Privacy Filter (Another IPSET Script)

First, thanks for all of the work on this!

I've installed the script on my AC66U and it works great, with one possible glitch (which is likely my error). When I ping some of the URLs on the block list (such as df.telemetry.microsoft.com) from a client, the ping times out as expected. However, the packets/bytes REJECT count (from the iptables -vnL FORWARD command) doesn't increment upwards, while the counts for the 3rd-to-last (NSFW) and last lines do (table below). For other URLs such as a-0001.a-msedge.net, the ping is blocked and the pkts/bytes counter increments upwards as expected.

Given that the pings are being blocked, is it safe to assume I have privacy-filter working correctly?

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 1503 77944 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
5025K 4206M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0          
    0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0          
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0          
12823  912K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
12823  912K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
 
I just followed the instructions on GitHub for this script. It doesn't create the privacy-filter.list file and privacy-filter_ipv4_raw.part; without creating them and populating privacy-filter.list with old data from the last build, it wouldn't start. I couldn't find the two files I just mentioned. Just a heads up that the instructions are not complete. By the way, this is a great format for this page.
 
@jayten if the numbers on this line increase every time you ping, you're perfectly fine.
Code:
1503 77944 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
 
@Xentrk that might be related :)
@sfx2000 ruling it out so fast; it might be when it tries to fetch IP addresses in traceroute, it might be trying the wrong interface.

hehe, I personally use Secure Shell for Chrome :D
 
@swetoast I ran that dos2unix command and now I get this line when trying to start it from the command prompt right after the dos2unix command.


ASUSWRT-Merlin RT-AC68U 380.65-4 Wed Mar 29 04:40:14 UTC 2017
@Lil_Kitty:/tmp/home/root# dos2unix /jffs/scripts/privacy-filter
@Lil_Kitty:/tmp/home/root# cd /jffs/scripts
@Lil_Kitty:/jffs/scripts# ./privacy-filter
ipset v6.29: Null-valued element, cannot be stored in a hash type of set
system: Privacy Filter (ipv4) loaded 33 unique ip addresses that will be rejected from contacting your router.
@Lil_Kitty:/jffs/scripts#

I left out the user-specific info.
 
Well, it loaded something, so the big question is: are you running other scripts like ab-solution etc.?

How does this look?

ipset -L privacy-filter_ipv4
 
Well, it loaded something, so the big question is: are you running other scripts like ab-solution etc.?

How does this look?

ipset -L privacy-filter_ipv4


Output is as follows:
Using username "".

ASUSWRT-Merlin RT-AC68U 380.65-4 Wed Mar 29 04:40:14 UTC 2017
@Lil_Kitty:/tmp/home/root# ipset -L privacy-filter_ipv4
Name: privacy-filter_ipv4
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8776
References: 1
Members:
85.25.43.94
188.138.9.50
23.219.88.107
134.170.58.189
71.6.167.142
198.20.69.74
216.117.2.180
195.22.26.248
66.240.236.119
71.6.135.131
104.131.0.69
204.79.197.204
198.20.99.130
204.79.197.201
204.79.197.209
93.120.27.62
82.221.105.6
66.240.192.138
65.52.108.74
85.25.103.50
71.6.165.200
198.20.70.114
114.80.68.223
204.79.197.200
204.79.197.211
204.79.197.206
204.79.197.210
209.126.110.38
204.79.197.208
82.221.105.7
198.20.69.98
71.6.158.166
204.79.197.203
@Lil_Kitty:/tmp/home/root#

That command seems to run without error.
I have AB-Solution and dnscrypt running on this router.
 
Guessing AB-Solution is blocking most of the list I've got and resolving them to 127.0.0.1, and the ones that slip through are blocked by mine.

I might have a bug when I sort out localhost pingbacks, and that's what's giving the "ipset v6.29: Null-valued element, cannot be stored in a hash type of set" line.

So all in all you're fine; it runs as intended.

Gonna take a peek at it once I'm feeling better; still got the flu and a fever.
 
Guessing AB-Solution is blocking most of the list I've got and resolving them to 127.0.0.1, and the ones that slip through are blocked by mine.

I might have a bug when I sort out localhost pingbacks, and that's what's giving the "ipset v6.29: Null-valued element, cannot be stored in a hash type of set" line.

So all in all you're fine; it runs as intended.

Gonna take a peek at it once I'm feeling better; still got the flu and a fever.

Thank you sir for the prompt reply and explanation! Cheers!
 
Rewrote the OP with more relevant info based on all the rewrites on the wiki, and added info about AB-Solution and blocking so that it doesn't cause confusion.
 
@swetoast

Unfortunately, the packet and bytes columns in this line do not always increase when I ping some of the URLs on the block list (e.g. df.telemetry.microsoft.com), though my client machine shows the pings being rejected.
Code:
ping df.telemetry.microsoft.com
PING df.telemetry.microsoft.com (65.52.100.7) 56(84) bytes of data.
^C
--- df.telemetry.microsoft.com ping statistics ---
14 packets transmitted, 0 received, 100% packet loss, time 13103ms

I assume there isn't much of a delay between pinging and the reject counts increasing (I am checking this, but need everyone on my network to turn off their Windows computers!).
 
It just occurred to me there is one difference... I was connected to the router remotely through a VPN connection. I will try to run the script when I am physically onsite tomorrow to see if the same thing happens.
I went to the school this morning. I ran the privacy-filter script and got the same usage message for traceroute. So, the VPN connection was not the root cause. The script is working though. I find it strange that I have three routers with the same FW and similar setup and this is the only one that outputs the usage message. I would not spend any time on it since it works, unless others start reporting this anomaly as well.
 
@jayten, thanks for the contribution, and yes, the client machines should not be able to ping or communicate. Again, the one-liner I posted shows if the filter works or not.

@Xentrk I'm really scratching my head over this, because so far you're the only one with this issue. Try the command manually and see if it acts the same way. I think I'm gonna rework this with nslookup instead, like redhat27 did; plus with nslookup I can get more server addresses, but that is something for the next revision.
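To illustrate the two points raised in the thread, the "Null-valued element" ipset error caused by an empty or loopback resolver result and the "watch the REJECT counter" check, here is an added example that is not the privacy-filter script's own code. It assumes a resolver loop whose output is fed line by line (a constructed sample is embedded) and the ipset name privacy-filter_ipv4 from the thread; it only prints the ipset commands rather than running them.

```sh
#!/bin/sh
# Constructed sample of what a resolver loop over the block list might emit:
# a normal answer, an AB-Solution-style 127.0.0.1 answer, an empty answer
# (a host that did not resolve), an unspecified address, junk and a duplicate.
SAMPLE_RESOLVED='65.52.100.7
127.0.0.1

0.0.0.0
204.79.197.200
not-an-ip
204.79.197.200'

# Keep only well-formed, non-loopback, non-unspecified IPv4 addresses.
# An empty line handed to "ipset add" is exactly what produces
# "Null-valued element, cannot be stored in a hash type of set".
filter_ips() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' \
    | grep -Ev '^(127\.|0\.0\.0\.0$)' \
    | sort -u
}

# Turn the clean list into ipset commands; -exist keeps re-runs from erroring
# on addresses that are already members of the set. $1 is the set name.
ipset_commands() {
    filter_ips | while IFS= read -r ip; do
        printf 'ipset add -exist %s %s\n' "$1" "$ip"
    done
}

count_clean() {
    printf '%s\n' "$SAMPLE_RESOLVED" | filter_ips | wc -l | tr -d ' '
}

# Constructed excerpt of "iptables -vnL FORWARD" in the shape shown above.
SAMPLE_IPTABLES=' pkts bytes target     prot opt in     out     source               destination
 1503 77944 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
5025K 4206M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Packet counter of the privacy-filter REJECT rule; read it before and after a
# test ping from a LAN client, and a growing value confirms the filter works.
reject_pkts() {
    awk '$3=="REJECT" && /match-set privacy-filter_ipv4/ {print $1; exit}'
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_RESOLVED" | ipset_commands privacy-filter_ipv4
printf 'REJECT pkts: %s\n' "$(printf '%s\n' "$SAMPLE_IPTABLES" | reject_pkts)"
```

On the router, replace the embedded samples with the real resolver loop output and `iptables -vnL FORWARD` to use the same checks.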
 
Hey @swetoast, my logs show 33 addresses protected by privacy filter, and it is not growing; as a matter of fact it's down to 32 protected in the space of 12 hours. Is this normal? Is it updating itself, or how do I know conclusively?
 
Those figures will change from day to day, since when the script checks, a server might be down or not responding. Perfectly normal.
 
Those figures will change from day to day, since when the script checks, a server might be down or not responding. Perfectly normal.
Thanks again for quick and informative information!

 
Code:
those figures will change from day to day since when the script checks a server might be down or not reponding.. perfectly norma

I think this was the issue I was running into. Also, it appears that the IP addresses for the websites in the block list change rather frequently (probably this is well known and I'm behind the curve).

@swetoast - again, thanks for all of your help, and hope you feel better soon!
 
Those figures will change from day to day, since when the script checks, a server might be down or not responding. Perfectly normal.

Hi there! Another 12 hours and privacy filter is only protecting my router from 33 addresses. The router has been up now for 4 days. Is there a way to manually run the update portion of the script to see if server connection is the issue?
 