
P2Partisan [v5.14/v6.09] mass IP blocking - peerblock/peerguardian for tomato

Discussion in 'Tomato Firmware' started by rs232, Oct 11, 2013.

  1. rs232

    rs232 Network Guru Member

    Dude, you keep asking the same questions... and you're going to get the same answers!
    There's a great guide in the original post. I wrote it, so it must be amazing :)
    Just follow it.

    Actually, follow the uninstall first, then the fresh installation, and you're good to go.
     
  2. Spektrat

    Spektrat Reformed Router Member

    Thanks!
    I have read the first post and most of the following. I really can't find the latest version though.
    I will scroll through again.

    Martin
     
  3. The Master

    The Master Network Guru Member

    New installation:
    Change the INSTALLDIR variable only (second line), of the following script (I'll use /cifs1/ in this example):
    5.x:
    Code:
    #Where should I create the p2partisan directory?
    INSTALLDIR=/cifs1
    #End of configuration ########
    # abort if the install directory is missing, so the rm below never runs somewhere else
    cd "$INSTALLDIR" || exit 1
    rm -fR p2partisan
    mkdir p2partisan
    cd p2partisan || exit 1
    PWD=`pwd`
    # get the script
    wget "http://pastebin.com/raw.php?i=eDgM0S5i" -O p2partisan.sh
    # point the script at the real install path, then strip CR line endings
    sed "s#/cifs1/p2partisan#$PWD#g" -i ./p2partisan.sh
    tr -d "\r" < ./p2partisan.sh > ./.temp ; mv ./.temp ./p2partisan.sh
    # get the blacklists
    wget "http://pastebin.com/raw.php?i=ARx7NAYz" -O blacklists
    tr -d "\r" < ./blacklists > ./.temp ; mv ./.temp ./blacklists
    # get the blacklist-custom
    wget "http://pastebin.com/raw.php?i=2xkwzR1A" -O blacklist-custom
    tr -d "\r" < ./blacklist-custom > ./.temp ; mv ./.temp ./blacklist-custom
    # get the whitelists
    wget "http://pastebin.com/raw.php?i=eb0V3YLp" -O whitelist
    tr -d "\r" < ./whitelist > ./.temp ; mv ./.temp ./whitelist

    6.x:
    Code:
    #Where should I create the p2partisan directory?
    INSTALLDIR=/cifs1
    #End of configuration ########
    # abort if the install directory is missing, so the rm below never runs somewhere else
    cd "$INSTALLDIR" || exit 1
    rm -fR p2partisan
    mkdir p2partisan
    cd p2partisan || exit 1
    PWD=`pwd`
    # get the script
    wget "http://pastebin.com/raw.php?i=mUeS6jP2" -O p2partisan.sh
    # point the script at the real install path, then strip CR line endings
    sed "s#/cifs1/p2partisan#$PWD#g" -i ./p2partisan.sh
    tr -d "\r" < ./p2partisan.sh > ./.temp ; mv ./.temp ./p2partisan.sh
    # get the blacklists
    wget "http://pastebin.com/raw.php?i=ARx7NAYz" -O blacklists
    tr -d "\r" < ./blacklists > ./.temp ; mv ./.temp ./blacklists
    # get the blacklist-custom
    wget "http://pastebin.com/raw.php?i=2xkwzR1A" -O blacklist-custom
    tr -d "\r" < ./blacklist-custom > ./.temp ; mv ./.temp ./blacklist-custom
    # get the whitelists
    wget "http://pastebin.com/raw.php?i=eb0V3YLp" -O whitelist
    tr -d "\r" < ./whitelist > ./.temp ; mv ./.temp ./whitelist
    # get the greylists
    wget "http://pastebin.com/raw.php?i=Q9NrpXYu" -O greylist
    tr -d "\r" < ./greylist > ./.temp ; mv ./.temp ./greylist
    # set permissions last, so the greylist downloaded above is covered too
    chmod -R 777 "$INSTALLDIR/p2partisan"

    - Line 7 in p2partisan.sh should be automatically adjusted to your custom path but double check for your peace of mind
    - You might want to have a look at the other parameters set at the beginning of the file just to make sure you're happy with them
    - Edit the whiteports_tcp & whiteports_udp if needed
    - Edit the greyports_tcp & greyports_udp if needed
    - Edit the blacklists file if needed
    - Edit the blacklist-custom if needed
    - Edit the whitelist file if needed

    </INSTALLATION>
     
  4. JesseWV

    JesseWV New Member Member

    I'm trying to change the log file location to be in the p2partisan directory, but even when I change it in p2partisan.sh it still ends up in /var/log/messages.

    Here's the line in p2partisan.sh:

    Code:
    logfile="/jffs/p2partisan/messages.log"
    What gives?
     
  5. WaLLy3K

    WaLLy3K Serious Server Member

    I haven't looked into this myself, but I suspect P2Partisan makes extensive use of the "logger" app, which prints lines directly to syslog.
     
  6. rs232

    rs232 Network Guru Member

    The variable you're referring to is found after the user configuration part and you shouldn't touch it unless you know what you're doing (e.g. rewriting entire parts of the P2Partisan script).

    Having said that: Are you trying to move your system logfile or just the P2Partisan logs?

    In the first case you need to go via the GUI Administration/Logging/Custom Log File Path and P2Partisan will detect that automatically.

    In the second case this is not possible, as P2Partisan only reads the logfile that iptables writes into. It appears that in busybox you cannot split the log levels into different facilities (i.e. it all goes into the system syslog). Unless somebody has a workaround for this limitation, this is the way it will stay.

    HTH
    rs232

    P.S. Storing any log into JFFS is a bad idea in general.
     
    Last edited: Feb 4, 2016
  7. swtorplayer

    swtorplayer New Member Member

    Pardon me, but where do I run these commands to setup P2Partisan?
    I managed to create a folder, a user account specifically for CIFS (Windows 7) and enable mounting of CIFS on my RT-AC66U.
    What's next? I am familiar with the commands for cd, rm, makedir, etc but what about wget?

    Any help would be appreciated.
     
  8. rs232

    rs232 Network Guru Member

    Just read the first post, it's all in there. You need to create no folder.
    For the RT-AC66U you need version 6.x.
    Adjust the INSTALLDIR variable (if needed at all!):
    Code:
    #Where should I create the p2partisan directory?
    INSTALLDIR=/cifs1
    and paste the whole block of commands into an SSH session or via the GUI under Tools/System Commands. That's all.
     
  9. phuklok1

    phuklok1 Network Guru Member

    I apologize if I may have missed it scanning through this thread, but does this script provide the ability to inject a status tab into the main GUI? That is one nice non-core feature of the "Clean, Lean and Mean Adblocking" script. It is particularly useful when you are not at a desktop. The ability to get a status or make a quick addition to a black or white list via the GUI when you may be on a mobile device is a luxury, but works well.

    Awesome, well done project! Thanks for all the time and effort you've put into this!
     
  10. rs232

    rs232 Network Guru Member

    If you're referring to a web GUI, it's not available yet, but it is something on the roadmap for the future.
     
  11. skupi

    skupi Networkin' Nut Member

    I tried many times and read all pages of the discussion, but I am still not sure whether it works or not.

    On status I get:

    Code:
    root@unknown:/opt/p2partisan# ./p2partisan.sh status

    +------------------------- P2Partisan --------------------------+
    |            _______ __          __
    |           |     __|  |_.---.-.|  |_.--.--.-----.
    |           |__     |   _|  _  ||   _|  |  |__ --|
    |           |_______|____|___._||____|_____|_____|
    |
    | Release version:  v6.05 (29/10/2015)
    +---------------------------------------------------------------+
    |         Running:  Yes
    |         Autorun:  Yes
    |           Tutor:  Yes / 0 problems in the last 24h
    |        Debugger:  Off
    | Partisan uptime:  0 - 00:24:21
    |    Startup time:  21 seconds
    |      Dropped in:  49
    |    Rejected out:  0
    +---------------------------------------------------------------+
    |       Black IPs:  0
    |        Grey IPs:  0
    |       White IPs:  0
    |  TransmissionBT:  Not available
    |  Grey ports TCP:  5678
    |  Grey ports UDP:  5678
    | White ports TCP:  80,443,3658,8080
    | White ports UDP:  1194:1197,53,123,1723,3658,67,68
    |    Blacklist_01:  [o] [e] [o] [o] - 4748 KB - level1
    |                    ^   ^   ^   ^
    |      maxload: 2 - pri sec cid ipt - [e]mpty [l]oading l[o]aded [p]artial [q]ueued
    |    Consumed RAM:  4756 KB
    +----------------------- Logs max(3/hour) ----------------------+


    +---------------------------------------------------------------+

    After debug-display:

    Code:
    root@unknown:/opt/p2partisan# ./p2partisan.sh debug-display

    +------------------------- P2Partisan --------------------------+
    _____ __ __ __ __
    | \.-----.| |--.--.--.-----.______.--| |__|.-----.-----.| |.---.-.--.--.
    | -- | -__|| _ | | | _ |______| _ | ||__ --| _ || || _ | | |
    |_____/|_____||_____|_____|___ | |_____|__||_____| __||__||___._|___ |
    |_____| |__| |_____|

    +---------------------------------------------------------------+
    | p2partisan.sh debug-display      Displays in & outbound debug logs
    | p2partisan.sh debug-display in   Displays inbound debug logs only
    | p2partisan.sh debug-display out  Displays outbound debug logs only
    +-------------------------- Drop Logs --------------------------+
    ./p2partisan.sh: line 1805: arithmetic syntax error
    ./p2partisan.sh: line 1805: arithmetic syntax error
    ./p2partisan.sh: line 1805: arithmetic syntax error
    ./p2partisan.sh: line 1805: arithmetic syntax error
    printf: invalid number ''
    printf: invalid number ''
    printf: invalid number ''
    head: ./iptables-debug-del: No such file or directory
    ./p2partisan.sh: line 1805: arithmetic syntax error
    ./p2partisan.sh: line 1805: arithmetic syntax error
    printf: invalid number ''
    ./p2partisan.sh: line 1805: arithmetic syntax error
    +----------------------- INPUT & OUTPUT ------------------------+
    +----------------------- INPUT & OUTPUT ------------------------+
    +---------------------------------------------------------------+

    And I am not sure what is blocked :/
     
  12. rs232

    rs232 Network Guru Member

    Have you actually enabled debug before using the debug-display function?
     
  13. skupi

    skupi Networkin' Nut Member

    Yep, you are right, but still no logs about dropped?

    Code:
    root@unknown:/opt/p2partisan# ./p2partisan.sh status

    +------------------------- P2Partisan --------------------------+
    |            _______ __          __
    |           |     __|  |_.---.-.|  |_.--.--.-----.
    |           |__     |   _|  _  ||   _|  |  |__ --|
    |           |_______|____|___._||____|_____|_____|
    |
    | Release version:  v6.05 (29/10/2015)
    +---------------------------------------------------------------+
    |         Running:  Yes
    |         Autorun:  Yes
    |           Tutor:  Yes / 0 problems in the last 24h
    |        Debugger:  On IP 192.168.0.101 running for 00:05:33 /15 min (00:09:27 left)
    | Partisan uptime:  0 - 13:24:37
    |    Startup time:  21 seconds
    |      Dropped in:  1609
    |    Rejected out:  0
    +---------------------------------------------------------------+
    |       Black IPs:  0
    |        Grey IPs:  0
    |       White IPs:  0
    |  TransmissionBT:  Not available
    |  Grey ports TCP:  5678
    |  Grey ports UDP:  5678
    | White ports TCP:  80,443,3658,8080
    | White ports UDP:  1194:1197,53,123,1723,3658,67,68
    |    Blacklist_01:  [o] [e] [o] [o] - 4748 KB - level1
    |                    ^   ^   ^   ^
    |      maxload: 2 - pri sec cid ipt - [e]mpty [l]oading l[o]aded [p]artial [q]ueued
    |    Consumed RAM:  4756 KB
    +----------------------- Logs max(3/hour) ----------------------+


    +---------------------------------------------------------------+

    How can I check what is dropped?
     
  14. rs232

    rs232 Network Guru Member

    What's the output of:
    Code:
    head -70 ./p2partisan.sh | grep -Ev ^#
    Also where are you running p2partisan? HW and SW please.
     
  15. skupi

    skupi Networkin' Nut Member

    Code:
    P2Partisandir=/opt/p2partisan
    syslogs=1
    maxloghour=3
    whiteports_tcp=80,443,3658,8080
    whiteports_udp=53,123,1194:1197,1723,3658
    greyports_tcp=5678
    greyports_udp=5678
    greyline=100
    scheduleupdates="1,6"
    maxconcurrentlistload=2
    autorun_availability_check=1
    testip=8.8.8.8

    I see now that I have dropped only network discovery:

    Code:
    root@unknown:/opt/p2partisan# ./p2partisan.sh status

    +------------------------- P2Partisan --------------------------+
    |            _______ __          __
    |           |     __|  |_.---.-.|  |_.--.--.-----.
    |           |__     |   _|  _  ||   _|  |  |__ --|
    |           |_______|____|___._||____|_____|_____|
    |
    | Release version:  v6.05 (29/10/2015)
    +---------------------------------------------------------------+
    |         Running:  Yes
    |         Autorun:  Yes
    |           Tutor:  Yes / 0 problems in the last 24h
    |        Debugger:  Off
    | Partisan uptime:  0 - 00:16:24
    |    Startup time:  29 seconds
    |      Dropped in:  33
    |    Rejected out:  0
    +---------------------------------------------------------------+
    |       Black IPs:  1
    |        Grey IPs:  0
    |       White IPs:  0
    |  TransmissionBT:  Not available
    |  Grey ports TCP:  5678
    |  Grey ports UDP:  5678
    | White ports TCP:  80,443,3658,8080
    | White ports UDP:  1194:1197,53,123,1723,3658,67,68
    |    Blacklist_01:  [o] [e] [o] [o] - 4745 KB - level1
    |                    ^   ^   ^   ^
    |      maxload: 2 - pri sec cid ipt - [e]mpty [l]oading l[o]aded [p]artial [q]ueued
    |    Consumed RAM:  4753 KB
    +----------------------- Logs max(3/hour) ----------------------+
    | Mar 23 09:42:52 I=vlan2 O= S=0.0.0.0 D=255.255.255.255 UDP S=5678 D=5678

    +---------------------------------------------------------------+
     
  16. rs232

    rs232 Network Guru Member

    It seems to me that you're not generating much p2p traffic:

    Code:
    | Dropped in: 33
    | Rejected out: 0

    Also are you running peerblock/guardian on the client at the very same time?
     
  17. skupi

    skupi Networkin' Nut Member

    I am using Deluge on Ubuntu; it also has a blocklist, but there are no options to verify what it does. I want to check whether it is working :) to be sure that if my brother starts using p2p it will work.
     
  18. rs232

    rs232 Network Guru Member

    So if that's the case, supposing you have something blocking the very same list on the client, you'll never see "Rejected out". That's expected, as your client will never generate connections to blacklisted IPs.
     
  19. Bird333

    Bird333 Network Guru Member

    Can you add some kind of check to make sure all the iptables rules are added for all of the lists? When I rebooted the 'level1' iptables rules were not set. That is the main list that I use.
     
  20. rs232

    rs232 Network Guru Member

    It's already there (line 882) and run by the tutor hourly:

    Code:
    elif [[ $running3 -eq "0" ]] && [[ $running4 -eq "1" ]]; then
            plog "P2Partisan tutor had to restart due to: iptables instructions missing"
            pforcestop
            pstart
    even though... it currently checks the INPUT table only, and it might not be enough.

    Also the status page should tell you:

    Code:
    +------------------------- P2Partisan --------------------------+
    |            _______ __          __
    |           |     __|  |_.---.-.|  |_.--.--.-----.
    |           |__     |   _|  _  ||   _|  |  |__ --|
    |           |_______|____|___._||____|_____|_____|
    |
    | Release version:  v6.05 (29/10/2015)
    +---------------------------------------------------------------+
    |         Running:  Yes
    |         Autorun:  Yes
    |           Tutor:  Yes / 0 problems in the last 24h
    |        Debugger:  Off
    | Partisan uptime:  7 - 10:08:32
    |    Startup time:  26 seconds
    |      Dropped in:  96857
    |    Rejected out:  52325
    +---------------------------------------------------------------+
    |       Black IPs:  3
    |        Grey IPs:  0
    |       White IPs:  0
    |  TransmissionBT:  Off
    |  Grey ports TCP:  22008,22002,22003
    |  Grey ports UDP:  22008,22002,22003
    | White ports TCP:  4000:4200,5730:5739,6665:6670,8800:8899,27000:27050
    | White ports TCP:  25,43,44,80,443,465,993,3658,4380,8080,14020
    | White ports UDP:  1194:1197,4000:4200,5730:5739,6665:6670,8800:8899,27000:27050
    | White ports UDP:  44,53,123,3658,4380,14020,67,68
    |    Blacklist_01:  [o] [e] [o] [o] - 4738 KB - level1
    |    Blacklist_02:  [o] [e] [o] [o] - 1358 KB - level2
    |    Blacklist_03:  [o] [e] [o] [o] -  729 KB - edu
    |    Blacklist_04:  [o] [e] [o] [o] -   49 KB - spywere
    |    Blacklist_05:  [o] [e] [o] [o] -   47 KB - advertisement
    |    Blacklist_06:  [o] [e] [o] [o] -    9 KB - dshields
    |                    ^   ^   ^   ^
    |      maxload: 2 - pri sec cid ipt - [e]mpty [l]oading l[o]aded [p]artial [q]ueued
    |    Consumed RAM:  9390 KB
    

    The [o] in the last column means the iptables rules are set.

    I really don't expect this to fail, and when it does, in my experience there are other factors involved (other scripts). I'm interested to know why this happened to you regardless. Did you get any entry in the log which might help?
     
  21. rs232

    rs232 Network Guru Member

    Try version v6.06 which I have just uploaded, it has a better tutor iptables control.
    Still shouldn't happen...!
    Keep an eye on the log and let us know.
     
  22. Bird333

    Bird333 Network Guru Member

    I'm on 5.13. I don't know if it's got something to do with running multi-wan Shibby or not. I've got another weird issue that seems to be tied to it. BTW, I don't see the blacklist info with the 'status' command. Is that only for version 6?
     
  23. meazz1

    meazz1 LI Guru Member

    I used USB drives to install it on both RT-N16 and RT-AC56U. Installations were smooth, and I also set up cron jobs. The only iffy thing was how to do a wanup script.
    Any help is appreciated.
    The path is
    "/tmp/mnt/AD/p2partisn.sh"

    Secondly, if I have the auto updater set to on, do I need to set up a cron job?
    Can I add a menu entry so I know it's up when I log into the router?
     
    Last edited: May 5, 2016
  24. rs232

    rs232 Network Guru Member

    That's right, version 6 is quite different from version 5. DualWan can be something.... I don't have DualWan, so I am unable to test, unfortunately.
     
  25. rs232

    rs232 Network Guru Member


    You don't have to set up anything manually, P2Partisan will do it for you. I suggest you remove anything you might have added manually (wan script included!) and instead use only:

    on v5.x
    Code:
    ./p2partisan.sh autorun-on|autorun-off
    ./p2partisan.sh autoupdate-on|autoupdate-off
    ./p2partisan.sh tutor-on|tutor-off
    on v6.x
    Code:
    ./p2partisan.sh autorun-on
    only, as autoupdate and tutor are automatic in this version.

    It's all documented in the (long!) original post.
     
    meazz1 likes this.
  26. The Master

    The Master Network Guru Member

    THX for the new Version.
     
  27. meazz1

    meazz1 LI Guru Member


    Appreciated, thanks.
     
  28. Bird333

    Bird333 Network Guru Member

    Can you make version 5 status screen show the blacklists? Also, can you make it check all P2partisan chains for blacklists?
     
  29. rs232

    rs232 Network Guru Member

    I think I had an initial attempt a long time ago, but the old ipset (v4) works in a very different way compared to the new one (v6), and even just querying what's in it sometimes takes forever, so I dropped the idea. I can though have a look at reporting on the iptables status, that shouldn't take long.

    When it comes to enforcing the tutor function, I can have a look when I go back home later; it should be pretty similar to the modification applied to v6.06.
    Still, I think the spotlight here should be on the cause of why these iptables commands disappear. P2Partisan is run within the firewall script, and every time the firewall script is called, p2partisan restarts; this implies cleaning and re-establishing the iptables rules only (very quick usually) with no ipset/blacklist interaction. If there's something removing iptables items without calling the firewall script, that doesn't sound right to me... I'm wondering if DualWan perhaps has multiple firewall scripts (one per gateway)? Pure guess.
     
  30. Bird333

    Bird333 Network Guru Member

    I don't know what caused it but I just happen to be looking at my iptables rules and I noticed that the 'level1' commands were missing.
     
  31. rs232

    rs232 Network Guru Member

    So level1 (if enabled) appears only in P2PARTISAN-LISTS-IN & P2PARTISAN-LISTS-OUT.
    Where are you looking precisely when you say it is missing?
    Can you take a snapshot of iptables -nvL next time this happens and post it here?
    Also a screenshot of ./p2partisan.sh status would help.
     
  32. Bird333

    Bird333 Network Guru Member

    Yeah, I saw it was missing on the 'OUT' list. Last I checked it was there. I'll look again later.
     
  33. Bird333

    Bird333 Network Guru Member

    Yeah, it was missing from both of those chains. It's there now. This is just a cosmetic thing but for some reason I have two port 68 listed in 'White ports UDP'.
     
  34. rs232

    rs232 Network Guru Member

    When you said cosmetic, are you saying you checked the iptables and you have indeed 67 and 68 in the P2PARTISAN-IN/OUT but the GUI reports 2x 68?
     
  35. Bird333

    Bird333 Network Guru Member

    The rules have 67 and 68 x2 in them also. I have port 68 as one of my whiteports in the config. Is that why it is getting added to iptables and the gui twice? Is port 68 automatically whitelisted and there is no need to add it to the whitelist?
     
  36. rs232

    rs232 Network Guru Member

    67 and 68 (UDP only) are hardcoded, no need to add them. Having said that, if you specify any of them in the config, your status output should always display 67 and 68 regardless; you can't remove them.

    Code:
    # DHCP hardcoded
    p1=`echo $whiteports_udp | grep -Eo '^67[,|:]|[,|:]67[,|:]|,67$' | wc -l`
    p2=`echo $whiteports_udp | grep -Eo '^68[,|:]|[,|:]68[,|:]|,68$' | wc -l`
    if [ $p1 -eq "0" ]; then
            whiteports_udp=${whiteports_udp},67
    fi
    if [ $p2 -eq "0" ]; then
            whiteports_udp=${whiteports_udp},68
    fi
    If 67 and/or 68 is specified in the config it will appear like a normal port (e.g. black background), whereas if you don't specify them they become hardcoded and are displayed with a light grey background.

    Regardless of the background color 2x 68 sounds wrong to me especially considering you do see 67 and 68 in the iptables.

    Where have you specified port 68 exactly? whiteports_udp only?
    Can you provide full documentation please? Like screenshot + dump of the config + iptables dump?
    I suspect you might have some ports specified that might confuse the regex part of the script above.
     
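    The duplicate-68 report above comes down to how the port-presence regex tokenises the whiteports list. As an added example (not P2Partisan's own code), the script below puts the posted regex beside a token-wise check that also handles a lone port and a covering range such as 60:70, and appends the hardcoded DHCP ports only when they are genuinely missing; the function names and sample lists are made up here.

```shell
#!/bin/sh
# Added example, not part of the P2Partisan script. POSIX sh, busybox-friendly.

# The page's original test, wrapped in a function for comparison.
# Returns 0 (true) when the regex sees PORT in the comma-separated LIST.
legacy_has_port() {
    lh_list=$1; lh_port=$2
    lh_n=$(echo "$lh_list" | grep -Eo "^${lh_port}[,|:]|[,|:]${lh_port}[,|:]|,${lh_port}\$" | wc -l)
    [ "$lh_n" -ne 0 ]
}

# Token-wise check in the iptables multiport format: items are "p" or "a:b".
# Returns 0 when PORT is an exact item or falls inside a range item, else 1.
# Unlike the regex, a lone "68" or a range ending in 68 ("60:68") are handled.
has_port() {
    hp_list=$1; hp_port=$2
    hp_oldifs=$IFS; IFS=,
    for hp_tok in $hp_list; do
        case $hp_tok in
            "$hp_port")
                IFS=$hp_oldifs; return 0 ;;
            *:*)
                hp_lo=${hp_tok%%:*}; hp_hi=${hp_tok##*:}
                if [ "$hp_lo" -le "$hp_port" ] && [ "$hp_port" -le "$hp_hi" ]; then
                    IFS=$hp_oldifs; return 0
                fi ;;
        esac
    done
    IFS=$hp_oldifs
    return 1
}

# Append UDP 67 and 68 (DHCP) only when not already covered, so the list
# fed to iptables and shown in the status never carries 68 twice.
ensure_dhcp_ports() {
    ed_list=$1
    for ed_p in 67 68; do
        if ! has_port "$ed_list" "$ed_p"; then
            if [ -z "$ed_list" ]; then ed_list=$ed_p; else ed_list="${ed_list},${ed_p}"; fi
        fi
    done
    printf '%s\n' "$ed_list"
}

# Constructed sample lists: the thread's whiteports_udp, a lone 68, a range.
for sample in '1194:1197,53,123,1723,3658' '68' '53,60:70'; do
    printf 'legacy sees 68 in "%s": ' "$sample"
    if legacy_has_port "$sample" 68; then echo yes; else echo no; fi
    printf 'normalised: %s\n' "$(ensure_dhcp_ports "$sample")"
done
```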
  37. Bird333

    Bird333 Network Guru Member

    What's weird is since they are hardcoded I don't have a duplicate port 67 too. PM sent.
     
  38. meazz1

    meazz1 LI Guru Member

    I have it installed and running.
    Can anyone look at it and tell me if I need anything else or if it's good as is?
     
  39. rs232

    rs232 Network Guru Member

    You're the only person I know that uses yellow as the background color for the shell :-S
    Can you change to something darkish or even paste just the text?

    From the little I can see it seems OK though. If you re-run the command, the purple [l] should have turned into a green [o] by now.
     
  40. rs232

    rs232 Network Guru Member

    P2Partisan 5.14/6.07 release. Minor update

    - Forces black background when displaying data on the shell (6.x only)
    - Corrected test procedure now it checks greylist as well
     
  41. phuklok1

    phuklok1 Network Guru Member

    Thanks for the 5.x update! Love this script.
     
  42. meazz1

    meazz1 LI Guru Member

    Lol, changed the background. I had no clue the texts blended with the yellow background.
    Here's the screenshot after running update.
    Thanks for the new update.

     
  43. rs232

    rs232 Network Guru Member

    That's better. It seems like you have just run it for the very first time.
    - [l] means it's loading, and based on conditions and router performance it will eventually turn into an [o]. Give it a few minutes. Next time you re-run the status command you'll see:
    Blacklist_01: [o] [e] [o] [o]
    - Level 1 should go above 4M in size and you're on 32K currently, so be patient and let it work. This is the first time only; from next time it will load very fast.
    - You should see "Dropped in" and "Rejected out" increasing the count in a few minutes. This is async; in reality it's already protecting.

    All good.
     
    meazz1 likes this.
  44. meazz1

    meazz1 LI Guru Member

    Appreciate your help.

     
  45. Bird333

    Bird333 Network Guru Member

    Does this new version check that the lists are downloading and the iptables rules are all present?
     
  46. meazz1

    meazz1 LI Guru Member

    I ran "./p2partisan.sh update" but it still shows v6.06 (04/05/2016).
    How does the new 6.07 get updated?
     
  47. rs232

    rs232 Network Guru Member

    CASE B) if you're running a version >= 5.x/6.x
    Online: P2Partisan upgrades itself, retrieving the latest script online
    Code:
    ./p2partisan.sh upgrade

    update = lists
    upgrade = software
     
    meazz1 likes this.
  48. rs232

    rs232 Network Guru Member

    The tutor already checks iptables and iptables-add for the presence of individual lists. It does not check the INPUT/OUTPUT/wanin/wanout P2PARTISAN reference at the moment. I'll see what I can do in a future release.

    A list download check needs more time, it's not straightforward. I guess I need to store the list on the filesystem first and compare the number of elements previously downloaded with the latest version, but I'm still thinking about this one.
     
    Last edited: May 22, 2016
  49. Bird333

    Bird333 Network Guru Member

    Ok thanks! What does '- Corrected test procedure now it checks greylist as well' mean? Can you explain further?
     
  50. rs232

    rs232 Network Guru Member

    If you haven't upgraded yet, you'll see that ./p2partisan test x.y.w.z does not check against the IP greylist.
    The latest version does. So it affects the test function only.
     
  51. user2k10

    user2k10 Reformed Router Member

    Does the current version support the RT-AC68U running the latest Merlin firmware? Thanks

     
  52. rs232

    rs232 Network Guru Member

    You need Shibby for this; however, there was a blind attempt to make it work with RMerlin, but it is not tested as I don't use it. Perhaps in the future, who knows.
     
  53. The Master

    The Master Network Guru Member

    Hello rs232,

    in a MULTI WAN configuration the block script hangs up after a few minutes. Is there something I could do?
    Thank you.

    EDIT:

    Router: R7000 Latest shibby 136
    WAN1: DHCP Cable Modem
    WAN 2: LTE USB Stick
     
  54. rs232

    rs232 Network Guru Member

    What does "hangs" mean in this case? Can you be more specific?
    Screenshot
    Code:
    ./p2partisan.sh status
    iptables -nvL

    Thanks
     
  55. The Master

    The Master Network Guru Member

    That means that "No Command" is working, and if I do a command all WAN connections are broken, so after the command there is no WAN at all and so no Internet.

    iptables -nvL <- I will test this on the weekend, because my LTE stick is not at home :(
    What screenshot do you need? Settings?

    All works fine with only one Wan Cable or LTE :)
     
  56. rs232

    rs232 Network Guru Member

    What hangs? The SSH session or the P2Partisan command? Sorry, I still don't get the full picture.
    Can you disable autorun and try to run it manually after a reboot?
    I don't know what your settings are, but I run it successfully on v136 with 1 WAN only. Perhaps try to reinstall from scratch?
     
  57. Bird333

    Bird333 Network Guru Member

    Hello. Any progress on this?
     
  58. rs232

    rs232 Network Guru Member

    No updates, sorry, very busy at work these few months. Feel free to look at the code and contribute with suggested modifications.

    Thanks
     
  59. Bird333

    Bird333 Network Guru Member

    I would but I have no idea how to do this. :)
     
  60. vancer32

    vancer32 Networkin' Nut Member

    Hi, can I run this on a low-end router? My router is an E1200 v2, which only has 32 MB RAM and 8 MB flash. I want to block Tor and VPN proxies. I am not knowledgeable when it comes to scripting and Linux, so this is a bit complicated for me :(
     
  61. rs232

    rs232 Network Guru Member

    What you're trying to block is a dynamic thing, e.g. ports can change and a proxy can have any IP.
    I suggest you look into using the standard Tomato "access restriction" function before anything else, but I guess you might be struggling to achieve what you're looking for, if I got the question right.

    P.S. Yes, P2Partisan runs on low-end routers like yours, but you will need version 5.x for MIPS, whereas modern ARM devices will run version 6.x.
     
  62. Bird333

    Bird333 Network Guru Member

    Dear Santa, can I have this for Christmas? ;)
     
  63. rs232

    rs232 Network Guru Member

    I have no time available at the moment so even if you've been a good boy and genuinely deserve this from Santa this is unlikely to happen anytime soon.

    If anybody wants to look into this and provide an example implementation, feel free to help. Jerrm provided pretty much all that is needed in a previous post; it would be a matter of seeing what else is missing and integrating it with the existing script.
     
    koitsu likes this.
  64. Bird333

    Bird333 Network Guru Member

    How can you upgrade from MIPS (version 5) P2Partisan to ARM (version 6) if you upgrade your router?
     
  65. rs232

    rs232 Network Guru Member

    There's no upgrade function between 5 and 6 (only within the same version).
    Just follow the new installation procedure, copy over:

    blacklist-custom
    blacklists
    greylist
    whitelist

    files and edit the top of the new p2partisan file to make sure 6.x behaves like your old 5.x (e.g. whiteports). It doesn't take long at all.
     
  66. vancer32

    vancer32 Networkin' Nut Member

    Hi, I finally bought a new router, an E2500 v3. After many hours of tinkering I got it working. Thank you for sharing this powerful script.

    I have a slight problem though: how do I access the whiteport file so I can edit the ports I wanted to open?

    EDIT:
    I found out the way to edit whiteport. I needed to delete all whiteports to block the Tor network because it uses ports 443 and 80.
     
    Last edited: Dec 28, 2016
  67. vancer32

    vancer32 Networkin' Nut Member

    I have a problem with blacklist-custom: it doesn't work. I tested a VPN app on Android, Psiphon Pro. I entered its IP in the blacklist-custom file and I can still browse the web. It uses port 53. I have already removed port 53 from the whitelist. If I enter the IP in the access restriction, the VPN immediately stops and I cannot browse the web. Any ideas?
     
    Last edited: Dec 28, 2016
  68. rs232

    rs232 Network Guru Member

    Give it a go with the test and debug functions; use the help to find out how.
    In regards to the blocking/allowing order, refer to the original post; there's a sort of flowchart that can help in understanding the hierarchical processing.
     
    vancer32 likes this.
  69. vancer32

    vancer32 Networkin' Nut Member

    Hi thank you for the reply. Can you help me?

    I could not make the blacklist-custom work. whitelist and blacklists are working fine.

    Code:
    ######################################
    # Custom blacklist, mix and match any of the following formats
    # Single: "X.X.X.X"
    # Range: "FIRSTIP-LASTIP"
    # FQDN: "bbc.com"
    # CIDR: "X.X.X.X/YY"
    # NOTE: ONLY PUBLIC IP ADDRESSES WILL BE CONSIDERED HERE
    ######################################

    I tried the Single and FQDN formats. CIDR seems to be working: I entered YouTube's IP address list and it is blocking. Single doesn't work. For FQDN I tried blocking facebook.com and youtube.com, which also doesn't work.
    I need this to work because if I enter many lists of IPs in access restriction my router will run out of NVRAM.

    I am hoping you can help me. thank you.
     
  70. rs232

    rs232 Network Guru Member

    When you say it works or it doesn't, what are you referring to exactly? Are you doing p2p with YouTube and Facebook? I have the feeling you have misunderstood what this script is about. Regardless, you need to use the test and debug functions; have you tried that?
     
  71. vancer32

    vancer32 Networkin' Nut Member

    Hi rs232, thank you for the reply and sorry for the confusion. The blacklist-custom doesn't seem to work. I put a single IP address, e.g. 104.24.123.196 (VPN IP), in blacklist-custom then update through SSH (after the update, black IPs shows "1") and I can still browse. Now if I put the IP in access restriction the IP is blocked and I cannot browse anymore.

    Maybe a bug in the MIPS version? Can you give me an example of what to put in blacklist-custom to try out? I am very confused why it doesn't work, as I am successfully blocking Tor through blacklists but blacklist-custom doesn't work. I have not tried the debug; I will try it and post the result.
     
  72. rs232

    rs232 Network Guru Member

    I think you've misunderstood what this script is about. I say I think because you're not providing comprehensive information, not even the output of the command I have previously suggested twice. So I guess you have a VPN connection, I guess you have all the traffic encapsulated via the tunnel and I guess you're not doing p2p but rather browsing the Internet.
    If my guessing skills are good, I can see you have asked the question once before and you got the answer here: http://www.linksysinfo.org/index.ph...rguardian-for-tomato.69128/page-8#post-280429

    So in short:
    browse != p2p traffic

    If and only if all my guesses above are correct, read below:

    Even if you wanted to use P2Partisan that way (not supported) over a tunnel, it would currently not work, as the script does not expect the default gateway to be linked to a tunnel interface. The input/output interface is instead fetched from the Tomato NVRAM (usually vlan2).

    Does this help?
     
    vancer32 likes this.
  73. vancer32

    vancer32 Networkin' Nut Member

    Yes, I am misunderstanding your script; I am not a programmer and I have little knowledge of this stuff. Sorry for that. It's even my first time using PuTTY, though I have successfully installed and run your script. I just wanted to make it work. Your script is very useful to me. I am not using a VPN or Tor. I have people in my network trying to bypass blocked sites by using VPN and Tor. Before using P2Partisan I was successfully blocking VPN connections by putting VPN IPs in access restriction. So if I can't block VPN IPs using P2Partisan, maybe I'll stick to using access restriction for that and use P2Partisan for Tor and other types of blocking. If I keep on putting IPs in access restriction my router will eventually run out of NVRAM. This is why I want to block IPs using your script.

    I used Facebook, for example, as the site to block.

    here's what I put in blacklist-custom:

    ######################################
    # Custom blacklist, mix and match any of the following formats
    # Single: "X.X.X.X"
    # Range: "FIRSTIP-LASTIP"
    # FQDN: "bbc.com"
    # CIDR: "X.X.X.X/YY"
    # NOTE: ONLY PUBLIC IP ADDRESSES WILL BE CONSIDERED HERE
    ######################################

    facebook.com

    here's the update:

    +------------------------- P2Partisan --------------------------+
    | _______ __ __
    | | __| |_.---.-.----.| |_
    | |__ | _| _ | _|| _|
    | |_______|____|___._|__| |____|
    |
    +---------------------------------------------------------------+
    +--------- PREPARATION --------
    | Loading the ipset modules
    +---- CUSTOM IP BLACKLIST -----
    | preparing blacklist-custom ...
    | Loading blacklist #0 --> ***Custom IP blacklist***
    +--------- GREYPORTs ----------
    | TransmissionBT: Off
    +--------- WHITEPORTs ---------
    | Loading white UDP ports 67,68
    +--------- WHITE IPs ---------
    | preparing IP whitelist ...
    | Loading IP whitelist
    +------- IP BLACKLISTs -------
    | loading blacklist #1 --> ***onion***
    | loading blacklist #2 --> ***proxy***
    | loading blacklist #3 --> ***ads***
    | loading blacklist #4 --> ***adservers***
    | loading blacklist #5 --> ***spyware***
    | P2PARTISAN: ... P2Partisan started
    +------------------------- Controls ----------------------------+
    | P2PARTISAN: log-async found under dnsmasq -> OK
    +---------------------------------------------------------------+

    here's the status

    +------------------------- P2Partisan --------------------------+
    | _______ __ __
    | | __| |_.---.-.| |_.--.--.-----.
    | |__ | _| _ || _| | |__ --|
    | |_______|____|___._||____|_____|_____|
    |
    | Release version: v5.14 (21/05/2016)
    +---------------------------------------------------------------+
    | Running: Yes
    | Autorun: Yes
    | Scheduled: No / 0 since device boot
    | Tutor: Yes / in the last 24h
    | Debugger: Off
    +---------------------------------------------------------------+
    | Partisan uptime: 0 - 00:01:28
    | Startup time: 27 seconds
    | Dropped in: 1
    | Rejected out: 0
    +---------------------------------------------------------------+
    | Black IPs: 1
    | White IPs: 0
    | TransmissionBT: Off
    | White ports UDP: 67,68
    | Black lists: 5


    I can still browse facebook.com.

    But if I put Facebook's IP list in, it is blocked.

     
    Last edited: Dec 31, 2016
  74. rs232

    rs232 Network Guru Member

    P2Partisan must not be used to block web traffic, so your test doesn't count.
    The only thing you could possibly block in your scenario is the VPN server and therefore prevent the VPN connection from being established. If this VPN happens for whatever reason, you will not see the content of the tunnel.
    For the third time: use the test and debug functions.
     
    Last edited: Dec 31, 2016
    vancer32 likes this.
  75. vancer32

    vancer32 Networkin' Nut Member

    Hi rs232, I am testing a single IP of Psiphon Pro VPN. I am using an Android tablet with Psiphon Pro VPN installed.

    +------------------------- P2Partisan --------------------------+
    | _______ __
    | |_ _|.-----.-----.| |_
    | | | | -__|__ --|| _|
    | |___| |_____|_____||____|
    |
    +----------- Lists are sorted in order of precedence -----------+
    | 138.197.201.101 found in blacklist-custom
    | 138.197.201.101 not found in greylist
    | 138.197.201.101 not found in whitelist
    | 138.197.201.101 not found in onion
    | 138.197.201.101 not found in proxy
    | 138.197.201.101 not found in ads
    | 138.197.201.101 not found in adservers
    | 138.197.201.101 not found in spyware
    +---------------------------------------------------------------+
    | in case of multiple match the first prevails

    I enabled debug; here is the output:

    Jan 1 03:29:32 unknown daemon.warn miniupnpd[1902]: SendSSDPNotify(): truncated output (514>=512)
    Jan 1 03:30:32 unknown daemon.warn miniupnpd[1902]: SendSSDPNotify(): truncated output (514>=512)
    Jan 1 03:30:49 unknown user.alert kernel: P2Partisan Dropped IN >> IN=vlan2 OUT= MAC=c0:56:27:2e:b5:e6:08:19:a6:26:7b:81:08:00:45:00:00:28 SRC=61.240.144.65 DST=49.147.107.175 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=45811 PROTO=TCP SPT=52606 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
    Jan 1 03:31:32 unknown daemon.warn miniupnpd[1902]: SendSSDPNotify(): truncated output (514>=512)
    Jan 1 03:31:51 unknown daemon.info dnsmasq-dhcp[1033]: DHCPINFORM(br0) 192.168.2.8 90:2b:34:28:c2:5d
    Jan 1 03:31:51 unknown daemon.info dnsmasq-dhcp[1033]: DHCPACK(br0) 192.168.2.8 90:2b:34:28:c2:5d 4-PC
    Jan 1 03:32:32 unknown daemon.warn miniupnpd[1902]: SendSSDPNotify(): truncated output (514>=512)
    Jan 1 03:33:32 unknown daemon.warn miniupnpd[1902]: SendSSDPNotify(): truncated output (514>=512)
    Jan 1 03:33:38 unknown user.notice | P2PARTISAN: Debug started for IP for 15 minute
    Jan 1 03:34:05 unknown user.notice | P2PARTISAN: Debug started for IP 192.168.2.48 for 20 minute
    Jan 1 03:34:32 unknown daemon.warn miniupnpd[1902]: SendSSDPNotify(): truncated output (514>=512)
    Jan 1 03:35:15 unknown daemon.info dnsmasq-dhcp[1033]: DHCPINFORM(br0) 192.168.2.8 90:2b:34:28:c2:5d
    Jan 1 03:35:15 unknown daemon.info dnsmasq-dhcp[1033]: DHCPACK(br0) 192.168.2.8 90:2b:34:28:c2:5d 4-PC
    Jan 1 03:35:25 unknown daemon.info dnsmasq-dhcp[1033]: DHCPINFORM(br0) 192.168.2.47 8c:89:a5:06:18:af
    Jan 1 03:35:25 unknown daemon.info dnsmasq-dhcp[1033]: DHCPACK(br0) 192.168.2.47 8c:89:a5:06:18:af
    Jan 1 03:35:32 unknown daemon.warn miniupnpd[1902]: SendSSDPNotify(): truncated output (514>=512)
     
    Last edited: Dec 31, 2016
  76. rs232

    rs232 Network Guru Member

    This is not the output of the debug; you must use debug-display. Have you used the help function?
    Can I suggest you go re-read all the answers and go play for some time with the test, debug and debug-display functions?
    The fact that you answer my messages within 2 min tells me that you're not trying to resolve this yourself.
    I'm not going to resolve your issue, but I feel I have already given all the inputs needed.
     
  77. vancer32

    vancer32 Networkin' Nut Member

    New IP of Psiphon Pro VPN. I have been browsing the web using the built-in browser of Psiphon Pro. I hope I'm not being annoying to you. You sound like you don't want to help me :(

    +------------------------- P2Partisan --------------------------+
    | _______ __
    | |_ _|.-----.-----.| |_
    | | | | -__|__ --|| _|
    | |___| |_____|_____||____|
    |
    +----------- Lists are sorted in order of precedence -----------+
    | 139.59.17.128 found in blacklist-custom
    | 139.59.17.128 not found in greylist
    | 139.59.17.128 not found in whitelist
    | 139.59.17.128 not found in onion
    | 139.59.17.128 not found in proxy
    | 139.59.17.128 not found in ads
    | 139.59.17.128 not found in adservers
    | 139.59.17.128 not found in spyware
    +---------------------------------------------------------------+
    | in case of multiple match the first prevails
    +---------------------------------------------------------------+
    root@unknown:/tmp/home/root#


    +------------------------- P2Partisan --------------------------+
    _____ __ __ __ __
    | \.-----.| |--.--.--.-----.______.--| |__|.-----.-----.| |.---.-.--.--.
    | -- | -__|| _ | | | _ |______| _ | ||__ --| _ || || _ | | |
    |_____/|_____||_____|_____|___ | |_____|__||_____| __||__||___._|___ |
    |_____| |__| |_____|

    +---------------------------------------------------------------+
    | p2partisan.sh debug-display Displays in & outbound debug logs
    | p2partisan.sh debug-display in Displays inbound debug logs only
    | p2partisan.sh debug-display out Displays outbound debug logs only
    +-------------------------- Drop Logs --------------------------+
    +----------------------- INPUT & OUTPUT ------------------------+
    Jan 1 04:15:14 unknown user.notice | P2PARTISAN: Debug started for IP 192.168.2.48 for 30 minute
    NOTE: debugging is active for 00:10:33 /30 min (00:19:27 left). Run this command again to update the report
    +----------------------- INPUT & OUTPUT ------------------------+
    +---------------------------------------------------------------+
    root@unknown:/tmp/home/root#
     
  78. Bird333

    Bird333 Network Guru Member

    Can you explain what this does in the firewall script?
    Code:
    while true; do [ -f /opt/downloads/p2partisan/p2partisan.sh ] && break || sleep 5; done ;/opt/downloads/p2partisan/p2partisan.sh restart
    cru a P2Partisan-tutor "25 * * * * /opt/downloads/p2partisan/p2partisan.sh tutor"
    My P2Partisan script is installed on my USB drive. Would the above cause a problem if my drive wasn't available when it got called? I'm having an issue where some of the firewall rules (not P2Partisan rules) are being added multiple times; also, occasionally Tomato's FORWARD rules are added at all, which stops access to the internet. I believe the firewall script gets run before USB is available.

    USB drive is mounted on /opt

    Thanks!
     
  79. vancer32

    vancer32 Networkin' Nut Member

    Hi rs232, I will no longer look into using blacklist-custom as my go-to blocking for VPN connections. I will stick to using access restrictions to block VPN connections. Your script is fully working, and I will continue using it to block Tor and other stuff.

    thank you for your time answering my questions. Have a good day.
     
  80. rs232

    rs232 Network Guru Member

    The first line makes sure P2Partisan is reinstalled every time the firewall script is called. That while true at the beginning states specifically: if the file is available run it, if not skip.
    The second line is the P2Partisan tutor, which runs every hour and resolves problems if found, and also does some collateral tasks, like resolving FQDNs in the list files, to mention one.

    Where do you run your additional rules from? If I remember well you asked this a long time ago and I did add a custom script function to P2Partisan for this matter, so I suggest you use it. P2Partisan already deals with all the exceptions the Tomato firewall introduces, so you get a free ride if you jump on the boat.
     
  81. Bird333

    Bird333 Network Guru Member

    I don't recall discussing a firewall issue like this. My rules are in the Firewall box where that command is. I am running jerrm's adblock which adds its own rules. Where is this custom script function you speak of?
     
  82. rs232

    rs232 Network Guru Member

    Check this old post:
    http://www.linksysinfo.org/index.ph...rguardian-for-tomato.69128/page-6#post-263483

    All you have to do is create the files and populate them with iptables commands.
     
  83. Bird333

    Bird333 Network Guru Member

  84. rs232

    rs232 Network Guru Member

    All I'm saying is: if you want your custom rules to be added and removed as a consequence of P2Partisan start/stop, do use the custom script facility within P2Partisan. You don't have to; it's just an option you have.
     
  85. Bird333

    Bird333 Network Guru Member

    Ok. Back to the original issue. Does P2Partisan ever flush iptables? Could something in the script cause duplicate entries?
     
  86. koitsu

    koitsu Network Guru Member

    It is possible to write a kind of kludge-y "wrapper" around iptables, to log and try to figure out what is using/calling iptables, hence maybe reverse-engineering what's being done. But this is a bit off-topic.
     
  87. rs232

    rs232 Network Guru Member

    Off the top of my head, no flush is run by P2Partisan on system tables.
     
  88. koitsu

    koitsu Network Guru Member

    @rs232 I'm still waiting for Bird333 to get me (in a PM) some examples of what "messed up/duplicate iptables rules" look like. I ABSOLUTELY believe him, for the record, there's no doubt in my mind it's happening. But if I can see what the mess looks like, I might be able to discern what happened or what might be triggering the problem.

    He does have a large number of custom iptables rules, and I'm going off of memory, but the last time I saw them they looked OK.

    And again, if pushed, I can explain how to do the iptables wrapper. It requires a USB flash drive (since the logging data may get long).
     
  89. rs232

    rs232 Network Guru Member

    Ok, if you want the full info from him, ask for the content of the P2Partisan files:
    iptables-add
    iptables-del

    They are the scripts run when P2Partisan starts/stops. It might help in getting the full picture.
     
  90. Jerome

    Jerome New Member Member

    Hi folks.

    I would like to know how I can determine whether my R7000 should take v5 or v6 (arm128 or arm129). Which version do I have to install?
     
  91. rs232

    rs232 Network Guru Member

    Depends on the Shibby version: for ARM up to v128 you need 5.x; from v129 you need 6.x.
    See the OP, it's all in there.
     
  92. meazz1

    meazz1 LI Guru Member

    I have an Asus RT-N56U running shibby v138.
    I have the P2Partisan setup and running.
    Should I install "Script:adbloc" as well, or does P2P also do the adblocking job?
     
  93. rs232

    rs232 Network Guru Member

    You can, but they perform different functions:

    P2Partisan will protect you at IP level (useful for p2p traffic, e.g. torrent); adblock works at DNS level while browsing the Internet (e.g. unwanted popups/advertisements).

    I have both running at the same time, but you don't "have to".
     
    meazz1 likes this.
  94. meazz1

    meazz1 LI Guru Member

    Got it. Thanks
     
  95. rs232

    rs232 Network Guru Member

    P2Partisan v6.08 is out.
    This version will automatically add your tinc hosts to the IP whitelist.

    I'm now working on whitelisting OpenVPN and PPTP
     
    The Master likes this.
  96. rs232

    rs232 Network Guru Member

    Wait, some more debugging needed for 6.09.
     


    Last edited: Jun 17, 2017
  97. rs232

    rs232 Network Guru Member

    Can I please get some help on how to properly filter VPN traffic when used as default gateway?

    It seems that matching the interface like "-o tun12" as a destination (outbound traffic) works well, but "-i tun12" has no effect. I guess the inbound iptables still sees encrypted traffic only, so e.g. UDP 1194 per se.

    Code:
    iptables -I FORWARD 1 -i tun12  -m state --state NEW -j P2PARTISAN-IN
    iptables -I FORWARD 2 -o tun12  -m state --state NEW -j P2PARTISAN-OUT
    Code:
    root@tomato36k:/tmp/home/root# iptables -nvL FORWARD
    Chain FORWARD (policy DROP 2 packets, 720 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 P2PARTISAN-IN  all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            state NEW
       35  3141 P2PARTISAN-OUT  all  --  *      tun12   0.0.0.0/0            0.0.0.0/0            state NEW
    See the packet count inbound.

    I did also try to catch inbound VPN traffic on the receiving vlan e.g.

    Code:
    iptables -I FORWARD 1 -i !vlan2 -o vlan1,vlan3 -m state --state NEW -j P2PARTISAN-IN
    but still no luck:

    Code:
    root@tomato36k:/tmp/home/root# iptables -nvL FORWARD
    Chain FORWARD (policy DROP 1 packets, 360 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 P2PARTISAN-IN  all  --  !vlan2 vlan1,vlan3  0.0.0.0/0            0.0.0.0/0            state NEW
      385 36052 P2PARTISAN-OUT  all  --  *      tun12   0.0.0.0/0            0.0.0.0/0            state NEW
    Any tip?
    Thanks!
     
  98. Bird333

    Bird333 Network Guru Member

    Since you are back working on this, can you add verification that all the lists are downloading and the iptables rules are all present as was mentioned some months ago? If all lists and all rules are not being created then we are not protected. Thanks!
     
  99. Bird333

    Bird333 Network Guru Member

    Just a random thought but are you sure you should be using the 'forward' chain for inbound rules instead of the 'input' chain?
     
  100. glennsamuel32

    glennsamuel32 Network Newbie Member

    Thanks for your creation!
    Would you recommend this to block Windows telemetry?
    I have loaded about 17,000 lines of IP ranges and CIDRs, along with just 3 whitelisted hosts...
    But I'm not able to understand the number of Black and White IPs...

     
