What's new

Yet another malware block script using ipset (v4 and v6)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I downloaded it with no problems last night on two routers using the wget in the OP and I have ab-solution installed. This was my first time. This script runs fast. I am impressed.
 
so it is ok to put in services-start from previous nessages , will try that for router reboots so it loads.
I am not having any slow downloads at all:
Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (41014) and YAMalwareBlockCIDR (5141) in 27 seconds

thanks all
 
If this script is active on my router, the translator software "iTranslate" will be disabled or no longer working on (all my iDevices under iOS 10.3.1. If I disable your script or in Cellular mode, the tool will work immediately.
 
For now on this script only blocking tor and proxys, and I use the ya-malware-block also, no issues, I upgraded merlins firmware and factory restored and setup everything from 0, the slowness issues yesterday was my ISP so both scripts are running fast and working like they should
 
I mean, test against the lists pulled in via ya-malware, I'm aware of my own LAN IPs...:)

I think I have resolved, moving it from firewall-start (which it had been in before) to services-start seems *touch wood* to be behaving
 
Some blacklists contain "unrouteable" IP's. I pm'd Redhat the workaround I use to filter these
 
Thanks @Adamm I've uploaded a new script in github. Please download as per OP

Here is a small shell function that you can put in your /jffs/configs/profile.add

You'll need to install paste (opkg install coreutils-paste)

For ipset-v4:
Code:
cl() { # Check IP against ipset lists
  if [ -z "$1" ]; then
    echo "Specify IP to check through ipset lists. Exiting."
  else
    GREEN='\033[0;32m'
    RED='\033[0;31m'
    NC='\033[0m' # No Color
    for TestList in $( (iptables -L -t raw && iptables -L) | grep " set" | tr -s ' ' | cut -d' ' -f7 | paste -s); do
      ipset -q --test $TestList $1 && echo -e "$1 found in ${GREEN}${TestList}${NC}" || echo -e "$1 not found in ${RED}${TestList}${NC}"
    done
  fi
}

For ipset v6:
Code:
cl() { # Check IP against ipset lists
  if [ -z "$1" ]; then
    echo "Specify IP to check through ipset lists. Exiting."
  else
    GREEN='\033[0;32m'
    RED='\033[0;31m'
    NC='\033[0m' # No Color
    for TestList in $( (iptables -L -t raw && iptables -L) | grep "match-set" | tr -s ' ' | cut -d' ' -f7 | paste -s); do
      ipset -q test $TestList $1 && echo -e "$1 found in ${GREEN}${TestList}${NC}" || echo -e "$1 not found in ${RED}${TestList}${NC}"
    done
  fi
}

EDIT: ipset-v6 may need some tweaking, I can't test at this moment, try it and let me know if it works for you


You can then check an IP is present in any of your ipsets (from all the scripts, not just this one):
Source your profile, or re-login to your router and issue:

cl <IP>
 
Last edited:
I changed the function name (personal pref), but it seems to work. Just need to update to new blocklist tomorrow!

upload_2017-5-13_23-15-23.png


Having said that, it doesnt seem to include the sets from blocklist loadeR?
 
it doesnt seem to include the sets from blocklist loadeR?
It should include all your ipsets that are referenced in your firewall. Which lists from the iblocklist-loader were you expecting? Run the loader script and check syslog to see if the lists were loaded
 
Ok so if i run blocklist loader manually they all load. But then i lose dns. If i use it in services-start some load but not all. I suspect dnscrypt is playing a part in this. Are you able to test?
 
But then i lose dns
That is odd. See if your external dns server IP is in any of the loaded lists with this shell function. You can always whitelist your dns: Just assign your dns server ip to your "my_dns" domain in /jffs/configs/host.add and then whitelist that domain (my_dns)
 
That is odd. See if your external dns server IP is in any of the loaded lists with this shell function. You can always whitelist your dns: Just assign your dns server ip to your "my_dns" domain in /jffs/configs/host.add and then whitelist that domain (my_dns)
Will give it a go next time it happens. This reboot seems to be more stable. I did check against the lists and no matches, but I'll see how I get on
 
If you are using dnscrypt, then check if 127.0.0.1 is there in any of those lists. Do not use that list for now then.

Edit: also check your router internal IP (example 192.168.1.1 or similar)
 
I found it, the bloody Bogon list happened to be blocking a lot of sites (even TfL!), removed that set and ta-dah. Sorry for wasting time, it was only after nslookup was returning addresses I realised DNS was fine.
 
Hi all,

Pardon my ignorance. Hope you can help enlighten me on this subject.

How is a "malware block script" any different with the Firewall option in the Asus Router?
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top