Optware Question - Updating packages & asiablock

GH0
DD-WRT User


Joined: 05 Dec 2008
Posts: 249

Posted: Mon Dec 26, 2011 3:18    Post subject: Optware Question - Updating packages & asiablock
Quote:
login as: root
DD-WRT v24-sp2 mega (c) 2011 NewMedia-NET GmbH
Release: 12/20/11 (SVN revision: 18024)
Enhanced with OTRW

Router Model Linksys WRT350N



Is there a list of commands to update single packages?

Currently I noticed this when updating optware:
Quote:

Successfully terminated.
Package siproxd (0.8.0+06May2011-1) installed in /opt/ is up to date.
Nothing to be done
Successfully terminated.
/opt/usr/sbin/pixelserv: Text file busy
--2011-12-25 22:15:08-- http://wd.mirmana.com/S95watchprinter
Resolving wd.mirmana.com... 212.123.145.69
Connecting to wd.mirmana.com|212.123.145.69|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 871 [application/octet-stream]
Saving to: `/opt/etc/init.d/S95watchprinter'

100%[======================================>] 871 --.-K/s in 0.003s

2011-12-25 22:15:08 (273 KB/s) - `/opt/etc/init.d/S95watchprinter' saved [871/871]


And I want to make sure that that service is updated after I am done.

I have been noticing that asiablock is not working correctly and not blocking access to my webserver for any country listed in the spam list for asiablock. I have tried several proxies and they all seem to allow access to my webserver.

Optware was working fine before I went to go update to 18024, now I can't seem to get it working.

Could anyone help me resolve this issue?

I also seem to be getting this message every time I go to change the state of the asiablock service:

sh: /tmp/etc/config/asia.prewall: Permission denied

If I manually run the sh script, it doesn't give me a permission denied error, and I get the following results:
http://pastebin.com/SR2sphzG

However, asiablock still fails to work afterwards. A Brazilian proxy still allows me access to my webserver.

My current firewall script is below:
Quote:

wanf=`nvram get wan_iface`
iptables -I INPUT 2 -p tcp -i $wanf --dport 1:1024 -j asia
iptables -I INPUT 3 -p tcp -i $wanf --dport 5900:5910 -j asia
iptables -I INPUT 4 -p tcp -i $wanf --dport 5800 -j asia
iptables -I FORWARD 3 -i $wanf -p tcp --dport 1:1024 -j asia
iptables -I FORWARD 4 -i $wanf -p tcp --dport 5900:5910 -j asia
iptables -I FORWARD 5 -p tcp -i $wanf --dport 5800 -j asia
zoomlink
DD-WRT User


Joined: 08 May 2011
Posts: 221

Posted: Mon Dec 26, 2011 5:52
Please go to /opt/etc and make sure all iptable scripts, i.e. iptables.birma, iptables.asia, etc., all have the following as the first line:

#!/bin/sh

If that does not work, try

#!/opt/bin/bash

And give it another try.

Keep in mind that it may be necessary to disable the service linked to the iptable script before editing the script.

For example, do a service asiablock stop before you go and edit iptables.asia.
basmaf
DD-WRT Guru


Joined: 24 Feb 2011
Posts: 1074

Posted: Mon Dec 26, 2011 10:27
Changes in busybox require a change in the scripts.

Believe it's discussed somewhere in the optware thread; can't recall who provided the fix.

Stop asiablock
cd into /opt/etc
Delete iptables.asia & iptables.asia.rules

You need to edit /opt/etc/init.d/S95asiablock

Edit the following line:
Code:
echo -e "# bof" >${SPAMfilepath}

into:
Code:
echo -e "#!/bin/sh" >${SPAMfilepath}
echo -e "# bof" >>${SPAMfilepath}


Start asiablock.

BM..
GH0
DD-WRT User


Joined: 05 Dec 2008
Posts: 249

Posted: Mon Dec 26, 2011 14:25
That did resolve the permission issue on the shell script, however, I don't believe that the firewall is actively working, as I am testing the webserver with my VPS in Canada, and I am still able to access the service.

This is what it is doing from time to time:



You notice that it works fine one time (in that the connection fails), however, then asiablock begins to fail and allows connections to pass through.

This was tested on a Canadian IP Address, and a UK IP Address. Both of which are blocked.
zoomlink
DD-WRT User


Joined: 08 May 2011
Posts: 221

Posted: Mon Dec 26, 2011 16:54
Ok Basmaf has the more permanent and elegant fix. I was on a bit too much eggnog.

Please make sure you have Stophammer and Stophack enabled as well.

Since I poked around on this.... even after editing the S95asiablock script, when I issue the command 'service asiablock stop' I still get this:

sh: /tmp/etc/config/asia.prewall: Permission denied

Basmaf, do you have any idea on why I still get this permission denied error?
GH0
DD-WRT User


Joined: 05 Dec 2008
Posts: 249

Posted: Mon Dec 26, 2011 17:42
zoomlink wrote:
Ok Basmaf has the more permanent and elegant fix. I was on a bit too much eggnog.

Please make sure you have Stophammer and Stophack enabled as well.

Since I poked around on this.... even after editing the S95asiablock script, when I issue the command 'service asiablock stop' I still get this:

sh: /tmp/etc/config/asia.prewall: Permission denied

Basmaf, do you have any idea on why I still get this permission denied error?


Stophack and stophammer are both enabled:
Code:

root@operator:~# service
Service:                 named (/opt/etc/init.d/S09named) disabled
Service:                xinetd (/opt/etc/init.d/S10xinetd)
Service:              usbmount (/opt/etc/init.d/S30usbmount) disabled
Service:             automount (/opt/etc/init.d/S35automount)
Service:          reloc_syslog (/opt/etc/init.d/S40relocate_syslog) disabled
Service:             pixelserv (/opt/etc/init.d/S45pixelserv)
Service:               portmap (/opt/etc/init.d/S55portmap) disabled
Service:                 unfsd (/opt/etc/init.d/S56unfsd) disabled
Service:                zabbix (/opt/etc/init.d/S70zabbix) disabled
Service:              lighttpd (/opt/etc/init.d/S80lighttpd) disabled
Service:                 pound (/opt/etc/init.d/S80pound) disabled
Service:                 samba (/opt/etc/init.d/S80samba) disabled
Service:             vlighttpd (/opt/etc/init.d/S80vlighttpd) disabled
Service:                  kaid (/opt/etc/init.d/S85kaid) disabled
Service:              asterisk (/opt/etc/init.d/S90asterisk) disabled
Service:                nzbget (/opt/etc/init.d/S90nzbget) disabled
Service:          transmission (/opt/etc/init.d/S90transmission) disabled
Service:             fixtables (/opt/etc/init.d/S94fixtables)
Service:            stophammer (/opt/etc/init.d/S94stophammer)
Service:             asiablock (/opt/etc/init.d/S95asiablock)
Service:            birmablock (/opt/etc/init.d/S95birmablock)
Service:                twonky (/opt/etc/init.d/S95twonky) disabled
Service:          watchprinter (/opt/etc/init.d/S95watchprinter) disabled
Service:            worldblock (/opt/etc/init.d/S95worldblock) disabled
Service:               siproxd (/opt/etc/init.d/S98siproxd) disabled
Service:              stophack (/opt/etc/init.d/S98stophack)
GH0
DD-WRT User


Joined: 05 Dec 2008
Posts: 249

Posted: Tue Dec 27, 2011 7:02
Bump. Would like to figure out what has changed since going from the older version of optware package to this new version, to the point that it won't filter correctly anymore.
basmaf
DD-WRT Guru


Joined: 24 Feb 2011
Posts: 1074

Posted: Tue Dec 27, 2011 8:48
zoomlink wrote:
Basmaf, do you have any idea on why I still get this permission denied error?


Did you reboot?
Will check the script tonight
GH0
DD-WRT User


Joined: 05 Dec 2008
Posts: 249

Posted: Wed Dec 28, 2011 6:44
basmaf wrote:
zoomlink wrote:
Basmaf, do you have any idea on why I still get this permission denied error?


Did you reboot?
Will check the script tonight

I rebooted the router a couple times, waiting about 30 minutes between test & reboots
GH0
DD-WRT User


Joined: 05 Dec 2008
Posts: 249

Posted: Sun Jan 01, 2012 4:01
Bump, would really like some help in getting asiablock to work properly.
hannibal_bill
DD-WRT Novice


Joined: 18 Dec 2010
Posts: 20

Posted: Sun Jan 01, 2012 9:30
A wise man once said:

frater wrote:
INPUT is for controlling traffic going to the router itself. FORWARD is for traffic passing the router (incoming & outgoing)

The INPUT chain is ONLY for services that RUN on DD-WRT.


so if your web server is on your lan and also ports 5800:5910 are forwarded to your lan, what about this:
Code:
wanf=`nvram get wan_iface`
iptables -I INPUT 2 -i $wanf -p tcp --dport 20:1024 -j asia
iptables -I FORWARD 2 -i $wanf -p tcp --dport 20:1024 -j asia
iptables -I FORWARD 2 -i $wanf -p tcp --dport 5800:5910 -j asia


that input rule is unnecessary if you are not running services on ddwrt on ports 20-1024...

_________________
Asus WL-500W
eko dd-wrt.v24-17084_NEWD-2_big + OTRW
GH0
DD-WRT User


Joined: 05 Dec 2008
Posts: 249

Posted: Tue Jan 03, 2012 0:51
What I have shouldn't completely ignore one or the other though, if it is set up how it is.

It should loosen the load on the router, yes, however I don't see how that will prevent it from blocking things if my current firewall rule hasn't worked at all.
GH0
DD-WRT User


Joined: 05 Dec 2008
Posts: 249

Posted: Wed Jan 04, 2012 2:48
Bump

Tried the above firewall command, but it is still failing to block services.
GH0
DD-WRT User


Joined: 05 Dec 2008
Posts: 249

Posted: Thu Jan 05, 2012 1:49
Bump.

Still need some assistance in getting asiablock to work correctly.

I know that the IPTables are being loaded:
Code:

root@operator:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
nologdrop  0    --  anywhere             anywhere
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
invalid    0    --  anywhere             anywhere            state INVALID
ACCEPT     0    --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp dpt:route
ACCEPT     0    --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp dpt:route
ACCEPT     udp  --  anywhere             anywhere            udp dpt:route
logdrop    icmp --  anywhere             anywhere
logdrop    igmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:5060
DROP       udp  --  anywhere             239.255.255.0/24    udp dpt:upnp
logdrop    0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
lan2wan    0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
nologdrop  0    --  anywhere             anywhere
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
invalid    0    --  anywhere             anywhere            state INVALID
ACCEPT     0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere
ACCEPT     gre  --  10.10.10.0/24        anywhere
asia       tcp  --  anywhere             anywhere            tcp dpts:ftp-data:1024
asia       tcp  --  anywhere             anywhere            tcp dpts:5800:5910
asia       tcp  --  anywhere             anywhere            tcp dpt:5800
asia       tcp  --  anywhere             anywhere            tcp dpt:https
asia       tcp  --  anywhere             anywhere            tcp dpt:ftp
asia       tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  10.10.10.0/24        anywhere            tcp dpt:1723
logreject  tcp  --  anywhere             anywhere            tcp WEBSTR match content 15
logaccept  tcp  --  anywhere             10.10.10.252        tcp dpt:5900
logaccept  udp  --  anywhere             10.10.10.252        udp dpt:5900
logaccept  tcp  --  anywhere             10.10.10.223        tcp dpt:37777
logaccept  udp  --  anywhere             10.10.10.223        udp dpt:37777
logaccept  tcp  --  anywhere             10.10.10.223        tcp dpt:58846
logaccept  udp  --  anywhere             10.10.10.223        udp dpt:58846
logaccept  tcp  --  anywhere             Ubuntu              tcp dpt:https
logaccept  udp  --  anywhere             Ubuntu              udp dpt:https
logaccept  tcp  --  anywhere             10.10.10.254        tcp dpt:https
logaccept  udp  --  anywhere             10.10.10.254        udp dpt:https
logaccept  tcp  --  anywhere             10.10.10.254        tcp dpt:www
logaccept  udp  --  anywhere             10.10.10.254        udp dpt:www
logaccept  0    --  anywhere             Airave
logaccept  0    --  anywhere             anywhere            state NEW
logdrop    0    --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DROPasia (14291 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level warning tcp-options ip-options prefix `[asia DROP] : '
DROP       0    --  anywhere             anywhere

Chain DROPbirma (5 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level warning tcp-options ip-options prefix `[birma DROP] : '
DROP       0    --  anywhere             anywhere

Chain SPAMasia (1 references)
target     prot opt source               destination
DROPasia   0    --  112.0.0.0/5          anywhere
DROPasia   0    --  120.0.0.0/6          anywhere
DROPasia   0    --  110.0.0.0/7          anywhere
DROPasia   0    --  124.0.0.0/7          anywhere
DROPasia   0    --  202.0.0.0/7          anywhere
DROPasia   0    --  210.0.0.0/7          anywhere
DROPasia   0    --  218.0.0.0/7          anywhere
DROPasia   0    --  softbank220000000000.bbtec.net/7  anywhere
DROPasia   0    --  42.0.0.0/7           anywhere
DROPasia   0    --  ppp-net.infoweb.ne.jp/7  anywhere
DROPasia   0    --  60.0.0.0/7           anywhere
DROPasia   0    --  1.0.0.0/8            anywhere
DROPasia   0    --  101.0.0.0/8          anywhere
DROPasia   0    --  softbank126000000000.bbtec.net/8  anywhere
DROPasia   0    --  133.0.0.0/8          anywhere
DROPasia   0    --  180.0.0.0/8          anywhere
DROPasia   0    --  222.0.0.0/8          anywhere
DROPasia   0    --  25.0.0.0/8           anywhere
DROPasia   0    --  39.0.0.0/8           anywhere
DROPasia   0    --  47.0.0.0/8           anywhere
DROPasia   0    --  53.0.0.0/8           anywhere
DROPasia   0    --  57.0.0.0/8           anywhere
DROPasia   0    --  106.128.0.0/9        anywhere
DROPasia   0    --  153.128.0.0/9        anywhere
DROPasia   0    --  177.0.0.0/9          anywhere
DROPasia   0    --  182.128.0.0/9        anywhere
DROPasia   0    --  183.128.0.0/9        anywhere
DROPasia   0    --  187.0.0.0/9          anywhere
DROPasia   0    --  ip-189-0-0-0.user.vivozap.com.br/9  anywhere
DROPasia   0    --  002128000000.mbb.telenor.dk/9  anywhere
DROPasia   0    --  200.128.0.0/9        anywhere
DROPasia   0    --  201-0-0-0.dsl.telesp.net.br/9  anywhere
DROPasia   0    --  223.0.0.0/9          anywhere
DROPasia   0    --  27.128.0.0/9         anywhere
DROPasia   0    --  49.0.0.0/9           anywhere
DROPasia   0    --  host86-128-0-0.range86-128.btcentralplus.com/9  anywhere
DROPasia   0    --  AClermont-Ferrand-651-1-49-net.w90-0.abo.wanadoo.fr/9  anywhere
DROPasia   0    --  106.64.0.0/10        anywhere
DROPasia   0    --  0.0-128-109.adsl-dyn.isp.belgacom.be/10  anywhere
DROPasia   0    --  14.128.0.0/10        anywhere
DROPasia   0    --  150.0.0.0/10         anywhere
DROPasia   0    --  175.192.0.0/10       anywhere
DROPasia   0    --  176.128.0.0/10       anywhere
DROPasia   0    --  182.64.0.0/10        anywhere
DROPasia   0    --  183.0.0.0/10         anywhere
DROPasia   0    --  186.192.0.0/10       anywhere
DROPasia   0    --  189.128.0.0/10       anywhere
DROPasia   0    --  197.0.0.0/10         anywhere
DROPasia   0    --  2.64.0.0.mobile.tre.se/10  anywhere
DROPasia   0    --  223.192.0.0/10       anywhere
DROPasia   0    --  31.64.0.0/10         anywhere
DROPasia   0    --  36.128.0.0/10        anywhere
DROPasia   0    --  36.64.0.0/10         anywhere
DROPasia   0    --  pa49-192-0-0.pa.vic.optusnet.com.au/10  anywhere
DROPasia   0    --  77.128.0.0/10        anywhere

root@operator:~#
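
Added example, not part of any post in this thread: `iptables -L` without `-v` hides the in/out interface columns and without `-n` reverse-resolves addresses (hence the hostnames in the listing above), so rule order is easier to audit from `iptables -L FORWARD -n -v --line-numbers`. The script below parses such a listing (the sample is constructed, and `vlan2` as the WAN interface is an assumption) and reports where the first jump to the block chain sits, its packet counter, and any unconditional ACCEPT that WAN traffic reaches first.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the output of
#   iptables -L FORWARD -n -v --line-numbers
# on stdin. Columns: num pkts bytes target prot opt in out source destination

# Constructed sample listing; vlan2 as the WAN interface is an assumption.
sample_forward() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      812 90110 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2       40  2400 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
3       17  1020 ACCEPT     0    --  vlan2  *       0.0.0.0/0            0.0.0.0/0
4        0     0 asia       tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           tcp dpts:20:1024
5        0     0 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# usage: audit_chain WAN_IFACE BLOCK_CHAIN < listing
audit_chain() {
    awk -v wan="$1" -v blk="$2" '
        $1 !~ /^[0-9]+$/ { next }              # skip the two header lines
        { from_wan = ($7 == wan || $7 == "*") }

        # First jump into the block chain that WAN packets can reach.
        # A packet counter of 0 means nothing has matched this rule yet.
        !jump && $4 == blk && from_wan { jump = $1; hits = $2; next }

        # An ACCEPT with no extra match (exactly 10 columns, any source and
        # destination) ends traversal for WAN packets before the jump.
        !jump && $4 == "ACCEPT" && from_wan && NF == 10 &&
            $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" { early = early " " $1 }

        END {
            if (!jump) { print "no-jump"; exit }
            printf "jump=%s pkts=%s accept_before=%s\n",
                   jump, hits, (early ? substr(early, 2) : "none")
        }'
}

sample_forward | audit_chain vlan2 asia
# -> jump=4 pkts=0 accept_before=3
```

On the router the same function can be fed live data with `iptables -L FORWARD -n -v --line-numbers | audit_chain "$(nvram get wan_iface)" asia`.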
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13049
Location: Behind The Reset Button

Posted: Thu Jan 05, 2012 13:47
frater gave me this some time ago when he was helping me debug asiablock.

as you can see, the order of things in the command line is diff. I am also blocking everything, not just specific ports. Frater also warned me about this due to the load it will put on the router.

wanf=`nvram get wan_iface`
iptables -I INPUT 2 -p tcp -i $wanf -j asia
iptables -I FORWARD 1 -i $wanf -j asia

_________________
[Moderator Deleted] Shocked