
What command use ARM ?


octopus
iptables-save is not working with ARM processors. What should I use instead?
I'm trying to get my ip_set script working.

if [ -z "$(iptables-save | grep Hammer)" ]



Octopus
 
iptables --help
 
iptables --help

Yes, I have looked there, but it's all about command chain / option chain.
iptables-save is the command to save the iptables rules applied to a chain.
There is a similar script, as we can find in Merlin's wiki.

<snip>
[ -z "$(iptables-save | grep BlockedCountries)" ] && iptables -I INPUT -m set --set BlockedCountries src -j DROP
<snip>

Merlin, can you show me where in the source code the firewall is for the RT-AC68U?
Maybe I can find the answer there.

THANKS !

Octopus
 
iptables-save is not part of the firmware, regardless of the platform.
 
iptables-save is not part of the firmware, regardless of the platform.

RMerlin, what command do you use when saving the firewall on ARM?

Reading IP numbers from IPSET_LISTS_DIR=/jffs/ipset_lists/

The script I'm trying to get working is this:
Code:
#!/bin/sh

# Load the ipset kernel modules unless ipt_set is already present
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
insmod $module
done

IPSET_LISTS_DIR=/jffs/ipset_lists/

# HAMMER: create the set only if it does not exist yet ("Unknown set" on swap)
if [ "$(ipset --swap Hammer_ips Hammer_ips 2>&1 | grep 'Unknown set')" != "" ]
then
ipset -N Hammer_ips iphash # Create a new iphash set
for item in $(cat $IPSET_LISTS_DIR/Hammer.lst)
do
ipset -A Hammer_ips $item # Add each address from Hammer.lst to the set
done
fi

# -z is true when the string is empty, i.e. no rule mentioning Hammer was found.
# If iptables-save is absent, the string is always empty and the rules are inserted again on every run.
if [ -z "$(iptables-save | grep Hammer)" ]
then
iptables -I INPUT -m set --match-set Hammer_ips src,dst -j DROP
iptables -I INPUT -m set --match-set Hammer_ips src,dst -j LOG --log-prefix '[BLOCK HAMMER] :' --log-tcp-options --log-ip-options
fi

Getting this error:

iptables-save is not included in the firmware.


iptables -vnL gives this:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[BLOCK HAMMER] :"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst
 
iptables-save is not part of the firmware, regardless of the platform.

Really? I've been using it on my RT-N66U.

Code:
# ls -l /usr/sbin/ipt*
-rwxr-xr-x    1 admin    root         50024 Mar  7 02:05 /usr/sbin/iptables
lrwxrwxrwx    1 admin    root             8 Mar  7 02:05 /usr/sbin/iptables-restore -> iptables
lrwxrwxrwx    1 admin    root             8 Mar  7 02:05 /usr/sbin/iptables-save -> iptables

# iptables-save -t mangle
# Generated by iptables-save v1.3.8 on Mon Mar 31 15:27:35 2014
*mangle
:PREROUTING ACCEPT [6124671:497674238]
:INPUT ACCEPT [4009635:246775981]
:FORWARD ACCEPT [2017312:245774638]
:OUTPUT ACCEPT [3683128:377857672]
:POSTROUTING ACCEPT [5575883:618899223]
-A PREROUTING -d 82.2.xxx.yyy -i ! eth0 -j MARK --set-mark 0xd001
COMMIT
# Completed on Mon Mar 31 15:27:35 2014
 
Hm, odd. I guess Asus forgot to symlink it on the ARM platform (since it uses a different version of iptables).
 
I really don't know why I get the rules twice, LOG, DROP. (Had an echo command; removed it, it's working.)
But I have to wait and see if it's blocking hammers.

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[BLOCK HAMER] :"
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[BLOCK HAMER] :"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst
This code is working from build 374_41_0, which fixed iptables-save.

Code:
#!/bin/sh

# Load the ipset kernel modules unless ipt_set is already present
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_iphash
do
insmod $module
done


IPSET_LISTS_DIR=/jffs/ipset_lists/

#HAMMER: create the set only if it does not exist yet
if [ "$(ipset --swap Hammer_ips Hammer_ips 2>&1 | grep 'Unknown set')" != "" ]
then
ipset -N Hammer_ips iphash
for item in $(cat $IPSET_LISTS_DIR/Hammer.lst)
do
ipset -A Hammer_ips $item
done
fi
# Insert the rules only once: DROP first, then LOG on top of it
if [ -z "$(iptables-save | grep Hammer)" ]
then
iptables -I INPUT -m set --match-set Hammer_ips src,dst -j DROP
iptables -I INPUT -m set --match-set Hammer_ips src,dst -j LOG --log-prefix '[HAMMER] :' --log-tcp-options --log-ip-options
fi
Working just fine now:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   253 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[HAMMER]"
    4   253 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst
 
I got an answer really fast; have blocked one in my hammer list.
Isn't the double DROP and LOG because I have src and dst rules?
EDIT: removed "Echo", then it works!

Code:
Apr  5 15:48:01 kernel: [BLOCK HAMMER] :IN=eth0 OUT= MAC=e0:3f:49:ee:0c:e0:fc:99:47:ca:63:00:08:00 SRC=198.20.70.114 DST=xx.xx.192.105 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=40685 PROTO=TCP SPT=24164 DPT=80 WINDOW=58195 RES=0x00 SYN URGP=0 
Apr  5 15:48:01 kernel: [BLOCK HAMMER] :IN=eth0 OUT= MAC=e0:3f:49:ee:0c:e0:fc:99:47:ca:63:00:08:00 SRC=198.20.70.114 DST=xx.xx.192.105 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=40685 PROTO=TCP SPT=24164 DPT=80 WINDOW=58195 RES=0x00 SYN URGP=0
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    40 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[BLOCK HAMMER] :"
    1    40 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst LOG flags 6 level 4 prefix "[BLOCK HAMMER] :"
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src,dst
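As an added example (not the thread's script): when `iptables-save` is absent, `$(iptables-save | grep Hammer)` is always empty, so the rules are inserted again on every run, which is one way to get doubled LOG/DROP rows like those above. The helpers below parse `iptables -vnL INPUT` output instead, which the ARM build does provide, and run offline on a constructed listing; `ensure_hammer_rules` is what a script would call on the router and assumes `iptables -m set --match-set` works as in the thread's own rules.

```sh
#!/bin/sh
# Added example: detect whether the Hammer_ips rules are already in INPUT by
# parsing `iptables -vnL INPUT` rather than relying on iptables-save.

SET_NAME=Hammer_ips
LOG_PREFIX='[HAMMER] :'

# Read a `-vnL INPUT` listing on stdin and print how many rules with target $2
# (LOG or DROP) reference ipset $1. Column 3 of -vnL output is the target.
count_set_rules() {
    awk -v set="$1" -v tgt="$2" \
        '$3 == tgt && index($0, "match-set " set " ") { n++ } END { print n + 0 }'
}

# Classify the listing on stdin for set $1 / target $2: missing, present, duplicated.
rule_state() {
    n=$(count_set_rules "$1" "$2")
    if [ "$n" -eq 0 ]; then echo missing
    elif [ "$n" -eq 1 ]; then echo present
    else echo duplicated
    fi
}

# Insert the pair exactly once. -I prepends, so DROP goes in first and LOG ends
# up above it. Only `src` is matched: on INPUT the listed host is the source.
ensure_hammer_rules() {
    case "$(iptables -vnL INPUT | rule_state "$SET_NAME" DROP)" in
        missing)
            iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
            iptables -I INPUT -m set --match-set "$SET_NAME" src -j LOG \
                --log-prefix "$LOG_PREFIX" --log-tcp-options --log-ip-options ;;
        duplicated)
            echo "warning: $SET_NAME rules are duplicated in INPUT" >&2 ;;
    esac
}

# Constructed listing shaped like the thread's output after two runs of a
# script whose existence check never matched.
SAMPLE_DUP='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src LOG flags 6 level 4 prefix "[HAMMER] :"
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src LOG flags 6 level 4 prefix "[HAMMER] :"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Hammer_ips src'

printf '%s\n' "$SAMPLE_DUP" | rule_state "$SET_NAME" DROP   # prints: duplicated
```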
 
ip tables

Should I revert back to 374_41 to implement iptables or can it work with the current build?
 
I uploaded my syslog, getting these in my logs.

That's just the firewall doing its job and blocking IPs port scanning etc., completely unrelated, as this is an old thread to do with a missing iptables command.
 
It includes a working way to block spammers from reaching your router, saving the hammers' IP numbers in a txt file (hammer-lst).
 