Privacy Filter (Another IPSET Script)

Cedarhillguy

New Around Here
Question: Why is the bing search engine bad?
Installed this script, but noticed that one of the addresses "a-0001.a-msedge.net " resolves to the same IP (13.107.21.200) as bing.com, so it blocks the bing search engine. Removed this entry and bing search works again for family members.
 

swetoast

Guest
All of these are safe to delete. I took most of them, with the exception of the Shodan and Android rootkit servers, from the wiki; I haven't had time to go through them, but it's nice that you two have, so let's delete some of the example list.
 

bayern1975

Very Senior Member
I have a firewall-start script with iptables firewall rules for a specific port... so if I add this privacy-filter script to it, I think it will not work? Is my firewall-start script OK like this?
Code:
#!/bin/sh

# Limit forwarded TCP port 1244 to three source ranges.
# Every rule is added with -I, which inserts at the top of FORWARD, so the
# catch-all DROP is inserted first and each later ACCEPT lands above it.
iptables -I FORWARD -p tcp --dport 1244 -j DROP
for allowed_src in 95.159.192.0/18 178.58.0.0/16 188.196.0.0/14
do
    iptables -I FORWARD -s "$allowed_src" -p tcp --dport 1244 -j ACCEPT
done

# Author: Toast
# Contributers: Tomsk
# Revision 9

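path=/opt/var/cache/privacy-filter    # Set your path here

# Dont change this value
# The patterns are single-quoted literals instead of `echo "..."` command
# substitutions: an echo that interprets escapes (dash, bash with xpg_echo)
# would turn \b into a backspace character and silently break the match.
#
# regexp_v4 / regexp_v6: grep -E patterns used to pull an address out of the
#                        first line of traceroute output.
# local_v4 / local_v6:   awk programs that print only lines which are NOT
#                        loopback / private addresses.
regexp_v4='\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'
local_v4='!/(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)/'
# NOTE(review): this pattern is anchored with ^, while the traceroute header
# line normally starts with the word "traceroute" - confirm it can match.
regexp_v6='^(([0-9a-f]){1,4}:)+(:)?(([0-9a-f]){1,4}:)+(:)?(([0-9a-f]){1,4})'
# Was '!(^(fc00::)': unbalanced parentheses and no /.../ delimiters, which awk
# rejects as a syntax error. This form filters the same literal prefix.
local_v6='!/^fc00::/'
# Dont change this value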

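# Select the command syntax for the installed ipset generation and load the
# kernel modules the set match needs when they are not loaded yet.
#   MATCH_SET  iptables option that names the set
#   HASH       set type used when creating a set
#   SYNTAX     ipset arguments that add one entry (split into words on use)
#   SWAPPED    ipset swap command
#   DESTROYED  ipset destroy command
#   INET6      extra create arguments for an IPv6 set (empty on ipset v4)
ipset_version=$(ipset -v 2>/dev/null | grep -oE "ipset v[0-9]")
case "$ipset_version" in
*v6) # Value for ARM Routers
   MATCH_SET='--match-set'
   HASH='hash:ip'
   SYNTAX='add'
   SWAPPED='swap'
   DESTROYED='destroy'
   INET6='family inet6'
   ipsetv=6
   if ! lsmod | grep -q "xt_set"; then
      for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
      do
         insmod "$module"
      done
   fi
;;
*v4) # Value for Mips Routers
   MATCH_SET='--set'
   HASH='iphash'
   SYNTAX='-q -A'
   SWAPPED='-W'
   DESTROYED='--destroy'
   # The functions below read $INET6; the original assigned only IPV6 here.
   INET6=''
   IPV6=''
   ipsetv=4
   if ! lsmod | grep -q "ipt_set"; then
      for module in ip_set ip_set_nethash ip_set_iphash ipt_set
      do
         insmod "$module"
      done
   fi
;;
*) # Without a recognised ipset none of the variables above are set and every
   # later ipset/iptables call would be malformed, so stop here.
   echo "privacy-filter: unsupported or missing ipset (got '${ipset_version}')" >&2
   exit 1
;;
esac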

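get_source () {
# Download the hostname list to $path/privacy-filter.list when it is not there
# yet. An existing list is never refreshed by this function.
# Returns 0 when the list is present afterwards, 1 when the download failed.
#
# The download goes to a scratch file first: wget -O creates its output file
# even when the transfer fails, and an empty privacy-filter.list would then be
# treated as "already downloaded" on every later run.
# NOTE(review): the list decides what the firewall blocks - confirm that the
# wget build on the router verifies the HTTPS certificate.
url=https://gitlab.com/swe_toast/privacy-filter/raw/master/privacy-filter.list
if [ ! -f "$path/privacy-filter.list" ]; then
    if wget "$url" -O "$path/privacy-filter.list.download" \
        && [ -s "$path/privacy-filter.list.download" ]; then
        mv -f "$path/privacy-filter.list.download" "$path/privacy-filter.list"
    else
        rm -f "$path/privacy-filter.list.download"
        echo "privacy-filter: could not download $url" >&2
        return 1
    fi
fi }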

check_path () {
# Fall back to /tmp when the configured $path is not a directory, then hand
# over to check_failover in either case.
[ -d "$path" ] || {
     path='/tmp'
     echo "path is not found using $path using as failover"
}
check_failover
}

check_failover () {
# Fetch the hostname list when $path is usable; otherwise abort the script
# with status 1.
if [ -d "$path" ]; then
    get_source
else
    echo "failed to set failover path"
    exit 1
fi }

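run_ipv4_block () {
# Rebuild $path/privacy-filter_ipv4.blocklist (sorted, unique IPv4 addresses)
# from the hostnames in $path/privacy-filter.list.
#
# Each name is resolved with hostip when that tool is installed; otherwise the
# address is taken from the first line of `traceroute -4` with $regexp_v4.
# Returns 0 when a new blocklist was written, 1 when the list is missing or
# nothing usable was resolved (the previous blocklist is then left in place).
#
# Differences from the earlier version:
#  - list entries are read line by line and quoted; entries that start with
#    "-" or contain characters outside hostname/address syntax are skipped,
#    because the list is downloaded content and must not reach the resolver
#    as an option or a glob
#  - the $local_v4 filter is applied to hostip results too; a local DNS
#    sinkhole answers with a LAN or loopback address, which must not end up
#    in a firewall set
#  - the old blocklist is replaced only by a non-empty result, so a run with
#    DNS unavailable does not wipe the filter
# NOTE(review): $local_v4 does not cover 0.0.0.0, another common sinkhole
# answer - confirm how ipset treats it on the target router.
v4_list="$path/privacy-filter.list"
v4_tmp="$path/privacy-filter_ipv4.tmplist"
v4_pre="$path/privacy-filter_ipv4.prelist"
v4_out="$path/privacy-filter_ipv4.blocklist"

rm -f "$v4_tmp" "$v4_pre"
if [ ! -f "$v4_list" ]; then
    echo "privacy-filter: $v4_list not found, IPv4 blocklist left unchanged" >&2
    return 1
fi

if command -v hostip >/dev/null 2>&1; then
    v4_resolver=hostip
else
    v4_resolver=traceroute
fi

while read -r v4_host || [ -n "$v4_host" ]; do
    case "$v4_host" in
        ''|-*|*[!A-Za-z0-9._:-]*) continue ;;
    esac
    # stdin is the list itself; keep the resolver from consuming it.
    if [ "$v4_resolver" = hostip ]; then
        hostip "$v4_host" < /dev/null
    else
        traceroute -4 "$v4_host" < /dev/null | head -1 | grep -oE "$regexp_v4"
    fi
done < "$v4_list" > "$v4_tmp"

awk "$local_v4" "$v4_tmp" | sort -u > "$v4_pre"
rm -f "$v4_tmp"

if [ -s "$v4_pre" ]; then
    mv -f "$v4_pre" "$v4_out"
else
    rm -f "$v4_pre"
    echo "privacy-filter: no IPv4 addresses resolved, blocklist left unchanged" >&2
    return 1
fi }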

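      run_ipv6_block () {
      # Rebuild $path/privacy-filter_ipv6.blocklist (sorted, unique IPv6
      # addresses) from the hostnames in $path/privacy-filter.list.
      #
      # Each name is resolved with `hostip -6` when hostip is installed;
      # otherwise the address is taken from the first line of `traceroute -6`
      # with $regexp_v6 and passed through the $local_v6 awk filter.
      # Returns 0 when a new blocklist was written, 1 when the list is missing
      # or nothing was resolved (the previous blocklist is then left in place).
      #
      # List entries are read line by line and quoted; entries that start with
      # "-" or contain characters outside hostname/address syntax are skipped,
      # because the list is downloaded content and must not reach the resolver
      # as an option or a glob.
      # NOTE(review): as before, hostip results are not passed through
      # $local_v6 - confirm whether local addresses should be filtered here.
      v6_list="$path/privacy-filter.list"
      v6_tmp="$path/privacy-filter_ipv6.tmplist"
      v6_pre="$path/privacy-filter_ipv6.prelist"
      v6_out="$path/privacy-filter_ipv6.blocklist"

      rm -f "$v6_tmp" "$v6_pre"
      if [ ! -f "$v6_list" ]; then
          echo "privacy-filter: $v6_list not found, IPv6 blocklist left unchanged" >&2
          return 1
      fi

      if command -v hostip >/dev/null 2>&1; then
          v6_resolver=hostip
      else
          v6_resolver=traceroute
      fi

      while read -r v6_host || [ -n "$v6_host" ]; do
          case "$v6_host" in
              ''|-*|*[!A-Za-z0-9._:-]*) continue ;;
          esac
          # stdin is the list itself; keep the resolver from consuming it.
          if [ "$v6_resolver" = hostip ]; then
              hostip -6 "$v6_host" < /dev/null
          else
              traceroute -6 "$v6_host" < /dev/null | head -1 | grep -oE "$regexp_v6"
          fi
      done < "$v6_list" > "$v6_tmp"

      if [ "$v6_resolver" = hostip ]; then
          sort -u "$v6_tmp" > "$v6_pre"
      else
          awk "$local_v6" "$v6_tmp" | sort -u > "$v6_pre"
      fi
      rm -f "$v6_tmp"

      # Replace the old blocklist only with a non-empty result, so a run with
      # DNS unavailable does not wipe the filter.
      if [ -s "$v6_pre" ]; then
          mv -f "$v6_pre" "$v6_out"
      else
          rm -f "$v6_pre"
          echo "privacy-filter: no IPv6 addresses resolved, blocklist left unchanged" >&2
          return 1
      fi }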

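      run_ipset_4 () {
      # Load $path/privacy-filter_ipv4.blocklist into the ipset
      # privacy-filter_ipv4 and make sure exactly one REJECT rule for that set
      # sits at the top of FORWARD.
      #
      # First run: the set is created and filled directly. Later runs: a
      # scratch set privacy-update_ipv4 is filled and swapped in, so the live
      # set is never half-populated.
      #
      # $SYNTAX is expanded unquoted on purpose: on ipset v4 it holds two
      # words ("-q -A").
      # NOTE(review): FORWARD only sees traffic routed through the router, not
      # packets the router itself sends. iptables-extensions(8) also documents
      # that for a single-dimension set only the first flag of "src,dst" is
      # used, i.e. the rule matches on source address - confirm whether a
      # second rule matching "dst" is wanted.
      if ! ipset -L privacy-filter_ipv4 >/dev/null 2>&1; then
         # Listing failed; create the set only when ipset reports that it
         # really does not exist (message differs between ipset generations).
         if [ -n "$(ipset --swap privacy-filter_ipv4 privacy-filter_ipv4 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" ]; then
            nice ipset -N privacy-filter_ipv4 $HASH
            if [ -f "$path/privacy-filter_ipv4.blocklist" ]; then
               xargs -I {} ipset $SYNTAX privacy-filter_ipv4 {} < "$path/privacy-filter_ipv4.blocklist"
            fi
         fi
      elif [ -s "$path/privacy-filter_ipv4.blocklist" ]; then
         nice -n 2 ipset -N privacy-update_ipv4 $HASH
         xargs -I {} ipset $SYNTAX privacy-update_ipv4 {} < "$path/privacy-filter_ipv4.blocklist"
         nice -n 2 ipset $SWAPPED privacy-update_ipv4 privacy-filter_ipv4
         nice -n 2 ipset $DESTROYED privacy-update_ipv4
      else
         # Swapping in an empty scratch set would silently disable the filter.
         echo "privacy-filter: IPv4 blocklist missing or empty, keeping the loaded set" >&2
      fi

      # Delete every existing copy of the rule (repeated runs used to leave
      # duplicates behind, since only one copy was removed per run), then
      # insert it once at the top of the chain.
      while iptables -D FORWARD -m set $MATCH_SET privacy-filter_ipv4 src,dst -j REJECT 2>/dev/null
      do
         :
      done
      nice -n 2 iptables -I FORWARD -m set $MATCH_SET privacy-filter_ipv4 src,dst -j REJECT
      }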

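run_ipset_6 () {
# Load $path/privacy-filter_ipv6.blocklist into the ipset privacy-filter_ipv6
# and make sure exactly one REJECT rule for that set sits at the top of the
# IPv6 FORWARD chain.
#
# The rule is managed with ip6tables: the earlier version used iptables, whose
# rules are only evaluated for IPv4 packets, so IPv6 traffic was never
# filtered by this set.
#
# First run: the set is created and filled directly. Later runs: a scratch set
# privacy-update_ipv6 is filled and swapped in.
# $SYNTAX and $INET6 are expanded unquoted on purpose (both may hold two words).
# NOTE(review): FORWARD only sees traffic routed through the router, and for a
# single-dimension set only the first flag of "src,dst" is used according to
# iptables-extensions(8), i.e. the rule matches on source address - confirm
# whether a second rule matching "dst" is wanted.
if ! ipset -L privacy-filter_ipv6 >/dev/null 2>&1; then
   # Listing failed; create the set only when ipset reports that it really
   # does not exist.
   if [ -n "$(ipset --swap privacy-filter_ipv6 privacy-filter_ipv6 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" ]; then
      nice ipset -N privacy-filter_ipv6 $HASH $INET6
      if [ -f "$path/privacy-filter_ipv6.blocklist" ]; then
         xargs -I {} ipset $SYNTAX privacy-filter_ipv6 {} < "$path/privacy-filter_ipv6.blocklist"
      fi
   fi
elif [ -s "$path/privacy-filter_ipv6.blocklist" ]; then
   nice -n 2 ipset -N privacy-update_ipv6 $HASH $INET6
   xargs -I {} ipset $SYNTAX privacy-update_ipv6 {} < "$path/privacy-filter_ipv6.blocklist"
   nice -n 2 ipset $SWAPPED privacy-update_ipv6 privacy-filter_ipv6
   nice -n 2 ipset $DESTROYED privacy-update_ipv6
else
   # Swapping in an empty scratch set would silently disable the filter.
   echo "privacy-filter: IPv6 blocklist missing or empty, keeping the loaded set" >&2
fi

# Delete every existing copy of the rule, then insert it once at the top.
while ip6tables -D FORWARD -m set $MATCH_SET privacy-filter_ipv6 src,dst -j REJECT 2>/dev/null
do
   :
done
nice -n 2 ip6tables -I FORWARD -m set $MATCH_SET privacy-filter_ipv6 src,dst -j REJECT
}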

run_blocklists () {
# Always rebuild the IPv4 blocklist. The IPv6 blocklist is rebuilt only when
# ipset reports v6 and /proc/net/if_inet6 has at least one line.
run_ipv4_block
case "$(ipset -v | grep -oE "ipset v[0-9]")" in
    *v6) ;;
    *) return 0 ;;
esac
if [ "$(cat /proc/net/if_inet6 | wc -l)" -gt 0 ]; then
    run_ipv6_block
fi }

run_ipset () {
# Always load the IPv4 set. The IPv6 set is loaded only when ipset reports v6
# and /proc/net/if_inet6 has at least one line.
run_ipset_4
case "$(ipset -v | grep -oE "ipset v[0-9]")" in
    *v6) ;;
    *) return 0 ;;
esac
if [ "$(cat /proc/net/if_inet6 | wc -l)" -gt 0 ]; then
    run_ipset_6
fi }

# Entry point: settle the working directory (and fetch the list), rebuild the
# blocklists, then load them into ipset and iptables.
check_path
run_blocklists
run_ipset

# A bare exit reports the status of the last command, i.e. run_ipset.
exit
 

swetoast

Guest
Either store my script as a separate script or run it on ITS OWN; don't mix and match.

and your issue has been answered in the thread not gonna cover it again on how to check if its working or not.

read the thread!
 

bayern1975

Very Senior Member
so, firewall-start not working with two different scripts inside....just like to know....
 

swetoast

Guest
either use this filter as standalone opt or jffs really doesnt matter to me but dont enter stuff into it else no support.

its in the OP

either a cronjob or as a separate entry in firewall-start

watch iptables -vnL FORWARD | grep privacy

to see if it blocks

FYI its not gonna tick away right away so dont post 10 sec afterwards saying its not working give it day atleast.
 
Last edited:

bayern1975

Very Senior Member
i insert this script....i get this but i do not know if working correct or no?
Code:
ASUSWRT-Merlin RT-AC3200 380.65-0 Fri Feb  3 05:20:08 UTC 2017
[email protected]:/tmp/home/root#  watch iptables -vnL FORWARD | grep privacy
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
 

tomsk

Very Senior Member
i insert this script....i get this but i do not know if working correct or no?
Code:
ASUSWRT-Merlin RT-AC3200 380.65-0 Fri Feb  3 05:20:08 UTC 2017
[email protected]:/tmp/home/root#  watch iptables -vnL FORWARD | grep privacy
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
Try to ping one of the blocked IP ( say ping -c 5 216.117.2.180) and see if the count increases
 

bayern1975

Very Senior Member
Try to ping one of the blocked IP ( say ping -c 5 216.117.2.180) and see if the count increases

i got this: btw, i do not have privacy-filter.list.....i see in script that privacy-filter will automatic install and update?
Code:
[email protected]:/tmp/home/root# ping -c 5 216.117.2.180
PING 216.117.2.180 (216.117.2.180): 56 data bytes

--- 216.117.2.180 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
 

tomsk

Very Senior Member
i got this: btw, i do not have privacy-filter.list.....i see in script that privacy-filter will automatic install and update?
Code:
[email protected]:/tmp/home/root# ping -c 5 216.117.2.180
PING 216.117.2.180 (216.117.2.180): 56 data bytes

--- 216.117.2.180 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Yep...looks like its blocking ok then.... try the same with a good IP (ping -c 5 8.8.8.8) you should get 5 packets received and zero packet loss
 

bayern1975

Very Senior Member
Yep...looks like its blocking ok then.... try the same with a good IP (ping -c 5 8.8.8.8) you should get 5 packets received and zero packet loss
yes i receive 5 packed and zero loss....should we have some logs in syslog? how to check how many times a day, week we get requst to connect from those hostname addresses?
 

tomsk

Very Senior Member
yes i receive 5 packed and zero loss....should we have some logs in syslog? how to check how many times a day, week we get requst to connect from those hostname addresses?
You can do "iptables -L FORWARD -v" and that will show you the packets and bytes that matched the rule... in this case your privacy filter
 

bayern1975

Very Senior Member
i can ping all these hostname in privacy-filter.list? is this normal? I imagined that all this is blocked?

Code:
a.ads1.msn.com
a.ads2.msads.net
a.ads2.msn.com
a.rad.msn.com
a-0002.a-msedge.net
a-0003.a-msedge.net
a-0004.a-msedge.net
a-0005.a-msedge.net
a-0006.a-msedge.net
a-0007.a-msedge.net
a-0008.a-msedge.net
a-0009.a-msedge.net
ac3.msn.com
ads.msn.com
ads1.msads.net
ads1.msn.com
aidps.atdmt.com
aka-cdn-ns.adtech.de
az361816.vo.msecnd.net
az512334.vo.msecnd.net
b.ads1.msn.com
b.ads2.msads.net
b.rad.msn.com
bs.serving-sys.com
c.atdmt.com
c.msn.com
cds26.ams9.msecn.net
choice.microsoft.com
choice.microsoft.com.nsatc.net
corp.sts.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
cs1.wpc.v0cdn.net
db3aqu.atdmt.com
df.telemetry.microsoft.com
diagnostics.support.microsoft.com
ec.atdmt.com
fe2.update.microsoft.com.akadns.net
feedback.microsoft-hohm.com
feedback.search.microsoft.com
feedback.windows.com
flex.msn.com
g.msn.com
h1.msn.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
lb1.www.ms.akadns.net
live.rads.msn.com
m.adnxs.com
m.hotmail.com
msedge.net
msnbot-65-55-108-23.search.msn.com
msntest.serving-sys.com
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
preview.msn.com
pricelist.skype.com
rad.live.com
rad.msn.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
s.gateway.messenger.live.com
s0.2mdn.net
schemas.microsoft.akadns.net
secure.adnxs.com
secure.flashtalking.com
services.wes.df.telemetry.microsoft.com
settings-sandbox.data.microsoft.com
settings-win.data.microsoft.com
sls.update.microsoft.com.akadns.net
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
static.2mdn.net
statsfe1.ws.microsoft.com
statsfe2.update.microsoft.com.akadns.net
statsfe2.ws.microsoft.com
survey.watson.microsoft.com
telecommand.telemetry.microsoft.com
telemetry.appex.bing.net
telemetry.microsoft.com
telemetry.urs.microsoft.com
view.atdmt.com
vortex.data.microsoft.com
vortex-bn2.metron.live.com.nsatc.net
vortex-cy2.metron.live.com.nsatc.net
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
watson.live.com
watson.microsoft.com
watson.ppe.telemetry.microsoft.com
watson.telemetry.microsoft.com
wes.df.telemetry.microsoft.com
www.msftncsi.com
nametests.com
oyag.lhzbdvm.com
oyag.prugskh.net
oyag.prugskh.com
census1.shodan.io
census2.shodan.io
census3.shodan.io
census4.shodan.io
census5.shodan.io
census6.shodan.io
census7.shodan.io
census8.shodan.io
census9.shodan.io
census10.shodan.io
census11.shodan.io
census12.shodan.io
atlantic.census.shodan.io
pacific.census.shodan.io
rim.census.shodan.io
pirate.census.shodan.io
ninja.census.shodan.io
border.census.shodan.io
burger.census.shodan.io
atlantic.dns.shodan.io
hello.data.shodan.io
 

tomsk

Very Senior Member
i can ping all these hostname in privacy-filter.list? is this normal? I imagined that all this is blocked?

Code:
a.ads1.msn.com
a.ads2.msads.net
a.ads2.msn.com
a.rad.msn.com
a-0002.a-msedge.net
a-0003.a-msedge.net
a-0004.a-msedge.net
a-0005.a-msedge.net
a-0006.a-msedge.net
a-0007.a-msedge.net
a-0008.a-msedge.net
a-0009.a-msedge.net
ac3.msn.com
ads.msn.com
ads1.msads.net
ads1.msn.com
aidps.atdmt.com
aka-cdn-ns.adtech.de
az361816.vo.msecnd.net
az512334.vo.msecnd.net
b.ads1.msn.com
b.ads2.msads.net
b.rad.msn.com
bs.serving-sys.com
c.atdmt.com
c.msn.com
cds26.ams9.msecn.net
choice.microsoft.com
choice.microsoft.com.nsatc.net
corp.sts.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
cs1.wpc.v0cdn.net
db3aqu.atdmt.com
df.telemetry.microsoft.com
diagnostics.support.microsoft.com
ec.atdmt.com
fe2.update.microsoft.com.akadns.net
feedback.microsoft-hohm.com
feedback.search.microsoft.com
feedback.windows.com
flex.msn.com
g.msn.com
h1.msn.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
lb1.www.ms.akadns.net
live.rads.msn.com
m.adnxs.com
m.hotmail.com
msedge.net
msnbot-65-55-108-23.search.msn.com
msntest.serving-sys.com
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
preview.msn.com
pricelist.skype.com
rad.live.com
rad.msn.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
s.gateway.messenger.live.com
s0.2mdn.net
schemas.microsoft.akadns.net
secure.adnxs.com
secure.flashtalking.com
services.wes.df.telemetry.microsoft.com
settings-sandbox.data.microsoft.com
settings-win.data.microsoft.com
sls.update.microsoft.com.akadns.net
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
static.2mdn.net
statsfe1.ws.microsoft.com
statsfe2.update.microsoft.com.akadns.net
statsfe2.ws.microsoft.com
survey.watson.microsoft.com
telecommand.telemetry.microsoft.com
telemetry.appex.bing.net
telemetry.microsoft.com
telemetry.urs.microsoft.com
view.atdmt.com
vortex.data.microsoft.com
vortex-bn2.metron.live.com.nsatc.net
vortex-cy2.metron.live.com.nsatc.net
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
watson.live.com
watson.microsoft.com
watson.ppe.telemetry.microsoft.com
watson.telemetry.microsoft.com
wes.df.telemetry.microsoft.com
www.msftncsi.com
nametests.com
oyag.lhzbdvm.com
oyag.prugskh.net
oyag.prugskh.com
census1.shodan.io
census2.shodan.io
census3.shodan.io
census4.shodan.io
census5.shodan.io
census6.shodan.io
census7.shodan.io
census8.shodan.io
census9.shodan.io
census10.shodan.io
census11.shodan.io
census12.shodan.io
atlantic.census.shodan.io
pacific.census.shodan.io
rim.census.shodan.io
pirate.census.shodan.io
ninja.census.shodan.io
border.census.shodan.io
burger.census.shodan.io
atlantic.dns.shodan.io
hello.data.shodan.io
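Where are you pinging from? Open a command window on a client machine and try it there. It's a FORWARD rule, so it should stop packets passing through the router; pings sent from the router's own shell are locally generated and do not traverse the FORWARD chain.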
 

visortgw

Very Senior Member
where are you pinging from?.... open a command window on a client machine and try.... its a forward rule so it should stop packets passing through the router.
Also, perform an nslookup for some of the hostnames. Most likely, the hostnames for some on the list are resolving to a local IP. For example, a.ads1.msn.com resolves to my pixelserv server:
Code:
# nslookup a.ads1.msn.com
Server:        192.168.222.1
Address:    192.168.222.1#53

Name:    a.ads1.msn.com
Address: 192.168.222.2
The ping succeeds to the local pixelserv server, not the distant suspect host:
Code:
# ping a.ads1.msn.com
PING a.ads1.msn.com (192.168.222.2): 56 data bytes
64 bytes from 192.168.222.2: icmp_seq=0 ttl=64 time=1.725 ms
64 bytes from 192.168.222.2: icmp_seq=1 ttl=64 time=1.401 ms
64 bytes from 192.168.222.2: icmp_seq=2 ttl=64 time=1.710 ms
64 bytes from 192.168.222.2: icmp_seq=3 ttl=64 time=1.364 ms
64 bytes from 192.168.222.2: icmp_seq=4 ttl=64 time=2.218 ms
64 bytes from 192.168.222.2: icmp_seq=5 ttl=64 time=1.411 ms
^C
--- a.ads1.msn.com ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.364/1.638/2.218/0.298 ms
 

tomsk

Very Senior Member
Also, perform an nslookup on the hostnames. Most likely, the hostnames for some on the list are resolving to a local IP. For example, a.ads1.msn.com resolves to my pixelserv server:
Code:
# nslookup a.ads1.msn.com
Server:        192.168.222.1
Address:    192.168.222.1#53

Name:    a.ads1.msn.com
Address: 192.168.222.2
The ping succeeds to the local pixelserv server, not the distant suspect host:
Code:
# ping a.ads1.msn.com
PING a.ads1.msn.com (192.168.222.2): 56 data bytes
64 bytes from 192.168.222.2: icmp_seq=0 ttl=64 time=1.725 ms
64 bytes from 192.168.222.2: icmp_seq=1 ttl=64 time=1.401 ms
64 bytes from 192.168.222.2: icmp_seq=2 ttl=64 time=1.710 ms
64 bytes from 192.168.222.2: icmp_seq=3 ttl=64 time=1.364 ms
64 bytes from 192.168.222.2: icmp_seq=4 ttl=64 time=2.218 ms
64 bytes from 192.168.222.2: icmp_seq=5 ttl=64 time=1.411 ms
^C
--- a.ads1.msn.com ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.364/1.638/2.218/0.298 ms
This is expected behaviour. ping and nslookup will resolve a domain name through dnsmasq. If dnsmasq has a hosts file redirecting the lookup to where pixelserv is listening , you will see the ping response from pixelserv. Other lookups will make it to the firewall and if they match the rule will be dropped.
 

bayern1975

Very Senior Member
where are you pinging from?.... open a command window on a client machine and try.... its a forward rule so it should stop packets passing through the router.
I tested with putty and inside router network services tool?
 

tomsk

Very Senior Member
I tested with putty and inside router network services tool?
Strange...its working ok for me... i do an nslookup i just get the cached IP from dnsmasq and the ping packets are dropped.

You haven't rebooted the router since you ran this script have you?..... the iptables and ipsets are in ram so they have to be reapplied if so.
 

visortgw

Very Senior Member
Strange...its working ok for me... i do an nslookup i just get the cached IP from dnsmasq and the ping packets are dropped.

You haven't rebooted the router since you ran this script have you?..... the iptables and ipsets are in ram so they have to be reapplied if so.
The same here for certain hosts -- it depends on whether another tool (e.g., AB-Solution) also affects the DNS resolution for the host:
Code:
$  nslookup census1.shodan.io
Server:        192.168.222.1
Address:    192.168.222.1#53

Non-authoritative answer:
Name:    census1.shodan.io
Address: 198.20.69.74

$ ping census1.shodan.io
PING census1.shodan.io (198.20.69.74): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- census1.shodan.io ping statistics ---
 

bayern1975

Very Senior Member
i have no idea what could be wrong.....i will remove this script temporarily.....
EDIT: strange, some hostnames not pinging, some pinging and some redirecting to computer....
Code:
ASUSWRT-Merlin RT-AC3200 380.65-0 Fri Feb  3 05:20:08 UTC 2017
[email protected]:/tmp/home/root# ping -c 5 216.117.2.180
PING 216.117.2.180 (216.117.2.180): 56 data bytes

--- 216.117.2.180 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
[email protected]:/tmp/home/root# ping -c 5 statsfe2.update.microsoft.com.aka
dns.net
PING statsfe2.update.microsoft.com.akadns.net (65.52.108.153): 56 data bytes

--- statsfe2.update.microsoft.com.akadns.net ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
[email protected]:/tmp/home/root# ping -c 5 a-0003.a-msedge.net
PING a-0003.a-msedge.net (204.79.197.203): 56 data bytes
64 bytes from 204.79.197.203: seq=0 ttl=123 time=34.647 ms
64 bytes from 204.79.197.203: seq=1 ttl=123 time=35.167 ms
64 bytes from 204.79.197.203: seq=2 ttl=123 time=34.404 ms
64 bytes from 204.79.197.203: seq=3 ttl=123 time=31.159 ms
64 bytes from 204.79.197.203: seq=4 ttl=123 time=32.140 ms

--- a-0003.a-msedge.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 31.159/33.503/35.167 ms
[email protected]:/tmp/home/root# ping -c 5 a-0002.a-msedge.net
PING a-0002.a-msedge.net (204.79.197.201): 56 data bytes
64 bytes from 204.79.197.201: seq=0 ttl=123 time=36.000 ms
64 bytes from 204.79.197.201: seq=1 ttl=123 time=32.396 ms
64 bytes from 204.79.197.201: seq=2 ttl=123 time=34.940 ms
64 bytes from 204.79.197.201: seq=3 ttl=123 time=34.144 ms
64 bytes from 204.79.197.201: seq=4 ttl=123 time=34.736 ms

--- a-0002.a-msedge.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 32.396/34.443/36.000 ms
[email protected]:/tmp/home/root# ping -c 5 a-0004.a-msedge.net
PING a-0004.a-msedge.net (204.79.197.206): 56 data bytes
64 bytes from 204.79.197.206: seq=0 ttl=122 time=33.530 ms
64 bytes from 204.79.197.206: seq=1 ttl=122 time=32.978 ms
64 bytes from 204.79.197.206: seq=2 ttl=122 time=32.391 ms
64 bytes from 204.79.197.206: seq=3 ttl=122 time=30.240 ms
64 bytes from 204.79.197.206: seq=4 ttl=122 time=33.552 ms

--- a-0004.a-msedge.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 30.240/32.538/33.552 ms
[email protected]:/tmp/home/root# ping -c 5 a.ads1.msn.com
PING a.ads1.msn.com (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.178 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.104 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.125 ms
64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.123 ms
64 bytes from 127.0.0.1: seq=4 ttl=64 time=0.109 ms

--- a.ads1.msn.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.104/0.127/0.178 ms
[email protected]:/tmp/home/root# ping -c 5 choice.microsoft.com
PING choice.microsoft.com (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.199 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.116 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.124 ms
64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.120 ms
64 bytes from 127.0.0.1: seq=4 ttl=64 time=0.116 ms

--- choice.microsoft.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.116/0.135/0.199 ms
[email protected]:/tmp/home/root# ping -c 5 telecommand.telemetry.microsoft.c
om
PING telecommand.telemetry.microsoft.com (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.160 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.113 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.111 ms
64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.126 ms
64 bytes from 127.0.0.1: seq=4 ttl=64 time=0.120 ms

--- telecommand.telemetry.microsoft.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.111/0.126/0.160 ms

these hostnames allways can ping.....
Code:
a-0002.a-msedge.net
a-0003.a-msedge.net
a-0004.a-msedge.net
a-0005.a-msedge.net
a-0006.a-msedge.net
a-0007.a-msedge.net
a-0008.a-msedge.net
a-0009.a-msedge.net
 
Last edited:
