Skynet Skynet showing router itself making calls to China?

[dave14305]

I tried the output chain when I was writing the rules originally and I found that skynet's prerouting rules were still taking priority. Traffic destined for port 53 to blocked IP addresses was still getting blocked. My only solution was to place prerouting rules before skynets prerouting chains.

Maybe it was blocking the reply traffic. I amended my earlier post.

 

[Twiglets]

[Router RT-AX86U_Pro: Running RMerlin 3004.388.7 -- uname -a =(Linux RT-AX86U_Pro 4.19.183 #1 SMP PREEMPT Fri Apr 26 14:23:13 EDT 2024 aarch64 ASUSWRT-Merlin) ]

Sorry but the awk command does not work for me on my Router and the 'nvram get wan_ifname' is *not* blank.
I have tried with GNU gawk as well and get the same result !!!???

I am cutting & pasting your commandline from the post into an 'echo' command to display the result.
(Including your new amended version and it does not work on my router !!!???)

I am confused as you are so sure it works *but* see following screen-capture:

 

[SomeWhereOverTheRainBow]

Maybe it was blocking the reply traffic. I amended my earlier post.

yea I didnt even think about trying that. Either way I also corrected my original prerouting rules so @Twiglets can try them to see if it works better. I hate messing in the raw tables unless I have to, it can make things really messy. I hope @Adamm incorporates a solution that works best for everyone's use case. Anyone in this thread is welcome to test when ready.

 

[SomeWhereOverTheRainBow]

[Router RT-AX86U_Pro: Running RMerlin 3004.388.7 -- uname -a =(Linux RT-AX86U_Pro 4.19.183 #1 SMP PREEMPT Fri Apr 26 14:23:13 EDT 2024 aarch64 ASUSWRT-Merlin) ]

Sorry but the awk command does not work for me on my Router and the 'nvram get wan_ifname' is *not* blank.
I have tried with GNU gawk as well and get the same result !!!???

I am cutting & pasting your commandline from the post into an 'echo' command to display the result.
(Including your new amended version and it does not work on my router !!!???)

I am confused as you are so sure it works *but* see following screen-capture:

View attachment 58865

@Twiglets try this command.

/usr/sbin/iptables -t raw -I PREROUTING -p udp --sport 1024:65535 --dport 53 -s "$(ip -o -4 addr list $(nvram get wan_ifname) | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')" -j ACCEPT
/usr/sbin/iptables -t raw -I PREROUTING -p tcp --sport 1024:65535 --dport 53 -s "$(ip -o -4 addr list $(nvram get wan_ifname) | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')" -j ACCEPT

 

[Twiglets]

@Twiglets try this command.

/usr/sbin/iptables -t raw -I PREROUTING -p udp --sport 1024:65535 --dport 53 -s "$(ip -o -4 addr list $(nvram get wan_ifname) | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')" -j ACCEPT
/usr/sbin/iptables -t raw -I PREROUTING -p tcp --sport 1024:65535 --dport 53 -s "$(ip -o -4 addr list $(nvram get wan_ifname) | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')" -j ACCEPT

Works like a dream ..... still would like to know what is wrong with my awk/gawk!!!!

[I know there are, at least, 6 different ways to do the same thing in awk .... but they should work the same everywhere]

 

[dave14305]

I hate messing in the raw tables unless I have to, it can make things really messy.

That’s one reason I used RETURN instead of ACCEPT.

I hope @Adamm incorporates a solution that works best for everyone's use case.

Country blocking works as intended. Some people might be equally upset if Skynet suddenly allowed DNS requests to a blocked country.

 

[SomeWhereOverTheRainBow]

That’s one reason I used RETURN instead of ACCEPT.

Country blocking works as intended. Some people might be equally upset if Skynet suddenly allowed DNS requests to a blocked country.

I completely agree with you @dave14305 in regards to skynet working exactly as it should. What I mean is if @Adamm does decide to incorporate something, I hope skynets current functionality takes priority still. IF anything it could be a feature that can be enabled via menu option similar to CDN whitelisting. TBH I think it is just as easy to add the IP commands to the bottom of firewall-start script; or better yet why doesn't the developer of Unbound_manager incorporate something this time since skynet is functioning as intended.