Aegis (simple yet effective protection)

Awesome. I have been blocking DNS to all devices except the piholes (ports 53 & 853) under Netgear/Security/Block Services... your PREROUTING config should be exactly what I need... Edit: As I am at work right now it will be a few hours before I can get home to test. Was thinking though, is there a way to use the command line and revert REJECT back to DROP for testing? Thanks
 
Yes, you can do:
If logging is off:
iptables -I aegis_dst 2 -j DROP

If logging is on:
iptables -I aegis_dst 3 -j DROP

Please note that aegis status will complain about that, but it would work for testing.
To get rid of those rules and go back to a clean aegis setup: aegis restart.

By the way, after testing the PREROUTING rules, to make them stick you would have to put them in firewall-start.sh, or if you are using @kamoj's Add-on, you can create a firewall-start-google_dns_redir.sh containing only the rules about it. Without that, each time the internal firewall is restarted you would lose the custom rules.
Firewall start scripts go in /opt/scripts/
 
Ran home to do a few quick tests.... PREROUTING causes Unbound errors..... It seems hardcoded devices just can't handle REJECT, whereas they pass off DROP with no complaining... But not a big deal as I can stick with using Static Routes to get around this issue..... Appreciate your help and no need to change any of your hard work as my issue seems to be just my setup.....
 
Ok, apparently, it does not like the dport option.
dport option requires a protocol. So you can do this (I tested and it works for me):
Code:
iptables -t nat -A PREROUTING -i br0 -d 8.8.8.8/32 -p udp --dport 53 -j DNAT --to-destination PIHOLEIP
iptables -t nat -A PREROUTING -i br0 -d 8.8.4.4/32 -p udp --dport 53 -j DNAT --to-destination PIHOLEIP
iptables -t nat -A POSTROUTING -o br0 -s PIHOLEIP/32 -p udp --sport 53 -j SNAT --to-source 8.8.8.8

Alternative:
Code:
iptables -t nat -A PREROUTING -i br0 -d 8.8.8.8/32 -j DNAT --to-destination PIHOLEIP
iptables -t nat -A PREROUTING -i br0 -d 8.8.4.4/32 -j DNAT --to-destination PIHOLEIP
This version changes the destination address for all ports of any packets going to 8.8.8.8 (and 8.8.4.4) to your PIHOLEIP address. The first version does this only for DNS (and lets your Nvidia Shield think that anything coming from your PIHOLE is from 8.8.8.8).
 
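As an added example (not code from Aegis, Voxel's firmware or Kamoj's Add-on), this is what a firewall-start-google_dns_redir.sh dropped in /opt/scripts/ could look like: it generates the first ruleset above for UDP to one Pi-hole and TCP to a second one, as done later in this thread. The Pi-hole addresses are constructed placeholders, br0 is assumed to be the LAN bridge as in the thread, and each rule is checked with -C before being appended so reruns on every firewall restart do not stack duplicates.

```shell
#!/bin/sh
# firewall-start-google_dns_redir.sh (hypothetical; added example, not part of
# Aegis or the Add-on). PIHOLE1/PIHOLE2 are constructed placeholders: set your own.
PIHOLE1="${PIHOLE1:-192.168.1.10}"
PIHOLE2="${PIHOLE2:-192.168.1.11}"
IPT="${IPT:-iptables}"

# Print the nat rule specs (chain first) that send one protocol's DNS for both
# Google addresses to one Pi-hole, plus the SNAT rule that makes replies appear
# to come from 8.8.8.8, which is what hardcoded clients expect.
dns_redirect_rules() {
    proto="$1"; pihole="$2"
    for gdns in 8.8.8.8 8.8.4.4; do
        echo "PREROUTING -i br0 -d $gdns/32 -p $proto --dport 53 -j DNAT --to-destination $pihole"
    done
    echo "POSTROUTING -o br0 -s $pihole/32 -p $proto --sport 53 -j SNAT --to-source 8.8.8.8"
}

# UDP DNS goes to the first Pi-hole, TCP DNS to the second (six rules in total).
rules_all() {
    dns_redirect_rules udp "$PIHOLE1"
    dns_redirect_rules tcp "$PIHOLE2"
}

# Append a rule only when an identical one is not already in the chain (-C),
# so the script is idempotent across firewall restarts.
apply_rules() {
    while read -r chain spec; do
        # shellcheck disable=SC2086  # word-splitting of $spec is intended
        "$IPT" -t nat -C "$chain" $spec 2>/dev/null || "$IPT" -t nat -A "$chain" $spec
    done
}

if "$IPT" -t nat -L PREROUTING -n >/dev/null 2>&1; then
    rules_all | apply_rules
else
    # No usable nat table here (not root, or no iptables): dry run, show the commands.
    rules_all | sed "s/^/$IPT -t nat -A /"
fi
```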
Success! Nice stable logs and no Unbound errors.... I took the first option and used pihole1, then copied it again, changed udp to tcp and pointed it to pihole2... Thank you, sorry for the headache........ (now off to figure out how to stick this on a USB to survive a reboot :) )
 
If in firewall-start.sh, it will survive reboots.
The USB post-mount.sh is to survive flashing firmwares.
 
Wanting to back up nvram, what would be the command to save it and then put it back?

Just to get a copy.

I have the USB in /tmp/mnt/sdc1
 
Exactly like @kamoj said.

You can also install my nvram-utils script: https://www.snbforums.com/threads/r7800-utility-nvram-utils.63585/#post-575310

You don't have to use the fix (that is there for deficient internal flash disks), but each time you use the command nvram-utils backup it saves a bin backup at the root of the flash disk, and a time-stamped copy of it (bin and text format) in an nvram_backps folder at the root of your USB disk.
 
or if you are using @kamoj Add-on, you can create a firewall-start-google_dns_redir.sh with only the rules about it in it. Without that, each time the internal firewall would be restarted, you would lose the custom rules.
Firewall start scripts go in /opt/scripts/

Sorry for being such a noob, but how exactly would I go about setting up that script in kamoj's add-on?
 
It is not a setup from the Addon. It is more a feature the Addon is offering.

When Kamoj’s Addon is installed, all scripts named firewall-start-[SOMETHING].sh placed in /opt/scripts/ will be loaded each time the internal firewall is started or restarted.

Without the Addon, the only file loaded is firewall-start.sh.
 
Just updated to kamoj's latest beta, so: uninstalled the beta, rebooted, installed latest beta and rebooted again. The settings survived all of that. AMAZING! Thanks again brother!

Voxel, kamoj, HELLO_wORLD ... I cannot thank you enough! Trying times this year, but hoping you all find someway to enjoy the upcoming holidays! Thanks for all you have given us! :)
 
Is it possible to install it on the R7000?

No, it requires a Voxel firmware as it relies on his custom net-wall script and the binaries present in his firmware.
 
1.4.0 is out

Aegis Core:
- internal improvement and optimization.
- iptables outgoing engine rule is now REJECT --reject-with icmp-admin-prohibited which is the appropriate one according to ICMP protocol.
- iptables rules are now commented for clarity if users are having a more complex setup.
- the ipset WAN gateway bypass system has been removed.
- aegis rules will now bypass the WAN and VPN network ranges (subnets) if they are in the master blacklist. This can be manually prevented using new -wan_no_bypass and -vpn_no_bypass options (only in command line).
- aegis is not using nvram anymore. It saves its internal settings using UCI in its own place ( /opt/bolemo/etc/config/aegis ). Users should not need to access or change it directly.
- option to enable logging is now -log (using restart, load_set or update). Without the option, log is disabled; but until aegis restart, load_set or update is called without the option (or clean), the log setting will survive internal firewall restarts, router reboots and even firmware installs if aegis is on an external drive.

Aegis Web:
- minor bug corrected with LOG display when it was disabled and enabled after log is empty.
- in TOOLS, check if an IP is blocked is now showing if it is in WAN or VPN subnets.
- STATUS was updated to be in sync with Aegis Core.

Clean and restart will be needed.
 