Privacy Filter (Another IPSET Script)

@spanjap, can you modify your post and use code tags around the script?
It makes it so much easier to read.

Check out the git version, try that one, and see if it works for you. I removed a lot of unneeded parts and used only the essential parts.
 
I tested the git version and it's working. When the firewall-start script is rerun the blockades are still working.
Thank you very much for your help.
 
Rev 16 is up (see OP).

Changelog:
  • persistent firewall rules
  • rewrote ipset part
  • minor fixes and tweaks
 
I successfully updated two AC88U routers with version 17. On the third AC88U router, I get the following busybox output that I did not get on the other two (included first line of verbose output):

Code:
+ cat /jffs/privacy-filter.list
+ /opt/bin/xargs -P 10 -n 5 -I {} sh -c traceroute -4 {} | head -1 >> /tmp/privacy-filter_ipv4_raw.part
BusyBox v1.25.1 (2017-03-10 00:31:38 EST) multi-call binary.

Usage: traceroute [-46FIlnrv] [-f 1ST_TTL] [-m MAXTTL] [-q PROBES] [-p PORT]
        [-t TOS] [-w WAIT_SEC] [-g GATEWAY] [-s SRC_IP] [-i IFACE]
        [-z PAUSE_MSEC] HOST [BYTES]

Trace the route to HOST

        -4,-6   Force IP or IPv6 name resolution
        -F      Set don't fragment bit
        -I      Use ICMP ECHO instead of UDP datagrams
        -l      Display TTL value of the returned packet
        -n      Print numeric addresses
        -r      Bypass routing tables, send directly to HOST
        -v      Verbose
        -f N    First number of hops (default 1)
        -m N    Max number of hops
        -q N    Number of probes per hop (default 3)
        -p N    Base UDP port number used in probes
                (default 33434)
        -s IP   Source address
        -i IFACE Source interface
        -t N    Type-of-service in probe packets (default 0)
        -w SEC  Time to wait for a response (default 3)
        -g IP   Loose source route gateway (8 max)

Version 16 outputs the same busybox message. I am curious to know why it happened on one and not the other two. All three are running 380.65_2. Thank you.
 
I get this on my RT-AC5300

Code:
Usage: traceroute [-46FIlnrv] [-f 1ST_TTL] [-m MAXTTL] [-q PROBES] [-p PORT]
        [-t TOS] [-w WAIT_SEC] [-g GATEWAY] [-s SRC_IP] [-i IFACE]
        [-z PAUSE_MSEC] HOST [BYTES]

Trace the route to HOST

        -4,-6   Force IP or IPv6 name resolution
        -F      Set don't fragment bit
        -I      Use ICMP ECHO instead of UDP datagrams
        -l      Display TTL value of the returned packet
        -n      Print numeric addresses
        -r      Bypass routing tables, send directly to HOST
        -v      Verbose
        -f N    First number of hops (default 1)
        -m N    Max number of hops
        -q N    Number of probes per hop (default 3)
        -p N    Base UDP port number used in probes
                (default 33434)
        -s IP   Source address
        -i IFACE Source interface
        -t N    Type-of-service in probe packets (default 0)
        -w SEC  Time to wait for a response (default 3)
        -g IP   Loose source route gateway (8 max)
ipset v6.29: No command specified: unknown argument privacy-filter_ipv4
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-update_ipv4
Try `ipset help' for more information.
hostip: invalid option -- 'n'
hostip: invalid option -- 'n'
ipset v6.29: No command specified: unknown argument privacy-update_ipv4
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-update_ipv6
Try `ipset help' for more information.
hostip: invalid option -- 'n'
ipset v6.29: No command specified: unknown argument privacy-update_ipv6
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-filter_ipv4
Try `ipset help' for more information.
hostip: invalid option -- 'n'
ipset v6.29: No command specified: unknown argument privacy-filter_ipv4
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-update_ipv4
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-update_ipv6
Try `ipset help' for more information.
sh: syntax error: unexpected "("
hostip: invalid option -- 'n'
ipset v6.29: No command specified: unknown argument privacy-filter_ipv4
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-filter_ipv6
Try `ipset help' for more information.
sh: syntax error: unexpected ")"
ipset v6.29: No command specified: unknown argument privacy-filter_ipv4
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-update_ipv6
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-update_ipv4
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-filter_ipv4
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-update_ipv4
Try `ipset help' for more information.
sh: syntax error: unexpected "("
ipset v6.29: No command specified: unknown argument privacy-filter_ipv6
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-filter_ipv6
Try `ipset help' for more information.
sh: syntax error: unexpected ")"
ipset v6.29: No command specified: unknown argument privacy-update_ipv6
Try `ipset help' for more information.
[name does not exist]
ipset v6.29: No command specified: unknown argument privacy-update_ipv4
Try `ipset help' for more information.
sh: syntax error: unexpected "("
sh: syntax error: unexpected ")"
ipset v6.29: No command specified: unknown argument privacy-update_ipv6
Try `ipset help' for more information.
grep: v[0-9]: No such file or directory
ipset v6.29: No command specified: unknown argument privacy-filter_ipv6
Try `ipset help' for more information.
[name does not exist]
sh: syntax error: unexpected "do"
ipset v6.29: No command specified: unknown argument privacy-filter_ipv6
Try `ipset help' for more information.
ipset v6.29: No command specified: unknown argument privacy-filter_ipv6
Try `ipset help' for more information.
grep: v[0-9]: No such file or directory
sh: syntax error: unexpected ")"
sh: syntax error: unexpected "("
sh: syntax error: unexpected "("
sh: syntax error: unexpected "("
[name does not exist]
hostip: invalid option -- 'n'
sh: syntax error: unexpected "("
[name does not exist]
[name does not exist]
[name does not exist]
[name does not exist]
[name does not exist]
[name does not exist]
[name does not exist]
[name does not exist]
[name does not exist]
[name does not exist]


system: Privacy Filter (ipv4) loaded 0 unique ip addresses.

But it seems to be working, at least some of it.


Code:
mike@RT-AC5300:/jffs/privacy-filter# blockstats
    7   326 DROP       all  --  any    any     anywhere             anywhere             match-set CustomBlock src
  710 46645 DROP       all  --  any    any     anywhere             anywhere             match-set BlockedCountries src
   16   928 DROP       all  --  any    any     anywhere             anywhere             match-set TorNodes src
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set BruteForceLogins src
    0     0 REJECT     all  --  any    any     anywhere             anywhere             match-set privacy-filter_ipv4 src,dst reject-with icmp-port-unreachable
  331 16832 DROP       all  --  any    any     anywhere             anywhere             match-set MicrosoftSpyServers dst
mike@RT-AC5300:/jffs/privacy-filter#
 
OK, wait a minute here, I need more info.

xentrk, do you have Entware installed?

mikelees2, yours looks messed up; try this: dos2unix /jffs/privacy-filter
I don't understand?
 
Yes, Entware is installed on all routers. I saw a package called LFT that is "sort of a traceroute but much faster". I installed it and looked at the options. There would need to be some coding changes made to the script though.
 
creates empty file
It looks like you need to create the file again. If you transferred the file, it may have appended Ctrl-M characters at the end of each line. They look like ^M. On your client, make sure you check the ASCII mode to prevent this. Following is my example from MobaXTerm.

upload_2017-3-28_23-26-38.png
 
Or simply use dos2unix.
 
The reason it created an empty file is that you were probably not in the same directory as the script? But when I try, I get an error
Code:
No such file or directory
So something emptied the file out?
Try
Code:
dos2unix /jffs/scripts/privacy-filter

or
Code:
cd /jffs/scripts
dos2unix privacy-filter

Then, there is the file privacy-filter.list in /jffs directory. That may also have DOS characters. Check both.
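
The diagnosis in the posts above (a script pasted or transferred with DOS line endings) can be checked and fixed without dos2unix. This is an added example, not part of the original posts or of the privacy-filter script; the helper names `count_crlf`, `strip_crlf` and `fix_files` are hypothetical, and the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: find and strip trailing carriage returns (the ^M characters)
# from a script and its list file. Helper names are hypothetical.

CR=$(printf '\r')

# Print how many lines of file $1 end in a carriage return.
count_crlf() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    grep -c "${CR}\$" "$1" || true   # grep exits 1 on a zero count
}

# Remove the trailing CR from every line of file $1.
strip_crlf() {
    [ -f "$1" ] || return 2
    tmp="$1.tmp.$$"
    sed "s/${CR}\$//" "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1"                # overwrite in place so chmod +x survives
    rm -f "$tmp"
}

# Report each file and convert the ones that need it.
fix_files() {
    for f in "$@"; do
        n=$(count_crlf "$f") || continue
        if [ "$n" -gt 0 ]; then
            echo "$f: $n CRLF line(s), converting"
            strip_crlf "$f"
        else
            echo "$f: clean"
        fi
    done
}

# Constructed sample: a script saved with DOS line endings and a clean list.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\r\necho ok\r\n' > "$demo_dir/privacy-filter"
printf 'example.com\n' > "$demo_dir/privacy-filter.list"
fix_files "$demo_dir/privacy-filter" "$demo_dir/privacy-filter.list"
```

On the router, the same call would take the two paths named in the thread: `fix_files /jffs/scripts/privacy-filter /jffs/privacy-filter.list`.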
 
I created it with nano, then pasted in from the post. Then ran
chmod +x /jffs/privacy-filter/privacy-filter

Could it be that I am running this with firewall-start?

It is a separate script though.
 
YAY! I think I got it. Thank you @Xentrk & @swetoast. I screwed up. Sorry.

Great job on the filters.
 
Hi everyone,

I've been working on the wiki while I was sick (didn't have anything better to do), so there are some changes coming up. New versions of my script will be posted on my GitHub, or if I want testing done I'll post here in the thread. This is so the wiki will become easier to grasp, so there is less confusion over ipset versions and how to deploy the scripts on your home router.

https://www.snbforums.com/threads/cleaning-up-the-wiki.38338/
https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset
https://github.com/RMerl/asuswrt-merlin/wiki/Ipset-script-installation-instructions
 
Thanks @swetoast. I appreciate your contributions to the community. I've learned a lot from your work. I hope you get well soon.

I am curious to know what you find out about why I got the traceroute usage message on the third router where I installed the updated version of privacy-filter. Same router and FW versions as the other two. Despite the message, it appears to be working.
 
Nope, haven't gotten any wiser at all on that. Been twisting my head around that issue. Gonna PM you later and we can investigate further.

And thx on the comments on the documentation. Let me know if anything is missing or out of order.
 
It just occurred to me there is one difference... I was connected to the router remotely through a VPN connection. I will try to run the script when I am physically onsite tomorrow to see if the same thing happens.
 
ipset is nice for incoming - but I always worry about outgoing connections - and this is where DNS based solutions along with ipset can work hand-in-hand...
 
