Skynet Skynet - Router Firewall & Security Enhancements


Great! Thanks Adamm!

Now another small issue - after running for a while, the script stopped showing one of the counters (number of connections blocked):

Code:
May  8 14:00:05 Firewall: [Complete] 112244 IPs / 16927 Ranges banned. 33 New IPs / 0 New Ranges Banned. 82003 Connections Blocked! [5s]
May  8 15:00:05 Firewall: [Complete] 112265 IPs / 16927 Ranges banned. 21 New IPs / 0 New Ranges Banned. 87118 Connections Blocked! [5s]
May  8 16:00:05 Firewall: [Complete] 112298 IPs / 16927 Ranges banned. 33 New IPs / 0 New Ranges Banned. 92182 Connections Blocked! [5s]
May  8 17:00:05 Firewall: [Complete] 112323 IPs / 16927 Ranges banned. 25 New IPs / 0 New Ranges Banned. 97124 Connections Blocked! [5s]
May  8 18:00:05 Firewall: [Complete] 112342 IPs / 16927 Ranges banned. 19 New IPs / 0 New Ranges Banned. 102622 Connections Blocked! [5s]
May  8 19:00:05 Firewall: [Complete] 112367 IPs / 16927 Ranges banned. 25 New IPs / 0 New Ranges Banned.  Connections Blocked! [5s]
May  8 20:00:05 Firewall: [Complete] 112393 IPs / 16927 Ranges banned. 26 New IPs / 0 New Ranges Banned.  Connections Blocked! [5s]
 
Ah, I think I see the problem:

Code:
admin@RT-AC88U:/jffs/scripts# iptables --line -nvL FORWARD | grep -E "set.*Blacklist" | awk '{print $2}'
115K

It seems that once you get above a certain number, you get back an abbreviation that the script chokes on while trying to add up values in the 'HITS=' line of the logging routine. The actual error thrown is "expr: non-numeric argument".
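An added example, not code from this thread or from the Skynet script, of handling the abbreviated counter the post above ran into. iptables prints large packet counts as "115K" or "16M" unless exact output is requested, so summing the pkts column with `expr` fails once a chain gets busy. The block expands the abbreviation for the case where only the abbreviated output is at hand, and notes the `-x` (`--exact`) flag that avoids the problem altogether. The counter values are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Skynet script.
# iptables abbreviates large counters ("115K", "16M") unless asked for exact
# values, so a naive `expr` over the pkts column fails once a chain is busy.
# Two remedies are shown: expand the abbreviation, or ask for exact counts.

# Constructed sample of the pkts column once counters grow, i.e. what
#   iptables -nvL FORWARD | grep -E "set.*Blacklist" | awk '{print $2}'
# might print for several rules.
SAMPLE_COUNTS="115K
3974
16M
276"

# expand_count VALUE -> VALUE as a plain integer.
# iptables rounds to decimal units (K = 1000, M = 1000000, G = 1000000000),
# so the result is an approximation of the true count, not the exact figure.
expand_count() {
    n=$1
    case "$n" in
        *K) echo $(( ${n%K} * 1000 )) ;;
        *M) echo $(( ${n%M} * 1000000 )) ;;
        *G) echo $(( ${n%G} * 1000000000 )) ;;
        "" | *[!0-9]*) echo "expand_count: non-numeric value '$n'" >&2; return 1 ;;
        *)  echo "$n" ;;
    esac
}

# total_blocked "<newline-separated counters>" -> their sum, or failure on
# an unparseable value (the case the original `expr` tripped over).
total_blocked() {
    sum=0
    for c in $1; do
        v=$(expand_count "$c") || return 1
        sum=$(( sum + v ))
    done
    echo "$sum"
}

# Preferred fix: -x / --exact makes iptables print full numbers, so no
# expansion is needed at all. Shown as a command line only, since this
# example does not touch the live firewall:
#   iptables -xnvL FORWARD | grep -E "set.*Blacklist" | awk '{print $2}'

echo "approximate connections blocked: $(total_blocked "$SAMPLE_COUNTS")"
```

The expansion is only worth keeping as a fallback for log lines that were already written in abbreviated form; for the live counter, `iptables -x` gives the exact value and the arithmetic never sees a suffix.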
 

Thanks, I play with my firewall too much to let the counter get that high so never noticed it :p

I pushed a fix and also a change to when packets are blocked. From now on the blacklists are added to the "raw" table rather than the filter table and should use less CPU/memory; that way the packets are handled sooner, without the need to go through conntrack+mangle+nat+routing.

After updating please reset the firewall to flush iptables rules (or reboot)

Code:
service restart_firewall
 
I've also added two new commands;

bandomain & unbandomain - As the name suggests, it looks up any associated IPs (via nslookup) and bans them (and anything else hosted on the same IP).
 
@Adamm, I ran /jffs/scripts/firewall update and received the following error:

Code:
Firewall: [New Version Detected - Updating]... ... ...
Firewall: [Complete] 111980 IPs / 30541 Ranges banned. 0 New IPs / 0 New Ranges Banned.  IP /  Range Connections Blocked! [2s]
./firewall: line 297: s: not found
./firewall: line 299: syntax error: unexpected ";;"
 

That can be safely ignored. I added a cleaner exit after updating in the newest version just now.

Also it looks like you haven't got your IPTables rules active (possibly because you updated from the version prior to switching to the raw table) Run the following;

Code:
service restart_firewall

Also make sure you have the newest version of firewall-start applied (but based on your output I assume you do)
 

Hmm... I've done it this morning as I was leaving from work. Now I find that I can't access the router anymore from outside. Traffic seems to be passing through, and my VPN to/from other devices works properly, so I assume that my router just needs a reboot, but thought I'd bring it up just in case...
 

Try a reboot first, it's always easier to debug something on a fresh slate. By access to the router I assume you mean the GUI?

After rebooting (if the problem still persists) first issue;

Code:
sh /jffs/scripts/firewall disable

Let me know if that allows you to once again access the router, that way we can narrow it down to an IP being blacklisted that shouldn't be.
 
I have pushed another recommended update, this helps with private IPs being banned by mistake by either the SPI firewall or malware lists.
 

Running the latest v3.5.2 here, looks to me like I am getting some hits. :)

Code:
admin@RT-AC3100:/jffs/scripts# iptables -vL -nt raw
Chain PREROUTING (policy ACCEPT 460K packets, 89M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 126K   16M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist src
   84  3974 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges src
  276 34258 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

Nice script, thanks! ;)
 
OK, attempted to use update:

Code:
irewall: [New Version Detected - Updating]... ... ...
Firewall: [Complete] 114104 IPs / 16927 Ranges banned. 1 New IPs / 0 New Ranges Banned. 111K IP / 1487 Range Connections Blocked! [2s]
./firewall: line 342: syntax error: unterminated quoted string
admin@RT-AC88U:/jffs/scripts#

Rebooting now.
 

That error can be ignored, like the one @HardCat posted earlier it was due to a dirty exit (which has now been fixed)
 
Ok, rebooted with the latest version (skynet is a nice touch!). Also whitelisted /16 for my work domain. Will see tomorrow if that part works.
 
@Adamm, I love your script, and hope you don't mind, if I make a few suggestions:

1. Please remove hardcoded whitelist /32 address - I'm sure it is important to you, but makes no sense for the rest of us to have it as an exception (call me paranoid?);
2. When checking for the update, instead of cat and check the whole file, just grep for and check version label. This will prevent unnecessary overriding whatever custom changes we make to adjust the script to individual requirements.

Those are not principal issues, but mostly for the convenience of the general population of your users.
 

1.) I must have removed the comment I originally had in front of it at some point. That IP is for GitHub so the update server doesn't get banned by accident.

Code:
admin@RT-AC68U-EE20:/tmp/mnt/Main/entware/tmp# nslookup raw.githubusercontent.com
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name: raw.githubusercontent.com
Address 1: 151.101.96.133


2.) I agree with this (and will add it anyway), but I don't think this will help your situation regardless. If you did have custom changes, upon detecting a new version string, it would overwrite them with the update. Maybe I should add a check arg (that doesn't update) so users like yourself can see if there's an update and make the necessary adjustments manually?
 
And done.

The update command now supports the following arguments;

sh /jffs/scripts/firewall update check (Check for updates only)
sh /jffs/scripts/firewall update -f (Force Update)

Update checking is now also based on the version, not the contents of the file as per request.
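An added example, not the Skynet script's own update code, of the version-label check discussed in the two posts above: compare a version line rather than the whole file, so local customisations do not read as "a new version", and build the three `update`, `update check` and `update -f` behaviours on top of that comparison. It assumes, hypothetically, that both the installed and the published script carry a line of the form `VERSION="x.y.z"`; Skynet's real variable name may differ. Both files are constructed stand-ins written to a temporary directory.

```shell
#!/bin/sh
# Added example, not the Skynet script's own update code. Compares a VERSION
# label instead of whole-file contents, then implements the modes of
# `firewall update [check|-f]` on top of that comparison.
# Assumption (hypothetical): both copies carry a line VERSION="x.y.z".

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed stand-ins: the installed script (with a local customisation)
# and the published copy; in practice the latter is fetched from the server.
cat > "$TMP/installed.sh" <<'EOF'
#!/bin/sh
VERSION="3.5.2"
EXTRA_WHITELIST="192.0.2.0/24"   # local change that must not trigger an update
EOF
cat > "$TMP/remote.sh" <<'EOF'
#!/bin/sh
VERSION="3.5.3"
EOF

# version_of FILE -> value of the first VERSION="..." line (empty if none)
version_of() {
    sed -n 's/^VERSION="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# version_gt A B -> true when dotted version A is strictly newer than B.
# Numeric per-field sort works on busybox too, unlike GNU `sort -V`.
version_gt() {
    [ "$1" != "$2" ] || return 1
    top=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
    [ "$top" = "$1" ]
}

# update_status INSTALLED REMOTE -> up-to-date | update-available | local-is-newer
update_status() {
    local_v=$(version_of "$1")
    remote_v=$(version_of "$2")
    if [ -z "$local_v" ] || [ -z "$remote_v" ]; then
        echo "no VERSION label found" >&2; return 1
    elif [ "$local_v" = "$remote_v" ]; then echo up-to-date
    elif version_gt "$remote_v" "$local_v"; then echo update-available
    else echo local-is-newer
    fi
}

# run_update MODE INSTALLED REMOTE, MODE being "check", "-f" or "" as in
# `firewall update [check|-f]`. Prints what happened.
run_update() {
    status=$(update_status "$2" "$3") || return 1
    case "$1" in
        check) echo "$status" ;;
        -f)    cp "$3" "$2"; echo forced ;;
        "")    if [ "$status" = update-available ]; then cp "$3" "$2"; echo updated
               else echo "$status"; fi ;;
        *)     echo "unknown mode '$1'" >&2; return 1 ;;
    esac
}

echo "check: $(run_update check "$TMP/installed.sh" "$TMP/remote.sh")"
```

Because only the label is compared, the `EXTRA_WHITELIST` line in the installed copy has no effect on the decision; it is still overwritten when an update is applied, which is why the `check` mode exists for people who carry local edits.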
 
Another major update. I've consolidated the multiple "ban / unban / whitelist" commands (and previously un-added functionality) into single commands. Each now accepts multiple arguments and supports complete automation. In doing so I also rewrote the country banning code and it is now 12x faster.

Example commands now accepted;

Code:
Here Are Some Example Unban Commands;
"./jffs/scripts/firewall unban" This Requires Manual Input (Only IPs accepted)
"./jffs/scripts/firewall unban 8.8.8.8" This Unbans The IP Specified
"./jffs/scripts/firewall unban range 8.8.8.8/24" This Unbans the CIDR Block Specified
"./jffs/scripts/firewall unban domain" This Requires Manual Input (Only Domains Accepted)
"./jffs/scripts/firewall unban domain google.com" This Unbans the URL Specified
"./jffs/scripts/firewall unban all" This Unbans All Entries From Both Blacklists

Here Are Some Example Ban Commands;
"./jffs/scripts/firewall ban" This Requires Manual Input (Only IPs accepted)
"./jffs/scripts/firewall ban 8.8.8.8" This Bans The IP Specified
"./jffs/scripts/firewall ban range 8.8.8.8/24" This Bans the CIDR Block Specified
"./jffs/scripts/firewall ban domain" This Requires Manual Input (Only Domains Accepted)
"./jffs/scripts/firewall ban domain google.com" This Bans the URL Specified
"./jffs/scripts/firewall ban country pk" This Bans The Known IPs For The Specified Country http://www.ipdeny.com/ipblocks/data/countries/

Here Are Some Example Banmalware Commands;
"./jffs/scripts/firewall banmalware" This Bans IPs From The Predefined Filter List
"./jffs/scripts/firewall banmalware google.com/filter.list" This Uses The Filter List From The Specified URL

Here Are Some Example Whitelist Commands;
"./jffs/scripts/firewall whitelist" This Requires Manual Input (Only IPs accepted)
"./jffs/scripts/firewall whitelist IP" This Bans The IP or Range Specified
"./jffs/scripts/firewall whitelist domain" This Requires Manual Input (Only Domains Accepted)
"./jffs/scripts/firewall whitelist domain google.com" This Bans the URL Specified

Here Are Some Example Debug Commands;
"./jffs/scripts/firewall debug enable" Enable Debugging To Syslog
"./jffs/scripts/firewall debug disable" Disable Debugging

Here Are Some Example Update Commands;
"./jffs/scripts/firewall update" Standard Update Check - If Nothing Detected Exit
"./jffs/scripts/firewall update check" Check For Updates Only - Won't Update If Detected
"./jffs/scripts/firewall update -f" Force Update Even If No Changes Detected
 
Another major update. I've consolidated the multiple "ban / unban / whitelist" commands (and previously un-added functionality) into single commands. Each now accepts multiple arguments and supports complete automation. In doing so I also rewrote the country banning code and is now x12 faster.

Example commands now accepted;

Code:
Here Are Some Example Unban Commands;
"./jffs/scripts/firewall unban" This Requires Manual Input (Only IPs accepted)
"./jffs/scripts/firewall unban 8.8.8.8" This Unbans The IP Specified
"./jffs/scripts/firewall unban range 8.8.8.8/24" This Unbans the CIDR Block Specified
"./jffs/scripts/firewall unban domain" This Requires Manual Input (Only Domains Accepted)
"./jffs/scripts/firewall unban domain google.com" This Unbans the URL Specified
"./jffs/scripts/firewall unban all" This Unbans All Entries From Both Blacklists

Here Are Some Example Ban Commands;
"./jffs/scripts/firewall ban" This Requires Manual Input (Only IPs accepted)
"./jffs/scripts/firewall unban 8.8.8.8" This Bans The IP Specified
"./jffs/scripts/firewall unban range 8.8.8.8/24" This Bans the CIDR Block Specified
"./jffs/scripts/firewall unban domain" This Requires Manual Input (Only Domains Accepted)
"./jffs/scripts/firewall unban domain google.com" This Bans the URL Specified
"./jffs/scripts/firewall country pk" This Bans The Known IPs For The Specified Country http://www.ipdeny.com/ipblocks/data/countries/

Here Are Some Example Banmalware Commands;
"./jffs/scripts/firewall banmalware" This Bans IPs From The Predefined Filter List
"./jffs/scripts/firewall banmalware google.com/filter.list" This Uses The Filter List From The Specified URL

Here Are Some Example Whitelist Commands;
"./jffs/scripts/firewall unban" This Requires Manual Input (Only IPs accepted)
"./jffs/scripts/firewall unban IP" This Bans The IP or Range Specified
"./jffs/scripts/firewall unban domain" This Requires Manual Input (Only Domains Accepted)
"./jffs/scripts/firewall whitelist domain google.com" This Bans the URL Specified

Here Are Some Example Debug Commands;
"./jffs/scripts/firewall debug enable" Enable Debugging To Syslog
"./jffs/scripts/firewall debug disable" Disable Debugging

Here Are Some Example Update Commands;
"./jffs/scripts/firewall update" Standard Update Check - If Nothing Detected Exit
"./jffs/scripts/firewall update check" Check For Updates Only - Won't Update If Detected
"./jffs/scripts/firewall update -f" Force Update Even If No Changes Detected

In the file "README.md" I noticed unban is referenced where I think you meant to ban.

Code:
Here Are Some Example Ban Commands;
"./jffs/scripts/firewall ban" This Requires Manual Input (Only IPs accepted)
"./jffs/scripts/firewall unban 8.8.8.8" This Bans The IP Specified
"./jffs/scripts/firewall unban range 8.8.8.8/24" This Bans the CIDR Block Specified
"./jffs/scripts/firewall unban domain" This Requires Manual Input (Only Domains Accepted)
"./jffs/scripts/firewall unban domain google.com" This Bans the URL Specified
"./jffs/scripts/firewall country pk" This Bans The Known IPs For The Specified Country http://www.ipdeny.com/ipblocks/data/countries/

Great Script BTW...
 

Thanks, had a bit of free time lately so decided to put some effort into improving it, although I'm starting to run low on ideas :p
 
Does this work with dnscrypt? Been having some issues with Martineau's version, despite whitelisting the proxy IP, DNS would fail until I flushed the lists. So I'm guessing an IP was being banned that shouldn't have been. Too many IPs in the blacklist for me to reasonably find which though!
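An added example, not code from this thread or from Skynet, covering the two halves of the question above and of what `bandomain` does earlier in the thread: take the addresses a domain resolves to (parsed from busybox-style nslookup output) and find which blacklist entries, single IPs or CIDR ranges, would match them. This is the check you want when a service such as a DNS proxy breaks and the list is too large to read by eye. It is plain POSIX sh so it runs on a busybox router. Both the nslookup output and the blacklist are constructed samples using documentation address space; on a live router the list would come from `ipset list`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Skynet. Resolve-then-match:
# which blacklist entries (single IPs or CIDR ranges) cover the addresses a
# domain resolves to. Pure POSIX sh, so it runs on busybox ash.
# Both inputs are constructed samples.

NSLOOKUP_OUT="Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      dns-proxy.example.test
Address 1: 198.51.100.10
Address 2: 203.0.113.77"

BLACKLIST="192.0.2.0/24
203.0.113.64/26
198.51.100.200
10.0.0.0/8"

# resolved_ips "<nslookup output>" -> answer addresses only; the Server:
# block names the resolver, not the target, so it is skipped.
resolved_ips() {
    printf '%s\n' "$1" | awk '/^Name:/ {ans=1; next} ans && /^Address/ {print $3}'
}

# ip2int a.b.c.d -> the address as an unsigned 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP ENTRY -> true when IP lies inside ENTRY (a.b.c.d or a.b.c.d/len)
in_cidr() {
    case "$2" in
        */*) net=${2%/*}; len=${2#*/} ;;
        *)   net=$2;      len=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# matching_entries IP "<list>" -> every entry of the list that covers IP
matching_entries() {
    for entry in $2; do
        in_cidr "$1" "$entry" && echo "$entry"
    done
    return 0
}

# check_domain "<nslookup output>" "<list>" -> one "IP blocked by ENTRY"
# line per hit; empty output means none of the resolved IPs is listed.
check_domain() {
    for ip in $(resolved_ips "$1"); do
        for hit in $(matching_entries "$ip" "$2"); do
            echo "$ip blocked by $hit"
        done
    done
    return 0
}

check_domain "$NSLOOKUP_OUT" "$BLACKLIST"
```

With the sample data only the second resolved address is covered, by the /26 range, which is exactly the kind of entry a single-IP whitelist does not protect against if the blacklist is consulted first; knowing which entry matched tells you whether to whitelist the address or trim the range.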
 
