GH0 DD-WRT User Joined: 05 Dec 2008 Posts: 249
Posted: Mon Dec 26, 2011 3:18 Post subject: Optware Question - Updating packages & asiablock
Quote: login as: root
DD-WRT v24-sp2 mega (c) 2011 NewMedia-NET GmbH
Release: 12/20/11 (SVN revision: 18024)
Enhanced with OTRW
Router Model Linksys WRT350N
Is there a list of commands to update single packages?
Currently I noticed this when updating optware:
Quote:
Successfully terminated.
Package siproxd (0.8.0+06May2011-1) installed in /opt/ is up to date.
Nothing to be done
Successfully terminated.
/opt/usr/sbin/pixelserv: Text file busy
--2011-12-25 22:15:08-- http://wd.mirmana.com/S95watchprinter
Resolving wd.mirmana.com... 212.123.145.69
Connecting to wd.mirmana.com|212.123.145.69|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 871 [application/octet-stream]
Saving to: `/opt/etc/init.d/S95watchprinter'
100%[======================================>] 871 --.-K/s in 0.003s
2011-12-25 22:15:08 (273 KB/s) - `/opt/etc/init.d/S95watchprinter' saved [871/871]
And I want to make sure that that service is updated after I am done.
I have been noticing that asiablock is not working correctly and not blocking access to my webserver for any country listed in the spam list for asiablock. I have tried several proxies and they all seem to allow access to my webserver.
Optware was working fine before I went to go update to 18024, now I can't seem to get it working.
Could anyone help me resolve this issue?
I also seem to be getting this message every time I go to change the state of the asiablock service:
sh: /tmp/etc/config/asia.prewall: Permission denied
If I manually run the sh script, it doesn't give me a permission denied error, and I get the following results:
http://pastebin.com/SR2sphzG
However, asiablock still fails to work afterwards. A Brazilian proxy still allows me access to my webserver.
My current firewall script is below:
Quote:
wanf=`nvram get wan_iface`
iptables -I INPUT 2 -p tcp -i $wanf --dport 1:1024 -j asia
iptables -I INPUT 3 -p tcp -i $wanf --dport 5900:5910 -j asia
iptables -I INPUT 4 -p tcp -i $wanf --dport 5800 -j asia
iptables -I FORWARD 3 -i $wanf -p tcp --dport 1:1024 -j asia
iptables -I FORWARD 4 -i $wanf -p tcp --dport 5900:5910 -j asia
iptables -I FORWARD 5 -p tcp -i $wanf --dport 5800 -j asia
zoomlink DD-WRT User Joined: 08 May 2011 Posts: 221
Posted: Mon Dec 26, 2011 5:52 Post subject:
Please go to /opt/etc and make sure all iptable scripts, i.e. iptables.birma, iptables.asia, etc., all have the following as the first line:
#!/bin/sh
If that does not work, try
#!/opt/bin/bash
And give it another try.
Keep in mind that it may be necessary to disable the service linked to the iptable script before editing the script.
For example, do a service asiablock stop before you go and edit iptables.asia.
basmaf DD-WRT Guru Joined: 24 Feb 2011 Posts: 1074
Posted: Mon Dec 26, 2011 10:27 Post subject:
Changes in busybox require a change in the scripts.
Believe it's discussed somewhere in the optware thread, can't recall who provided the fix.
Stop asiablock
cd into /opt/etc
Delete iptables.asia & iptables.asia.rules
You need to edit /opt/etc/init.d/S95asiablock
Edit the following line:
Code:
echo -e "# bof" >${SPAMfilepath}
into:
Code:
echo -e "#!/bin/sh" >${SPAMfilepath}
echo -e "# bof" >>${SPAMfilepath}
Start asiablock.
BM..
GH0 DD-WRT User Joined: 05 Dec 2008 Posts: 249
Posted: Mon Dec 26, 2011 14:25 Post subject:
That did resolve the permission issue on the shell script, however, I don't believe that the firewall is actively working, as I am testing the webserver with my VPS in Canada, and I am still able to access the service.
This is what it is doing from time to time:
You notice that it works fine one time (in that the connection fails), however, then asiablock begins to fail and allows connections to pass through.
This was tested on a Canadian IP Address, and a UK IP Address. Both of which are blocked.
zoomlink DD-WRT User Joined: 08 May 2011 Posts: 221
Posted: Mon Dec 26, 2011 16:54 Post subject:
Ok Basmaf has the more permanent and elegant fix. I was on a bit too much eggnog.
Please make sure you have Stophammer and Stophack enabled as well.
Since I poked around on this.... even after editing the S95asiablock script, when I issue the command 'service asiablock stop' I still get this:
sh: /tmp/etc/config/asia.prewall: Permission denied
Basmaf, do you have any idea on why I still get this permission denied error?
GH0 DD-WRT User Joined: 05 Dec 2008 Posts: 249
Posted: Mon Dec 26, 2011 17:42 Post subject:
zoomlink wrote: Ok Basmaf has the more permanent and elegant fix. I was on a bit too much eggnog.
Please make sure you have Stophammer and Stophack enabled as well.
Since I poked around on this.... even after editing the S95asiablock script, when I issue the command 'service asiablock stop' I still get this:
sh: /tmp/etc/config/asia.prewall: Permission denied
Basmaf, do you have any idea on why I still get this permission denied error?
Stophack and stophammer are both enabled:
Code:
root@operator:~# service
Service: named (/opt/etc/init.d/S09named) disabled
Service: xinetd (/opt/etc/init.d/S10xinetd)
Service: usbmount (/opt/etc/init.d/S30usbmount) disabled
Service: automount (/opt/etc/init.d/S35automount)
Service: reloc_syslog (/opt/etc/init.d/S40relocate_syslog) disabled
Service: pixelserv (/opt/etc/init.d/S45pixelserv)
Service: portmap (/opt/etc/init.d/S55portmap) disabled
Service: unfsd (/opt/etc/init.d/S56unfsd) disabled
Service: zabbix (/opt/etc/init.d/S70zabbix) disabled
Service: lighttpd (/opt/etc/init.d/S80lighttpd) disabled
Service: pound (/opt/etc/init.d/S80pound) disabled
Service: samba (/opt/etc/init.d/S80samba) disabled
Service: vlighttpd (/opt/etc/init.d/S80vlighttpd) disabled
Service: kaid (/opt/etc/init.d/S85kaid) disabled
Service: asterisk (/opt/etc/init.d/S90asterisk) disabled
Service: nzbget (/opt/etc/init.d/S90nzbget) disabled
Service: transmission (/opt/etc/init.d/S90transmission) disabled
Service: fixtables (/opt/etc/init.d/S94fixtables)
Service: stophammer (/opt/etc/init.d/S94stophammer)
Service: asiablock (/opt/etc/init.d/S95asiablock)
Service: birmablock (/opt/etc/init.d/S95birmablock)
Service: twonky (/opt/etc/init.d/S95twonky) disabled
Service: watchprinter (/opt/etc/init.d/S95watchprinter) disabled
Service: worldblock (/opt/etc/init.d/S95worldblock) disabled
Service: siproxd (/opt/etc/init.d/S98siproxd) disabled
Service: stophack (/opt/etc/init.d/S98stophack)
GH0 DD-WRT User Joined: 05 Dec 2008 Posts: 249
Posted: Tue Dec 27, 2011 7:02 Post subject:
Bump. Would like to figure out what has changed since going from the older version of optware package to this new version, to the point that it won't filter correctly anymore.
basmaf DD-WRT Guru Joined: 24 Feb 2011 Posts: 1074
Posted: Tue Dec 27, 2011 8:48 Post subject:
zoomlink wrote: Basmaf, do you have any idea on why I still get this permission denied error?
Did you reboot?
Will check the script tonight
GH0 DD-WRT User Joined: 05 Dec 2008 Posts: 249
Posted: Wed Dec 28, 2011 6:44 Post subject:
basmaf wrote: zoomlink wrote: Basmaf, do you have any idea on why I still get this permission denied error?
Did you reboot?
Will check the script tonight
I rebooted the router a couple times, waiting about 30 minutes between test & reboots
GH0 DD-WRT User Joined: 05 Dec 2008 Posts: 249
Posted: Sun Jan 01, 2012 4:01 Post subject:
Bump, would really like some help in getting asiablock to work properly.
hannibal_bill DD-WRT Novice Joined: 18 Dec 2010 Posts: 20
Posted: Sun Jan 01, 2012 9:30 Post subject:
A wise man once said:
frater wrote: INPUT is for controlling traffic going to the router itself. FORWARD is for traffic passing the router (incoming & outgoing)
The INPUT chain is ONLY for services that RUN on DD-WRT.
so if your web server is on your lan and also ports 5800:5910 are forwarded to your lan, what about this:
Code:
wanf=`nvram get wan_iface`
iptables -I INPUT 2 -i $wanf -p tcp --dport 20:1024 -j asia
iptables -I FORWARD 2 -i $wanf -p tcp --dport 20:1024 -j asia
iptables -I FORWARD 2 -i $wanf -p tcp --dport 5800:5910 -j asia
that input rule is unnecessary if you are not running services on ddwrt on ports 20-1024...
_________________
Asus WL-500W
eko dd-wrt.v24-17084_NEWD-2_big + OTRW
GH0 DD-WRT User Joined: 05 Dec 2008 Posts: 249
Posted: Tue Jan 03, 2012 0:51 Post subject:
What I have shouldn't completely ignore one or the other though, if it is set up how it is.
It should loosen the load on the router, yes, however I don't see how that will prevent it from blocking things if my current firewall rule hasn't worked at all.
GH0 DD-WRT User Joined: 05 Dec 2008 Posts: 249
Posted: Wed Jan 04, 2012 2:48 Post subject:
Bump
Tried the above firewall command, but it is still failing to block services.
GH0 DD-WRT User Joined: 05 Dec 2008 Posts: 249
Posted: Thu Jan 05, 2012 1:49 Post subject:
Bump.
Still need some assistance in getting asiablock to work correctly.
I know that the IPTables are being loaded:
Code:
root@operator:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
nologdrop 0 -- anywhere anywhere
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
invalid 0 -- anywhere anywhere state INVALID
ACCEPT 0 -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT 0 -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
logdrop icmp -- anywhere anywhere
logdrop igmp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:5060
DROP udp -- anywhere 239.255.255.0/24 udp dpt:upnp
logdrop 0 -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
nologdrop 0 -- anywhere anywhere
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
invalid 0 -- anywhere anywhere state INVALID
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT gre -- 10.10.10.0/24 anywhere
asia tcp -- anywhere anywhere tcp dpts:ftp-data:1024
asia tcp -- anywhere anywhere tcp dpts:5800:5910
asia tcp -- anywhere anywhere tcp dpt:5800
asia tcp -- anywhere anywhere tcp dpt:https
asia tcp -- anywhere anywhere tcp dpt:ftp
asia tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- 10.10.10.0/24 anywhere tcp dpt:1723
logreject tcp -- anywhere anywhere tcp WEBSTR match content 15
logaccept tcp -- anywhere 10.10.10.252 tcp dpt:5900
logaccept udp -- anywhere 10.10.10.252 udp dpt:5900
logaccept tcp -- anywhere 10.10.10.223 tcp dpt:37777
logaccept udp -- anywhere 10.10.10.223 udp dpt:37777
logaccept tcp -- anywhere 10.10.10.223 tcp dpt:58846
logaccept udp -- anywhere 10.10.10.223 udp dpt:58846
logaccept tcp -- anywhere Ubuntu tcp dpt:https
logaccept udp -- anywhere Ubuntu udp dpt:https
logaccept tcp -- anywhere 10.10.10.254 tcp dpt:https
logaccept udp -- anywhere 10.10.10.254 udp dpt:https
logaccept tcp -- anywhere 10.10.10.254 tcp dpt:www
logaccept udp -- anywhere 10.10.10.254 udp dpt:www
logaccept 0 -- anywhere Airave
logaccept 0 -- anywhere anywhere state NEW
logdrop 0 -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DROPasia (14291 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-options ip-options prefix `[asia DROP] : '
DROP 0 -- anywhere anywhere
Chain DROPbirma (5 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-options ip-options prefix `[birma DROP] : '
DROP 0 -- anywhere anywhere
Chain SPAMasia (1 references)
target prot opt source destination
DROPasia 0 -- 112.0.0.0/5 anywhere
root@operator:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
nologdrop 0 -- anywhere anywhere
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
invalid 0 -- anywhere anywhere state INVALID
ACCEPT 0 -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT 0 -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
logdrop icmp -- anywhere anywhere
logdrop igmp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:5060
DROP udp -- anywhere 239.255.255.0/24 udp dpt:upnp
logdrop 0 -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
nologdrop 0 -- anywhere anywhere
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
invalid 0 -- anywhere anywhere state INVALID
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT gre -- 10.10.10.0/24 anywhere
asia tcp -- anywhere anywhere tcp dpts:ftp-data:1024
asia tcp -- anywhere anywhere tcp dpts:5800:5910
asia tcp -- anywhere anywhere tcp dpt:5800
asia tcp -- anywhere anywhere tcp dpt:https
asia tcp -- anywhere anywhere tcp dpt:ftp
asia tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- 10.10.10.0/24 anywhere tcp dpt:1723
logreject tcp -- anywhere anywhere tcp WEBSTR match content 15
logaccept tcp -- anywhere 10.10.10.252 tcp dpt:5900
logaccept udp -- anywhere 10.10.10.252 udp dpt:5900
logaccept tcp -- anywhere 10.10.10.223 tcp dpt:37777
logaccept udp -- anywhere 10.10.10.223 udp dpt:37777
logaccept tcp -- anywhere 10.10.10.223 tcp dpt:58846
logaccept udp -- anywhere 10.10.10.223 udp dpt:58846
logaccept tcp -- anywhere Ubuntu tcp dpt:https
logaccept udp -- anywhere Ubuntu udp dpt:https
logaccept tcp -- anywhere 10.10.10.254 tcp dpt:https
logaccept udp -- anywhere 10.10.10.254 udp dpt:https
logaccept tcp -- anywhere 10.10.10.254 tcp dpt:www
logaccept udp -- anywhere 10.10.10.254 udp dpt:www
logaccept 0 -- anywhere Airave
logaccept 0 -- anywhere anywhere state NEW
logdrop 0 -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DROPasia (14291 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-options ip-options prefix `[asia DROP] : '
DROP 0 -- anywhere anywhere
Chain DROPbirma (5 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-options ip-options prefix `[birma DROP] : '
DROP 0 -- anywhere anywhere
Chain SPAMasia (1 references)
target prot opt source destination
DROPasia 0 -- 112.0.0.0/5 anywhere
DROPasia 0 -- 120.0.0.0/6 anywhere
DROPasia 0 -- 110.0.0.0/7 anywhere
DROPasia 0 -- 124.0.0.0/7 anywhere
DROPasia 0 -- 202.0.0.0/7 anywhere
DROPasia 0 -- 210.0.0.0/7 anywhere
DROPasia 0 -- 218.0.0.0/7 anywhere
DROPasia 0 -- softbank220000000000.bbtec.net/7 anywhere
DROPasia 0 -- 42.0.0.0/7 anywhere
DROPasia 0 -- ppp-net.infoweb.ne.jp/7 anywhere
DROPasia 0 -- 60.0.0.0/7 anywhere
DROPasia 0 -- 1.0.0.0/8 anywhere
DROPasia 0 -- 101.0.0.0/8 anywhere
DROPasia 0 -- softbank126000000000.bbtec.net/8 anywhere
DROPasia 0 -- 133.0.0.0/8 anywhere
DROPasia 0 -- 180.0.0.0/8 anywhere
DROPasia 0 -- 222.0.0.0/8 anywhere
DROPasia 0 -- 25.0.0.0/8 anywhere
DROPasia 0 -- 39.0.0.0/8 anywhere
DROPasia 0 -- 47.0.0.0/8 anywhere
DROPasia 0 -- 53.0.0.0/8 anywhere
DROPasia 0 -- 57.0.0.0/8 anywhere
DROPasia 0 -- 106.128.0.0/9 anywhere
DROPasia 0 -- 153.128.0.0/9 anywhere
DROPasia 0 -- 177.0.0.0/9 anywhere
DROPasia 0 -- 182.128.0.0/9 anywhere
DROPasia 0 -- 183.128.0.0/9 anywhere
DROPasia 0 -- 187.0.0.0/9 anywhere
DROPasia 0 -- ip-189-0-0-0.user.vivozap.com.br/9 anywhere
DROPasia 0 -- 002128000000.mbb.telenor.dk/9 anywhere
DROPasia 0 -- 200.128.0.0/9 anywhere
DROPasia 0 -- 201-0-0-0.dsl.telesp.net.br/9 anywhere
DROPasia 0 -- 223.0.0.0/9 anywhere
DROPasia 0 -- 27.128.0.0/9 anywhere
DROPasia 0 -- 49.0.0.0/9 anywhere
DROPasia 0 -- host86-128-0-0.range86-128.btcentralplus.com/9 anywhere
DROPasia 0 -- AClermont-Ferrand-651-1-49-net.w90-0.abo.wanadoo.fr/9 anywhere
DROPasia 0 -- 106.64.0.0/10 anywhere
DROPasia 0 -- 0.0-128-109.adsl-dyn.isp.belgacom.be/10 anywhere
DROPasia 0 -- 14.128.0.0/10 anywhere
DROPasia 0 -- 150.0.0.0/10 anywhere
DROPasia 0 -- 175.192.0.0/10 anywhere
DROPasia 0 -- 176.128.0.0/10 anywhere
DROPasia 0 -- 182.64.0.0/10 anywhere
DROPasia 0 -- 183.0.0.0/10 anywhere
DROPasia 0 -- 186.192.0.0/10 anywhere
DROPasia 0 -- 189.128.0.0/10 anywhere
DROPasia 0 -- 197.0.0.0/10 anywhere
DROPasia 0 -- 2.64.0.0.mobile.tre.se/10 anywhere
DROPasia 0 -- 223.192.0.0/10 anywhere
DROPasia 0 -- 31.64.0.0/10 anywhere
DROPasia 0 -- 36.128.0.0/10 anywhere
DROPasia 0 -- 36.64.0.0/10 anywhere
DROPasia 0 -- pa49-192-0-0.pa.vic.optusnet.com.au/10 anywhere
DROPasia 0 -- 77.128.0.0/10 anywhere
root@operator:~#
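Added example, not part of any post in this thread: the insert positions used in the firewall commands (`-I FORWARD 2`, `-I FORWARD 3`) decide which rules a packet meets before the `asia` jump. This sketch parses plain `iptables -L` text and lists the earlier terminating rules that can match TCP; `sample_listing` is constructed (abridged from the FORWARD chain posted above) and `rules_before_jump` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: locate the first jump to a chain in `iptables -L` output and
# list the terminating rules (ACCEPT/DROP/REJECT) that sit ahead of it.

# Constructed sample, abridged from the FORWARD chain listing posted above.
sample_listing() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
nologdrop 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT gre -- 10.10.10.0/24 anywhere
asia tcp -- anywhere anywhere tcp dpts:ftp-data:1024
logaccept tcp -- anywhere 10.10.10.254 tcp dpt:www
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
EOF
}

# rules_before_jump CHAIN TARGET   (reads plain `iptables -L` text on stdin)
# Prints one "before <n> <rule>" line per earlier terminating rule whose
# protocol column can match TCP, then "jump <n>" for the first rule in CHAIN
# that jumps to TARGET, or "jump none" if CHAIN has no such rule.
rules_before_jump() {
    awk -v chain="$1" -v tgt="$2" '
        $1 == "Chain" { in_chain = ($2 == chain); n = 0; next }
        !in_chain || $1 == "target" || NF == 0 { next }
        { n++ }
        $1 == tgt { print "jump " n; found = 1; exit }
        ($1 == "ACCEPT" || $1 == "DROP" || $1 == "REJECT") &&
        ($2 == "0" || $2 == "all" || $2 == "tcp") { print "before " n " " $0 }
        END { if (!found) print "jump none" }
    '
}

# Stand-alone run on the constructed sample.
sample_listing | rules_before_jump FORWARD asia
```

Plain `iptables -L` hides the interface columns, so a flagged `ACCEPT 0 -- anywhere anywhere` may be bound to one interface; `iptables -L FORWARD -v -n --line-numbers` shows the in/out interfaces and the per-rule packet counters, which tell whether the `asia` jump is ever reached.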
barryware DD-WRT Guru Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Thu Jan 05, 2012 13:47 Post subject:
frater gave me this some time ago when he was helping me debug asiablock.
as you can see, the order of things in the command line is diff. I am also blocking everything, not just specific ports. Frater also warned me about this due to the load it will put on the router.
wanf=`nvram get wan_iface`
iptables -I INPUT 2 -p tcp -i $wanf -j asia
iptables -I FORWARD 1 -i $wanf -j asia
_________________
[Moderator Deleted]