380.61 on RT-N66U firewall-start issue

[Alejandro]

Hello every one
Just updated to v380.61 on my RT-N66U.
I had a custom script under /jffs/scripts/firewall-start that has been running and starting upon boot up without issues.

Today after the upgrade, the IPTABLES rules in the script did not load.

I ran the script manually, and got the following:

admin@x.x.x.x:/jffs/scripts ./firewall-start
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set.ko': File exists

something that I have never gotten before.

the script run successfully and the rules are added to IPTABLES

however it does not work from a boot or reboot. it has to be manually run.

Any ideas?

 

[RMerlin]

"File exists" usually means the module is already loaded, so you cannot insert it a second time.

 

[Alejandro]

Thank you RMerlin.

Nothing has changed with-in the firewall-start script and it has been running without issues for a good while.
This "Module already loaded" issue only started after the upgrade to 380.61

also:
IPTABLE rules do not load upon reboot
IPTABLE rules only load if I run the firewall-start script manually

Like I said, none of the above was an issue before the upgrade to 380.61.

Thanks.

This is the relevant code in the script

# Loading ipset modules                                                                   
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do                                                       
    insmod $module                                       
done

 

[RMerlin]

Thank you RMerlin.

Nothing has changed with-in the firewall-start script and it has been running without issues for a good while.
This "Module already loaded" issue only started after the upgrade to 380.61

also:
IPTABLE rules do not load upon reboot
IPTABLE rules only load if I run the firewall-start script manually

Like I said, none of the above was an issue before the upgrade to 380.61.

Thanks.

This is the relevant code in the script

# Loading ipset modules                                                                  
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do                                                      
    insmod $module                                      
done

Do your module insert into init-start or services-start instead, to ensure it only gets done once. It's possible you never noticed the problem before because firewall-start simply wasn't executed multiple times.

 

[Fitz Mutch]

Nothing has changed with-in the firewall-start script and it has been running without issues for a good while.

I copied that script too. Maybe try modprobe instead of insmod to suppress the message? Give it shot...

#!/bin/sh

# load ipset modules
for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
  /sbin/lsmod | /bin/grep -F $module > /dev/null 2>&1 || /sbin/modprobe $module
done

 

[shooter40sw]

hi guys, what command should I use to verify that the ipset rules are loaded_ I do the iptables -L but I dont seem to see anything blocked, I using the malware script form the asus merlin wiki on the ipset rules.
Thanks

 

[john9527]

also:
IPTABLE rules do not load upon reboot
IPTABLE rules only load if I run the firewall-start script manually

Classic symptom of having edited the file and saving in DOS/WIN format instead of Linux. Run

dos2unix /jffs/scripts/firewall-start

EDIT: Other possibility is that the larger code of 380.61 has partially corrupted the jffs space on the N66. Only fix for this is to reformat jffs and restore from backup.

 

[john9527]

I do the iptables -L

Use
iptables -nvL

 

[sfx2000]

Classic symptom of having edited the file and saving in DOS/WIN format instead of Linux

Quick hint - use Notepad++ - it can do those conversions nicely...

It's free and pretty awesome - if you're on a Mac - try TextWrangler from the folks over at BBEdit...

 

[shooter40sw]

Use
iptables -nvL

Thanks but even if I start de script manually they dont get loaded, I run the iptables command and there is nothing there and in the log nothing,
Any tips?
In understand that there is a match-set that must be in the input chain bu nothing about it is there or in any other part of the iptables output

10 414 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
113K 30M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
575 29749 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
20073 2832K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
44044 11M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
3 1170 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp !type 8

./malwarefilter.sh
/mnt/sda1/adblocking/malware-list.p 100%[=====================================================================>] 156.97K 252KB/s in 0.6s
/mnt/sda1/adblocking/malware-list.p [ <=> ] 2.33K --.-KB/s in 0.006s
/mnt/sda1/adblocking/malware-list.p [ <=> ] 9.97K 52.3KB/s in 0.2s
/mnt/sda1/adblocking/malware-list.p 100%[=====================================================================>] 16.93K --.-KB/s in 0.1s
/mnt/sda1/adblocking/malware-list.p 100%[=====================================================================>] 7.98K

EDIT:
Looks like something is wrong with the malware script, testing the peerguardian V3 it does give me an output on the iptables

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 set BluetackLevel1 src,dst