iptables --help
iptables-save is not part of the firmware, regardless of the platform.
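#!/bin/sh
# Load the "Hammer" block list into an ipset and log+drop matching INPUT traffic.
# Meant for the router's firewall-start hook (BusyBox sh: no bashisms used).
# Reads:   $IPSET_LISTS_DIR/Hammer.lst, one address per line
#          (blank lines and lines starting with '#' are skipped)
# Writes:  ipset "Hammer_ips"; two INPUT rules (LOG, then DROP) matching it
# Both the set and the rules are created only when they do not exist yet, so
# the script is safe to run repeatedly.

# Kernel modules for ipset and the iptables "set" match; only load them when
# the ipt_set module is not already present.
if ! lsmod | grep -q "ipt_set"; then
  for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
    insmod "$module"
  done
fi

IPSET_LISTS_DIR=/jffs/ipset_lists/
HAMMER_LIST="$IPSET_LISTS_DIR/Hammer.lst"

# Existence probe: swapping a set with itself is a no-op when the set exists
# and reports "Unknown set" when it does not.
if ipset --swap Hammer_ips Hammer_ips 2>&1 | grep -q 'Unknown set'; then
  ipset -N Hammer_ips iphash # Create the ipset (a set, not an iptables chain)
  if [ -f "$HAMMER_LIST" ]; then
    # One entry per line; quoting keeps each entry intact and prevents the
    # shell from globbing or re-splitting the list contents.
    while IFS= read -r item || [ -n "$item" ]; do
      case "$item" in
        ''|'#'*) continue ;; # skip blank and comment lines
      esac
      ipset -A Hammer_ips "$item" # Append the address to the set
    done < "$HAMMER_LIST"
  else
    printf 'warning: %s not found; Hammer_ips created empty\n' "$HAMMER_LIST" >&2
  fi
fi

# Add the rules only once: skip when a rule mentioning "Hammer" is already in
# the saved ruleset (the original test used [ -z ... ], which checks for an
# empty string; it has nothing to do with zeroing counters).
if ! iptables-save | grep -q Hammer; then
  # Both rules are inserted at the top of INPUT. The LOG rule is inserted
  # last, so it ends up above DROP and every dropped packet is logged first.
  # NOTE: the LOG rule has no -m limit; a burst from listed hosts will fill
  # syslog. Consider rate-limiting it if log volume becomes a problem.
  iptables -I INPUT -m set --match-set Hammer_ips src,dst -j DROP
  iptables -I INPUT -m set --match-set Hammer_ips src,dst -j LOG --log-prefix '[BLOCK HAMMER] :' --log-tcp-options --log-ip-options
fi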
iptables-save is not included in the firmware.
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[BLOCK HAMMER] :"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst
iptables-save is not part of the firmware, regardless of the platform.
# ls -l /usr/sbin/ipt*
-rwxr-xr-x 1 admin root 50024 Mar 7 02:05 /usr/sbin/iptables
lrwxrwxrwx 1 admin root 8 Mar 7 02:05 /usr/sbin/iptables-restore -> iptables
lrwxrwxrwx 1 admin root 8 Mar 7 02:05 /usr/sbin/iptables-save -> iptables
# iptables-save -t mangle
# Generated by iptables-save v1.3.8 on Mon Mar 31 15:27:35 2014
*mangle
:PREROUTING ACCEPT [6124671:497674238]
:INPUT ACCEPT [4009635:246775981]
:FORWARD ACCEPT [2017312:245774638]
:OUTPUT ACCEPT [3683128:377857672]
:POSTROUTING ACCEPT [5575883:618899223]
-A PREROUTING -d 82.2.xxx.yyy -i ! eth0 -j MARK --set-mark 0xd001
COMMIT
# Completed on Mon Mar 31 15:27:35 2014
Really? I've been using it on my RT-N66U.
Code:# ls -l /usr/sbin/ipt* -rwxr-xr-x 1 admin root 50024 Mar 7 02:05 /usr/sbin/iptables lrwxrwxrwx 1 admin root 8 Mar 7 02:05 /usr/sbin/iptables-restore -> iptables lrwxrwxrwx 1 admin root 8 Mar 7 02:05 /usr/sbin/iptables-save -> iptables # iptables-save -t mangle # Generated by iptables-save v1.3.8 on Mon Mar 31 15:27:35 2014 *mangle :PREROUTING ACCEPT [6124671:497674238] :INPUT ACCEPT [4009635:246775981] :FORWARD ACCEPT [2017312:245774638] :OUTPUT ACCEPT [3683128:377857672] :POSTROUTING ACCEPT [5575883:618899223] -A PREROUTING -d 82.2.xxx.yyy -i ! eth0 -j MARK --set-mark 0xd001 COMMIT # Completed on Mon Mar 31 15:27:35 2014
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[BLOCK HAMER] :"
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[BLOCK HAMER] :"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst
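#!/bin/sh
# Load the "Hammer" block list into an ipset and log+drop matching INPUT traffic.
# Meant for the router's firewall-start hook (BusyBox sh: no bashisms used).
# Reads:   $IPSET_LISTS_DIR/Hammer.lst, one address per line
#          (blank lines and lines starting with '#' are skipped)
# Writes:  ipset "Hammer_ips"; two INPUT rules (LOG, then DROP) matching it
# Both the set and the rules are created only when they do not exist yet, so
# the script is safe to run repeatedly.

# Kernel modules for ipset and the iptables "set" match; only load them when
# the ipt_set module is not already present.
if ! lsmod | grep -q "ipt_set"; then
  for module in ip_set ip_set_iphash; do
    insmod "$module"
  done
fi

IPSET_LISTS_DIR=/jffs/ipset_lists/
HAMMER_LIST="$IPSET_LISTS_DIR/Hammer.lst"

#HAMMER
# Existence probe: swapping a set with itself is a no-op when the set exists
# and reports "Unknown set" when it does not.
if ipset --swap Hammer_ips Hammer_ips 2>&1 | grep -q 'Unknown set'; then
  ipset -N Hammer_ips iphash
  if [ -f "$HAMMER_LIST" ]; then
    # One entry per line; quoting keeps each entry intact and prevents the
    # shell from globbing or re-splitting the list contents.
    while IFS= read -r item || [ -n "$item" ]; do
      case "$item" in
        ''|'#'*) continue ;; # skip blank and comment lines
      esac
      ipset -A Hammer_ips "$item"
    done < "$HAMMER_LIST"
  else
    printf 'warning: %s not found; Hammer_ips created empty\n' "$HAMMER_LIST" >&2
  fi
fi

# Add the rules only once: skip when a rule mentioning "Hammer" is already in
# the saved ruleset.
if ! iptables-save | grep -q Hammer; then
  # Both rules are inserted at the top of INPUT. The LOG rule is inserted
  # last, so it ends up above DROP and every dropped packet is logged first.
  # NOTE: the LOG rule has no -m limit; a burst from listed hosts will fill
  # syslog. Consider rate-limiting it if log volume becomes a problem.
  iptables -I INPUT -m set --match-set Hammer_ips src,dst -j DROP
  iptables -I INPUT -m set --match-set Hammer_ips src,dst -j LOG --log-prefix '[HAMMER] :' --log-tcp-options --log-ip-options
fi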
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 253 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[HAMMER]"
4 253 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst
Apr 5 15:48:01 kernel: [BLOCK HAMMER] :IN=eth0 OUT= MAC=e0:3f:49:ee:0c:e0:fc:99:47:ca:63:00:08:00 SRC=198.20.70.114 DST=xx.xx.192.105 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=40685 PROTO=TCP SPT=24164 DPT=80 WINDOW=58195 RES=0x00 SYN URGP=0
Apr 5 15:48:01 kernel: [BLOCK HAMMER] :IN=eth0 OUT= MAC=e0:3f:49:ee:0c:e0:fc:99:47:ca:63:00:08:00 SRC=198.20.70.114 DST=xx.xx.192.105 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=40685 PROTO=TCP SPT=24164 DPT=80 WINDOW=58195 RES=0x00 SYN URGP=0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 40 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[BLOCK HAMMER] :"
1 40 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[BLOCK HAMMER] :"
1 40 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set Hammer_ips src,dst
I uploaded my syslog; I'm getting these entries in my logs.