Malware Filter / bad host IPSET

iptables: No chain/target/match by that name
Does it help if you set OPTIONAL='' in your case statement for mips? Maybe the ipset command doesn't like the $OPTIONAL with no value....
 
It doesn't have to have a value to work. All I want to do with the ipset is create a rule, and looking at the logs after that I succeeded in doing that; it's not my fault that ipset 4 sucks :)
 
Where do I change this, which line? If there is any more testing let me know
 
I was suggesting it here
Code:
mips)
    MATCH_SET='--set'                             # Value for Mips Routers
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='-X'
    OPTIONAL=''
But @swetoast reckons it won't make a difference.... it was just a guess on my part
 
I just ran the script again, and it does not give me the error, so it must be only after a fresh reboot. It gave me no errors, but it did duplicate the iptables entry, so it looks like every time the script runs with cru it will keep adding lines to it

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
    7   420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachabl
 
Well you won't get the error because the -q option before the -A in SYNTAX stands for "quiet" (shoot the messenger); you can try removing the -q and seeing if the error comes back if you want to test it. As @swetoast mentioned, as long as the command works, that's the main thing. Just knowing the error is there bugs the hell out of me though ..hehe :)
 
It should remove the duplicate entry since I used Octopus's advice and deleted the existing rule before adding it again..

And if the optional empty syntax works and gives no errors then I can add it; I just don't think it's necessary
 
Thinking of scrapping the detection for ipset, since I've got 2 systems at the moment, for something much simpler, because all I need to know is if it's running ipset 4 or ipset 6, and that I can do with this

Code:
#!/bin/sh
case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)
echo "this is running version 6"
;;
4)
echo "this is running version 4"
;;
esac

instead of that whole other mess
 
Would look something like this

Code:
case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)  # value for ipset version 6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
    MATCH_SET='--match-set'                       
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
4)  # value for ipset version 4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
    MATCH_SET='--set'                             
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''
;;
esac
 
untested

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6

path=/opt/var/cache/malware-filter                      # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

case $(ipset -v | grep -oE "version: \w" | grep -oE "[0-9]") in
6)  # value for ipset version 6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
    MATCH_SET='--match-set'                      
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'
;;
4)  # value for ipset version 4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
    MATCH_SET='--set'                            
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    path=/opt/var/cache/malware-filter
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
    fi
else
    path=/opt/var/cache/malware-filter
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}

run_ipset
exit $?
 
Hi there! Your last update broke the script for me, the rev 6 that says untested; I did not test out the wiki one yet, you tell me!

Code:
/opt/var/cache/malware-filter/malware-list. 100%[===========================================================================================>] 299.74K   259KB/s   in 1.2s
/opt/var/cache/malware-filter/malware-list. 100%[===========================================================================================>]   8.22K  --.-KB/s   in 0.1s
ipset v4.5: -N requires setname and settype
Try `ipset -H' or 'ipset --help' for more information.
Bad argument `malware-update'
Try `ipset -H' or 'ipset --help' for more information.
Bad argument `malware-update'
Try `ipset -H' or 'ipset --help' for more information.

 
bah

Code:
ipset -v | grep -oE "version: \w" | grep -oE "[0-9]"

What does that line return?
 
Code:
#!/bin/sh
case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) echo "this is running version 6"
;;
*v4) echo "this is running version 4"
;;
esac
Try that; it should return that it's running version 4
 
Yes, that's the result of the script: version 4

 
Then this should work; it's more streamlined, fewer lines, more action :)

Code:
#!/bin/sh
# Original script by swetoast. Updates by Neurophile & Octopus.
# Revision 6

path=/opt/var/cache/malware-filter                      # Set your path here
regexp=`echo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"`         # Dont change this value

case $(ipset -v | grep -oE "ipset v[0-9]") in
*v6) # Value for ARM Routers

    MATCH_SET='--match-set'
    HASH='hash:ip'
    SYNTAX='add'
    SWAPPED='swap'
    DESTROYED='destroy'
    OPTIONAL='family inet hashsize 2048 maxelem 65536'

     ipsetv=6
     lsmod | grep "xt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
     do
          insmod $module
     done
;;

*v4) # Value for Mips Routers

    MATCH_SET='--set'
    HASH='iphash'
    SYNTAX='-q -A'
    SWAPPED='-W'
    DESTROYED='--destroy'
    OPTIONAL=''   

     ipsetv=4
     lsmod | grep "ipt_set" > /dev/null 2>&1 || \
     for module in ip_set ip_set_nethash ip_set_iphash ipt_set
     do
          insmod $module
     done
;;
esac

get_list () {
        mkdir -p $path
        wget -q --show-progress -i $path/malware-filter.list -O $path/malware-list.pre
        cat $path/malware-list.pre | grep -oE "$regexp" | sort -u >$path/malware-filter.txt
 }

run_ipset () {

get_list

ipset -L malware-filter >/dev/null 2>&1
if [ $? -ne 0 ]; then
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
    ipset -N malware-filter $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-filter $i ; done
fi
else
    ipset -N malware-update $HASH $OPTIONAL
    for i in `cat $path/malware-filter.txt`; do nice -n 12 ipset $SYNTAX malware-update $i ; done
    ipset $SWAPPED malware-update malware-filter
    ipset $DESTROYED malware-update
fi

iptables-save | grep malware-filter > /dev/null 2>&1 || \
iptables -D FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
iptables -I FORWARD -m set $MATCH_SET malware-filter src,dst -j REJECT
logger -s -t system "Malware Filter loaded $(cat $path/malware-filter.txt | wc -l) unique ip addresses."
}

run_ipset
exit $?
 
Great!
It gives me the same error as earlier, but the script is working, and it still has the detail that it piles up in the iptables

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable
    3   180 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           set malware-filter src,dst reject-with icmp-port-unreachable

Code:
r/cache/malware-filter/blockip.sh
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter/ip_set.ko': File exists
/opt/var/cache/malware-filter/malwa 100%[====================================================================>] 159.99K   275KB/s   in 0.6s

/opt/var/cache/malware-filter/malwa     [ <=>                                                                 ]   2.34K  --.-KB/s   in 0.001s
/opt/var/cache/malware-filter/malwa     [  <=>                                                                ]  10.51K  26.9KB/s   in 0.4s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>]  17.00K  --.-KB/s   in 0.1s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>] 304.79K   270KB/s   in 1.1s
/opt/var/cache/malware-filter/malwa 100%[====================================================================>]   8.32K  --.-KB/s   in 0.1s
iptables: No chain/target/match by that name
system: Malware Filter loaded 35962 unique ip addresses.






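To close the loop on the two things this thread trips over, here is an added example of mine, not code from swetoast's script or from anyone in the thread. First, the version check: the `grep -oE "version: \w"` detection came back empty on the v4.5 router (hence `-N requires setname and settype`, because $HASH was empty), so this reads the major number straight from the `ipset vN.` prefix; the two `ipset -v` sample lines used to exercise it are assumed formats, not captured from the routers. Second, the stacked FORWARD rules: in Revision 6 the line `iptables-save | grep malware-filter > /dev/null 2>&1 || iptables -D FORWARD ...` only runs the delete when the rule is absent, which is exactly when `-D` prints "No chain/target/match by that name", and when the rule is present it skips the delete and the following `-I` adds another copy on every cron run. The example counts the rule in iptables-save output and deletes that many copies before inserting one, rather than using `iptables -C`, which old router firmware may not have. The iptables-save fragment is constructed to mirror the duplicated rules posted above; IPTABLES, IPTABLES_SAVE and SET_NAME are hook variables I introduced so the logic can be exercised against a stand-in without touching a live firewall.

```shell
#!/bin/sh
# Added example, not the thread's script. Two pieces the thread stumbles on:
#  1. reading the ipset major version without depending on the "version:"
#     wording that the v4 build's "ipset -v" output does not seem to use;
#  2. keeping exactly one copy of the FORWARD rule across repeated cron runs,
#     without relying on "iptables -C" (may be missing on old firmware),
#     by counting the rule in iptables-save output first.
# IPTABLES / IPTABLES_SAVE / SET_NAME are assumed hook names so the logic can
# be exercised against a stand-in; on a router leave them at their defaults.

IPTABLES=${IPTABLES:-iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
SET_NAME=${SET_NAME:-malware-filter}

# Constructed iptables-save fragment showing the duplicated rule the thread
# reports (two copies of the same match-set rule in FORWARD).
SAMPLE_DUMP='*filter
:FORWARD DROP [0:0]
-A FORWARD -m set --set malware-filter src,dst -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m set --set malware-filter src,dst -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Major version from "ipset -v" text on stdin: "ipset v4.5, ..." -> 4,
# "ipset v6.29, protocol version: 6" -> 6. Empty output means unrecognised.
ipset_major() {
    sed -n 's/^ipset v\([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# The iptables option that selects a set differs between the two generations.
match_set_flag() {
    case "$1" in
        6) echo '--match-set' ;;
        4) echo '--set' ;;
        *) echo "unsupported ipset major version: $1" >&2; return 1 ;;
    esac
}

# Count copies of our rule in an iptables-save dump read from stdin.
# Works for both the "--set" and "--match-set" spellings. grep -c prints 0
# and exits 1 when nothing matches, so force a zero status for set -e callers.
rule_count() {
    grep -c -e "^-A FORWARD -m set .* $SET_NAME src,dst -j REJECT" || true
}

# Delete every existing copy, then insert exactly one. Prints how many were removed.
ensure_single_rule() {
    flag=$1
    existing=$("$IPTABLES_SAVE" | rule_count)
    removed=0
    while [ "$removed" -lt "$existing" ]; do
        "$IPTABLES" -D FORWARD -m set "$flag" "$SET_NAME" src,dst -j REJECT
        removed=$((removed + 1))
    done
    "$IPTABLES" -I FORWARD -m set "$flag" "$SET_NAME" src,dst -j REJECT
    echo "$removed"
}

# Usage on a router: sh blockrule.sh apply   (without "apply" only the
# functions above are defined, so the file is safe to source).
if [ "${1-}" = "apply" ]; then
    major=$(ipset -v 2>/dev/null | ipset_major)
    flag=$(match_set_flag "$major") || exit 1
    removed=$(ensure_single_rule "$flag")
    logger -s -t system "Malware Filter rule reset (removed $removed stale copies)."
fi
```

Run it as `sh blockrule.sh apply` after the set has been loaded; a second run reports 1 removed and leaves a single rule in place, which is the behaviour the `iptables -L FORWARD -v` output above was missing. One caveat that applies to the original script as well: the rule sits in FORWARD only, so it filters traffic routed through the box, not connections the router itself makes.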
 
