Malware Filter / bad host IPSET

But it's easy to fix; all you have to do is delete the following parts

Code:
iptables-save | grep -q "Malware-Filter" ||
iptables-save | grep -q "Malware-Range-Filter" ||

and theoretically it should work
 
It would keep adding the iptables rule over and over again on each run of the script if you remove that part. Perhaps it would be better to substitute iptables-save with iptables -L on the dd-wrt router
 
Yeah, probably hard for me to know since I don't have a DD-WRT router. Next good question is how to detect if it is a DD-WRT, then just make a case string.
 
No, I mean that iptables-save can be replaced with iptables -L for all cases; it should work for dd-wrt as well.
If you want to check specifically for DD-WRT routers, you can look for some identifying text in /proc/version for example (forum is not allowing the / character with those words :eek:)
 
But I also see this comment:
use tomato or dd-wrt versions of iptables.
So what's available on DD-WRT?
The suggested resolution will not work for dd-wrt because the version that comes with dd-wrt is also incomplete and is an older version when compared to what is on entware.
 

Here is the output of cat /proc/version
Code:
Linux version 4.4.12 (root@nmndev) (gcc version 5.3.0 (OpenWrt GCC 5.3.0 r48868) ) #883 SMP Fri Jun 3 13:48:18 CEST 2016

I got a security alert when trying to use a slash inside the code quote. That is a new one.
 
Replacing iptables-save with iptables -L worked! No errors.
 
So there is your resolution, just change that line :) Added it to the wiki so it may benefit others.
 
That was the fix. Getting your scripts to work on DD-WRT has exposed some of its issues and has made me appreciate ASUS Merlin Firmware that much more. The issues seem to be carried over into the entware iptables package as well. In addition to the iptables-save error, I get this error when running blockstats:

Code:
ip6tables v1.4.21: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

ipset is another utility not on DD-WRT. Even though I installed ipset from entware, I had to side-load xt_set from a posting on the DD-WRT forum to get it working. Then I have to insmod /jffs/usr/lib/modules/xt_set.ko in the router start-up script. It was rewarding when I got it all to work though. I have found that crontab is flaky and access restrictions are broken. I have had to script workarounds as a result.

Whenever I see someone with an ASUS router who wants to flash to DD-WRT, I have to cringe.
 
Hi, Toast!
I d/led the new script and ran it and I got the following error, "Iptables V1.4.14: unknown option "-m".
What needs to be changed?
 
Never mind the above error. I found the problem. It was from my copying the file, but I did get a message, "Syntax error: '241.10.143.81' is invalid as a number".
 
Malware-filter is running for me, but I have been reading this thread.
I can't find the wiki for this script.
Should I change the "Iptables-save" to "Iptables -L" on my Asus-Merlin?
 
I get this error when running blockstats
I am guessing that you use ipset v6. You can change the alias to be
Code:
alias blockstats='iptables -L -v | sed "2q;d"; iptables -L -v | grep "match-set"'
That would give stats on your IPv4 blocklists. There are very few IPv6 blocklists, and I don't think you are using any of those as you do not have ip6tables.
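An added example (not the malware-filter script or anything posted in this thread) that puts the two points above together on a constructed `iptables -L -v` listing: the "insert the rule only if it is not already there" guard written against `iptables -L` output, which DD-WRT has, instead of `iptables-save`, and the per-blocklist counters that the blockstats alias greps out. The set names and counters in the listing are made up for the example.

```shell
#!/bin/sh
# Added example; not the thread's script. Works on any POSIX sh, and the
# only router-specific command (the iptables insert) is left as a comment.

# Constructed sample of `iptables -L -v` output (not real router output):
# two ipset rules in INPUT, none in FORWARD.
LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1440 DROP       all  --  any    any     anywhere             anywhere             match-set Malware-Filter src
    3   240 DROP       all  --  any    any     anywhere             anywhere             match-set Malware-Range-Filter src
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# rule_present LISTING SETNAME: exit 0 when a rule for that ipset exists.
# The trailing space after the name stops "Malware-Filter" from matching a
# longer set name such as "Malware-Filter2".
rule_present() {
    printf '%s\n' "$1" | grep -q "match-set $2 "
}

# ensure_rule LISTING SETNAME: the idempotent guard. Without the check, a
# script that runs at every boot or cron tick keeps appending the same rule.
# Prints which branch was taken so it can be verified without real iptables.
ensure_rule() {
    if rule_present "$1" "$2"; then
        echo "present"
    else
        # On the router this is where the insert goes, e.g.:
        # iptables -I INPUT -m set --match-set "$2" src -j DROP
        echo "added"
    fi
}

# blockstats LISTING: "SETNAME PKTS BYTES" per match-set rule, one per line.
# Same data the alias in the thread shows, reduced to the useful columns.
blockstats() {
    printf '%s\n' "$1" | awk '/match-set/ {
        for (i = 1; i <= NF; i++) if ($i == "match-set") print $(i+1), $1, $2
    }'
}
```

Run it on a router by replacing the constructed `LISTING` with `LISTING=$(iptables -L -v)`.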
 