Help with setting blocklists on an AC68U

dandle

Regular Contributor
Hi

I've been researching setting up IP blocklists on the AC68U router. Initially I was using this site:

https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset

But I couldn't get it to work. After much searching, apparently the syntax is outdated on that link?

I came across this topic https://www.snbforums.com/threads/using-ipset-revisited.32817/ which seemed very helpful. However, I still couldn't get it to work.

I was seeing:

insmod: can't insert '/lib/modules/2.6.36.4brcmarm/kernel/net/netfilter/ipset/ip_set.ko': File exists
insmod: 'ip_set_nethash.ko': module not found
insmod: 'ip_set_iphash.ko': module not found
insmod: 'ipt_set.ko': modul
Try `iptables -h' or 'iptables --help' for more information.

I would appreciate it if someone could help me step by step with the process, or if there is more up-to-date syntax I should be using to get this to work. BTW, I'm kind of a noob at this :)

Much appreciated.
 
The modules you need to load depend on router type and firmware. Have a look here:
https://www.snbforums.com/threads/malware-filter-bad-host-ipset.35423/
The beginning of this script shows how to detect the correct ipset version.
 
Half of those scripts are written for the old syntax and need updating. Mine is the only one so far that's updated; I could also add privacy-filter to the list.
 
Half of those scripts are written for the old syntax and need updating.
Yup, indeed, but if he follows the thread he will get the idea. The wiki has the latest now, right?
 
Yeah, if he knows how to script and knows iptables syntax then he is able to figure it out, and malware-filter is the latest on the wiki.

Added a note about the scripts only supporting the older ipset syntax; there seem to be a lot of questions about scripts here on the forum lately.
 
@dandle I found this article quite useful when I was learning ipset:
http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset
It will give you a general feel of what you can do with ipsets, but once again the syntax is not updated.

If you just type "ipset" (without the quotes) at the command line you will get output indicating your ipset version:
Code:
tOmsK@RT-AC68U-4690:/tmp/home/root# ipset
ipset v6.29: No command specified.
Try `ipset help' for more information.
tOmsK@RT-AC68U-4690:/tmp/home/root#
In my case you can see my ipset is version 6.

The malware script uses the grep command to see if this output contains v4 or v6 and then uses a case statement to load the appropriate modules.
 
Thanks guys for the helpful replies so far!

I've been looking at the links and I'm happy to be learning something new each day in regards to syntax and commands etc., however a lot of it still flies over my head.

@tomsk I typed ipset while SSHed in and the output I get is the same as yours: v6.29.

Would be great to get a step by step process of this :)
 
Would be great to get a step by step process of this :)
The best advice I could give is to look at other people's scripts; it doesn't matter if they are good or bad, pull them apart and try to see what they are doing. You can type --help after most commands at the command line to see the options and switches etc. Failing that, you can also Google them; you're usually only a couple of clicks away from a man page or tutorial of some sort. Sooner or later it all starts to come together. And I have to say there's a fantastic, knowledgeable community here that will help you out if you get truly stuck.
 
Thanks for the reply and advice tomsk.

Since purchasing the router, I've been doing a lot of research on syntax and command lines within the forum and through general Google searching, but I feel you need to have a solid understanding of how all of this works to really make sense of it. I can say I know the basics and I have been doing some trial and error, but I would like to avoid messing around and experimenting too much in case I really break something and create a headache for myself. As mentioned in my first post, the link I used outlined step by step where to place the files and what to name them, however it seems the syntax was perhaps not right for my ipset version? If I can get some help with using the syntax for my version, I reckon that will push me in the right direction.
 
As mentioned in my first post, the link I used outlined step by step where to place the files and what to name them, however it seems the syntax was perhaps not right for my ipset version?
Your first post shows that your script was trying to load the modules for ipset version 4, and as you have already discovered your router is using version 6. So you have the choice of writing a script directly for your ipset version or having the script detect it for you. You can use this portion of @swetoast's malware script to detect the ipset version and load the modules. His script also sets variables for use in iptables rules later in the script, depending on the ipset version.

Code:
case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) # Value for ARM Routers

    MATCH_SET='--match-set'
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'

    ipsetv=6
    lsmod | grep "xt_set" > /dev/null 2>&1 || \
    for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
    do
        insmod $module
    done
;;

*v4) # Value for Mips Routers

    MATCH_SET='--set'
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''

    ipsetv=4
    lsmod | grep "ipt_set" > /dev/null 2>&1 || \
    for module in ip_set ip_set_nethash ip_set_iphash ipt_set
    do
        insmod $module
    done
;;
esac
 
Thanks

So would I need to include the above syntax you have posted and replace the portion in @swetoast's script from "# Create the malware-filter (primary) if does not exists" upwards?
 
Which script is it that you want to convert? That might make it easier to help you.

Well, I had this in mind:
Code:
#!/bin/sh

# Original script by swetoast. Updates by Neurophile.

# SET CONFIG
path=/jffs/filters
#path for malware filter files
# END CONFIG

# SET VARIABLES
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`
# END VARIABLES

# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_iptreemap ipt_set; do
    insmod $module
done

# Different routers got different iptables syntax
case $(uname -m) in
    armv7l)
        MATCH_SET='--match-set'
        ;;
    mips)
        MATCH_SET='--set'
        ;;
esac

# Create the malware-filter (primary) if does not exists
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep 'Unknown set')" != "" ]; then
    ipset -N malware-filter iphash
    for IP in $(cat $path/malware-filter.txt)
    do
        ipset -A malware-filter $IP
    done
fi
[ -z "$(iptables-save | grep malware-filter)" ] && iptables -I FORWARD -m set $MATCH_SET malware-filter dst -j DROP

exit $?

To be honest I'm not too fussed about the script. All I'm looking for is something that will work with the different types of blocklist txt files for my ipset version. If you have a script that is perhaps more suitable then I would use that. I know I'm trying to cut corners :p but I honestly wish I had the time to really study all of this and soak the knowledge in.

Another question mark is how many scripts do I need, specifically? In the link I posted in the opening post, he has 3 different scripts. Are they all necessary?
 
Basically, what you need in order for the scripts on the wiki that don't work is:

Code:
case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) # Value for ARM Routers

    MATCH_SET='--match-set'
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'

    ipsetv=6
    lsmod | grep "xt_set" > /dev/null 2>&1 || \
    for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
    do
        insmod $module
    done
;;

*v4) # Value for Mips Routers

    MATCH_SET='--set'
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'

    ipsetv=4
    lsmod | grep "ipt_set" > /dev/null 2>&1 || \
    for module in ip_set ip_set_nethash ip_set_iphash ipt_set
    do
        insmod $module
    done
;;
esac

Then you need to tweak some of the ipset commands in the script.
 
I see. So if I want Peerguardian to work, I just replace the ipset4 parameter with the above code you have posted?

You mentioned tweaking some of the ipset commands in the script. Can you give an example please?
 
Well, if it's Peerguardian then you need to rip out

Code:
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_iptreemap ipt_set; do
    insmod $module
done

case $(uname -m) in
  armv7l)
    MATCH_SET='--match-set'
    ;;
  mips)
    MATCH_SET='--set'
    ;;
esac

and replace that with my stuff

and then replace entries like this
Code:
ipset --create BluetackLevel1 iptreemap && \
with something like this
Code:
ipset -N BluetackLevel1 $HASH && \

In order for it to work it's all trial and error; consult the pages @Martineau posted if you get stuck.

Good luck and have fun
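The conversion discussed in this thread carried through as one script (an added example, not code from the thread or from swetoast's malware-filter script): it detects the ipset version with the same grep/case approach as the snippet above, keeps the variables for both syntaxes, and builds a hash:ip/iphash set from a blocklist file. The set name, list path, the `--apply` flag and the sample list lines are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's or swetoast's script): detect the ipset
# version, pick that version's syntax and modules, load a blocklist file.
SET_NAME=${SET_NAME:-malware-filter}                      # assumed set name
LIST_FILE=${LIST_FILE:-/jffs/filters/malware-filter.txt}  # assumed list path

# Set the per-version variables from the text "ipset -v" prints;
# returns 1 when that text names neither v4 nor v6.
ipset_syntax() {
  case "$(printf '%s' "$1" | grep -oE 'ipset v[0-9]')" in
    *v6) ipsetv=6 MATCH_SET='--match-set' HASH='hash:ip' ADD='add'   # ARM
         KMOD_KEY=xt_set MODULES='ip_set ip_set_hash_net ip_set_hash_ip xt_set' ;;
    *v4) ipsetv=4 MATCH_SET='--set' HASH='iphash' ADD='-q -A'         # MIPS
         KMOD_KEY=ipt_set MODULES='ip_set ip_set_nethash ip_set_iphash ipt_set' ;;
    *)   return 1 ;;
  esac
}

# Keep only well-formed IPv4 addresses from a list file: comments, blank
# lines, hostnames and CIDR ranges are dropped (ranges need hash:net/nethash).
valid_ips() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the commands that build the set and the DROP rule, one per line,
# so they can be reviewed (or tested) before being piped into sh.
blocklist_commands() {
  printf 'lsmod | grep -q "%s" || for m in %s; do insmod $m; done\n' "$KMOD_KEY" "$MODULES"
  printf 'ipset -N %s %s\n' "$SET_NAME" "$HASH"    # -N works on ipset 4 and 6
  valid_ips "$1" | while read -r ip; do
    printf 'ipset %s %s %s\n' "$ADD" "$SET_NAME" "$ip"
  done
  printf 'iptables-save | grep -q %s || iptables -I FORWARD -m set %s %s dst -j DROP\n' \
    "$SET_NAME" "$MATCH_SET" "$SET_NAME"
}

# Constructed sample list for trying the script off the router.
write_sample_list() {
  cat > "$1" <<'EOF'
198.51.100.7          # constructed entry, kept
203.0.113.0/24        # CIDR range, skipped by a hash:ip set
bad.example.invalid   # hostname, skipped
EOF
}

# On the router: sh blocklist.sh --apply
if [ "${1:-}" = "--apply" ]; then
  ipset_syntax "$(ipset -v 2>&1)" || { echo "unknown ipset version" >&2; exit 1; }
  blocklist_commands "$LIST_FILE" | sh
fi
```

Without `--apply` the script only defines functions, so you can run `blocklist_commands /path/to/list.txt` in an SSH session to see exactly what would be executed on your ipset version.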
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top