Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

For support requests and questions please use the Github Issue Tracker where this script is actively maintained


Skynet - Router Firewall & Security Enhancements

Elevate your home network security with Skynet, a robust firewall and security tool meticulously crafted for ASUS routers running the AsusWRT-Merlin firmware, ensuring POSIX compliance for seamless integration.

Featured on SmallNetBuilder, Skynet extends the capabilities of your router's SPI Firewall, Brute Force Detection, and AiProtect with its lightweight yet powerful IPSet-based firewall. This flexible addition allows for effortless customization of firewall rules to match your precise requirements and preferences.

However, Skynet goes beyond mere firewall functionalities. It serves as a comprehensive security suite capable of blacklisting single IPs, domains, or even entire countries. Leveraging predefined malware lists from reputable sources, it fortifies your network against potential threats while also securing IoT devices against unauthorized access.

Furthermore, Skynet seamlessly integrates with OpenVPN and WireGuard implementations, safeguarding local servers and ensuring encrypted communication channels remain secure. Whether you're hosting an OpenVPN or WireGuard server, Skynet offers robust protection, enhancing its versatility and utility.

With Skynet and AsusWRT-Merlin, you can entrust your router's security to a reliable and fully compatible solution. Whether you're a novice or an experienced user, Skynet's intuitive interface and extensive feature set make it the ultimate choice for bolstering your network defenses.

In conclusion, if you're seeking to augment the security features of your ASUS router running AsusWRT-Merlin, Skynet stands out as the premier solution. Don't compromise on your network's safety any longer – embrace Skynet today and safeguard your digital domain with confidence.

You can read about explanations and solutions for common errors here.

You can use this script for free as it will always remain open source. However, if you would like to contribute to future development efforts, you have the option to support us by Donating With PayPal.

Installation;

All that's required is a USB drive that's at-least 2GB (so there is room for a SWAP file). After downloading it just works.

This script is now hosted on GitHub, you can follow the most recent changes here.

In your favorite SSH terminal;

/usr/sbin/curl -s "https://raw.githubusercontent.com/Adamm00/IPSet_ASUS/master/firewall.sh" -o "/jffs/scripts/firewall" && chmod 755 /jffs/scripts/firewall && sh /jffs/scripts/firewall install

For firmware versions 384.15+ this can also be installed via AMTM by following the menu prompts;

amtm

After installation (or reboot) you should see output similar the following indicating the script is working.

Sep 15 21:55:39 Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/Elements/skynet )
Sep 15 21:56:00 Skynet: [#] 132577 IPs (+0) -- 1828 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [21s]

 

[Adamm]

Usage;

Skynet provides both a user interactive menu, and command line interface for those who prefer it.

To open the menu its as simple as;

firewall

For users on firmware v384.15+ (Merlin) or v374.43_43E6 (Johns Fork) there will also be a WebUI tab under the heading Firewall.

And for the CLI users, here's a list of possible commands.

Example Unban Commands;
( firewall unban ip 8.8.8.8 ) This Unbans The IP Specified
( firewall unban range 8.8.8.8/24 ) This Unbans the CIDR Block Specified
( firewall unban domain google.com ) This Unbans the URL Specified
( firewall unban comment "Apples" ) This Unbans Entries With The Comment Apples
( firewall unban country ) This Unbans Entries Added By The "Ban Country" Feature
( firewall unban asn AS123456 ) This Unbans the ASN Specified
( firewall unban malware ) This Unbans Entries Added By The "Ban Malware" Feature
( firewall unban nomanual ) This Unbans Everything But Manual Bans
( firewall unban all ) This Unbans All Entries From Both Blacklists

Example Ban Commands;
( firewall ban ip 8.8.8.8 "Apples" ) This Bans The IP Specified With The Comment Apples
( firewall ban range 8.8.8.8/24 "Apples" ) This Bans the CIDR Block Specified With The Comment Apples
( firewall ban domain google.com ) This Bans the URL Specified
( firewall ban country "pk cn sa" ) This Bans The Known IPs For The Specified Countries (Accepts Single/Multiple Inputs If Quoted) https://www.ipdeny.com/ipblocks/
( firewall ban asn AS123456 ) This Bans the ASN Specified

Example Banmalware Commands;
( firewall banmalware ) This Bans IPs From The Predefined Filter List
( firewall banmalware google.com/filter.list ) This Uses The Filter List From The Specified URL
( firewall banmalware reset ) This Will Reset Skynet Back To The Default Filter URL
( firewall banmalware exclude "list1.ipset|list2.ipset" ) This Will Exclude Lists Matching The Names "list1.ipset list2.ipset" From The Current Filter (Quotes And Pipes Are Nessessary For Seperating Multiple Entries!)
( firewall banmalware exclude reset ) This Will Reset The Exclusion List

Example Whitelist Commands;
( firewall whitelist ip 8.8.8.8 "Apples" ) This Whitelists The IP Specified With The Comment Apples
( firewall whitelist range 8.8.8.8/24 "Apples" ) This Whitelists The Range Specified With The Comment Apples
( firewall whitelist domain google.com) This Whitelists the URL Specified
( firewall whitelist asn AS123456 ) This Whitelists the ASN Specified
( firewall whitelist vpn) Refresh VPN Whitelist
( firewall whitelist remove all) This Removes All Non-Default Entries
( firewall whitelist remove entry 8.8.8.8) This Removes IP/Range Specified
( firewall whitelist remove comment "Apples" ) This Removes Entries With The Comment Apples
( firewall whitelist refresh ) Regenerate Shared Whitelist Files
( firewall whitelist view ips|domains|imported ) View Whitelist Entries Based On Category (Leave Blank For All)

Example Import Commands;
( firewall import blacklist file.txt "Apples" ) This Bans All IPs From URL/Local File With The Comment Apples
( firewall import whitelist file.txt "Apples" ) This Whitelists All IPs From URL/Local File With The Comment Apples

Example Deport Commands;
( firewall deport blacklist file.txt ) This Unbans All IPs From URL/Local File
( firewall deport whitelist file.txt ) This Unwhitelists All IPs From URL/Local File

Example Update Commands;
( firewall update ) Standard Update Check - If Nothing Detected Exit
( firewall update check ) Check For Updates Only - Wont Update If Detected
( firewall update -f ) Force Update Even If No Changes Detected

Example Settings Commands;
( firewall settings autoupdate enable|disable ) Enable/Disable Skynet Autoupdating
( firewall settings banmalware daily|weekly|disable ) Enable/Disable Automatic Malware List Updating
( firewall settings logmode enable|disable ) Enable/Disable Logging
( firewall settings filter all|inbound|outbound ) Select What Traffic To Filter
( firewall settings unbanprivate enable|disable ) Enable/Disable Unban_PrivateIP Function
( firewall settings loginvalid enable|disable ) Enable/Disable Invalid Packet Logging
( firewall settings banaiprotect enable|disable ) Enable/Disable Banning IPs Flagged By AiProtect
( firewall settings securemode enable|disable ) Enable/Disable Insecure Settings Being Applied In WebUI
( firewall settings fs google.com/filter.list|disable ) Configure/Disable Fast Malware List Switching
( firewall settings syslog|syslog1 /tmp/syslog.log|default ) Configure Custom Syslog/Syslog-1 Location
( firewall settings iot unban|ban 8.8.8.8,9.9.9.9 ) Unban|Ban IOT Device(s) (or CIDR) From Accessing WAN (Allow NTP / Remote Access Via OpenVPN Only) (Use Comma As Separator)
( firewall settings iot view ) View Currently Banned IOT Devices
( firewall settings iot ports 123,124,125 ) Allow Port(s) To Access WAN (Use Comma As Separator)
( firewall settings iot ports reset ) Reset Allowed Port List To Default
( firewall settings iot proto udp|tcp|all ) Select IOT Allowed Port Protocol
( firewall settings lookupcountry enable|disable ) Enable/Disable Country Lookup For Stat Data
( firewall settings cdnwhitelist enable|disable ) Enable/Disable CDN Whitelisting
( firewall settings webui enable|disable ) Enable/Disable WebUI

Example Debug Commands;
( firewall debug watch ) Show Debug Entries As They Appear
( firewall debug info ) Print Useful Debug Info
( firewall debug info extended ) Debug Info + Config
( firewall debug genstats ) Update WebUI Stats
( firewall debug clean ) Cleanup Syslog Entries
( firewall debug swap install|uninstall ) Install/Uninstall SWAP File
( firewall debug backup ) Backup Skynet Files To Skynets Install Directory With The Name "Skynet-Backup.tar.gz"
( firewall debug restore ) Restore Backup Files From Skynets Install Directory With The Name "Skynet-Backup.tar.gz"

Example Stats Commands;
( firewall stats ) Compile Stats With Default Top10 Output
( firewall stats 20 ) Compile Stats With Customizable Top20 Output
( firewall stats tcp ) Compile Stats Showing Only TCP Entries
( firewall stats tcp 20 ) Compile Stats Showing Only TCP Entries With Customizable Top20 Output
( firewall stats search port 23 ) Search Logs For Entries On Port 23
( firewall stats search port 23 20 ) Search Logs For Entries On Port 23 With Customizable Top20 Output
( firewall stats search ip 8.8.8.8 ) Search Logs For Entries On 8.8.8.8
( firewall stats search ip 8.8.8.8 20 ) Search Logs For Entries On 8.8.8.8 With Customizable Top20 Output
( firewall stats search malware 8.8.8.8 ) Search Malwarelists For Specified IP
( firewall stats search manualbans ) Search For All Manual Bans
( firewall stats search device 192.168.1.134 ) Search For All Outbound Entries From Local Device 192.168.1.134
( firewall stats search device reports ) Search Previous Hourly Report History
( firewall stats search invalid ) Search For Invalid Packets
( firewall stats search iot ) Search For IOT Packets
( firewall stats search connections ip|port|proto|id xxxxxxxxxx) Search Active Connections
( firewall stats remove ip 8.8.8.8 ) Remove Log Entries Containing IP 8.8.8.8
( firewall stats remove port 23 ) Remove Log Entries Containing Port 23
( firewall stats reset ) Reset All Collected Logs

Help! - Application.exe or Website.com Is Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Logging

firewall settings logmode enable

2.) Open the blocked application/website and use the command;

firewall debug watch

Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if its being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;

DST=175.115.37.52

4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault. If its related to a domain additional "Associated Domain" information should be printed beneath the log.

https://otx.alienvault.com/indicator/ip/175.115.37.52/

5.) Great we have confirmed we found the IP of the blocked website/application we are looking for, lets whitelist it!

firewall whitelist ip 175.115.37.52

 

[jernau]

Unfortunately this script doesn't work for me, I just get loads of errors stating that the --match-set argument is not available in the version of iptables installed;

iptables v1.3.8: Unknown arg `--match-set'

I'm running 374.41 Beta 1

Also the firewall.sh script as downloaded appears to be in DOS format i.e. includes windows linefeeds (^M) so wouldn't run until I ran dos2unix on another machine against the file.

 

[Adamm]

Reserved

 

[shooter40sw]

Hi guys, I already have donwload manager installed, and no planes de uninstall it, or install entware, also have active ssh brute force prevention on the admin page, can I use this script?, I also use a "wierd" LAN setup! x.x.x.x/27 thanks

 

[Adamm]

Reserved

 

[jernau]

Does this script only work on certain Merlin versions as I mentioned before I keep getting the following error when running the script;

iptables v1.3.8: Unknown arg `--match-set'

 

[Adamm]

Does this script only work on certain Merlin versions as I mentioned before I keep getting the following error when running the script;

iptables v1.3.8: Unknown arg `--match-set'

What router are you running and which firmware? Your IPTables is out of date compared to the latest release which the script is based on.

admin@RT-AC68R:/tmp/home/root# iptables -V
iptables v1.4.14

admin@RT-AC68R:/tmp/home/root# ipset -V
ipset v4.5, protocol version 4.
Kernel module protocol version 4.


Edit; Okay so just realized the AC66U for whatever reason is based on an older IPTables version. For now support is limited to the AC56U and AC68U. Sorry about that.

 

[octopus]

Use: -m set --match-set

 

[Adamm]

Use: set --match-set

I will eventually make the script dynamically adjust the IPTables syntax based on the router model, currently the N56U/AC66U/AC68U all run different versions of IPTables and IPSet which makes things painful as I'm maintaining 3 different scripts that do the same thing. I'll get around to it sooner or later.

 

[wbennett77]

Hey Adamm,

Thanks for sharing your work with us. I am using your script and being this is the first time I have ever used SSH and I have one question. I just upgraded the firmare to Merlins final .41 and I wanted to know if this area gets overwritten during the upgrade. I don't see the "starting ...." but I do see this:
Apr 19 09:45:52 Firewall: [Complete] 0 IPs currently banned. 0 New IP's Banned.
I am assuming that this means that it didn't get overwritten but being a rookie in this area just need to know for sure.

Cheers!

 

[Adamm]

Hey Adamm,

Thanks for sharing your work with us. I am using your script and being this is the first time I have ever used SSH and I have one question. I just upgraded the firmare to Merlins final .41 and I wanted to know if this area gets overwritten during the upgrade. I don't see the "starting ...." but I do see this:
Apr 19 09:45:52 Firewall: [Complete] 0 IPs currently banned. 0 New IP's Banned.
I am assuming that this means that it didn't get overwritten but being a rookie in this area just need to know for sure.

Cheers!

Looks like its working fine, if you see anything like that in the syslog you can confirm its been executed.

 

[wbennett77]

Thanks Adamm!

 

[idolza]

@Adamm thank you so much.

Managed to get it working and its been doing its work for me :

Apr 21 15:11:38 Firewall: [IP Banning Started] ... ... ...
Apr 21 15:11:39 Firewall: [Complete] 159 IPs currently banned. 2 New IP's Banned.

Having teenagers on the network, who aren't as careful - this also helps along with all the other measures I've put in place.

 

[wbennett77]

@Adamm thank you so much.

Managed to get it working and its been doing its work for me :

Apr 21 15:11:38 Firewall: [IP Banning Started] ... ... ...
Apr 21 15:11:39 Firewall: [Complete] 159 IPs currently banned. 2 New IP's Banned.

Having teenagers on the network, who aren't as careful - this also helps along with all the other measures I've put in place.

That's a lot of banned IPs. Did you add anything to the defaults such as additional countries?
Cheers!

Sent from my Galaxy S4 using Tapatalk

 

[sinshiva]

Hey Adamm,

Thanks for sharing your work with us. I am using your script and being this is the first time I have ever used SSH and I have one question. I just upgraded the firmare to Merlins final .41 and I wanted to know if this area gets overwritten during the upgrade. I don't see the "starting ...." but I do see this:
Apr 19 09:45:52 Firewall: [Complete] 0 IPs currently banned. 0 New IP's Banned.
I am assuming that this means that it didn't get overwritten but being a rookie in this area just need to know for sure.

Cheers!

sometimes JFFS is overwritten during upgrades so it would definitely be wise to backup from time to time.

 

[wbennett77]

One possibly strange question (rookie) but do I have to leave SSH enabled on the router for this to run correctly? The reason I ask is because as soon as I enable SSH the router log showed this but nothing before being enabled:

Apr 21 20:22:25 Firewall: [IP Banning Started] ... ... ...
Apr 21 20:22:26 Firewall: [Complete] 20 IPs currently banned. 20 New IP's Banned.

Maybe it's just a coincidence?

Cheers!

 

[Adamm]

One possibly strange question (rookie) but do I have to leave SSH enabled on the router for this to run correctly? The reason I ask is because as soon as I enable SSH the router log showed this but nothing before being enabled:


Maybe it's just a coincidence?

Cheers!

I believe your question was answered on IRC but for convience of others, no SSH being enabled is not a requirement but it is required to install the script (that or Telnet).

And for clarification, the "firewall-start" script is how the firewall addition is initiated on boot (or firewall restart), along with setting up two conjobs that save the IP list and back it up.


For others to see the scripts effectiveness, here's my firewalls results after a week.

Apr 22 15:00:02 Firewall: [Complete] 23942 IPs currently banned. 60 New IP's Banned.

 

[wbennett77]

Good morning,

Yes, after writing here I went directly to IRC and got the answer I was looking for.

A couple other things.....how do I get an update as to how many ip's have currently been banned and where would I go to get a country list that works with your script.

Thanks again!

Cheers!

 

[Adamm]

Good morning,

Yes, after writing here I went directly to IRC and got the answer I was looking for.

A couple other things.....how do I get an update as to how many ip's have currently been banned and where would I go to get a country list that works with your script.

Thanks again!

Cheers!

By default the cron should show this information every hour when the save command is executed. You can do this in ssh by using "firewall save"

Also the country lists are located here. The country can be added using "firewall country" command then it prompts you type the two letter abbreviation.