:: ipBLOCKer :: Category blocking using iptables and ipsets

[steelskinz]

J'ai remarqué qu'il y avait des Francais sur le forum snb il y a quelques temps..

 

[spalife]

J'ai remarqué qu'il y avait des Francais sur le forum snb il y a quelques temps..

Les oiseaux volent dans toutes les directions

 

[spalife]

no, I am not french....

Poslano z mojega EVA-L09 z uporabo Tapatalk

se opravičujem

 

[thelonelycoder]

Les oiseaux volent dans toutes les directions

I believe @RMerlin is at the minimum bilingual.

 

[spalife]

I believe @RMerlin is at the minimum bilingual.

I thought (he/she) was an alien

 

[thelonelycoder]

I thought (he/she) was an alien

A Wizard?

 

[spalife]

ipBLOCKer Version 1.1 available now.

See Post #1 & Post #2 for Changelog and Upgrade Instructions

 

[bayern1975]

ipBLOCKer Version 1.1 available now.

See Post #1 & Post #2 for Changelog and Upgrade Instructions

will try this new version if i still have problems when router reboot....

 

[spalife]

will try this new version if i still have problems when router reboot....

Go through the upgrade instructions and do backup your
system.

It addresses your router restart issue specifically.

After you restart your router assuming you have
not uninstalled anything and have saved files in
the refresh folder go to ipBLOCKer and
use the option synch_all

 

[bayern1975]

no luck for me with this script...I very like it but I have to remove it....probably this script not working just for me.....thanks anyway to author for helping me to solve my problem....

Poslano z mojega EVA-L09 z uporabo Tapatalk

 

[Odkrys]

no luck for me with this script...I very like it but I have to remove it....probably this script not working just for me.....thanks anyway to author for helping me to solve my problem....

Poslano z mojega EVA-L09 z uporabo Tapatalk

All of ipset related scripts in snbforums don't have the init file.

echo "sh /tmp/mnt/sda1/ipBLOCKer/ipBLOCKer.sh setup" >> /jffs/scripts/services-start
echo "sh /tmp/mnt/sda1/ipBLOCKer/ipBLOCKer.sh refresh all" >> /jffs/scripts/services-start

Try rebooting test with this.

 

[spalife]

no luck for me with this script...I very like it but I have to remove it....probably this script not working just for me.....thanks anyway to author for helping me to solve my problem....

Poslano z mojega EVA-L09 z uporabo Tapatalk

Too bad, tested and working for all the situations
router restart => block synch_all (all saved state restored)
firewall restart => system automatically detects restores when invoked

As I have requested you before,
as none of the blocking solutions seem to work for you,
start a new thread maybe a wider audience can help you.

In that thread do post
1. What steps do you take when you restart the router ?
2. Do you eject the usb drive from Admin before rebooting ?
3. How did you partition the USB fat/ext2/ext3/ext4 ?
4. What steps do you take after you restart the router ?

 

[spalife]

All of ipset related scripts in snbforums don't have the init file.

echo "sh /tmp/mnt/sda1/ipBLOCKer/ipBLOCKer.sh setup" >> /jffs/scripts/services-start
echo "sh /tmp/mnt/sda1/ipBLOCKer/ipBLOCKer.sh refresh all" >> /jffs/scripts/services-start

Try rebooting test with this.

The user has some USB issue (i think from his posts)
after the router is restarted,
files seem to be present on the USB but file content is inconsistent across boots.

FYI
ipBLOCKer.sh setup will start the Setup Menu
and wait for user to select or change system configuration.
ipBLOCKer.sh refresh all will refresh all selected categories.

Assuming ipBLOCKer is installed on a USB,
you would have timing issues if the mount is not available
when you invoke the program.

The 1.1 changes specifically address this issues.
A better approach would be to add cron job like below
which takes care of unexpected firewall restarts and
missing firewall rules

# This will check if firewall-rules are missing
# and adds them
30 * * * * . /tmp/mnt/USBDIR/ipBLOCKer/.ipBLOCKer.config; /tmp/mnt/USBDIR/ipBLOCKer/ipBLOCKer.sh synch #ipBLOCKer-synch#

 

[Odkrys]

I am testing it now. Mine is AC1900P.
Scripts doesn't work properly.
It has a problem with Entware-ng's cron package.

ipBLOCKer: Restoring firewall from saved state ....
You (my admin name) are not allowed to use this program (crontab)
See crontab(1) for more information
You (my admin name) are not allowed to use this program (crontab)
See crontab(1) for more information
ipBLOCKer: ERROR: Unable to Create refresh Schedules

Additionally, './ipBLOCKer.sh refresh all' command load saved data, but it doesn't apply the program. (I cut the middle.)

ipBLOCKer: Total Downloaded & Deduplicated IP's: 26651
ipBLOCKer: Total Existing IP's: 26651
ipBLOCKer: Total Downloaded & Deduplicated CIDR's: 949
ipBLOCKer: Total Existing CIDR's: 949
ipBLOCKer: Processing :: tor-exits ::
######################################################################## 100.0%
ipBLOCKer: Total Downloaded & Deduplicated IP's: 6870
ipBLOCKer: Total Existing IP's: 6870
ipBLOCKer: Total Downloaded & Deduplicated CIDR's: 0
ipBLOCKer: Total Existing CIDR's: 0

ipBLOCKer: Total Total
ipBLOCKer: categories IP Hits CIDR Hits
ipBLOCKer: ______________________________________________________________________
ipBLOCKer: spam 0 0 0 0
ipBLOCKer: tor-exits 0 0 0 0
ipBLOCKer: custom 0 0 0 0
ipBLOCKer: white-list 0 0 0 0
ipBLOCKer: ______________________________________________________________________
ipBLOCKer: Grand Totals: 0 0 0 0
ipBLOCKer: ######################################################################
ipBLOCKer:


Option: refresh all .... Done

 

[spalife]

I am testing it now. Mine is AC1900P.
Scripts doesn't work properly.
It has a problem with Entware-ng's cron package.

ipBLOCKer: Restoring firewall from saved state ....
You (my admin name) are not allowed to use this program (crontab)
See crontab(1) for more information
You (my admin name) are not allowed to use this program (crontab)
See crontab(1) for more information
ipBLOCKer: ERROR: Unable to Create refresh Schedules

Additionally, './ipBLOCKer.sh refresh all' command load saved data, but it doesn't apply the program. (I cut the middle.)
ipBLOCKer: Grand Totals: 0 0 0 0
ipBLOCKer: ######################################################################
ipBLOCKer:
Option: refresh all .... Done

Are you on 1.0 or 1.1 ?
You have given me very little information from which to
work with, I can derive the below:

1.
ipBLOCKer starts and see’s that firewall has restarted
and restores firewall from saved state.
I do not know from your posted output whether the router
has restarted too and buckets were restored or not.

2
Tries to schedule refreshes with crontab and informs the user
of the failure with a ERROR message.
ipBLOCKer runs with the current $USER privileges.
It seems the $USER running ipBLOCKer does not have
privileges to access crontab.
Have you followed this guide
https://github.com/Entware-ng/Entware-ng/wiki/Using-Cron
See also @ryzhov_al post #2 in
https://www.snbforums.com/threads/cron-different-to-usual-linux-cron.17088/#post-118335

3.
Your refresh all completed successfully from what i can see
and there were no incremental updates.

4.
However the status contradicts that information
(block status or ipBLOCKer.sh status) which shows
no buckets data is available. Run the below to make sure
that your refresh has a saved state in ipBLOCKer
refresh/folder

Not able to post code send me the contents of categories.txt,
the file listing and sizes of directories refresh and filters
and wc -l refresh/*.save
ipset -L | grep ipBLOCKer | sort

 

[bayern1975]

The user has some USB issue (i think from his posts)
after the router is restarted,
files seem to be present on the USB but file content is inconsistent across boots.

FYI
ipBLOCKer.sh setup will start the Setup Menu
and wait for user to select or change system configuration.
ipBLOCKer.sh refresh all will refresh all selected categories.

Assuming ipBLOCKer is installed on a USB,
you would have timing issues if the mount is not available
when you invoke the program.

The 1.1 changes specifically address this issues.
A better approach would be to add cron job like below
which takes care of unexpected firewall restarts and
missing firewall rules

# This will check if firewall-rules are missing
# and adds them
30 * * * * . /tmp/mnt/USBDIR/ipBLOCKer/.ipBLOCKer.config; /tmp/mnt/USBDIR/ipBLOCKer/ipBLOCKer.sh synch #ipBLOCKer-synch#

where to put this? didn`t find how and where to insert this line in cron?

 

[spalife]

where to put this? didn`t find how and where to insert this line in cron?

you can use cru

cru a ipBLOCKer-synch "30 * * * * . /tmp/mnt/USBDIR/ipBLOCKer/.ipBLOCKer.config; /tmp/mnt/USBDIR/ipBLOCKer/ipBLOCKer.sh synch"

 

[kvic]

You (my admin name) are not allowed to use this program (crontab)
See crontab(1) for more information

ipBLOCKer runs with the current $USER privileges.
It seems the $USER running ipBLOCKer does not have
privileges to access crontab.
Have you followed this guide
https://github.com/Entware-ng/Entware-ng/wiki/Using-Cron
See also @ryzhov_al post #2 in
https://www.snbforums.com/threads/cron-different-to-usual-linux-cron.17088/#post-118335

The issue seems that Entware's '/opt/bin/crontab' looks specifically for user "root". Since "admin" (or anything else) won't match, it complains and quits very early.

If you must run Entware's cron for now (which I actually prefer to), change your GUI login id from "admin" to "root" may do the trick. I haven't tried.

Another workaround is to add user "root" with root privilege. And ssh into your router with this new account and run crontab for editing. I don't like this either. (Any other workaround?)

I think a better fix is for Entware to compile in support for "/opt/etc/cron.allow" and "/opt/etc/cron.deny" which I don't find it in effect with my brief trial.

 

[spalife]

The issue seems that Entware's '/opt/bin/crontab' looks specifically for user "root". Since "admin" (or anything else) won't match, it complains and quits very early.

I think a better fix is for Entware to compile in support for "/opt/etc/cron.allow" and "/opt/etc/cron.deny" which I don't find it in effect with my brief trial.

Have you tried as suggested in the Guide

Check the name of super user on your system. If it's other then root, please fix it at /opt/etc/crontab.
As an example, asuswrt(-merlin) uses admin:

sed -i 's/root/admin/g' /opt/etc/crontab

NOTE:
Since entware has the vixie's version and as
@ rhyzhov_al pointed out $USER needs to be part of the job description
i.e.,
0 * * * * $USER scriptcall

The elegant approach would be to as you say having cron.allow

 

[spalife]

you can use cru

cru a ipBLOCKer-synch "30 * * * * . /tmp/mnt/USBDIR/ipBLOCKer/.ipBLOCKer.config; /tmp/mnt/USBDIR/ipBLOCKer/ipBLOCKer.sh synch"

@bayern1975 in your case you would need to replace
the USBDIR in the above command with sda1

i.e.,

cru d ipBLOCKer-synch

cru a ipBLOCKer-synch "*/30 * * * * . /tmp/mnt/sda1/ipBLOCKer/.ipBLOCKer.config; /tmp/mnt/sda1/ipBLOCKer/ipBLOCKer.sh synch"