Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Does this work with dnscrypt? Been having some issues with Martineau's version, despite whitelisting the proxy IP, DNS would fail until I flushed the lists. So I'm guessing an IP was being banned that shouldn't have been. Too many IPs in the blacklist for me to reasonably find which though!

Yes it should work with my script, I don't see any reason why not.

 

[yk101]

@Adamm, I did a bit of experimenting and see the following:

admin@RT-AC88U:/jffs/scripts# grep -i 'xxx.xxx.' ipset.txt
add Whitelist xxx.xxx.0.0/16
add Whitelist xxx.xxx.106.0/24
add Whitelist xxx.xxx.106.123
admin@RT-AC88U:/jffs/scripts#

Obviously IP has been obfuscated.
Then, enabling the the debug in the firewall, the following appears in the syslog as it blocks my whitelisted (by range with /16 /24 and /32) IP:

May 11 10:19:51 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7764 DF PROTO=TCP SPT=62796 DPT=22223 SEQ=1096019285 ACK=2405146603 WINDOW=258 RES=0x00 ACK URGP=0
May 11 10:19:51 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7779 DF PROTO=TCP SPT=63164 DPT=8443 SEQ=3994756124 ACK=2158012732 WINDOW=257 RES=0x00 ACK FIN URGP=0
May 11 10:19:51 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7780 DF PROTO=TCP SPT=63164 DPT=8443 SEQ=3994756125 ACK=2158013083 WINDOW=0 RES=0x00 ACK RST URGP=0
May 11 10:19:51 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=61285 PROTO=TCP SPT=63164 DPT=8443 SEQ=3994756125 ACK=2158013115 WINDOW=216 RES=0x00 ACK RST URGP=0
May 11 10:19:52 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7782 DF PROTO=TCP SPT=62796 DPT=22223 SEQ=1096019285 ACK=2405146683 WINDOW=258 RES=0x00 ACK URGP=0
May 11 10:19:53 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7800 DF PROTO=TCP SPT=62796 DPT=22223 SEQ=1096019285 ACK=2405146843 WINDOW=257 RES=0x00 ACK URGP=0
May 11 10:19:54 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7820 DF PROTO=TCP SPT=62796 DPT=22223 SEQ=1096019285 ACK=2405146907 WINDOW=257 RES=0x00 ACK URGP=0
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7843 DF PROTO=TCP SPT=62796 DPT=22223 SEQ=1096019285 ACK=2405146971 WINDOW=257 RES=0x00 ACK URGP=0
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=7856 DF PROTO=TCP SPT=63226 DPT=8443 SEQ=2674518245 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405640103030801010101)
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7857 DF PROTO=TCP SPT=63226 DPT=8443 SEQ=2674518246 ACK=1005172174 WINDOW=258 RES=0x00 ACK URGP=0
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=266 TOS=0x00 PREC=0x00 TTL=110 ID=7858 DF PROTO=TCP SPT=63226 DPT=8443 SEQ=2674518246 ACK=1005172174 WINDOW=258 RES=0x00 ACK PSH URGP=0
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7861 DF PROTO=TCP SPT=63226 DPT=8443 SEQ=2674518472 ACK=1005173606 WINDOW=258 RES=0x00 ACK URGP=0
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=166 TOS=0x00 PREC=0x00 TTL=110 ID=7862 DF PROTO=TCP SPT=63226 DPT=8443 SEQ=2674518472 ACK=1005173606 WINDOW=258 RES=0x00 ACK PSH URGP=0

Does this make sense to you? Is something broken, or is it my setup that is not working properly?

 

[HardCat]

Another major update. I've consolidated the multiple "ban / unban / whitelist" commands (and previously un-added functionality) into single commands. Each now accepts multiple arguments and supports complete automation. In doing so I also rewrote the country banning code and is now x12 faster.

Example commands now accepted;

Here Are Some Example Unban Commands;
"./jffs/scripts/firewall unban" This Requires Manual Input (Only IPs accepted)
"./jffs/scripts/firewall unban 8.8.8.8" his Unbans The IP Specified
"./jffs/scripts/firewall unban range 8.8.8.8/24" This Unbans the CIDR Block Specified
"./jffs/scripts/firewall unban domain" This Requires Manual Input (Only Domains Accepted)
"./jffs/scripts/firewall unban domain google.com" This Unbans the URL Specified
"./jffs/scripts/firewall unban all" This Unbans All Entries From Both Blacklists

Here Are Some Example Ban Commands;
"./jffs/scripts/firewall ban" This Requires Manual Input (Only IPs accepted)
"./jffs/scripts/firewall ban 8.8.8.8" This Bans The IP Specified
"./jffs/scripts/firewall ban range 8.8.8.8/24" This Bans the CIDR Block Specified
"./jffs/scripts/firewall ban domain" This Requires Manual Input (Only Domains Accepted)
"./jffs/scripts/firewall ban domain google.com" This Bans the URL Specified
"./jffs/scripts/firewall ban country pk" This Bans The Known IPs For The Specified Country http://www.ipdeny.com/ipblocks/data/countries/

Here Are Some Example Banmalware Commands;
"./jffs/scripts/firewall banmalware" This Bans IPs From The Predefined Filter List
"./jffs/scripts/firewall banmalware google.com/filter.list" This Uses The Fitler List From The Specified URL

Here Are Some Example Whitelist Commands;
"./jffs/scripts/firewall whitelist" This Requires Manual Input (Only IPs accepted)
"./jffs/scripts/firewall whitelist IP" This Bans The IP or Range Specified
"./jffs/scripts/firewall whitelist domain" This Requires Manual Input (Only Domains Accepted)
"./jffs/scripts/firewall whitelist domain google.com" This Bans the URL Specified

Here Are Some Example Debug Commands;
"./jffs/scripts/firewall debug enable" Enable Debugging To Syslog
"./jffs/scripts/firewall debug disable" Disable Debugging

Here Are Some Example Update Commands;
"./jffs/scripts/firewall update" Standard Update Check - If Nothing Detected Exit
"./jffs/scripts/firewall update check" Check For Updates Only - Wont Update If Detected
"./jffs/scripts/firewall update -f" Force Update Even If No Changes Detected

@Adamm Would I be correct in saying that to ban a country now you must add them one at a time instead of from the static list you had before?

 

[Adamm]

@Adamm, I did a bit of experimenting and see the following:

admin@RT-AC88U:/jffs/scripts# grep -i 'xxx.xxx.' ipset.txt
add Whitelist xxx.xxx.0.0/16
add Whitelist xxx.xxx.106.0/24
add Whitelist xxx.xxx.106.123
admin@RT-AC88U:/jffs/scripts#

Obviously IP has been obfuscated.
Then, enabling the the debug in the firewall, the following appears in the syslog as it blocks my whitelisted (by range with /16 /24 and /32) IP:

May 11 10:19:51 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7764 DF PROTO=TCP SPT=62796 DPT=22223 SEQ=1096019285 ACK=2405146603 WINDOW=258 RES=0x00 ACK URGP=0
May 11 10:19:51 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7779 DF PROTO=TCP SPT=63164 DPT=8443 SEQ=3994756124 ACK=2158012732 WINDOW=257 RES=0x00 ACK FIN URGP=0
May 11 10:19:51 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7780 DF PROTO=TCP SPT=63164 DPT=8443 SEQ=3994756125 ACK=2158013083 WINDOW=0 RES=0x00 ACK RST URGP=0
May 11 10:19:51 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=61285 PROTO=TCP SPT=63164 DPT=8443 SEQ=3994756125 ACK=2158013115 WINDOW=216 RES=0x00 ACK RST URGP=0
May 11 10:19:52 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7782 DF PROTO=TCP SPT=62796 DPT=22223 SEQ=1096019285 ACK=2405146683 WINDOW=258 RES=0x00 ACK URGP=0
May 11 10:19:53 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7800 DF PROTO=TCP SPT=62796 DPT=22223 SEQ=1096019285 ACK=2405146843 WINDOW=257 RES=0x00 ACK URGP=0
May 11 10:19:54 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7820 DF PROTO=TCP SPT=62796 DPT=22223 SEQ=1096019285 ACK=2405146907 WINDOW=257 RES=0x00 ACK URGP=0
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7843 DF PROTO=TCP SPT=62796 DPT=22223 SEQ=1096019285 ACK=2405146971 WINDOW=257 RES=0x00 ACK URGP=0
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=7856 DF PROTO=TCP SPT=63226 DPT=8443 SEQ=2674518245 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405640103030801010101)
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7857 DF PROTO=TCP SPT=63226 DPT=8443 SEQ=2674518246 ACK=1005172174 WINDOW=258 RES=0x00 ACK URGP=0
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=266 TOS=0x00 PREC=0x00 TTL=110 ID=7858 DF PROTO=TCP SPT=63226 DPT=8443 SEQ=2674518246 ACK=1005172174 WINDOW=258 RES=0x00 ACK PSH URGP=0
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=7861 DF PROTO=TCP SPT=63226 DPT=8443 SEQ=2674518472 ACK=1005173606 WINDOW=258 RES=0x00 ACK URGP=0
May 11 10:19:55 kernel: [BLOCKED - RAW] IN=eth0 OUT= MAC=2c:4d:54:22:92:78:00:01:5c:85:38:46:08:00 SRC=xxx.xxx.106.123 DST=xxx.xxx.125.247 LEN=166 TOS=0x00 PREC=0x00 TTL=110 ID=7862 DF PROTO=TCP SPT=63226 DPT=8443 SEQ=2674518472 ACK=1005173606 WINDOW=258 RES=0x00 ACK PSH URGP=0

Does this make sense to you? Is something broken, or is it my setup that is not working properly?

I'm assuming connections to/from this IP still work right?

My guess is the IP is on both your Blacklist and Whitelist (probably added as a false positive by the routers SPI firewall). This was a error in my debug rule placement, before it was checking for packets before they had been processed by the whitelist, I just pushed an update which fix's this. (Disable and reenable the debug printing after updating)

 

[Adamm]

@Adamm Would I be correct in saying that to ban a country now you must add them one at a time instead of from the static list you had before?

For the time being yes, the static list feature is still a WIP, I should have it out possibly in the next few hours. I was thinking of changing how it works to be completely command-line as I don't like users being forced to edit the file.

 

[yk101]

Blacklist Doesn't show those IPs. No, connections to the router web interface and ssh don't work!

 

[Adamm]

Blacklist Doesn't show those IPs. No, connections to the router web interface and ssh don't work!

Is the IP showing up in;

ipset -L Whitelist

Please also update the script (disable then enable) debug mode and run;

sh /jffs/scripts/firewall debug info

 

[yk101]

Is the IP showing up in;

ipset -L Whitelist

Please also update the script (disable then enable) debug mode and run;

sh /jffs/scripts/firewall debug info

As per my previous port, IP is showing up in the ipset listing of Whitelist. It is there as /16, /24 and /32.
debug info produces the following:

Router Model: RT-AC88U
Skynet Version: v3.6.4 (12/05/2017)
iptables v1.4.14
ipset v6.29, protocol version: 6
FW Version: 380.66_beta5-gfccc157
Startup Entry Detected
Cronjob Detected
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet: [Complete] 150063 IPs / 18318 Ranges banned. 7 New IPs / 0 New Ranges Banned. 1031
5788 IP / 150 Range Connections Blocked! [3s]
admin@RT-AC88U:/jffs/scripts#

 

[Adamm]

@Adamm Would I be correct in saying that to ban a country now you must add them one at a time instead of from the static list you had before?

Okay I have re-added the feature. To ban multiple countries they need to be quoted in the commandline, eg;

sh /jffs/scripts/firewall ban country "cn pk sa"

 

[Adamm]

As per my previous port, IP is showing up in the ipset listing of Whitelist. It is there as /16, /24 and /32.

Yes but you are getting the info from the ipset save file, not the whitelist itself. (I assume you completed the debug disable/enable like requested)

I'm asking this because the way the rules are setup, packets are first checked against the whitelist, if a match is found the packet is accepted, if no match is found its checked against the blacklist. In theory if an IP is whitelisted it will never make it to the step of checking the blacklist.

That being said, please give me the output of the following commands so I can get a full scope of whats going on as I have an idea of what the problem may be;

ipset -L Whitelist
iptables -vL -nt raw
iptables -vL

 

[yk101]

ipset -L Whitelist iptables -vL -nt raw iptables -vL

Here it is:

admin@RT-AC88U:/jffs/scripts# ipset -L Whitelist
Name: Whitelist
Type: hash:net
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8724
References: 1
Members:
xxx.231.0.0/16
151.101.96.133
xxx.77.0.0/16
xxx.77.106.0/24
xxx.77.106.123
192.168.1.0/24
192.168.2.0/24
admin@RT-AC88U:/jffs/scripts# iptables -vL -nt raw
Chain PREROUTING (policy ACCEPT 18312 packets, 4415K bytes)
 pkts bytes target     prot opt in     out     source               destination
75892 9433K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist src
 3976  239K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src LOG flags 7 level 4 prefix "[BLOCKED - RAW] "
  205  7018 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges src
 8712  523K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

Chain OUTPUT (policy ACCEPT 29918 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination
admin@RT-AC88U:/jffs/scripts# iptables -vL

 

[Adamm]

Here it is:

That all looks fine so far, but you missed pasting the output of the final command.

 

[yk101]

Update: just pulled down 3.6.6 - everything works! Thanks a lot @Adamm! You are Z-man!

 

[Adamm]

Update: just pulled down 3.6.6 - everything works! Thanks a lot @Adamm! You are Z-man!

No worries, I assume what you were seeing was due to the misplaced rule. In any case glad its fixed and thanks for helping me find a bug.

 

[Adamm]

Pushed another update to prevent this type of bug in future;

Added "newbans" "blocked" arguments to debug enable command (uses both if not specified)
Added extra safety checks to prevent rule duplication or misplacement

 

[yk101]

@Adamm, you were looking for ideas earlier, so here are a few:

1. Export/import Whitelist entries to a separate file. This will allow running banmalware to download refreshed ban lists without blowing away manually added whitelist entries;
2. Ditto for Countries;

 

[Adamm]

@Adamm, you were looking for ideas earlier, so here are a few:

1. Export/import Whitelist entries to a separate file. This will allow running banmalware to download refreshed ban lists without blowing away manually added whitelist entries;
2. Ditto for Countries;

Sorry trying to understand what you're implying. Running banmalware again won't remove the previous entries and just add anything new it detects (same as countries).

 

[yk101]

Sorry, it is my illiterate translation of the script then. In that case, how would one go about refreshing the country list without re-entering them one by one?

 

[Adamm]

Sorry, it is my illiterate translation of the script then. In that case, how would one go about refreshing the country list without re-entering them one by one?

I don't blame you, I've made 84 changes in the last week and basically rewritten it twice

Lets say you wanted to update a country list on a regular interval, you could make a cronjob for the command;

/jffs/scripts/firewall ban country "cn jp sa bz"

Lets say we wanted to update this list on the 15th and the 30th of every month, we would add something like the following to the bottom of "/jffs/scripts/firewall-start"

cru a Firewall_BanCountry "0 0 */15 * * /jffs/scripts/firewall ban country "cn jp sa bz""

Did I understand your question correctly?

 

[yk101]

Yes, thank you. This would work for me.