tomsk
Very Senior Member
Ok good luck.... the problem is not the malware script anyway.... thats just behaving according to what the router is telling it.
I discovered where is the problem!
After a factory reset I restored the settings of the router to connect via ssh.
I connected to the router by ssh and I gave the command
the version of ipset is 6.29
After this i restore the jffs partition, rI rebooted rhe router and I gave the command
and i obtained the first error.
I can understand the the problem is the installation of Entware
After a factory reset I restored the settings of the router to connect via ssh.
I connected to the router by ssh and I gave the command
Code:
admin@RT-AC68U:/tmp/home/root# ipset -v
ipset v6.29, protocol version: 6After this i restore the jffs partition, rI rebooted rhe router and I gave the command
Code:
ipset -v
ipset v4.5, protocol version 4.
ipset v4.5: Kernel ip_set module is of protocol version 6.I'm of protocol version 4.
Please upgrade your kernel and/or ipset(8) utillity.I can understand the the problem is the installation of Entware
tomsk
Very Senior Member
Did you install the correct version of entware?... there is a version for MIPS routers and one for ARM routers.... you need the ARM version for your AC68U
I think so, i followed this guide:
https://www.hqt.ro/how-to-install-new-generation-entware/
https://www.hqt.ro/how-to-install-new-generation-entware/
tomsk
Very Senior Member
Maybe one of the packages is causing problems then..... list them out with "opkg list-installed" and you can remove them one by one with "opkg remove <package name>" Make sure you only use packages from the ARM repository too
I installed mc, and the package was downloaded from the arm repository.
However i just remove ipset4 using the command you suggested.
Now I'm running the script and seem it is running,
However i just remove ipset4 using the command you suggested.
Now I'm running the script and seem it is running,
Code:
admin@RT-AC68U:/tmp/mnt/sda1/entware-ng.arm/bin# ./malware-block.sh
insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/ipset/ip_set.ko': File exists
/opt/var/cache/malware-filter/malware-list.tmp 59%[=====================================================================> ] 96.00K --.-KB/s in 31s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 160.31K 278KB/s in 0.6s
/opt/var/cache/malware-filter/malware-list.tmp [ <=> ] 2.12K --.-KB/s in 0s
/opt/var/cache/malware-filter/malware-list.tmp [ <=> ] 10.88K --.-KB/s in 0.03s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 15.20K 14.6KB/s in 1.0s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 27.24K 174KB/s in 0.2s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 57.96K --.-KB/s in 0.07s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 19.09K --.-KB/s in 0.001s
adding ipset rule to firewall this will take time.
system: Malware Filter loaded 19813
unique ip addresses.
admin@RT-AC68U:/tmp/mnt/sda1/entware-ng.arm/bin# /usr/sbin/iptables -L FORWARD -v -n
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set malware-filter src,dst reject-with icmp-port-unreachable
712 42176 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
13054 3520K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 logdrop all -- !br0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 SECURITY all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
1178 76864 NSFW all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
1178 76864 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
admin@RT-AC68U:/tmp/mnt/sda1/entware-ng.arm/bin#tomsk
Very Senior Member
Ah ok....if you had the entware ipset4 utility package installed that would be the cause..... you don't need this as it is already in the firmware (for ipset6)
I didn't install ipset4 package, it was installed automatically by the installation of entware.
I have an other question to which I need an answer, how can I set the script so that start on boot of the router.
I thought to add the script in /jffs/scripts but it does not run on boot start.
The other solution I thought is to add the scritp in admin@RT-AC68U:/tmp/mnt/sda1/entware-ng.arm/etc/init.d
What is the correct way?
I have an other question to which I need an answer, how can I set the script so that start on boot of the router.
I thought to add the script in /jffs/scripts but it does not run on boot start.
The other solution I thought is to add the scritp in admin@RT-AC68U:/tmp/mnt/sda1/entware-ng.arm/etc/init.d
What is the correct way?
Cedarhillguy
Occasional Visitor
The wiki at: https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset gives the recommended method for starting it on boot using merlin firmware. You need to create/edit the /jffs/scripts/services-start script.
Here is a sample of my services-start, which runs the malware-block script and schedules it to run & update every day at 11:45am & pm.
Code:
#!/bin/sh
/jffs/scripts/malware-block
# Schedule the malware-block to run every day at 11:45am/pm
cru a malware-filter "45 11,23 * * * /jffs/scripts/malware-block"
swetoast
Guest
Revision 14
Changelog:
Changelog:
- Implemented failover path
Code:
#!/bin/sh
# Author: Toast
# Contributers: Octopus, Tomsk, Neurophile, jimf, spalife
# Testers: shooter40sw
# Revision 14
path=/opt/var/cache/malware-filter # Set your path here
retries=3 # Set number of tries here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"` # Dont change this value
case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) # Value for ARM Routers
MATCH_SET='--match-set'
HASH='hash:ip'
SYNTAX='add'
SWAPPED='swap'
DESTROYED='destroy'
OPTIONAL='family inet hashsize 2048 maxelem 65536'
ipsetv=6
lsmod | grep "xt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
do
insmod $module
done
;;
*v4) # Value for Mips Routers
MATCH_SET='--set'
HASH='iphash'
SYNTAX='-q -A'
SWAPPED='-W'
DESTROYED='--destroy'
OPTIONAL=''
ipsetv=4
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
insmod $module
done
;;
esac
get_source () {
url=https://gitlab.com/swe_toast/malware-filter/raw/master/malware-filter.list
if [ ! -f $path/malware-filter.list ]
then wget $url -O $path/malware-filter.list; fi }
check_path () {
if [ ! -d "$path" ]; then
path='/tmp'
echo "path is not found using $path using as failover"
check_failover
else check_failover; fi }
check_failover () {
if [ ! -d "$path" ]; then
echo "failed to set failover path"
exit 1
else get_source; fi }
get_source () {
mkdir -p $path
wget -q --tries=$retries --show-progress -i $path/malware-filter.list -O $path/malware-list.tmp
awk '!/(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)/' $path/malware-list.tmp > $path/malware-list.pre
cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.blocklist
if [ -f $path/malware-list.tmp ]; then rm $path/malware-list.tmp; fi
if [ -f $path/malware-list.pre ]; then rm $path/malware-list.pre; fi
}
run_ipset () {
check_path
echo "adding ipset rule to firewall this will take time."
ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
nice -n 2 ipset -N malware-filter $HASH $OPTIONAL
if [ -f /opt/bin/xargs ]; then
/opt/bin/xargs -P10 -I "PARAM" -n1 -a $path/malware-filter.blocklist nice -n 2 ipset $SYNTAX malware-filter PARAM
else cat $path/malware-filter.blocklist | xargs -I {} ipset $SYNTAX malware-filter {}; fi
fi
else
nice -n 2 ipset -N malware-update $HASH $OPTIONAL
if [ -f /opt/bin/xargs ]; then
/opt/bin/xargs -P10 -I "PARAM" -n1 -a $path/malware-filter.blocklist nice -n 2 ipset $SYNTAX malware-update PARAM
else cat $path/malware-filter.blocklist | xargs -I {} ipset $SYNTAX malware-update {}; fi
nice -n 2 ipset $SWAPPED malware-update malware-filter
nice -n 2 ipset $DESTROYED malware-update
fi
iptables -L | grep malware-filter > /dev/null 2>&1
if [ $? -ne 0 ]; then
nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
else
nice -n 2 iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
fi
}
run_ipset
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.blocklist | wc -l) unique ip addresses."
exit $?Hello swetoast,
I end up with ipset4 installing enteware. Non I didn't have any old jffs on my router, I installed Merlin 380.65 for the first time. I solved uninstalling the ipset4, and after this everything goes well.
Hello Cedarhillguy, installng entware, there is a script services-start, I added the line pointing to my scrips malware-block.sh, and I solved.
Thaks.
swetoast
Guest
wtf no it should not unless you used some goofy guide to install instead of the official way, basically it should only install
Configuring ldconfig.
Configuring libgcc.
Configuring libc.
Configuring libssp.
Configuring findutils.
and OPKG
@myname entware isnt a requirement for my scripts
Configuring ldconfig.
Configuring libgcc.
Configuring libc.
Configuring libssp.
Configuring findutils.
and OPKG
@myname entware isnt a requirement for my scripts
I installed entware using this guide https://www.hqt.ro/how-to-install-new-generation-entware/ even because in the wiki isn't indicated where to download the installing script of entware.
I found out after, that enware isn't a requirement for yours script
I found out after, that enware isn't a requirement for yours script
I haven't ask before, because i found the link I posted, in the wiki Setting up New Generation Entware (External link), and I followed it.
Last night following the advice of tomsk, i did a factory reset, cleaning also jffs, and after this I uninstalled ipset4.
Last night following the advice of tomsk, i did a factory reset, cleaning also jffs, and after this I uninstalled ipset4.
Similar threads
Similar threads
Similar threads
-
-
-
Wireless MAC (Band filter filtering out Guest network)
- Started by recharging
- Replies: 2
-
-
-
-
(Solved - Bad router) RT-AX88U node causes network instability (3004.388.7)
- Started by nbjam
- Replies: 2
-
Latest threads
-
-
Solved [Disregard] DNS Director stopped working on 3004.388.8_4?
- Started by Wonko
- Replies: 1
-
-
Diversion Exclude subnet from Diversion blocking- Started by kstamand
- Replies: 0
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!