Privacy Filter (Another IPSET Script)


swetoast

Guest
Hi everyone, I'm back with another IPSET for your firewall; this time around it's for blocking telemetry and some Android rootkit along with Shodan.io scanners. For official installation instructions and more information, please consult the wiki.

NOTE: all users running iblocklist-loader.sh will be ineligible for support, since redhat has incorporated a telemetry block along with a shodan.io block; this makes privacy-filter incompatible, so either run his script or my script, don't run both. Will add an incompatibility check to debugtool.

To see if the firewall rule is working, use the following commands:

ipv4
Code:
# -n skips reverse DNS lookups, -x prints exact counters (without it -v abbreviates to 12K/3M)
iptables -nvxL | grep "privacy-filter_ipv4" | awk '{print "Privacy Filter (ipv4) Blocked: " $1 " packets", $2 " bytes"}'
ipv6
Code:
ip6tables -nvxL | grep "privacy-filter_ipv6" | awk '{print "Privacy Filter (ipv6) Blocked: " $1 " packets", $2 " bytes"}'
How to test if an IP is on the list before reporting that this filter is blocking unwanted sources:

Code:
ipset test [set] [ip]

example:
ipset test privacy-filter_ipv4 43.2.5.45
And to investigate which entry is causing it, well, that takes time, but remove 10 sources at a time and re-run the script, then narrow it down to the offending source.
 
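A way to find the offending entry directly instead of removing ten sources at a time. The script below is an added example, not part of the privacy-filter script or its wiki. It assumes the source list holds one IPv4 address or a.b.c.d/n network per line with "#" comments (the thread does not show the real file format, so the list used here is constructed) and checks which entries cover a given address using only POSIX shell arithmetic, so it runs on the router's busybox sh.

```shell
#!/bin/sh
# Added example (not the privacy-filter script): report which entries of an
# IPv4 blocklist cover a given address, using only POSIX shell arithmetic.
# Assumption: one address or a.b.c.d/n network per line, "#" starts a comment.

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS ENTRY: true if ENTRY (host or a.b.c.d/n) contains ADDRESS
in_cidr() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# find_matching_entries ADDRESS LISTFILE: print every entry covering ADDRESS.
# ipset needs only one hit to block, but when pruning the list you want all
# of them: a second overlapping entry would keep the block in place.
find_matching_entries() {
    while read -r entry _; do
        case $entry in ''|'#'*) continue ;; esac
        if in_cidr "$1" "$entry"; then
            echo "$entry"
        fi
    done < "$2"
    return 0
}

# constructed sample list (documentation-range addresses, not real sources)
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample, one address or CIDR per line
198.51.100.7
43.2.0.0/16
43.2.5.0/24
203.0.113.0/24
EOF

# the address from the ipset test example above
find_matching_entries 43.2.5.45 "$SAMPLE_LIST"
```

Point it at the real source file (`find_matching_entries 43.2.5.45 /opt/var/cache/privacy-filter/privacy-filter.txt`, assuming that file is the IP list) and every line that covers the address is printed, so the entry to remove is known before the script is re-run once.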

tomsk

Very Senior Member
if [ ! -f $dnsmasq_cfg ] || [ "$(grep privacy-filter $dnsmasq_cfg)" = "" ]; then
I don't quite get this line... maybe I'm reading it wrong. For me it says
"if the dnsmasq.conf.add file doesn't exist OR privacy-filter doesn't turn up in a search of dnsmasq.conf.add", then... the next bit. Is that what it is meant to test? If so, isn't it going to be true all the time?
 

swetoast

Guest
It checks if the file is there, then it adds to the file; that's basically what it does :) Then it adds the content to the file and sets it to 127.0.0.1.
 

tomsk

Very Senior Member
It checks if the file is there, then it adds to the file; that's basically what it does :) Then it adds the content to the file and sets it to 127.0.0.1.
I don't understand why you do the file check and in the next line delete it anyway.
Then you create it again when you append all the server entries.
Code:
rm -f $dnsmasq_cfg
for i in `cat $path/privacy-filter.list`;
do
    echo "server=/$i/127.0.0.1#1919" >> $dnsmasq_cfg
done
Don't get me wrong... not being critical at all... just trying to understand the code. Told you I was dumb :)
 

Nutz2U2

Occasional Visitor
Hi to Everyone,

Wish to thank ALL the boys and girls who made this script workable.

Works like a charm ;).
 

Xentrk

Part of the Furniture
Hi @swetoast,

For preliminary testing purposes, I copied your script to a file called privacy-filter. When running it, I get two error messages:

Code:
[email protected]:/jffs/scripts# ./privacy-filter
cat: can't open '/opt/var/cache/privacy-filter/privacy-filter.list': No such file or directory

Done.
cat: can't open '/opt/var/cache/privacy-filter/privacy-filter.txt': No such file or directory
If I create the privacy-filter directory and privacy.list and .txt files, the error message goes away. But I have no values in the .list or .txt file. A dnsmasq.conf.add file does not get created. I need your help in getting this to work. Thanks again for your help!

EDIT:
Code:
lsmod | grep "xt_set"
xt_set                  2964  4
ip_set                 18113  3 xt_set,ip_set_hash_ip,ip_set_hash_net
The Done. response appears to come from this command:
Code:
service restart_dnsmasq
 

visortgw

Senior Member
Hi @swetoast,

For preliminary testing purposes, I copied your script to a file called privacy-filter. When running it, I get two error messages:

Code:
[email protected]:/jffs/scripts# ./privacy-filter
cat: can't open '/opt/var/cache/privacy-filter/privacy-filter.list': No such file or directory

Done.
cat: can't open '/opt/var/cache/privacy-filter/privacy-filter.txt': No such file or directory
If I create the privacy-filter directory and privacy.list and .txt files, the error message goes away. But I have no values in the .list or .txt file. A dnsmasq.conf.add file does not get created. I need your help in getting this to work. Thanks again for your help!

EDIT:
Code:
lsmod | grep "xt_set"
xt_set                  2964  4
ip_set                 18113  3 xt_set,ip_set_hash_ip,ip_set_hash_net
The Done. response appears to come from this command:
Code:
service restart_dnsmasq
Post #1 shows you how to initially populate the privacy.list and .txt files.
 

tomsk

Very Senior Member
A dnsmasq.conf.add file does not get created. I need your help in getting this to work. Thanks again for your help!
The dnsmasq.conf.add file gets deleted every time you run the script and it only gets recreated by the cat command if there is actually something to append.
Code:
rm -f $dnsmasq_cfg
for i in `cat $path/privacy-filter.list`;
do
    echo "server=/$i/127.0.0.1#1919" >> $dnsmasq_cfg
done
As @visortgw mentions, the privacy-filter.list file will have to be populated with at least one domain.
 

tomsk

Very Senior Member
[ "$(grep privacy-filter $dnsmasq_cfg)" = "" ]
I know I'm not the sharpest tool in the shed when it comes to code, but this bit of the script just doesn't make sense to me.
The dnsmasq.conf.add file will be checked for the string "privacy-filter" with grep, and the statement will be true if nothing is found. The dnsmasq.conf.add file should contain a load of lines with server=/some.host.com/127.0.0.1#1919 type entries... there will never be a time where grep will find "privacy-filter", so it will always be true... what am I missing? Is "" not interpreted in the way I think?
 

swetoast

Guest
Yep, that's a typo, gonna fix it. That should read "server=.*", then it should be -e for regexp. Still, it's not a major flaw :p Sloppy on my part, hence why I have the community to correct me :D

Been a while since I wrote that script; just updated it with my ipset checking system. Think my plan was to have a commented line in the dnsmasq.add file.
 

Xentrk

Part of the Furniture
Post #1 shows you how to initially populate the privacy.list and .txt files.
Doh! I re-read it and see I have to create the files and save them with the data as you state. For some reason, I thought it was similar to the malware-filter script and was going to populate those files for me.

Many Thanks! Sending you my gratitude from the Land of Smiles.
 

tomsk

Very Senior Member
Yep, that's a typo, gonna fix it. That should read "server=.*", then it should be -e for regexp. Still, it's not a major flaw :p Sloppy on my part, hence why I have the community to correct me :D

Been a while since I wrote that script; just updated it with my ipset checking system. Think my plan was to have a commented line in the dnsmasq.add file.
Would it make sense to check for each entry in the dnsmasq.conf.add file and only append it if it doesn't exist? Would save you having to delete and recreate it every time to avoid duplicates. Perhaps throw something like this in your "for i in" loop:
Code:
# anchor on "server=/$i/" so that example.com does not also match notexample.com
if [ "$(grep "server=/$i/" $dnsmasq_cfg)" = "" ]; then
    echo "server=/$i/127.0.0.1#1919" >> $dnsmasq_cfg
fi
Would make it safer if some other script had written a dnsmasq.conf.add too (play nice with others policy).
 

swetoast

Guest
Revision 2 posted in opening post.

Changes are proper detection of whether privacy filter is already loaded in dnsmasq.

So what it does now is check if there is an add file, then it checks if there is a server= present in the real dnsmasq; if there isn't, then it adds privacy filter to the dnsmasq file.

Edit: seems I found a bug with grep with this revision
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=617183

Also getting this message, so I'll see if there is another way to do it.
 

swetoast

Guest
Bump to revision 3 to get around the grep bug: added a bell sign to dnsmasq with the title #privacy-filter that the script checks for, then adds if it's not added.
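An added example of the marker approach taken one step further; this is not the revision-3 script itself (that is in the opening post). The `#privacy-filter` marker is used to delimit a block in the add-file, so a re-run replaces the block in place rather than only checking whether the marker exists, lines that other scripts wrote to the same file are kept, and the function reports whether anything changed so dnsmasq is only restarted when needed. Paths, the sample domains and the `privacy_filter_apply` name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the privacy-filter script): keep a marked block of
# server=/domain/127.0.0.1#1919 lines in a dnsmasq add-file. The markers
# let a re-run replace the block in place, and other scripts' lines in the
# same file are preserved. Paths below are placeholders for the demo.
MARK_BEGIN='#privacy-filter'
MARK_END='#end privacy-filter'

# privacy_filter_apply LISTFILE ADDFILE
# returns 0 when ADDFILE changed (caller should restart dnsmasq), 1 otherwise
privacy_filter_apply() {
    list=$1; cfg=$2; tmp="$2.tmp.$$"
    # copy everything outside our marked block (lines owned by other scripts)
    if [ -f "$cfg" ]; then
        awk -v b="$MARK_BEGIN" -v e="$MARK_END" '
            $0 == b { skip = 1; next }
            $0 == e { skip = 0; next }
            !skip' "$cfg" > "$tmp"
    else
        : > "$tmp"
    fi
    # rebuild our block from the list: blank and "#" lines dropped, duplicates
    # removed, sorted so the output is stable and the cmp below is meaningful
    {
        echo "$MARK_BEGIN"
        grep -v -e '^[[:space:]]*$' -e '^#' "$list" | sort -u |
            while read -r d; do echo "server=/$d/127.0.0.1#1919"; done
        echo "$MARK_END"
    } >> "$tmp"
    if [ -f "$cfg" ] && cmp -s "$tmp" "$cfg"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$cfg"
    return 0
}

# constructed demo: a list with a duplicate and a comment, and an add-file
# that already holds a line from another script
LIST=$(mktemp); CFG=$(mktemp)
printf '%s\n' 'telemetry.example' '# comment' 'stats.example' 'telemetry.example' > "$LIST"
echo 'address=/other-script.example/0.0.0.0' > "$CFG"
privacy_filter_apply "$LIST" "$CFG" && echo "add-file changed (restart dnsmasq)"
privacy_filter_apply "$LIST" "$CFG" || echo "add-file unchanged (no restart needed)"
cat "$CFG"
```

On the router the call would be `privacy_filter_apply "$path/privacy-filter.list" /jffs/configs/dnsmasq.conf.add && service restart_dnsmasq`, using the variables from the opening post's script; the restart is skipped when the regenerated block is identical to what is already there.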
 

tomsk

Very Senior Member
Would it be better to do the alterations to dnsmasq.conf with a .postconf script?
Not sure this would even work, but alter the top of your script to something like this...

Code:
dnsmasq_cfg=/jffs/scripts/dnsmasq.postconf

# a .postconf is itself a shell script that the firmware runs with the
# generated config path in $1, so it needs a header and helper.sh for pc_append
if [ ! -f $dnsmasq_cfg ]; then
        printf '%s\n' '#!/bin/sh' 'CONFIG=$1' '. /usr/sbin/helper.sh' > $dnsmasq_cfg
        chmod 755 $dnsmasq_cfg
fi

added=0
for i in `cat $path/privacy-filter.list`
do
        # append only if this domain is not already in the postconf
        if [ "$(grep "server=/$i/" $dnsmasq_cfg)" = "" ]; then
                echo "pc_append \"server=/$i/127.0.0.1#1919\" \$CONFIG" >> $dnsmasq_cfg
                added=1
        fi
done

if [ $added = 1 ]; then
        service restart_dnsmasq
        logger -s -t privacy-filter "entries were added to $dnsmasq_cfg"
fi
 
