I made edits to the ipset script example on https://github.com/RMerl/asuswrt-merlin/wiki/. This was done to add a check for the arm or mips iptables syntax used with ipset.
I also give credit for revisions I noted on the malware-filter script on the same github page and for syntax on the script written by @sobored04 on post #100 on http://www.snbforums.com/threads/malware-filter-bad-host-ipset.35423/page-5.
I am not a scripting expert by any means. Please test and offer suggestions. I am unable to test on a mips router because I don't own one.
I also give credit for revisions I noted on the malware-filter script on the same github page and for syntax on the script written by @sobored04 on post #100 on http://www.snbforums.com/threads/malware-filter-bad-host-ipset.35423/page-5.
I am not a scripting expert by any means. Please test and offer suggestions. I am unable to test on a mips router because I don't own one.

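#!/bin/sh
# Loads the ipset kernel modules, builds three ipsets (TorNodes,
# BlockedCountries, MicrosoftSpyServers) from cached lists and wires each
# one into iptables as a DROP rule. Safe to re-run: sets and rules that
# already exist are left alone.
#
# Requires: ipset, iptables, iptables-save, wget, lsmod, insmod, uname.
# Writes:   downloaded lists are cached under IPSET_LISTS_DIR.

# Loading ipset modules.
# ipset 4.x prints "v4" in its version string and ships ipt_set;
# ipset 6.x ships xt_set and the hash-based module names.
if ipset -v | grep -qi "v4"; then
  ipsetv=4
  lsmod | grep -q "ipt_set" || \
  for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
    insmod "$module"
  done
else
  ipsetv=6
  lsmod | grep -q "xt_set" || \
  for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set; do
    insmod "$module"
  done
fi

# Preparing folder to cache downloaded files
IPSET_LISTS_DIR=/jffs/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p "$IPSET_LISTS_DIR"

# Different routers got different iptables syntax:
# ipset 4.x expects "-m set --set", ipset 6.x expects "-m set --match-set".
# Architecture picks the flag as before; any other platform falls back on
# the ipset version detected above so MATCH_SET is never left empty
# (an empty MATCH_SET would make every iptables call below fail).
case $(uname -m) in
  armv7l) MATCH_SET='--match-set' ;;
  mips)   MATCH_SET='--set' ;;
  *)
    if [ "$ipsetv" -eq 4 ]; then
      MATCH_SET='--set'
    else
      MATCH_SET='--match-set'
    fi
    ;;
esac

#######################################
# Succeeds when the ipset named $1 does not exist yet.
# Swapping a set with itself is a harmless probe; both ipset 4.x and 6.x
# answer with a "does not exist" style message for an unknown set.
# Arguments: $1 - set name
#######################################
set_missing() {
  ipset --swap "$1" "$1" 2>&1 \
    | grep -Eq 'Unknown set|The set with the given name does not exist'
}

#######################################
# Downloads $2 into $1 unless $1 is already cached.
# The download goes to a temporary name first: "wget -O FILE" leaves an
# empty FILE behind when the transfer fails, and the cache check would then
# skip the download on every later run.
# NOTE: lists are fetched over plain HTTP with no integrity check, so
# whatever the server (or anyone on the path) returns is loaded as block
# entries; keep that in mind when choosing list sources.
# Arguments: $1 - cache file, $2 - URL
# Returns:   0 when $1 is usable, 1 when the download failed
#######################################
fetch_list() {
  [ -e "$1" ] && return 0
  if wget -q -O "$1.tmp" "$2"; then
    mv -f "$1.tmp" "$1"
  else
    rm -f "$1.tmp"
    printf 'warning: download of %s failed\n' "$2" >&2
    return 1
  fi
}

#######################################
# Adds the first whitespace-separated field of every non-empty line in
# $2 to the ipset $1 (the lists are one address/network per line).
# Reading with "read -r" avoids the pathname expansion that
# "for IP in $(cat FILE)" would apply to each token.
# Arguments: $1 - set name, $2 - list file
# Returns:   1 when $2 cannot be read
#######################################
load_list() {
  [ -r "$2" ] || return 1
  while read -r entry _; do
    [ -n "$entry" ] || continue
    ipset -A "$1" "$entry"
  done < "$2"
}

#######################################
# Inserts a DROP rule for ipset $2 into chain $1 unless a rule naming
# $2 is already present in the running ruleset.
# Arguments: $1 - chain, $2 - set name, $3 - direction flags (src,dst / dst)
# Globals:   MATCH_SET (read)
#######################################
ensure_rule() {
  iptables-save | grep -q "$2" \
    || iptables -I "$1" -m set "$MATCH_SET" "$2" "$3" -j DROP
}

# Block traffic from Tor nodes
if set_missing TorNodes; then
  ipset -N TorNodes iphash
  fetch_list "$IPSET_LISTS_DIR/tor.lst" http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv \
    && load_list TorNodes "$IPSET_LISTS_DIR/tor.lst"
fi
ensure_rule INPUT TorNodes src,dst

# Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
if set_missing BlockedCountries; then
  ipset -N BlockedCountries nethash
  for country in pk cn ru br mx co pl in; do
    list="$IPSET_LISTS_DIR/$country.lst"
    fetch_list "$list" "http://www.ipdeny.com/ipblocks/data/countries/$country.zone" \
      && load_list BlockedCountries "$list"
  done
fi
ensure_rule INPUT BlockedCountries src,dst

# Block Microsoft telemetry spying servers (static list, nothing is downloaded)
if set_missing MicrosoftSpyServers; then
  ipset -N MicrosoftSpyServers iphash
  for IP in 23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 \
    65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 \
    65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71 \
    65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 \
    131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 \
    134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 \
    191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254; do
    ipset -A MicrosoftSpyServers "$IP"
  done
fi
# Outbound telemetry is matched on destination in FORWARD, unlike the two INPUT rules above.
ensure_rule FORWARD MicrosoftSpyServers dst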