Menu
What's new
By:
Filters Better Search

Peer Guardian rewrite for ipset v6

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

redhat27

redhat27

Very Senior Member
[EDIT] The script evolved quite a bit and moved to my git repo

Use
Code: 
BLOCKLIST_INDEXES="2 11"
for peerguardian implementation
 
Last edited:
ipset v6:
ipset v6.29: Error in line 3: Syntax error: IP address or IP/cidr must be specified: 1.2.4.0-1.2.4.255
 
Thanks for testing it. Can you try one more time? I updated the script in the 1st post.
 
now it is working fine with ipset v6. thank you.
but it's not possible to run it another time (i.e as cron job):

ipset v6.29: Error in line 8: Element cannot be added to the set: it's already added
 
I'm assuming that you are getting that error on the second run, right?

Can you post:

grep Bluetack /tmp/syslog.log
and
iptables -Lv | grep Bluetack

Thanks again for testing
 
Mar 8 15:58:08 Firewall: /jffs/scripts/peerguardian2.sh: Loaded peer guardian BluetackLevel1 blocklist with 3621 entries
Mar 8 16:53:11 Firewall: /jffs/scripts/peerguardian2.sh: Loaded peer guardian BluetackLevel1 blocklist with 4098 entries
Mar 8 19:01:59 Firewall: peerguardian2.sh: Loaded peer guardian BluetackLevel1 blocklist with 4909 entries
Mar 8 19:02:19 Firewall: peerguardian2.sh: Loaded peer guardian BluetackLevel1 blocklist with 3709 entries


iptables: No chain/target/match by that name.
 
amigohd said:
iptables: No chain/target/match by that name
Click to expand...
My bad its iptables -L -v | grep Bluetack

It is odd that you have such low counts on the entries. I have:
Mar 7 22:42:58 Firewall: /jffs/scripts/peer-guardian.sh: Loaded peer guardian BluetackLevel1 blocklist with 207820 entries
Mar 7 22:45:17 Firewall: /jffs/scripts/peer-guardian.sh: Loaded peer guardian BluetackLevel2 blocklist with 69693 entries

I believe your lists are not loading properly even the first time. You may have been bit by this "bug"

Can anyone here suggest a fix for ipset v6 restore on large entries in IP1-IP2 range formats
 
too bad I am not really a unix/linux guy. as long as there is no simple plug&play/copy&paste solution I will deactivate the peerguardian script
 
I reworked the script to work with IP ranges (updated 1st post). It now converts IP ranges to CIDR. It creates 2 sets: One for single IPs, and one for CIDRs. All that awk processing made it slow (takes a long time to create the ipset restore list) Other than that, it should be good. I'm planning to work on something more generic, whereby you can load any blocklist from iblocklist.com
 
Hey, thanks for the script.
I saw you added blacklist and whitelist files, are you going to implement this functionality shortly?
 
@Isildur I just now uploaded a version2 and version3 of the script with a lot of extra configuration ability: Blocklists, allowlists, blacklist domains and whitelist domains, and also control inbound, outbound or both traffic. I think it may be best to keep this options separate from the original script as it may confuse some users with all those added options
 
@redhat27 Hey, I have one concern related to blacklist/whitelist functionality: it does lookup to get underlying resource ip and blocks|allows it, but there is a situation when some resource has load balancing of some sort and gives different ip from time to time, probably it would be better to block it by hostname too, but I'm not sure whether router version of iptables supports that and how it affects performance:
Code: 
iptables -I INPUT -p tcp --dport 80 -m string --string "Host: blacklisted.com" --algo bm -j DROP
 
Isildur said:
it does lookup to get underlying resource ip
Click to expand...
It gets all the IPs returned ly nslookup (if you do nslookup login.live.com or nslookup yahoo.com) you'll see that there are multiple IPs returned. All of the IPs get loaded to the ipset. So at the time when the actual dns call is being made, the IP to which that dns resolves to, should already be in the ipset.

The problem with adding directly to iptable rules is that if the number of hostnames increase, it'll degrade the router performance.

BTW, a small request: If the discussion is not specific to peer-guardian, lets continue the discussion on the iblocklist-loader thread
 
Last edited:
You must log in or register to reply here.

Similar threads

K
Need help with Transmission in OpenWRT.
Replies
3
Views
174
slidermike
S
G
amtm Intermittent connection resets when checking for or downloading script updates
Replies
2
Views
304
grim42
G
johndoe85
Tutorial How to install Wireproxy on your Asus-Merlin Router
Replies
0
Views
957
johndoe85
johndoe85
Wallifur
Bugs in WireGuard config UI
Replies
18
Views
2K
ZebMcKayhan
Z
RMerlin
  • Locked
Beta Asuswrt-Merlin 3006.102.1 Beta is now available for WIfi 7 devices
3 4 5
Replies
97
Views
14K
RMerlin
RMerlin

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 795 (members: 11, guests: 784)
Top