Yet another malware block script using ipset (v4 and v6)

[Xentrk]

I downloaded it with no problems last night on two routers using the wget in the OP and I have ab-solution installed. This was my first time. This script runs fast. I am impressed.

 

[jack901]

so it is ok to put in services-start from previous nessages , will try that for router reboots so it loads.
I am not having any slow downloads at all:
Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (41014) and YAMalwareBlockCIDR (5141) in 27 seconds

thanks all

 

[eclp]

If this script is active on my router, the translator software "iTranslate" will be disabled or no longer working on (all my iDevices under iOS 10.3.1. If I disable your script or in Cellular mode, the tool will work immediately.

 

[Jack Yaz]

Dropbox syncing broken too

 

[shooter40sw]

For now on this script only blocking tor and proxys, and I use the ya-malware-block also, no issues, I upgraded merlins firmware and factory restored and setup everything from 0, the slowness issues yesterday was my ISP so both scripts are running fast and working like they should

 

[Jack Yaz]

This script still seems to block out my UI. How do I test my internal IP against the list?

 

[thelonelycoder]

This script still seems to block out my UI. How do I test my internal IP against the list?

$(nvram get lan_ipaddr)

 

[Jack Yaz]

I mean, test against the lists pulled in via ya-malware, I'm aware of my own LAN IPs...

I think I have resolved, moving it from firewall-start (which it had been in before) to services-start seems *touch wood* to be behaving

 

[Adamm]

Some blacklists contain "unrouteable" IP's. I pm'd Redhat the workaround I use to filter these

 

[redhat27]

Thanks @Adamm I've uploaded a new script in github. Please download as per OP

Here is a small shell function that you can put in your /jffs/configs/profile.add

You'll need to install paste (opkg install coreutils-paste)

For ipset-v4:

cl() { # Check IP against ipset lists
  if [ -z "$1" ]; then
    echo "Specify IP to check through ipset lists. Exiting."
  else
    GREEN='\033[0;32m'
    RED='\033[0;31m'
    NC='\033[0m' # No Color
    for TestList in $( (iptables -L -t raw && iptables -L) | grep " set" | tr -s ' ' | cut -d' ' -f7 | paste -s); do
      ipset -q --test $TestList $1 && echo -e "$1 found in ${GREEN}${TestList}${NC}" || echo -e "$1 not found in ${RED}${TestList}${NC}"
    done
  fi
}

For ipset v6:

cl() { # Check IP against ipset lists
  if [ -z "$1" ]; then
    echo "Specify IP to check through ipset lists. Exiting."
  else
    GREEN='\033[0;32m'
    RED='\033[0;31m'
    NC='\033[0m' # No Color
    for TestList in $( (iptables -L -t raw && iptables -L) | grep "match-set" | tr -s ' ' | cut -d' ' -f7 | paste -s); do
      ipset -q test $TestList $1 && echo -e "$1 found in ${GREEN}${TestList}${NC}" || echo -e "$1 not found in ${RED}${TestList}${NC}"
    done
  fi
}

EDIT: ipset-v6 may need some tweaking, I can't test at this moment, try it and let me know if it works for you


You can then check an IP is present in any of your ipsets (from all the scripts, not just this one):
Source your profile, or re-login to your router and issue:

cl <IP>

 

[Jack Yaz]

I changed the function name (personal pref), but it seems to work. Just need to update to new blocklist tomorrow!

Having said that, it doesnt seem to include the sets from blocklist loadeR?

 

[redhat27]

it doesnt seem to include the sets from blocklist loadeR?

It should include all your ipsets that are referenced in your firewall. Which lists from the iblocklist-loader were you expecting? Run the loader script and check syslog to see if the lists were loaded

 

[Jack Yaz]

Ok so if i run blocklist loader manually they all load. But then i lose dns. If i use it in services-start some load but not all. I suspect dnscrypt is playing a part in this. Are you able to test?

 

[redhat27]

But then i lose dns

That is odd. See if your external dns server IP is in any of the loaded lists with this shell function. You can always whitelist your dns: Just assign your dns server ip to your "my_dns" domain in /jffs/configs/host.add and then whitelist that domain (my_dns)

 

[Jack Yaz]

That is odd. See if your external dns server IP is in any of the loaded lists with this shell function. You can always whitelist your dns: Just assign your dns server ip to your "my_dns" domain in /jffs/configs/host.add and then whitelist that domain (my_dns)

Will give it a go next time it happens. This reboot seems to be more stable. I did check against the lists and no matches, but I'll see how I get on

 

[redhat27]

If you are using dnscrypt, then check if 127.0.0.1 is there in any of those lists. Do not use that list for now then.

Edit: also check your router internal IP (example 192.168.1.1 or similar)

 

[Jack Yaz]

I found it, the bloody Bogon list happened to be blocking a lot of sites (even TfL!), removed that set and ta-dah. Sorry for wasting time, it was only after nslookup was returning addresses I realised DNS was fine.

 

[Jack Yaz]

Love the ip finder, https://pentest-tools.com wouldn't load, its in YAMalwareBlock2IP! Now I need to read documentation on how to whitelist.

 

[tonysamson]

Hi all,

Pardon my ignorance. Hope you can help enlighten me on this subject.

How is a "malware block script" any different with the Firewall option in the Asus Router?

 

[Gitsum]

So what happens when a blacklisted site is blocked? Is there a warning page or just an error?