Skynet SkyNet/Firewall blocking all ping requests, including outbound

[nearlyheadlessarvie]

Hi, in my RT-AX86U with latest firmware, 3004.388.8, SkyNet/firewall is blocking all ping requests, including outbound, resulting in Internet-Connectivity failure. Well, to be fair I don't think its because of SkyNet, because I can't ping anyting even when it's uninstalled (iptables virtually unchanged after removing skynet).

Is there any way to allow outbound PING in my firewall-start script?

iptables -vnL --line-number

(other chains removed for brevity)

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 86 4096 INPUT_PING icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
2 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 500,4500
3 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
5 6351 1477K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 279 24167 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
7 2053 496K PTCSRVWAN all -- !br0 * 0.0.0.0/0 0.0.0.0/0
8 5200 440K PTCSRVLAN all -- br0 * 0.0.0.0/0 0.0.0.0/0
9 0 0 logdrop tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5152
10 5200 440K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
11 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec state NEW
12 940 234K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
13 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
14 0 0 INPUT_ICMP icmp -- * * 0.0.0.0/0 0.0.0.0/0
15 1113 262K WGSI all -- * * 0.0.0.0/0 0.0.0.0/0
16 1113 262K WGCI all -- * * 0.0.0.0/0 0.0.0.0/0
17 1113 262K OVPNSI all -- * * 0.0.0.0/0 0.0.0.0/0
18 1113 262K OVPNCI all -- * * 0.0.0.0/0 0.0.0.0/0
19 1113 262K logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 63036 23M IPSEC_DROP_SUBNET_ICMP all -- * * 0.0.0.0/0 0.0.0.0/0
2 63036 23M IPSEC_STRONGSWAN all -- * * 0.0.0.0/0 0.0.0.0/0
3 20 1440 PControls all -- br0 * 0.0.0.0/0 0.0.0.0/0 MAC 5C:62:8B:F9:7F:8E
4 0 0 PControls all -- br0 * 0.0.0.0/0 0.0.0.0/0 MAC FA:8A:15:45:02:88
5 18 2003 PControls all -- br0 * 0.0.0.0/0 0.0.0.0/0 MAC 2E:3D:E5:A6:6A:4F
6 59865 22M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec
8 3151 1316K WGSF all -- * * 0.0.0.0/0 0.0.0.0/0
9 3151 1316K OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
10 0 0 logdrop all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
11 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
12 112 4900 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
13 0 0 SECURITY all -- eth0 * 0.0.0.0/0 0.0.0.0/0
14 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
15 3039 1311K WGCF all -- * * 0.0.0.0/0 0.0.0.0/0
16 3039 1311K OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
17 3039 1311K VPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
18 3039 1311K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
19 0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT_ICMP (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
2 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 13
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT_PING (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec
2 2 64 logdrop icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain IPSEC_DROP_SUBNET_ICMP (1 references)
num pkts bytes target prot opt in out source destination

Chain IPSEC_STRONGSWAN (1 references)
num pkts bytes target prot opt in out source destination

Chain SECURITY (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 1/sec burst 5
2 0 0 logdrop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02
3 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
4 0 0 logdrop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04
5 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
6 0 0 logdrop icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
7 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

 

[eibgrad]

It's NOT uncommon for inbound pings to be denied in an effort for the router to remain stealthy. At least by default.

If outbound ping (or another traffic) was being denied from the router's own processes, then it would likely appear in the OUTPUT chain of the filter table, which you haven't provided.

iptables -vnL OUTPUT

 

[nearlyheadlessarvie]

Thank you for the clarification. I do get a passing truestealth check, but denying outbound seems too much. I do not remember when this started, and I wouldn't want to reset my router but it's becoming annoying already.

Here's the output chain btw:

Chain OUTPUT (policy ACCEPT 320K packets, 370M bytes)
pkts bytes target prot opt in out source destination
22579 1802K OUTPUT_DNS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0"
239 38576 OUTPUT_DNS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0"
433K 472M OUTPUT_IP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT_DNS (2 references)
pkts bytes target prot opt in out source destination
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|10706f697579747975696f706b6a666e6603636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0d72666a656a6e666a6e65666a6503636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|1131306166646d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f376d667364666173646d6b676d726b03636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0d386d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f3966646d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|1265666274686d6f6975796b6d6b6a6b6a677403636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|086861636b7563647403636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|076c696e77756469056633333232036e657400|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f6c6b6a68676664736174727975696f03636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0b6d6e627663787a7a7a313203636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|077131313133333303746f7000|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|057371353230056633333232036e657400|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|077563746b6f6e6503636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0e7a786376626d6e6e666a6a66777103636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0a65756d6d6167766e627003636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0b726f75746572736173757303636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|037777770b726f757465722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0377777709617375736c6f67696e03636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0d72657065617461722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE
0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|037777310b726f757465722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE

Chain OUTPUT_IP (1 references)
pkts bytes target prot opt in out source destination
0 0 logdrop_ip all -- * * 0.0.0.0/0 193.201.224.0/24
0 0 logdrop_ip all -- * * 0.0.0.0/0 51.15.120.245
0 0 logdrop_ip all -- * * 0.0.0.0/0 45.33.73.134
0 0 logdrop_ip all -- * * 0.0.0.0/0 190.115.18.28
0 0 logdrop_ip all -- * * 0.0.0.0/0 51.159.52.250
0 0 logdrop_ip all -- * * 0.0.0.0/0 190.115.18.86

 

[eibgrad]

I don't see anything in that dump of the OUTPUT chain(s) that would suggest ICMP was being actively blocked. At best, I suppose you might be blocked (perhaps completely) from specific LAN devices based on their MAC addresss due to Parental Controls (the PControls chain specifically referenced in the FORWARD chain). But that's about it.

P.S. IIRC, connectivity checking is sometimes based on success w/ DNS, NOT always ping. But again, I don't see any DNS matches being blocked by the firewall. Perhaps one of your add-ons is blocking name resolution w/ DNSMasq, pihole, Unbound, etc.

 

[Ripshod]

Perhaps the ISP is blocking it, or the op is on CG-NAT?

 

[dave14305]

If you want to see all rules from all tables, use:

iptables-save -c

Your earlier command was only showing the filter table. Skynet works on the raw table, plus there’s nat and mangle.

 

[nearlyheadlessarvie]

My router is on public IP and ping definitely works when firewall is off (with or without skynet). But I think I got it working now, at least from the router to the internet and LAN-to-LAN. LAN to internet is not working but there is no real need for it so it's all good.

Just added these iptables rules in firewall-start, before skynet start.

iptables -I INPUT 1 -p icmp -j INPUT_ICMP
iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Where INPUT_ICMP is:

Chain INPUT_ICMP (2 references)
pkts bytes target prot opt in out source destination
86 6908 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 13
2296 363K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

It is added by the firewall, when Respond ICMP echo request from WAN is off