
Malware Filter / bad host IPSET

Discussion in 'Asuswrt-Merlin' started by kobejo34, Oct 27, 2016.

  1. kobejo34

    kobejo34 New Around Here

    Joined:
    Oct 24, 2016
    Messages:
    5
    Hello,

    I am trying to block outbound connections to known bad hosts from my LAN/wireless. I am running the script located below and have the below firewall rules, so it looks to be working. Anyone know what else to check?

    Running this script under the heading "Malware Filter"

    https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset

    Firewall Rule

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter dst
    256K 21M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
    33 3014 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    433 22328 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
    92238 7445K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0


    Install script seems to work

    admin@rt-:/jffs/scripts# sh -x firewall-start
    + path=/jffs/filters
    + echo \b([0-9]{1,3}\.){3}[0-9]{1,3}\b
    + regexp=\b([0-9]{1,3}\.){3}[0-9]{1,3}\b
    + lsmod
    + grep ipt_set
    + uname -m
    + MATCH_SET=--set
    + ipset --swap malware-filter malware-filter
    + grep Unknown set
    + [ != ]
    + ipset --destroy malware-update
    + echo -e -N malware-update iphash\n
    + get_update
    + mkdir -p /jffs/filters
    + wget -q --show-progress -i /jffs/filters/malware-filter.list -O /jffs/filters/malware-list.pre
    + nice ipset --restore
    + nice sed s/^/-A malware-update /
    /jffs/filters/malware-list.pre 100%[====================================================================>] 158.12K 753KB/s in 0.2s
    /jffs/filters/malware-list.pre [ <=> ] 2.28K --.-KB/s in 0.002s
    /jffs/filters/malware-list.pre [ <=> ] 10.21K --.-KB/s in 0.1s
    /jffs/filters/malware-list.pre 100%[====================================================================>] 17.06K --.-KB/s in 0.02s
    /jffs/filters/malware-list.pre 100%[====================================================================>] 92.21K --.-KB/s in 0.1s
    + cat /jffs/filters/malware-list.pre
    + grep -oE \b([0-9]{1,3}\.){3}[0-9]{1,3}\b
    + sort -u
    + echo -e \nCOMMIT\n
    + nice ipset --swap malware-update malware-filter
    + nice ipset --destroy malware-update
    + exit 0
     
  2. Fitz Mutch

    Fitz Mutch Regular Contributor

    Joined:
    May 27, 2016
    Messages:
    173
    Try pinging any malware IP address, to see if it's working. Look at the Iptables packet and byte counters, to verify that your ipset match rule is working.
    Code:
    /usr/sbin/iptables -L FORWARD -v -n
    
     
  3. kobejo34

    kobejo34 New Around Here

    Joined:
    Oct 24, 2016
    Messages:
    5
    Yes, thank you, I have a ping running, and they are being accepted. The iptables command came back with ACCEPT, that's weird. Looks like there are matches, but they are ACCEPTED.

    admin@rt-:/jffs/scripts# /usr/sbin/iptables -L FORWARD -v -n
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    79939 11M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
    0 0 logdrop all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
    0 0 logdrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
    18 1318 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    178 9139 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
    22091 1732K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
     
  4. Fitz Mutch

    Fitz Mutch Regular Contributor

    Joined:
    May 27, 2016
    Messages:
    173
    The DROP rule seems to be missing at the top of your FORWARD chain. I saw it in your previous post, but not this one. The "pkts" and "bytes" columns are what you want to be looking at for the DROP rule. You will know that the rule is matching packets when you see those 2 numbers increasing.
    Code:
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter dst
     
  5. kobejo34

    kobejo34 New Around Here

    Joined:
    Oct 24, 2016
    Messages:
    5
    Seems like the script writes it that way

    done
    [ -z "$(iptables-save | grep malware-filter)" ] && iptables -I FORWARD -m set $MATCH_SET malware-filter dst -j DROP
    fi


    I'm clueless how to change it.
     
  6. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    What router and firmware version do you use? (Don't say "latest".)
     
  7. kobejo34

    kobejo34 New Around Here

    Joined:
    Oct 24, 2016
    Messages:
    5

    Asus RT-AC66R Merlin 380.62
     
  8. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    Okay, ipset has been updated, not sure about the RT-AC66 though.

    Try to change:
    Code:
    # Loading ipset modules
    lsmod | grep "ipt_set" > /dev/null 2>&1 || \
    for module in ip_set ip_set_nethash ip_set_iphash ipt_set
    do
        insmod $module
    done
    To

    Code:
    # Load ipset modules
    ipset -v | grep -i "v4" > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        # old ipset
        ipsetv=4
        lsmod | grep "ipt_set" > /dev/null 2>&1 || \
        for module in ip_set ip_set_nethash ip_set_iphash ipt_set
        do
            insmod $module
        done
    else
        # new ipset
        ipsetv=6
        lsmod | grep "xt_set" > /dev/null 2>&1 || \
        for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
        do
            insmod $module
        done
    fi
    http://www.snbforums.com/threads/fo...ilable-v18e3-v19b4.18914/page-209#post-278253
     
    Last edited: Oct 28, 2016
  9. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    21,860
    Location:
    Canada
    ipset version is only upgraded in 380.63, and it's only for ARM models. RT-N66U and RT-AC66U are staying on 4.x due to their Jurassic kernel.
     
  10. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    Okay, I was unsure about that. Sorry.
     
  11. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
    @octopus mind changing it on the wiki if that works for you?
     
  12. kobejo34

    kobejo34 New Around Here

    Joined:
    Oct 24, 2016
    Messages:
    5
    Well, it does say DROP now, but the script does have some errors, perhaps from IPv6 maybe, but the traffic is still allowed to ping out.

    admin@rt-:/jffs/scripts# /usr/sbin/iptables -L FORWARD -v -n
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 set malware-filter dst
    156K 30M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
    11 907 logdrop all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
    0 0 logdrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
    14 966 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    586 29690 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
    56251 4685K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0


    insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set.ko': File exists
    + insmod ip_set_nethash
    + insmod ip_set_iphash
    insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set_iphash.ko': File exists
    + insmod ipt_set
    insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ipt_set.ko': File exists
     
  13. kanetaker

    kanetaker Occasional Visitor

    Joined:
    Jan 20, 2016
    Messages:
    14
    When I install the script I have a problem with this message:
    + nice ipset --swap malware-update malware-filter
    ipset v6.29: Sets cannot be swapped: the second set does not exist
    + exit 1
    Does someone know how to resolve it?

    I have firmware version 380.65 alpha2 on my ARM RT-AC68U
     
  14. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
  15. kanetaker

    kanetaker Occasional Visitor

    Joined:
    Jan 20, 2016
    Messages:
    14
    It is the same script that I have installed on the partition /jffs/scripts/firewall-start, and when I executed it I got this message: ipset v6.29: Sets cannot be swapped: the second set does not exist
    I copied and pasted the script, and I don't know if I have to change something before executing it.
     
  16. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
    Yeah, I'm getting the same, so I'll investigate and update once I've fixed it.
     
  17. kanetaker

    kanetaker Occasional Visitor

    Joined:
    Jan 20, 2016
    Messages:
    14
    [email protected]:/jffs/scripts# ./firewall-start
    /opt/var/cache/malw 100%[=====================>] 159.60K 230KB/s in 0.7s
    /opt/var/cache/malw [ <=> ] 2.34K --.-KB/s in 0.001s
    /opt/var/cache/malw [ <=> ] 10.47K --.-KB/s in 0.04s
    /opt/var/cache/malw 100%[=====================>] 17.00K 111KB/s in 0.2s
    /opt/var/cache/malw 100%[=====================>] 193.50K 192KB/s in 1.0s
    ipset v6.29: Sets cannot be swapped: the second set does not exist
     
  18. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    ipset v6.29: Change to this:
    Code:
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    Start modules with this:
    Code:
    lsmod | grep "xt_set" > /dev/null 2>&1 || \
    for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
    do
        insmod $module
    done
    
     
  19. swetoast

    swetoast Very Senior Member

    Joined:
    Apr 12, 2016
    Messages:
    527
    So this is my cleanup, feel free to go through it and suggest improvements, and please change it on the wiki and not just post to this thread.

    Also added a link for the Mirai blocklist on the wiki.

    Code:
    #!/bin/sh

    # Original script by swetoast. Updates by Neurophile & Octopus.

    # SET CONFIG
    path=/opt/var/cache/malware-filter  # path for malware filter files
    # END CONFIG

    # SET VARIABLES
    regexp='\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'   # matches one dotted-quad IPv4 address
    # END VARIABLES

    # Load ipset modules (ipset 4.x on MIPS, 6.x on ARM from 380.63)
    ipset -v | grep -i "v4" > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        # old ipset
        ipsetv=4
        lsmod | grep "ipt_set" > /dev/null 2>&1 || \
        for module in ip_set ip_set_nethash ip_set_iphash ipt_set
        do
            insmod $module
        done
    else
        # new ipset
        ipsetv=6
        lsmod | grep "xt_set" > /dev/null 2>&1 || \
        for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
        do
            insmod $module
        done
    fi

    # Different routers got different iptables syntax
    case $(uname -m) in
    armv7l)
        MATCH_SET='--match-set'
    ;;
    mips)
        MATCH_SET='--set'
    ;;
    esac

    # Get lists: download every URL in malware-filter.list and keep the unique IPv4 addresses
    get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        grep -oE "$regexp" $path/malware-list.pre | sort -u > $path/malware-filter.txt
    }

    run_ipset () {
        get_list

        # Create the ip set if it does not exist yet (destroying an existing set fails while the iptables rule still references it)
        if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
            ipset -N malware-filter iphash
        fi

        # Load the fresh list: flush the old entries, then add the new ones in a single restore run
        ipset -F malware-filter
        { sed "s/^/-A malware-filter /" $path/malware-filter.txt; echo COMMIT; } | ipset --restore

        # Apply iptables rule
        iptables-save | grep malware-filter > /dev/null 2>&1 || \
            iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j DROP
    }

    run_ipset
    exit $?
    
     
    Last edited: Dec 27, 2016
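An added example, not the wiki script or any poster's code: the load step done the way the original firewall-start did it, with a temporary set that is built from the download and then swapped under the live set, so the FORWARD rule never sees an empty set while the list reloads, and the "second set does not exist" failure above is avoided by creating the live set first. It emits the restore syntax for ipset 4.x (MIPS) or 6.x (ARM); `build_restore` and `load_set` are names chosen here, the set names and the `malware-list.pre` file follow the script.

```shell
#!/bin/sh
# Added example: atomic reload of the malware-filter set via a temporary set and swap.
# build_restore/load_set are hypothetical helpers; set names follow the wiki script.

path=/opt/var/cache/malware-filter
regexp='\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'

# Read a raw blocklist download on stdin and print an ipset restore script
# that creates set $2 and fills it with every unique IPv4 address found.
# ipset 4.x expects "-N/-A" with the iphash type, ipset 6.x expects
# "create/add" with hash:ip; $1 (4 or 6) selects the dialect.
build_restore() {
    ipsetv=$1; setname=$2
    if [ "$ipsetv" = 4 ]; then
        echo "-N $setname iphash"
        grep -oE "$regexp" | sort -u | sed "s/^/-A $setname /"
    else
        echo "create $setname hash:ip"
        grep -oE "$regexp" | sort -u | sed "s/^/add $setname /"
    fi
    echo COMMIT
}

# Build the new list in malware-update, then swap it under the live
# malware-filter set that the FORWARD rule references. Both sets must exist
# before --swap, otherwise ipset reports "the second set does not exist".
load_set() {
    ipsetv=$1
    ipset --destroy malware-update > /dev/null 2>&1   # leftover from a failed run
    build_restore "$ipsetv" malware-update < "$path/malware-list.pre" | ipset --restore || return 1
    if [ "$ipsetv" = 4 ]; then
        ipset -L malware-filter > /dev/null 2>&1 || ipset -N malware-filter iphash
    else
        ipset list malware-filter > /dev/null 2>&1 || ipset create malware-filter hash:ip
    fi
    ipset --swap malware-update malware-filter && ipset --destroy malware-update
}

# Usage on the router, after get_list has fetched malware-list.pre:
#   ./reload-malware-filter.sh run 6     (6 for ARM on 380.63+, 4 for MIPS)
if [ "$1" = run ]; then
    load_set "${2:-6}"
fi
```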
  20. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    806
    Just a suggestion: in the FORWARD chain use REJECT, which avoids DROP's wait-out timing, where the client only gives up after n seconds.
    Code:
     iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
     
