Skynet Skynet Not Starting with IPTables Rules Failed

[Calkulin]

I installed 386.2 alpha 2-g0b90696715 and I now have 3x AC68Us that are not starting Skynet and all show IPTables Rules failed even though my AX88U is running fine with Skynet with the same build. I tried uninstalling/reinstalling Skynet and while it eventually started fine after the install, within a few mins, it showed the same failed error. Logs are showing Rule Integrity Violation - Restarting Firewall [ #9 #10 ] for those 3 AC68Us, anyone else having this same issue with the new alpha build or have suggestions on how to fix it? I looked at the source code and found what the errors are pointing to and ran the 4 checks manually and returned correct values. Tried running the commands manually and got "iptables: Bad rule (does a matching rule exist in that chain?)"

    if [ "$(nvram get sshd_enable)" = "1" ] && [ "$(nvram get sshd_bfp)" = "1" ] && [ "$(uname -o)" = "ASUSWRT-Merlin" ] && [ "$(nvram get switch_wantag)" != "movistar" ]; then
        iptables -C SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j SET --add-set Skynet-Blacklist src 2>/dev/null || fail="${fail}#9 "
        iptables -C SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "[BLOCKED - NEW BAN] " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null || fail="${fail}#10 "
    fi

 

[dave14305]

SSH Brute Force Protection was deprecated in 386.2 alphas. Skynet needs an update.

rc: remove SSH brute force protection option, as it is redundant · RMerl/asuswrt-merlin.ng@526f463

Asus's Protect Service daemon already takes care of blacklisting IPs that generate too many authentication failures on the SSH service.

github.com

What if you run:

nvram unset sshd_bfp
nvram commit

 

[Calkulin]

Makes sense but weird that it starts on the AX88U but not on the AC68Us

 

[dave14305]

Makes sense but weird that it starts on the AX88U but not on the AC68Us

Was brute force protection enabled on all of them, though? And more importantly, did the nvram command fix it?

 

[Calkulin]

Was brute force protection enabled on all of them, though? And more importantly, did the nvram command fix it?

Yes, all had it turned on and the unset command did fix it on all the AC68Us immediately, didn't even need to restart Skynet manually. Thanks a lot for that quick fix,

 

[dave14305]

Yes, all had it turned on and the unset command did fix it on all the AC68Us immediately, didn't even need to restart Skynet manually. Thanks a lot for that quick fix,

And all had SSH enabled for WAN? Both conditions must be met for the rule check to take effect.

 

[Calkulin]

And all had SSH enabled for WAN? Both conditions must be met for the rule check to take effect.

The AC68Us did but with access restriction enabled for local /24 and 1 external IP. The AX88U didn't, which explains why the AX88U didn't have that issue now that I think about it,

 

[isr25]

Skynet was updated yesterday by adamm00 to resolve this issue. Thanks Adamm00!

 

[evo17paul]

Hi, have an AX86U and recently updated SkyNet to 7.5.4 and also Merlin FW to 3004.388.6 and I am now faced with this IPTables Rules [Failed]
Integrity violation on Rule #22

Anyone seen this?
How do I show rule #22 please?

Thanks in advance

 

[evo17paul]

Just an update
I also updated AMTM and notice entware had disappeared

Reinstalled entware - Skynet not fixed
Uninstalled Skynet
Installed Skynet - All good
Updated filter list - All good
Update country bans - All good
Enabled Invalid Logs - Failed again - Violation Rule #22
Couldn't disabled Invalid Logs

Uninstalled Skynet
Installed Skynet - All good
Updated filter list - All good
Updated country bans - All good

Left at that and all seems to be working still
Bit odd that Entware disappeared from AMTM and when reinstalling it detected a previous install

 

[dave14305]

Hi, have an AX86U and recently updated SkyNet to 7.5.4 and also Merlin FW to 3004.388.6 and I am now faced with this IPTables Rules [Failed]
Integrity violation on Rule #22

Anyone seen this?
How do I show rule #22 please?

Thanks in advance

What’s the output of iptables --line -nL logdrop

 

[visortgw]

Just an update
I also updated AMTM and notice entware had disappeared

Reinstalled entware - Skynet not fixed
Uninstalled Skynet
Installed Skynet - All good
Updated filter list - All good
Update country bans - All good
Enabled Invalid Logs - Failed again - Violation Rule #22
Couldn't disabled Invalid Logs

Uninstalled Skynet
Installed Skynet - All good
Updated filter list - All good
Updated country bans - All good

Left at that and all seems to be working still
Bit odd that Entware disappeared from AMTM and when reinstalling it detected a previous install

My guess is that USB storage was not available/mounted.

 

[evo17paul]

What’s the output of iptables --line -nL logdrop

I'll take a look later and feedback as soon as

 

[evo17paul]

My guess is that USB storage was not available/mounted.

That's the odd thing, it seemed to be mounted no issue

 

[evo17paul]

What’s the output of iptables --line -nL logdrop

This is what I've got

Chain logdrop (55 references)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0

 

[dave14305]

This is what I've got

Chain logdrop (55 references)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0

Yes, it seems to be a new problem in the Skynet version released today.

 

[noworries]

Yup, v7.5.4, AC88U- No internet at all. Disabling Skynet doesn't help.

Any ideas how to manually modify IPTABLES to allow connections?

 

[dave14305]

Yup, v7.5.4, AC88U- No internet at all. Disabling Skynet doesn't help.

Any ideas how to manually modify IPTABLES to allow connections?

Check syslog in case it’s a dnsmasq issue with Skynet whitelist entries in /jffs/configs/dnsmasq.conf.add.

 

[noworries]

I happen to be configuring a new AX86U and notice that amtm says skynet [now?] requires a 2GB minimum swap file. My 88U install has a 1GB swap file from several years ago, FWIW.

 

[noworries]

Check syslog in case it’s a dnsmasq issue with Skynet whitelist entries in /jffs/configs/dnsmasq.conf.add.

There were a few empty lines at the head of the file. Deleting them didn't help.

But, I see a syslog message:

Error locking: /var/lock//usr/networkmap/[several files].js.lock

I have no such directory for lock files