Peer Guardian rewrite for ipset v6

[redhat27]

[EDIT] The script evolved quite a bit and moved to my git repo

Use

BLOCKLIST_INDEXES="2 11"

for peerguardian implementation

 

[amigohd]

ipset v6:
ipset v6.29: Error in line 3: Syntax error: IP address or IP/cidr must be specified: 1.2.4.0-1.2.4.255

 

[redhat27]

Thanks for testing it. Can you try one more time? I updated the script in the 1st post.

 

[amigohd]

now it is working fine with ipset v6. thank you.
but it's not possible to run it another time (i.e as cron job):

ipset v6.29: Error in line 8: Element cannot be added to the set: it's already added

 

[redhat27]

I'm assuming that you are getting that error on the second run, right?

Can you post:

grep Bluetack /tmp/syslog.log
and
iptables -Lv | grep Bluetack

Thanks again for testing

 

[amigohd]

Mar 8 15:58:08 Firewall: /jffs/scripts/peerguardian2.sh: Loaded peer guardian BluetackLevel1 blocklist with 3621 entries
Mar 8 16:53:11 Firewall: /jffs/scripts/peerguardian2.sh: Loaded peer guardian BluetackLevel1 blocklist with 4098 entries
Mar 8 19:01:59 Firewall: peerguardian2.sh: Loaded peer guardian BluetackLevel1 blocklist with 4909 entries
Mar 8 19:02:19 Firewall: peerguardian2.sh: Loaded peer guardian BluetackLevel1 blocklist with 3709 entries


iptables: No chain/target/match by that name.

 

[redhat27]

iptables: No chain/target/match by that name

My bad its iptables -L -v | grep Bluetack

It is odd that you have such low counts on the entries. I have:
Mar 7 22:42:58 Firewall: /jffs/scripts/peer-guardian.sh: Loaded peer guardian BluetackLevel1 blocklist with 207820 entries
Mar 7 22:45:17 Firewall: /jffs/scripts/peer-guardian.sh: Loaded peer guardian BluetackLevel2 blocklist with 69693 entries

I believe your lists are not loading properly even the first time. You may have been bit by this "bug"

Can anyone here suggest a fix for ipset v6 restore on large entries in IP1-IP2 range formats

 

[redhat27]

FYI found this...

 

[amigohd]

too bad I am not really a unix/linux guy. as long as there is no simple plug&play/copy&paste solution I will deactivate the peerguardian script

 

[redhat27]

I reworked the script to work with IP ranges (updated 1st post). It now converts IP ranges to CIDR. It creates 2 sets: One for single IPs, and one for CIDRs. All that awk processing made it slow (takes a long time to create the ipset restore list) Other than that, it should be good. I'm planning to work on something more generic, whereby you can load any blocklist from iblocklist.com

 

[redhat27]

Temporarily deleted 1st thread... work in progress

 

[redhat27]

Reinstated peerguardian functionality here

 

[Isildur]

Hey, thanks for the script.
I saw you added blacklist and whitelist files, are you going to implement this functionality shortly?

 

[swetoast]

its already functioning. all you have to do is follow the instructions in the post

 

[redhat27]

@swetoast the whitelist is already functioning in iblocklist-loader. The blacklist is going to be supported soon. In fact I'm going to upload a new version in the next few minutes

 

[redhat27]

@Isildur I just now uploaded a version2 and version3 of the script with a lot of extra configuration ability: Blocklists, allowlists, blacklist domains and whitelist domains, and also control inbound, outbound or both traffic. I think it may be best to keep this options separate from the original script as it may confuse some users with all those added options

 

[Isildur]

@redhat27 Hey, I have one concern related to blacklist/whitelist functionality: it does lookup to get underlying resource ip and blocks|allows it, but there is a situation when some resource has load balancing of some sort and gives different ip from time to time, probably it would be better to block it by hostname too, but I'm not sure whether router version of iptables supports that and how it affects performance:

iptables -I INPUT -p tcp --dport 80 -m string --string "Host: blacklisted.com" --algo bm -j DROP

 

[redhat27]

it does lookup to get underlying resource ip

It gets all the IPs returned ly nslookup (if you do nslookup login.live.com or nslookup yahoo.com) you'll see that there are multiple IPs returned. All of the IPs get loaded to the ipset. So at the time when the actual dns call is being made, the IP to which that dns resolves to, should already be in the ipset.

The problem with adding directly to iptable rules is that if the number of hostnames increase, it'll degrade the router performance.

BTW, a small request: If the discussion is not specific to peer-guardian, lets continue the discussion on the iblocklist-loader thread