Ok good luck.... the problem is not the malware script anyway.... that's just behaving according to what the router is telling it.
I don't come from an older version of Merlin, the version I installed is the first installation.
However, I will try a factory reset.
Did you install the correct version of entware?... there is a version for MIPS routers and one for ARM routers.... you need the ARM version for your AC68U
I discovered where the problem is!
After a factory reset I restored the settings of the router to connect via ssh.
I connected to the router by ssh and I gave the command
the version of ipset is 6.29
Code:
admin@RT-AC68U:/tmp/home/root# ipset -v
ipset v6.29, protocol version: 6
After this I restored the jffs partition, I rebooted the router and I gave the command
and I obtained the first error.
Code:
ipset -v
ipset v4.5, protocol version 4.
ipset v4.5: Kernel ip_set module is of protocol version 6.I'm of protocol version 4.
Please upgrade your kernel and/or ipset(8) utillity.
I can understand that the problem is the installation of Entware
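The check described in this post, as an added example that is not part of the thread: it classifies `ipset -v` output and lists every `ipset` on the search path, so a userspace tool that shadows the firmware's one shows up before a script depends on it. The function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread.

# Output copied from the thread: ipset v4.5 userspace against a v6 kernel module.
thread_output() {
cat <<'EOF'
ipset v4.5, protocol version 4.
ipset v4.5: Kernel ip_set module is of protocol version 6.I'm of protocol version 4.
Please upgrade your kernel and/or ipset(8) utillity.
EOF
}

# Classify "ipset -v" text read from stdin.
# Prints "ok <proto>", "mismatch userspace=<n> kernel=<m>" or "unknown";
# the exit status is 0, 1 or 2 in the same order.
classify_ipset_version() {
    awk '
        /^ipset v[0-9]/ && /protocol version/ {
            u = $0; sub(/.*protocol version:? */, "", u); sub(/[^0-9].*/, "", u)
        }
        /Kernel ip_set module is of protocol version/ {
            k = $0; sub(/.*Kernel ip_set module is of protocol version */, "", k)
            sub(/[^0-9].*/, "", k)
        }
        END {
            if (u == "") { print "unknown"; exit 2 }
            if (k != "" && k != u) { print "mismatch userspace=" u " kernel=" k; exit 1 }
            print "ok " u
        }'
}

# Print every executable named ipset on a PATH-style list (default: $PATH),
# in search order. The first line is what a script's plain "ipset" resolves to.
list_ipset_binaries() {
    old_ifs=$IFS; IFS=:
    for dir in ${1:-$PATH}; do
        [ -x "$dir/ipset" ] && echo "$dir/ipset"
    done
    IFS=$old_ifs
}

thread_output | classify_ipset_version || true   # the failing case from the thread
list_ipset_binaries                              # more than one line: a binary is shadowed
if command -v ipset >/dev/null 2>&1; then
    ipset -v 2>&1 | classify_ipset_version || true
fi
```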
Maybe one of the packages is causing problems then..... list them out with "opkg list-installed" and you can remove them one by one with "opkg remove <package name>" Make sure you only use packages from the ARM repository too
I think so, I followed this guide:
https://www.hqt.ro/how-to-install-new-generation-entware/
Ah ok....if you had the entware ipset4 utility package installed that would be the cause..... you don't need this as it is already in the firmware (for ipset6)
I installed mc, and the package was downloaded from the arm repository.
However I just removed ipset4 using the command you suggested.
Now I'm running the script and it seems to be running,
Code:
admin@RT-AC68U:/tmp/mnt/sda1/entware-ng.arm/bin# ./malware-block.sh
insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/ipset/ip_set.ko': File exists
/opt/var/cache/malware-filter/malware-list.tmp 59%[=====================================================================> ] 96.00K --.-KB/s in 31s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 160.31K 278KB/s in 0.6s
/opt/var/cache/malware-filter/malware-list.tmp [ <=> ] 2.12K --.-KB/s in 0s
/opt/var/cache/malware-filter/malware-list.tmp [ <=> ] 10.88K --.-KB/s in 0.03s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 15.20K 14.6KB/s in 1.0s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 27.24K 174KB/s in 0.2s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 57.96K --.-KB/s in 0.07s
/opt/var/cache/malware-filter/malware-list.tmp 100%[=====================================================================================================================>] 19.09K --.-KB/s in 0.001s
adding ipset rule to firewall this will take time.
system: Malware Filter loaded 19813 unique ip addresses.
admin@RT-AC68U:/tmp/mnt/sda1/entware-ng.arm/bin# /usr/sbin/iptables -L FORWARD -v -n
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set malware-filter src,dst reject-with icmp-port-unreachable
712 42176 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
13054 3520K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 logdrop all -- !br0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 SECURITY all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
1178 76864 NSFW all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
1178 76864 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
admin@RT-AC68U:/tmp/mnt/sda1/entware-ng.arm/bin#
I didn't install ipset4 package, it was installed automatically by the installation of entware.
I have another question to which I need an answer: how can I set the script so that it starts on boot of the router?
I thought to add the script in /jffs/scripts but it does not run on boot start.
The other solution I thought of is to add the script in admin@RT-AC68U:/tmp/mnt/sda1/entware-ng.arm/etc/init.d
What is the correct way?
#!/bin/sh
# Author: Toast
# Contributers: Octopus, Tomsk, Neurophile, jimf, spalife
# Testers: shooter40sw
# Revision 14
path=/opt/var/cache/malware-filter # Set your path here
retries=3 # Set number of tries here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"` # Dont change this value
case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) # Value for ARM Routers
MATCH_SET='--match-set'
HASH='hash:ip'
SYNTAX='add'
SWAPPED='swap'
DESTROYED='destroy'
OPTIONAL='family inet hashsize 2048 maxelem 65536'
ipsetv=6
lsmod | grep "xt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
do
insmod $module
done
;;
*v4) # Value for Mips Routers
MATCH_SET='--set'
HASH='iphash'
SYNTAX='-q -A'
SWAPPED='-W'
DESTROYED='--destroy'
OPTIONAL=''
ipsetv=4
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
insmod $module
done
;;
esac
# Fetch the list of feed URLs once; later runs reuse the cached copy.
get_list () {
    url=https://gitlab.com/swe_toast/malware-filter/raw/master/malware-filter.list
    if [ ! -f "$path/malware-filter.list" ]
    then wget "$url" -O "$path/malware-filter.list"; fi }
# Fall back to /tmp when the configured cache directory is missing.
check_path () {
    if [ ! -d "$path" ]; then
        path='/tmp'
        echo "path is not found using $path using as failover"
        check_failover
    else check_failover; fi }
check_failover () {
    if [ ! -d "$path" ]; then
        echo "failed to set failover path"
        exit 1
    else get_source; fi }
# Download every feed named in the list, drop private ranges, keep unique IPv4 addresses.
get_source () {
    mkdir -p "$path"
    get_list   # make sure the URL list exists before wget reads it with -i
    wget -q --tries=$retries --show-progress -i "$path/malware-filter.list" -O "$path/malware-list.tmp"
    awk '!/(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)/' "$path/malware-list.tmp" > "$path/malware-list.pre"
    cat "$path/malware-list.pre" | grep -oE "$regexp" | sort -u > "$path/malware-filter.blocklist"
    if [ -f "$path/malware-list.tmp" ]; then rm "$path/malware-list.tmp"; fi
    if [ -f "$path/malware-list.pre" ]; then rm "$path/malware-list.pre"; fi
}
run_ipset () {
check_path
echo "adding ipset rule to firewall this will take time."
ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
nice -n 2 ipset -N malware-filter $HASH $OPTIONAL
if [ -f /opt/bin/xargs ]; then
/opt/bin/xargs -P10 -I "PARAM" -n1 -a $path/malware-filter.blocklist nice -n 2 ipset $SYNTAX malware-filter PARAM
else cat $path/malware-filter.blocklist | xargs -I {} ipset $SYNTAX malware-filter {}; fi
fi
else
nice -n 2 ipset -N malware-update $HASH $OPTIONAL
if [ -f /opt/bin/xargs ]; then
/opt/bin/xargs -P10 -I "PARAM" -n1 -a $path/malware-filter.blocklist nice -n 2 ipset $SYNTAX malware-update PARAM
else cat $path/malware-filter.blocklist | xargs -I {} ipset $SYNTAX malware-update {}; fi
nice -n 2 ipset $SWAPPED malware-update malware-filter
nice -n 2 ipset $DESTROYED malware-update
fi
iptables -L | grep malware-filter > /dev/null 2>&1
if [ $? -ne 0 ]; then
nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
else
nice -n 2 iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
nice -n 2 iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
fi
}
run_ipset
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.blocklist | wc -l) unique ip addresses."
exit $?
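An added example (not part of the script above and not its author's code): the script's awk filter tests only the start of each feed line, while `grep -o` then extracts addresses from anywhere in the line, so a LAN address embedded in a line would end up in a set that the FORWARD rule matches on both src and dst. The sketch below validates each extracted address and emits one `ipset restore` session for ipset v6; the function names and the sample feed are constructed.

```shell
#!/bin/sh
# Added example, not part of malware-block. Set names and parameters are the
# ones the script uses on ipset v6 (HASH and OPTIONAL in its *v6 branch).
SET=malware-filter
TMP=malware-update
PARAMS='hash:ip family inet hashsize 2048 maxelem 65536'

# Constructed feed text: two usable entries, one duplicate, and three that
# must never reach the set.
sample_feed() {
cat <<'EOF'
203.0.113.7
198.51.100.20 # seen 2017-01-01
http://feed.example/report?gw=192.168.1.1
999.10.10.10
10.0.0.5
203.0.113.7
EOF
}

# Read feed text on stdin, print each public IPv4 address once. Every
# candidate is checked on its own, wherever it appears in the line.
extract_public_ipv4() {
    grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | awk -F. '
        {
            for (i = 1; i <= 4; i++) if ($i + 0 > 255) next  # not a real octet
            a = $1 + 0; b = $2 + 0
            if (a == 0 || a == 10 || a == 127 || a >= 224) next
            if (a == 169 && b == 254) next
            if (a == 172 && b >= 16 && b <= 31) next
            if (a == 192 && b == 168) next
            print
        }' | LC_ALL=C sort -u
}

# Wrap the address list on stdin in one "ipset restore" session: fill a
# scratch set, swap it into place, drop the scratch set.
build_restore() {
    echo "create $SET $PARAMS"
    echo "create $TMP $PARAMS"
    echo "flush $TMP"
    sed "s/^/add $TMP /"
    echo "swap $TMP $SET"
    echo "destroy $TMP"
}

sample_feed | extract_public_ipv4 | build_restore
```

On the router the session would be piped into `ipset restore -!`, where `-!` lets the two `create` lines pass when the sets already exist with the same parameters.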
@myname how did you end up with ipset4 on that model? Did you have an old /jffs/ that was from another brand or something? Or was it an old jffs from before it got updated?
Hello Cedarhillguy, installing entware, there is a script services-start, I added the line pointing to my script malware-block.sh, and I solved.
The wiki at: https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset gives the recommended method for starting it on boot using merlin firmware. You need to create/edit the /jffs/scripts/services-start script.
Here is a sample of my services-start, which runs the malware-block script and schedules it to run & update every day at 11:45am & pm.
Code:
#!/bin/sh
/jffs/scripts/malware-block
# Schedule the malware-block to run every day at 11:45am/pm
cru a malware-filter "45 11,23 * * * /jffs/scripts/malware-block"