What's new

Privacy Filter (Another IPSET Script)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

mind just giving me a print out of hostip from your distro ?

hostip --help
This is from V23E1...dnscrypt updated to 1.9.4
Code:
admin@AC68P-06650:/tmp/home/root# hostip -V
hostip v1.9.4
admin@AC68P-06650:/tmp/home/root# hostip -h
Usage: hostip [-6] [-r resolver_ip[:port]] host_name
  -6, --ipv6: ask for AAAA records
  -h, --help: show usage
  -r, --resolver-address=<ip>: the resolver IP address
  -V, --version: show version number

Example: hostip www.example.com
 
Code:
# hostip -V
hostip v1.9.1
# hostip --help
Usage: hostip [-6] [-r resolver_ip[:port]] host_name
  -6, --ipv6: ask for AAAA records
  -h, --help: show usage
  -r, --resolver-address=<ip>: the resolver IP address
  -V, --version: show version number

Example: hostip www.example.com

same but lesser version from entware so i think its just on or two domains that didnt resolve or hes using an older list that had alot of dead domains, @zyxmon mind updating hostip ?
 
Is there any way to make this script report to sys log the fact that it's started and running?
 
Hey @swetoast send or post your PayPal.me/ link I would like to send a few bucks!


Edit: Figured it out cash on the way!
 
Last edited:
This is from V23E1...dnscrypt updated to 1.9.4
Code:
admin@AC68P-06650:/tmp/home/root# hostip -V
hostip v1.9.4
admin@AC68P-06650:/tmp/home/root# hostip -h
Usage: hostip [-6] [-r resolver_ip[:port]] host_name
  -6, --ipv6: ask for AAAA records
  -h, --help: show usage
  -r, --resolver-address=<ip>: the resolver IP address
  -V, --version: show version number

Example: hostip www.example.com

Yep John!, i figured it out and run an opkg remove hostip. The entware version was 1.9.1 and the V22 version you included is 1.9.0

Still don't want to upgrade to v23 because of the OpenVPN 2.4 upgrade .... i should check the upgrade is not going to mess up with my ovpn clients

Code:
admin@RT-N66U:/jffs/scripts# hostip

Usage: hostip [-6] [-r resolver_ip[:port]] host_name

  -6, --ipv6: ask for AAAA records

  -h, --help: show usage

  -r, --resolver-address=<ip>: the resolver IP address

  -V, --version: show version number


Example: hostip www.example.com


admin@RT-N66U:/jffs/scripts# hostip -V

hostip v1.9.0

Still the same problem [name does not exist]

Probably something with xargs and hostip. The script only adds one ip and ignores the rest of the privacy-filter.list. If i hostip some random hostnames from the privacy-filter.list everything looks good. I'm going to see what happens more in detail.

BTW thanks to John for the fork! and swetoast and contribs for the script :)
 
Thrown some bucks to swetoast :). Also John send me your paypal so i can send some more bucks to your cause!
 
Code:
run_ipv4_block () {
if [ -f /tmp/privacy-filter_ipv4_sorted.part ]; then rm /tmp/privacy-filter_ipv4_sorted.part; fi
    if [ -z "$(which hostip)" ]; then
        if [ -z "$(which /opt/bin/xargs)" ]
            then cat $blocklist | xargs -n 5 -I {} sh -c "traceroute -4 {} | head -1 >> "/tmp/privacy-filter_ipv4_raw.part""
            else cat $blocklist | /opt/bin/xargs -P 10 -n 5 -I {} sh -c "traceroute -4 {} | head -1 >> "/tmp/privacy-filter_ipv4_raw.part""; fi
                 cat /tmp/privacy-filter_ipv4_raw.part | grep -oE "$regexp_v4" >> /tmp/privacy-filter_ipv4_presort.part
else    if [ -z "$(which /opt/bin/xargs)" ]
            then cat $blocklist | xargs -n 5 -I {} sh -c "hostip {} >> "/tmp/privacy-filter_ipv4.prelist""
            else cat $blocklist | /opt/bin/xargs -P 10 -n 5 -I {} sh -c "hostip {} >> "/tmp/privacy-filter_ipv4.prelist""; fi
        fi

I think i found something wrong with xargs/traceroute arguments. If i execute

Code:
 cat $blocklist | xargs -n 5 -I {} sh -c "traceroute -4 {} | head -1 >> "/tmp/privacy-filter_ipv4_raw.part""

I get the error:

'raceroute: bad address 'a.rad.msn.com
'raceroute: bad address 'a-0001.a-msedge.net
'raceroute: bad address 'a-0002.a-msedge.net
'raceroute: bad address 'a-0003.a-msedge.net
'raceroute: bad address 'a-0004.a-msedge.net
'raceroute: bad address 'a-0005.a-msedge.net
'raceroute: bad address 'a-0006.a-msedge.net
'raceroute: bad address 'a-0007.a-msedge.net
'raceroute: bad address 'a-0008.a-msedge.net
'raceroute: bad address 'a-0009.a-msedge.net
'raceroute: bad address 'ac3.msn.com
'raceroute: bad address 'aidps.atdmt.com
'raceroute: bad address 'aka-cdn-ns.adtech.de
'raceroute: bad address 'b.ads1.msn.com
'raceroute: bad address 'b.rad.msn.com
'raceroute: bad address 'bs.serving-sys.com
'raceroute: bad address 'c.atdmt.com
'raceroute: bad address 'c.msn.com
'raceroute: bad address 'choice.microsoft.com
'raceroute: bad address 'choice.microsoft.com.nsatc.net

If i do the same in my osx laptop i get good results.

To put it simple:

This
Code:
cat privacy-filter.list | xargs -n1 traceroute
does not work in the router but works in osx

I'm going to mess with the xargs params
 
Found the problem!

The privacy-filter.list file downloaded was not properly encoded (CRLF)

Now i have the ipset privacy-filter_ipv4 populated correctly
 
Found the problem!

The privacy-filter.list file downloaded was not properly encoded (CRLF)

Now i have the ipset privacy-filter_ipv4 populated correctly
It is based upon how you downloaded the file. Simply run "dos2unix filename" from the command line on the router.
 
@visortgw yeah, i tried that but i don't know why it didn't work. The thing is that if i delete the privacy-filter.list, the script downloads it again without the unix CRLF encoding ... weird ...
 
Hey guys awesome and thx for the beers tonight you guys rock and ive thrown all the supporters into the scripts :D
 
I had the same problem as bayern1975 that the blocking didn't seem to work.

I got this information from the following page:
https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset


Note that every time you do something on the web UI or through your [android app] (https://play.google.com/store/apps/details?id=com.asus.aihome) to control your router that affects reloading the firewall rules, /jffs/scripts/firewall-start will be called, so the iptables rules that are defined outside will be wiped out. To reinstate the rules as defined by this script, you'd need to add this to your existing /jffs/scripts/firewall-start:

Code:
# Reinstate the ipset rules if they have been created already
[ "$(uname -m)" = "mips" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
for ipSet in $(ipset -L | sed -n '/^Name:/s/^.* //p'); do
  case $ipSet in
    AcceptList) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j ACCEPT;;
    BruteForceLogins|TorNodes|BlockedCountries|CustomBlock) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j DROP;;
    MicrosoftSpyServers) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet dst -j DROP;;
    *) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
  esac
done



I also use this script and I changed the MicroSpyServers line to :
privacy-filter_ipv4) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
I could use this line because it is already in the privacy-filter so I deleted it in the IPSET list from above


Code:
# Reinitiate the ipset rules if they have been created already
[ "$(uname -m)" = "mips" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
for ipSet in $(ipset -L | sed -n '/^Name:/s/^.* //p'); do
  case $ipSet in
    AcceptList) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j ACCEPT;;
    BruteForceLogins|TorNodes|BlockedCountries|CustomBlock) iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j DROP;;
    privacy-filter_ipv4) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
    *) iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
  esac
done

Now the privacy-filter_ipv4 always works.

I hope this helps and is correct.
 
Last edited:

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top