Skynet Skynet - Router Firewall & Security Enhancements

[pattiri]

I'm no sure it's related but after I've updated 6.1.5 all my wireless clients disconnected and they are not able to re-connect. Router is up for more near 7 days and everything was OK. This is how my clients are seen under wireless log page when I try to connect;

OK forget about it. after about 5 minutes it fixed itself

 

[Adamm]

I'm no sure it's related but after I've updated 6.1.5 all my wireless clients disconnected and they are not able to re-connect. Router is up for more near 7 days and everything was OK. This is how my clients are seen under wireless log page when I try to connect;

OK forget about it. after about 5 minutes it fixed itself

Coincidence I'd say, Skynet doesn't interfere with much outside IPTables.

 

[Adamm]

So it looks like we missed our 4 year birthday about 3 weeks ago. Just wanted to say thank you to all the users supporting the script over the years. Wish I had exact numbers but with limited statistics it’s somewhere in the thousands which is awesome.

The last year in particular the scripting scene really picked up which gave me a much renewed interest in the project making significant improvements from the mess it once was

In the last year alone we went from a basic 200 line script, now 700+ github commits later we are not sitting around 3000 lines of code and arguably one of the most advance shell based open source IPSet blacklist implementations on the net.

Special shoutout to RMerlin and John who put the time into adding and maintaining the firmware’s IPSet implementation making it all possible. Also thanks to anyone who donated a few bucks here and there, the coffee went to good use

As always, if you have any suggestions feel free to comment and I’ll try my best to add them it if possible. With v6 I ticked off most of the remaining items on my todo list.

Here’s to another year

 

[skeal]

Happy Birthday Skynet!! You look fantastic....

 

[DonnyJohnny]

Happy belated birthday Skynet!

Imagining a life without you is
something that is impossible,
you make me complete and I want
you to know you mean everything to me.

Long live Skynet! Long live Adamm!
Hip Hip Hooray!

 

[jarmka]

Confirmed your latest update is working flaw-less-ly! Awesome! Absolutely AWESOME! Great work! Happy belated birthday to you, and it feels like to mee tooo!
May 6 13:41:54 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=**.**.***.** DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=19471 SEQ=0
May 6 13:42:04 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=**.**.***.** DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=22799 SEQ=0

 

[Jack Yaz]

Perhaps a daft question (i.e. I'm not understanding how connections/routing work!) - is there a way to use banmalware but only on incoming connections with a "new" state? I ask as I used to use Skynet but my wife and I use various cashback/survey sites that often end up on malware lists (shared hosting, most likely), and keeping on top of the manual whitelist was proving cumbersome.

So this leads me to my question of incoming "new" only, as an outbound connection to the site could go through, and then any related connections. I will be running several services on the LAN (WAN facing) that I'd like to protect from known malware IPs using Skynet, as an additional layer to the authentication those services will be using.

 

[jarmka]

@Adamm is there anyway to block/drop logging for specific banned IP's? This would be a great option in the menu as well to keep cleaner logs.

 

[Adamm]

Perhaps a daft question (i.e. I'm not understanding how connections/routing work!) - is there a way to use banmalware but only on incoming connections with a "new" state? I ask as I used to use Skynet but my wife and I use various cashback/survey sites that often end up on malware lists (shared hosting, most likely), and keeping on top of the manual whitelist was proving cumbersome.

So this leads me to my question of incoming "new" only, as an outbound connection to the site could go through, and then any related connections. I will be running several services on the LAN (WAN facing) that I'd like to protect from known malware IPs using Skynet, as an additional layer to the authentication those services will be using.

Skynet does it’s blocking in the raw table before any connection states are tracked. So long story short is no unfortunately not.

 

[Laszlo Ladanyi]

Hi.

I have some problem with Skynet. When I start /jffs/scripts/firewall command, I get this error message and the menu failed to load:
---
Router Model; RT-AC87U
Skynet Version; v6.1.5 (06/05/2018)
iptables v1.4.15 - (ppp0 @ 192.168.15.1)
ipset v6.32, protocol version: 6
FW Version; 384.4_2 (Mar 24 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/eeeEntware/skynet (24.5G / 26.0G Space Available)
SWAP File; /dev/sda1 (0)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/eeeEntware/skynet

/jffs/scripts/firewall: line 21: arithmetic syntax error
xxx@AC87U:/tmp/home/root#
---
This is the mentioned line:
20: export LC_ALL=C
21:
22: retry=1

I'm sure it worked two days ago.
Any advise? (I'm already tried: router reboot, script update, uninstall/reinstall)

 

[Adamm]

Hi.

I have some problem with Skynet. When I start /jffs/scripts/firewall command, I get this error message and the menu failed to load:
---
Router Model; RT-AC87U
Skynet Version; v6.1.5 (06/05/2018)
iptables v1.4.15 - (ppp0 @ 192.168.15.1)
ipset v6.32, protocol version: 6
FW Version; 384.4_2 (Mar 24 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/eeeEntware/skynet (24.5G / 26.0G Space Available)
SWAP File; /dev/sda1 (0)
Boot Args; /jffs/scripts/firewall start skynetloc=/tmp/mnt/eeeEntware/skynet

/jffs/scripts/firewall: line 21: arithmetic syntax error
xxx@AC87U:/tmp/home/root#
---
This is the mentioned line:
20: export LC_ALL=C
21:
22: retry=1

I'm sure it worked two days ago.
Any advise? (I'm already tried: router reboot, script update, uninstall/reinstall)

Can you give me the output of;

sh -x /jffs/scripts/firewall

Then;

sh /jffs/scripts/firewall debug info

And finally;

cat /jffs/scripts/post-mount

 

[Jack Yaz]

Skynet does it’s blocking in the raw table before any connection states are tracked. So long story short is no unfortunately not.

I thought as much. If I were so inclined, would I be able to rewrite the relevant bits to add to the filter table rather than raw?

 

[Laszlo Ladanyi]

Can you give me the output of;

sh -x /jffs/scripts/firewall

Then;

sh /jffs/scripts/firewall debug info

And finally;

cat /jffs/scripts/post-mount

Attached the outputs.

 

[Adamm]

@Adamm is there anyway to block/drop logging for specific banned IP's? This would be a great option in the menu as well to keep cleaner logs.

Not currently possible to exclude specific IP's. But as a compromise I pushed v6.1.6 which contains the ability to remove logs based on a specific port/IP.

sh /jffs/scripts/firewall stats remove IP xxx.xxx.xxx.xxx

sh /jffs/scripts/firewall stats remove port xxxxx

 

[Adamm]

I thought as much. If I were so inclined, would I be able to rewrite the relevant bits to add to the filter table rather than raw?

I mean, technically anything is possible. But it would require gutting just about everything IPTables related and be a pain to keep in sync with the main branch. Not to mention not having support if/when needed.

Can't say I've ever used one of those cashback/survey sites, they don't exactly have a great reputation (I assumed they were all scams tbh). But once a site is whitelisted, its whitelisted forever and Skynet will periodically update the IP it resolves to in the event that it has changed. So once you whitelist whatever ones you visit, it shouldn't be an issue in future.

 

[Adamm]

Attached the outputs.

Thanks for pointing this out, the way I generate the log summary was outdated (didn't support the selective input/output blocking nor the latest outbound blocking changes). I must have overlooked it during the v6 update and again yesterday. In any case I pushed a hotfix and made it much smarter (version number is still 6.1.6 so you will need to force update if you updated already in the last 30 minutes).

 

[Laszlo Ladanyi]

Thanks for pointing this out, the way I generate the log summary was outdated (didn't support the selective input/output blocking nor the latest outbound blocking changes). I must have overlooked it during the v6 update and again yesterday. In any case I pushed a hotfix and made it much smarter (version number is still 6.1.6 so you will need to force update if you updated already in the last 30 minutes).

Thank You. I can confirm it works like a charm after the force update.

 

[Jack Yaz]

I mean, technically anything is possible. But it would require gutting just about everything IPTables related and be a pain to keep in sync with the main branch. Not to mention not having support if/when needed.

Can't say I've ever used one of those cashback/survey sites, they don't exactly have a great reputation (I assumed they were all scams tbh). But once a site is whitelisted, its whitelisted forever and Skynet will periodically update the IP it resolves to in the event that it has changed. So once you whitelist whatever ones you visit, it shouldn't be an issue in future.

I'll have a poke around and see what I can do, I wasn't expecting you to do anything!

And some are scams, some are more reputable. I think the main issue was there are a lot of referral domains, and the whitelist would probably end up doing more harm than good!

 

[DonnyJohnny]

Not currently possible to exclude specific IP's. But as a compromise I pushed v6.1.6 which contains the ability to remove logs based on a specific port/IP.

sh /jffs/scripts/firewall stats remove IP xxx.xxx.xxx.xxx

sh /jffs/scripts/firewall stats remove port xxxxx

Just asking, this command remove the existing log that contain that ip/port?
OR
Prevent logging of future encounter of the particular ip/port as per asked by @jarmka ?

 

[Adamm]

Just asking, this command remove the existing log that contain that ip/port?
OR
Prevent logging of future encounter of the particular ip/port as per asked by @jarmka ?

Only removes existing logs.