Original comment by andy.pad...@gmail.com
on 28 Mar 2013 at 6:23
I successfully added ipset to the firmware: kernel modules (ipset is already included
in kernel 3.0.x) and the ipset utility. No entware package is needed.
Original comment by andy.pad...@gmail.com
on 30 Mar 2013 at 9:10
Great to hear. I'd be more than happy to test it all out when it goes live on
the git repo and do some performance comparisons. Thanks again.
Original comment by c_u_late...@hotmail.com
on 31 Mar 2013 at 4:46
If you're interested, I have written two scripts, one using the old IPTables
method and one using IPSet, to compare performance for real world examples. They
could be useful for others wanting to learn how to make the most out of IPSet.
IPTables Method - http://pastebin.com/UX1uTFsa
IPSet Method - http://pastebin.com/gTpkiRWw
Original comment by c_u_late...@hotmail.com
on 31 Mar 2013 at 7:27
There seem to be some build issues with IPSet at the moment. Here's a log from
my Linux Mint build setup.
http://pastebin.com/gwxZuijJ
Original comment by c_u_late...@hotmail.com
on 1 Apr 2013 at 2:53
Fixed .gitignore in the last commit. Before calling make, please call make clean in
dir user/ipset
Original comment by andy.pad...@gmail.com
on 1 Apr 2013 at 10:23
I also have this same issue, random IPs try to get access to my home network.
Can you give me an easy-to-follow guide on how to add this feature to my rt-n56u?
Thanks for your time.
Original comment by nony...@gmail.com
on 4 Apr 2013 at 10:45
Feel free to use the script I made to automate the process using IPSet. Make
sure you have entware installed along with a text editor you're familiar with.
1) Edit "/opt/bin/update_iptables.sh" so it looks like the following. (Notice
the extra lines)
http://pastebin.com/gxYdrMQM
2) Now save the code from the link below to "/opt/bin/firewall".
http://pastebin.com/RQAaPjwS
After doing so you can run the script in SSH or the admin GUI by running the
following commands.
"firewall" # <-- Bans All IP's
"firewall ban" # <-- Adds Entry To Blacklist
"firewall unban" # <-- Remove Single IP From Blacklist
"firewall unbanall" # <-- Unbans All IP's In Blacklist
"firewall removeall" # <-- Delete All Entries From Blacklist
"firewall scan" # <-- Scans Syslog For Dropped Entries
Hope this helps.
Original comment by c_u_late...@hotmail.com
on 4 Apr 2013 at 12:27
Also don't forget to uncomment (Or add if they are missing) the following lines
from /etc/storage/started_script.sh
modprobe ip_set
modprobe ip_set_hash_ip
modprobe ip_set_hash_net
modprobe ip_set_bitmap_ip
modprobe ip_set_list_set
modprobe xt_set
Original comment by c_u_late...@hotmail.com
on 4 Apr 2013 at 12:30
Now I have found and modified opt/bin/update_iptables.sh
But the steps after that are too hard for me... Help?
Original comment by nony...@gmail.com
on 4 Apr 2013 at 8:05
To edit the files above I suggest using the editor nano. To install nano do the
following in SSH:
opkg update
opkg upgrade
opkg install nano
To edit the files mentioned above you can use the following command and just
replace the file path. Hope this helps. Google can be a good start for first
time Linux users to help with the basics.
nano -w "/opt/bin/firewall"
Original comment by c_u_late...@hotmail.com
on 5 Apr 2013 at 8:36
Me again.
### /etc/storage/started_script.sh <-- Cronjob Adding For Daily Scan #
### /opt/bin/update_iptables.sh <-- Execute blacklist Script On Startup #
### /opt/bin/firewall <-- Blacklists IP's From /opt/etc/ipblock #
I have successfully done all these steps, but in PuTTY I get this:
/opt/home/admin # firewall
-sh: firewall: Permission denied
What have I done wrong?
Original comment by nony...@gmail.com
on 5 Apr 2013 at 11:43
In SSH type "chmod +x /opt/bin/firewall"
Original comment by c_u_late...@hotmail.com
on 5 Apr 2013 at 12:37
Thanks a lot! Now I have successfully banned a few IPs...
Original comment by nony...@gmail.com
on 5 Apr 2013 at 1:16
How can I add some IP addresses or IP ranges to an "Allow always list"?
Original comment by nony...@gmail.com
on 7 Apr 2013 at 7:04
For anyone interested, using the IPSet method above causes no noticeable
performance degradation and is much more efficient than using purely IPTables.
Currently I have around 90,000 (and counting) blocking IPs from using the
script above to block a large botnet attacking my home IP.
Previously adding a banned list of IPs would start to cause issues at around
800+ IPs with multiple services. As you can see, this is a thing of the past.
Thanks again for adding IPSet and hopefully this helps others besides myself.
Here's a speedtest on the 5 GHz band (the router is also located on a different
floor so the range on this thing is great)
http://speedtest.net/result/2640163542.png
Original comment by c_u_late...@hotmail.com
on 14 Apr 2013 at 2:03
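The approach described in the comment above, as an added example that is not the script linked in the thread: a blocklist is turned into `ipset restore` input so the whole list is matched by two iptables rules instead of one rule per address. The set names `blacklist_ip` and `blacklist_net`, the one-entry-per-line file format and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not the script linked in the thread). Set names and the
# sample list are assumptions; the addresses are documentation ranges.

# Succeeds only for a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read one address or CIDR per line on stdin and write `ipset restore` input
# on stdout. Duplicates are dropped; bad entries are reported on stderr.
build_restore() {
    # The default maxelem is 65536, too small for a list of 90,000 addresses.
    echo "create blacklist_ip hash:ip family inet maxelem 262144"
    echo "create blacklist_net hash:net family inet maxelem 262144"
    sort -u | while IFS= read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac
        addr=${entry%%/*}
        if ! valid_ipv4 "$addr"; then
            echo "skipped: $entry" >&2
        elif [ "$addr" = "$entry" ]; then
            echo "add blacklist_ip $entry"
        else
            case "${entry#*/}" in
                [1-9]|[12][0-9]|3[0-2]) echo "add blacklist_net $entry" ;;
                *) echo "skipped: $entry" >&2 ;;
            esac
        fi
    done
}

# Constructed sample list: a duplicate, a bad octet, a bad prefix, junk.
sample_list() {
    printf '%s\n' '# botnet hosts' 203.0.113.7 198.51.100.0/24 \
        203.0.113.7 192.0.2.300 not-an-ip 192.0.2.0/33
}

# On the router (as root, with the ip_set modules loaded) the output is
# loaded once and matched by two rules, however long the list grows:
#   build_restore < /opt/etc/ipblock | ipset -exist restore
#   iptables -I INPUT -m set --match-set blacklist_ip src -j DROP
#   iptables -I INPUT -m set --match-set blacklist_net src -j DROP
sample_list | build_restore 2>/dev/null
```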
Original issue reported on code.google.com by
c_u_late...@hotmail.com
on 28 Mar 2013 at 3:19