Menu
What's new
By:
Filters Better Search

Skynet Skynet - Router Firewall & Security Enhancements

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

yk101 said:
Thanks! It is actually not that unique... I get a few thousands hits through the firewall, but then rejected by postfix DNS BL check every day (the same exact list I used in the ipset!). This actually makes me think that anything being forwarded to an internal host/port by the router may not be subject to rules set by ipset. Is that at all possible?
Click to expand...

From my understanding, all networking is handled via IPTables, being the IPSet blacklist is inserted at the top of the input chain, it _should_ take priority over all other rules for incoming traffic. Every example of IPSet blocking I can find uses the same method
yk101 said:
Adamm, I looked at the script, but can't see where it is being set (this may be because I'm a noob in sh scripting). I removed all of the sets from FW and re-run the script (v3.0)
Looking at the logging I see the following confirmation of my previous 64k limit assumption:

Code: 
Apr 25 14:47:27 Firewall: [Complete] 1 IPs currently banned. -55700 New IP's Banned. [0s]
Apr 25 14:48:28 Firewall: [Complete] 2 IPs currently banned. 1 New IP's Banned. [0s]
Apr 25 14:52:55 Firewall: [Complete] 63260 IPs currently banned. 63258 New IP's Banned. [236s]
Apr 25 15:00:28 Firewall: [Complete] 63270 IPs currently banned. 10 New IP's Banned. [28s]
Apr 25 16:00:28 Firewall: [Complete] 63331 IPs currently banned. 61 New IP's Banned. [28s]
Apr 25 16:22:22 Firewall: [Complete] 63358 IPs currently banned. 27 New IP's Banned. [7s]
Apr 25 16:49:41 Firewall: [Complete] 65537 IPs currently banned. 2179 New IP's Banned. [383s]
Apr 25 16:55:53 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [2s]
Apr 25 17:00:04 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [4s]
Apr 25 17:01:40 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [2s]
Apr 25 18:00:05 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [5s]
Apr 25 19:00:05 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [5s]

Once the count hits 65537 (64k), new bans are not being added. Is it possible that something is broken in ipset 6?
Click to expand...

This is because you're importing configuration for an IPSet without maxelem specified. Manually edit your /jffs/scripts/ipset.txt file so you have a line similar to this;

Code: 
create Blacklist hash:ip family inet hashsize 4096 maxelem 500000

Then run;

Code: 
ipset destroy Blacklist
ipset -q -R  < /jffs/scripts/ipset.txt
 
Adamm said:
From my understanding, all networking is handled via IPTables, being the IPSet blacklist is inserted at the top of the input chain, it _should_ take priority over all other rules for incoming traffic. Every example of IPSet blocking I can find uses the same method


This is because you're importing configuration for an IPSet without maxelem specified. Manually edit your /jffs/scripts/ipset.txt file so you have a line similar to this;

Code: 
create Blacklist hash:ip family inet hashsize 4096 maxelem 500000

Then run;

Code: 
ipset destroy Blacklist
ipset -q -R  < /jffs/scripts/ipset.txt
Click to expand...

Thanks! Will try that.
 
yk101 said:
Thanks! Will try that.
Click to expand...

Okay so I had some free time and decided to look into this issue again as it was bugging me and I think I found the issue.

These requests (among others like http) are handled by the FOWARD chain which wasn't being filtered by the IPSet. I went ahead and did a quick change to the script so it also filters this chain also. This should fix the issue and block those requests. Give it a try and let me know.
 
swetoast said:
yes, sadly none of the authors have picked me up on my offer to put up official installation instructions on the wiki

but its almost like all the other scripts get the script from this post

https://www.snbforums.com/threads/h...et-firewall-addition.16798/page-7#post-312136

  • Enable and format JFFS through WEB UI first (if not already enabled)

  • Then place the content to /jffs/scripts/IPSET_Block.sh

  • Then make it executable:
chmod +x /jffs/scripts/IPSET_Block.sh

  • Finally call this at the end of your existing /jffs/firewall-start:
# Load ipset filter rules
sh /jffs/scripts/IPSET_Block.sh

  • then append the following line to /jffs/scripts/services-start:
cru a dynamic-filter "0 */4 * * * /jffs/scripts/IPSET_Block.sh"

this is just an example of how to but it should work

@Martineau that should cover it, shouldn't it ?
Click to expand...

Thanks for this information. Sadly when applying those settings this error pops up.

Code: 
admin@RT-AC66U:/jffs/scripts# sh firewall
#!/bin/sh
#################################################################################################
## - 02/05/2017 ---        RT-AC56U/RT-AC68U Firewall Addition By Adamm v3.1 -                     #
###################################################################################################################
###                  ----- Make Sure To Edit The Following Files -----                 #
### /jffs/scripts/firewall-start                    <-- Sets up cronjob/iptables rules         #
### /jffs/scripts/firewall                    <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                    <-- Banned IP List/IPSet Rules             #
###################################################################################################################

##############################
###         Commands          ###
##############################
UNBANSINGLE="unban"          # <-- Remove Single IP From Blacklist
UNBANALL="unbanall"          # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall"       # <-- Remove All Entries From Blacklist
SAVEIPSET="save"             # <-- Save Blacklists to /jffs/scripts/ipset.txt
BANSINGLE="ban"              # <-- Adds Entry To Blacklist
BANCOUNTRYSINGLE="country"   # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry"  # <-- Bans specified countries in this file
BANMALWARE="banmalware"      # <-- Bans various malware domains
WHITELIST="whitelist"        # <-- Add IPs from path to Whitelist
NEWLIST="new"            # <-- Create new IPSet Blacklist
##############################

Correct Settings Detected.
Correct Settings Detected.
Enabled Firewall Logging
firewall: line 196: echo: Bad address
[IP Banning Started] ... ... ...
firewall: line 196: can't open /jffs/scripts/ipset.txt: no such file
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
firewall: line 196: echo: Bad address
ipset v4.5: Unknown set
expr: syntax error
[Complete] -6 IPs currently banned.  New IP's Banned. [8s]
expr: syntax error

Fixed the missing file /jffs/script/ipset.txt already, but the other errors I dont understand. Using this script on AC66U Merlinwrt
 
Last edited:
steef84 said:
Thanks for this information. Sadly when applying those settings this error pops up.

Code: 
admin@RT-AC66U:/jffs/scripts# sh firewall
#!/bin/sh
#################################################################################################
## - 02/05/2017 ---        RT-AC56U/RT-AC68U Firewall Addition By Adamm v3.1 -                     #
###################################################################################################################
###                  ----- Make Sure To Edit The Following Files -----                 #
### /jffs/scripts/firewall-start                    <-- Sets up cronjob/iptables rules         #
### /jffs/scripts/firewall                    <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                    <-- Banned IP List/IPSet Rules             #
###################################################################################################################

##############################
###         Commands          ###
##############################
UNBANSINGLE="unban"          # <-- Remove Single IP From Blacklist
UNBANALL="unbanall"          # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall"       # <-- Remove All Entries From Blacklist
SAVEIPSET="save"             # <-- Save Blacklists to /jffs/scripts/ipset.txt
BANSINGLE="ban"              # <-- Adds Entry To Blacklist
BANCOUNTRYSINGLE="country"   # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry"  # <-- Bans specified countries in this file
BANMALWARE="banmalware"      # <-- Bans various malware domains
WHITELIST="whitelist"        # <-- Add IPs from path to Whitelist
NEWLIST="new"            # <-- Create new IPSet Blacklist
##############################

Correct Settings Detected.
Correct Settings Detected.
Enabled Firewall Logging
firewall: line 196: echo: Bad address
[IP Banning Started] ... ... ...
firewall: line 196: can't open /jffs/scripts/ipset.txt: no such file
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
firewall: line 196: echo: Bad address
ipset v4.5: Unknown set
expr: syntax error
[Complete] -6 IPs currently banned.  New IP's Banned. [8s]
expr: syntax error

Fixed the missing file /jffs/script/ipset.txt already, but the other errors I dont understand. Using this script on AC66U Merlinwrt
Click to expand...

This is because you are using a non ARM based router that uses an older ipset version. I may add support in future when I get some spare time.

I believe Martineau's version of this script supports your router which is what the post you quoted was referring to.
 
Ahhhh thanks for your prompt reply! Will see if you add mips support in the future... in the meanwhile I'll try and look in the Martineau's thread
 
This script is now hosted on GitHub, you can follow the most recent changes here.

I suggest all users update. I added some features today like a update function (painless script updating), debug mode (show whats actually being blocked in syslog) and a disable command.
 
Sorry if this is stupid, but is this supported on the AC87U? I'm led to believe its ARM based on specs, but wanted to be sure!
 
Jack Yaz said:
Sorry if this is stupid, but is this supported on the AC87U? I'm led to believe its ARM based on specs, but wanted to be sure!
Click to expand...

I haven't been able to personally test this as I don't have the device, but in theory it should work. Feel free to give it a try and let me know.
 
Is this also OK to run on the router itself, or should a USB be used for the jffs scripts? I read somewhere that nvram commit calls will wear the flash?
 
There was some testing done a long time ago around this debate and it was a general consensus that these type of scripts running from jffs shouldn't do any long term damage.
 
Ok thanks. If i wanted to point ipset etc. to usb, presumably I just have to change the paths in your script?
 
Also, the line below, is this needed if I'm not running anything in that subnet?

ipset -q -A Whitelist 192.168.1.0/24
 
Jack Yaz said:
Ok thanks. If i wanted to point ipset etc. to usb, presumably I just have to change the paths in your script?
Click to expand...
Yes it would be as simple as modifying the paths in firewall / firewall-start, but that will be up to you to modify. I also like to symlink /jffs/scripts/firewall to /opt/bin for easier execution.

Jack Yaz said:
Also, the line below, is this needed if I'm not running anything in that subnet?

ipset -q -A Whitelist 192.168.1.0/24
Click to expand...

Sure but I keep it as a hardcoded failsafe as the SPI firewall sometimes blocks you out for whatever reason.
 
I'm guessing opt is if running optware? Which I'm not atm, wasn't sure what advantages there were to it.

Would I need to adapt that line to my actual subnet? e.g. 10.14.16.0/24 ?
 
Jack Yaz said:
I'm guessing opt is if running optware? Which I'm not atm, wasn't sure what advantages there were to it.

Would I need to adapt that line to my actual subnet? e.g. 10.14.16.0/24 ?
Click to expand...

Entware which is a modern version of optware which can be installed fairly easily.

The script should detect your subnet from nvram in the following line for any non default configurations. It wouldn't hurt to leave that line in too.

Code: 
ipset -q -A Whitelist `nvram get lan_ipaddr`/24
 
I suggest anyone using this update to the latest version, I have rewritten it to use case statements as they are slightly faster (and more flexible). I have also been cleaning up various parts of code throughout the week and adding new features.

Both /jffs/scripts/firewall and /jffs/scripts/firewall-start need to be updated!
 
Last edited:
Adamm said:
I suggest anyone using this update to the latest version, I have rewritten it to use case statements as they are slightly faster (and more flexible). I have also been cleaning up various parts of code throughout the week and adding new features.

Both /jffs/scripts/firewall and /jffs/scripts/firewall-start need to be updated!
Click to expand...

Hey buddy, I think there is a typo in the script - check the spelling for "banmalware" case - you have "balmalware", otherwise great work! Thanks.

Code: 
admin@RT-AC88U:/jffs/scripts# sh -x ./firewall banmalware

+ date +%s
+ start_time=1494205019
+ cat /jffs/scripts/firewall
+ head -29
#!/bin/sh
#################################################################################################
## - 08/05/2017 ---        RT-AC56U/RT-AC68U Firewall Addition By Adamm v3.4.1 -          #
##                     https://github.com/Adamm00/IPSet_ASUS            #
###################################################################################################################
###                  ----- Make Sure To Edit The Following Files -----                  #
### /jffs/scripts/firewall-start                    <-- Sets up cronjob/iptables rules          #
### /jffs/scripts/firewall                    <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                    <-- Banned IP List/IPSet Rules              #
###################################################################################################################

##############################
###      Commands      ###
##############################

#      "unban"        # <-- Remove Single IP From Blacklist
#      "unbanall"        # <-- Remove All Entries From Blacklist
#      "save"        # <-- Save Blacklists to /jffs/scripts/ipset.txt
#      "ban"            # <-- Adds Entry To Blacklist
#       "country"        # <-- Adds entire country to blacklist
#      "bancountry"        # <-- Bans specified countries in this file
#      "banmalware"        # <-- Bans various malware domains
#      "whitelist"        # <-- Add IP range to whitelist
#      "import"        # <-- Import and merge IPSet save to firewall
#      "disable"        # <-- Disable Firewall
#      "debug"        # <-- Enable/Disable Debug Output
#      "update"        # <-- Update Script to latest version (check github for changes)
#      "start"        # <-- Initiate Firewall
##############################

+ echo Command not found, please try again.

Command not found, please try again.
+ Logging
+ nvram get Blacklist
+ OLDIPS=39
+ nvram get BlockedRanges
+ OLDRANGES=0
+ ipset -L Blacklist
+ wc -l
+ expr 60 - 7
+ nvram set Blacklist=53
+ ipset -L BlockedRanges
+ wc -l
+ expr 7 - 7
+ nvram set BlockedRanges=0
+ nvram get Blacklist
+ NEWIPS=53
+ nvram get BlockedRanges
+ NEWRANGES=0
+ nvram commit
+ iptables --line -nvL INPUT
+ grep -E set.*Blacklist
+ awk {print $2}
+ iptables --line -nvL INPUT
+ grep -E set.*BlockedRanges
+ awk {print $2}
+ awk {print $2}
+ iptables --line -nvL FORWARD
+ grep -E set.*Blacklist
+ awk {print $2}
+ iptables --line -nvL FORWARD
+ grep -E set.*BlockedRanges
+ expr 66 + 0 + 185 + 0
+ HITS=251
+ date +%s
+ expr 1494205020 - 1494205019
+ start_time=1
+ expr 53 - 39
+ expr 0 - 0
+ echo 1
+ logger -st Firewall [Complete] 53 IPs / 0 Ranges banned. 14 New IPs / 0 New Ranges Banned. 251 Connections Blocked! [1s]
Firewall: [Complete] 53 IPs / 0 Ranges banned. 14 New IPs / 0 New Ranges Banned. 251 Connections Blocked! [1s]
 
yk101 said:
Hey buddy, I think there is a typo in the script - check the spelling for "banmalware" case - you have "balmalware", otherwise great work! Thanks.

Code: 
admin@RT-AC88U:/jffs/scripts# sh -x ./firewall banmalware

+ date +%s
+ start_time=1494205019
+ cat /jffs/scripts/firewall
+ head -29
#!/bin/sh
#################################################################################################
## - 08/05/2017 ---        RT-AC56U/RT-AC68U Firewall Addition By Adamm v3.4.1 -          #
##                     https://github.com/Adamm00/IPSet_ASUS            #
###################################################################################################################
###                  ----- Make Sure To Edit The Following Files -----                  #
### /jffs/scripts/firewall-start                    <-- Sets up cronjob/iptables rules          #
### /jffs/scripts/firewall                    <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                    <-- Banned IP List/IPSet Rules              #
###################################################################################################################

##############################
###      Commands      ###
##############################

#      "unban"        # <-- Remove Single IP From Blacklist
#      "unbanall"        # <-- Remove All Entries From Blacklist
#      "save"        # <-- Save Blacklists to /jffs/scripts/ipset.txt
#      "ban"            # <-- Adds Entry To Blacklist
#       "country"        # <-- Adds entire country to blacklist
#      "bancountry"        # <-- Bans specified countries in this file
#      "banmalware"        # <-- Bans various malware domains
#      "whitelist"        # <-- Add IP range to whitelist
#      "import"        # <-- Import and merge IPSet save to firewall
#      "disable"        # <-- Disable Firewall
#      "debug"        # <-- Enable/Disable Debug Output
#      "update"        # <-- Update Script to latest version (check github for changes)
#      "start"        # <-- Initiate Firewall
##############################

+ echo Command not found, please try again.

Command not found, please try again.
+ Logging
+ nvram get Blacklist
+ OLDIPS=39
+ nvram get BlockedRanges
+ OLDRANGES=0
+ ipset -L Blacklist
+ wc -l
+ expr 60 - 7
+ nvram set Blacklist=53
+ ipset -L BlockedRanges
+ wc -l
+ expr 7 - 7
+ nvram set BlockedRanges=0
+ nvram get Blacklist
+ NEWIPS=53
+ nvram get BlockedRanges
+ NEWRANGES=0
+ nvram commit
+ iptables --line -nvL INPUT
+ grep -E set.*Blacklist
+ awk {print $2}
+ iptables --line -nvL INPUT
+ grep -E set.*BlockedRanges
+ awk {print $2}
+ awk {print $2}
+ iptables --line -nvL FORWARD
+ grep -E set.*Blacklist
+ awk {print $2}
+ iptables --line -nvL FORWARD
+ grep -E set.*BlockedRanges
+ expr 66 + 0 + 185 + 0
+ HITS=251
+ date +%s
+ expr 1494205020 - 1494205019
+ start_time=1
+ expr 53 - 39
+ expr 0 - 0
+ echo 1
+ logger -st Firewall [Complete] 53 IPs / 0 Ranges banned. 14 New IPs / 0 New Ranges Banned. 251 Connections Blocked! [1s]
Firewall: [Complete] 53 IPs / 0 Ranges banned. 14 New IPs / 0 New Ranges Banned. 251 Connections Blocked! [1s]
Click to expand...
Thanks, pushed the fix.
 
You must log in or register to reply here.

Similar threads

W
Looking for an add-on that does...
Replies
5
Views
2K
JGrana
JGrana
Viktor Jaep
Skynet Filter Validator v0.7 - Skynet Firewall Filter List IPv4 Integrity Validator
3 4 5
Replies
83
Views
13K
SomeWhereOverTheRainBow
SomeWhereOverTheRainBow
Viktor Jaep
TAILMON TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (Now available in AMTM!)
Replies
2
Views
247
Viktor Jaep
Viktor Jaep
RMerlin
Fun with ChatGPT...
2
Replies
33
Views
2K
RMerlin
RMerlin
M
Firewall doesen't block custom rules, neighter Skynet
Replies
0
Views
1K
MamaLing
M
Similar threads
Thread starter Title Forum Replies Date
Klonoa Skynet Skynet causes router to crash and reboot Asuswrt-Merlin AddOns 1
S Skynet Skynet showing router itself making calls to China? Asuswrt-Merlin AddOns 26
J Skynet Skynet - Blocked outbounds coming from the router itself? Asuswrt-Merlin AddOns 12
O Skynet Installing Skynet causes router to crash and reboot Asuswrt-Merlin AddOns 26
L Skynet I have installed the skynet firewall how do I configure it if the security of iot devices is important? Asuswrt-Merlin AddOns 2
Davidncali001 Skynet Message on SKYNET I havent seen before Asuswrt-Merlin AddOns 1
S Skynet firewall reduces wireless range Asuswrt-Merlin AddOns 14
P Skynet Internet speed lower with Skynet on Asuswrt-Merlin AddOns 9
N Skynet SkyNet/Firewall blocking all ping requests, including outbound Asuswrt-Merlin AddOns 6
W Skynet SOLVED: Scrollbar Disappears on Skynet Tab on Asuswrt-Merlin 386.14 Asuswrt-Merlin AddOns 10

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 892 (members: 16, guests: 876)
Top