Yet another malware block script using ipset (v4 and v6)

Out of curiosity, what would happen if I amended the script to drop on src and dst, rather than just src?
 
Out of curiosity, what would happen if I amended the script to drop on src and dst, rather than just src?
I think it may be redundant to have both src,dst since the block is on the PREROUTING chain of the raw table.

I would welcome a comment from @Adamm or @kvic or anyone who can comment more definitively.
 
I think it may be redundant to have both src,dst since the block is on the PREROUTING chain of the raw table.

I would welcome a comment from @Adamm or @kvic or anyone who can comment more definitively.

Yeah, it's not needed. Packets being blocked sourcing from those IPs is all you need.
 
Quick questions.

How do you select which level you are wanting to use? Also, I wanted to add the updater script to my Init-start, but I have no Init-Start file in my JFFS/Scripts location. Do I first need to create an Init-Start file and add the updater script to it?

Cheers.
 
I reinstalled the script since I was on the previous version, deleted the .url_list before, and all was smooth:
Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (65536), YAMalwareBlock3IP (30978) and YAMalwareBlockCIDR (8731) in 30 seconds

Problem is I added some extra sets of ipsets, and even if I reload the script the result is as above, as it doesn't work properly.

https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_emd.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_ats.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_exp.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_fsa.ipset
etc
 
Quick questions.

How do you select which level you are wanting to use? Also, I wanted to add the updater script to my Init-start, but I have no Init-Start file in my JFFS/Scripts location. Do I first need to create an Init-Start file and add the updater script to it?

Cheers.
The default is Level1 thru Level3 blocking. Level4 is disabled by default as it has a lot of false positives. You can choose to block even less. Just remove what you want blocked or not blocked from the
/jffs/ipset_lists/ya-malware-block.url_list file. This file is not redownloaded on each run of the script, and allows for manual editing. If you want the default sources, then just delete this file, and the script will download the default one from github.

Also, I would advise to run this at the end of services-start (for a one time run) or better yet, schedule this in cron as the sources are dynamic. See OP for details.
 
I reinstalled the script since I was on the previous version, deleted the .url_list before, and all was smooth:
Loaded sets YAMalwareBlock1IP (65535), YAMalwareBlock2IP (65536), YAMalwareBlock3IP (30978) and YAMalwareBlockCIDR (8731) in 30 seconds

Problem is I added some extra sets of ipsets, and even if I reload the script the result is as above, as it doesn't work properly.

https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_emd.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_ats.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_exp.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/hphosts_fsa.ipset
etc
All of the FireHOL lists are already aggregated. See their site for details as to what each of their Levels block. The OP has a link to each level
 
The default is Level1 thru Level3 blocking. Level4 is disabled by default as it has a lot of false positives. You can choose to block even less. Just remove what you want blocked or not blocked from the
/jffs/ipset_lists/ya-malware-block.url_list file. This file is not redownloaded on each run of the script, and allows for manual editing. If you want the default sources, then just delete this file, and the script will download the default one from github.

Also, I would advise to run this at the end of services-start (for a one time run) or better yet, schedule this in cron as the sources are dynamic. See OP for details.

That is great thanks, all set up now and I have this as a cron job in Init-start for the future :) Here is to better security
 
That is great thanks, all set up now and I have this as a cron job in Init-start for the future :) Here is to better security
Note: I forgot to mention that you can do both too (both in services-start and in cron). That way you are covered in the time interval when your router has booted and cron has not run yet. A lot of us here keep rebooting our routers often as they try new stuff ;), so it may be more appropriate for them, actually.

EDIT: Updated the OP again to clarify some of the questions you had.
 
Out of curiosity, what would happen if I amended the script to drop on src and dst, rather than just src?

If redhat27 read your mind correctly, your intended change will be redundant. lol

I think it may be redundant to have both src,dst since the block is on the PREROUTING chain of the raw table.

Jack Yaz raises a good point though. I don't see how your script blocks outgoing traffic as you advertised in post #1. In your tests, it actually blocks? I think you need one more line in the for loop with "--match-set ... dst"
 
I don't see it but I guess you've to twist the meaning of "block" a bit...
admin@RT-AC66R-D700:/tmp/home/root# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=58 time=23.019 ms
64 bytes from 8.8.8.8: seq=1 ttl=58 time=22.858 ms
64 bytes from 8.8.8.8: seq=2 ttl=58 time=23.938 ms
64 bytes from 8.8.8.8: seq=3 ttl=58 time=22.553 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 22.553/23.092/23.938 ms

admin@RT-AC66R-D700:/tmp/home/root# ipset -N Test iphash
admin@RT-AC66R-D700:/tmp/home/root# ipset -A Test 8.8.8.8
admin@RT-AC66R-D700:/tmp/home/root# iptables -t raw -I PREROUTING -m set --set Test src -j DROP
admin@RT-AC66R-D700:/tmp/home/root# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss

admin@RT-AC66R-D700:/tmp/home/root# ipset -X Test
ipset v4.5: Set is in use, operation not permitted
admin@RT-AC66R-D700:/tmp/home/root# iptables -t raw -D PREROUTING -m set --set Test src -j DROP
admin@RT-AC66R-D700:/tmp/home/root# ipset -X Test
admin@RT-AC66R-D700:/tmp/home/root#
 
If redhat27 read your mind correctly, your intended change will be redundant. lol



Jack Yaz raises a good point though. I don't see how your script blocks outgoing traffic as you advertised in post #1. In your tests, it actually blocks? I think you need one more line in the for loop with "--match-set ... dst"
That's correct, it blocks pgl.yoyo.org, for example, one of the hosts file providers.
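
Added example (not part of any post in this thread, and not the script's own code): a small shell model of which packets a DROP rule in the raw table's PREROUTING chain gets to see, comparing a src-only match with src plus dst. The set contents, client address and WAN address are constructed, and the model assumes standard netfilter traversal, where packets generated by the router go through OUTPUT rather than PREROUTING.

```shell
#!/bin/sh
# Added example, not from the thread or the script it discusses.
# Models which packets a DROP rule in raw/PREROUTING gets to see.
BLOCKED="8.8.8.8"        # constructed one-entry set (address from the ping test)
CLIENT="192.168.1.10"    # constructed LAN client
WAN_IP="203.0.113.5"     # constructed router WAN address

in_set() { [ "$1" = "$BLOCKED" ]; }

# verdict RULES ARRIVAL SRC DST -> prints DROP or PASS
#   RULES:   "src" or "src,dst", the match directions installed
#   ARRIVAL: "lan" or "wan" for packets received on an interface (PREROUTING
#            runs), "local" for packets the router itself generates (these
#            traverse OUTPUT and never reach PREROUTING)
verdict() {
    rules=$1; arrival=$2; src=$3; dst=$4
    if [ "$arrival" = "local" ]; then echo PASS; return; fi
    case ",$rules," in
        *,src,*) if in_set "$src"; then echo DROP; return; fi ;;
    esac
    case ",$rules," in
        *,dst,*) if in_set "$dst"; then echo DROP; return; fi ;;
    esac
    echo PASS
}

# exchange RULES ORIGIN: follow one request to BLOCKED and its reply.
#   ORIGIN: "local" (sent by the router) or "lan" (sent by CLIENT)
exchange() {
    if [ "$2" = "local" ]; then from=$WAN_IP; else from=$CLIENT; fi
    if [ "$(verdict "$1" "$2" "$from" "$BLOCKED")" = "DROP" ]; then
        echo "request=DROP reply=none"; return
    fi
    # raw/PREROUTING runs before NAT is reversed, so the reply is still
    # addressed to the WAN IP; its source is the blocked address either way.
    echo "request=PASS reply=$(verdict "$1" wan "$BLOCKED" "$WAN_IP")"
}

for rules in src src,dst; do
    for origin in local lan; do
        echo "$rules / $origin: $(exchange "$rules" "$origin")"
    done
done
```

Only the last case differs: with dst added, a LAN client's request is dropped at the router instead of leaving and having only its reply dropped.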
 