deleted existing rule before adding it again..

and i the optional empty syntax works and gives no errors then i can add it just dont think its nessary
 
thinking of scraping the detection for ipset since i got 2 systems at the moment with something much simpler cause all i need to know if its running ipset 4 or ipset 6 and that i can do with this

Code:
#!/bin/sh
case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)
echo "this is running version 6"
;;
4)
echo "this is running version 4"
;;
esac

instead of that whole other mess
 
Would look something like this

Code:
case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)  # value for ipset version 6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
    MATCH_SET='--match-set'                       
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
4)  # value for ipset version 4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
    MATCH_SET='--set'                             
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''
;;
esac
 
untested

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6

path=/opt/var/cache/malware-filter                      # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)  # value for ipset version 6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
    MATCH_SET='--match-set'                      
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
4)  # value for ipset version 4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
    MATCH_SET='--set'                            
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
    fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}

run_ipset
exit $?
 
Last edited:
Hi there!, your last update broke the script for me, the rev 6, that says untested, did not test out the wiki one yet, you tell me!

Code:
/opt/var/cache/malware-filter/malware-list. 100%[===========================================================================================>] 299.74K   259KB/s   in 1.2s
/opt/var/cache/malware-filter/malware-list. 100%[===========================================================================================>]   8.22K  --.-KB/s   in 0.1s
ipset v4.5: -N requires setname and settype
Try `ipset -H' or 'ipset --help' for more information.
Bad argument `malware-update'
Try `ipset -H' or 'ipset --help' for more information.
Bad argument `malware-update'
Try `ipset -H' or 'ipset --help' for more information.

untested

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6

path=/opt/var/cache/malware-filter                      # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)  # value for ipset version 6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
    MATCH_SET='--match-set'                      
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
4)  # value for ipset version 4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
    MATCH_SET='--set'                            
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
    fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}

run_ipset
exit $?
 
bah

Code:
ipset -v | grep -oE "version: \w" | grep -oE "[0-9]"

what does that line return ?
 
Code:
#!/bin/sh
case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) echo "this is running version 6"
;;
*v4) echo "this is running version 4"
;;
esac
try that it should return its running version 4
 
Last edited:
Yes thats the result of the script version 4

Code:
#!/bin/sh
case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) echo "this is running version 6"
;;
*v4) echo "this is running version 4"
;;
esac
try that it should return its running version 4
 
Then this should work, its more streamlined less lines more action :)

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6

path=/opt/var/cache/malware-filter                      # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) # Value for ARM Routers

    MATCH_SET='--match-set'
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'

     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
;;

*v4) # Value for Mips Routers

    MATCH_SET='--set'
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''   

     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
fi
else
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}

run_ipset
exit $?
 
Last edited:
Great!
It gives me the same error from early, but the script is working, and it keeps having the detail that it piles up in the iptables

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
    3   180 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable

Code:
r/cache/malware-filter/blockip.sh
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set.ko': File exists
/opt/var/cache/malware-filter/malwa 100%[====================================================================>] 159.99K   275KB/s   in 0.6s

/opt/var/cache/malware-filter/malwa     [ <=>                                                                 ]   2.34K  --.-KB/s   in 0.001s
/opt/var/cache/malware-filter/malwa     [  <=>                                                                ]  10.51K  26.9KB/s   in 0.4s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>]  17.00K  --.-KB/s   in 0.1s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>] 304.79K   270KB/s   in 1.1s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>]   8.32K  --.-KB/s   in 0.1s
iptables: No chain/target/match by that name
system: Malware Filter loaded 35962 unique ip addresses.






Then this should work, its more streamlined less lines more action :)

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6

path=/opt/var/cache/malware-filter                      # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) # Value for ARM Routers

    MATCH_SET='--match-set'
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'

     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
;;

*v4) # Value for Mips Routers

    MATCH_SET='--set'
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''  

     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
fi
else
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}

run_ipset
exit $?
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top