Skynet Skynet - Router Firewall & Security Enhancements

[Adamm]

Sorry, i'm a bit confused now, with your new code, some of the changes would be nice to know why they are made

Maybe an update of the main post, so everything is up to date? That would be a lot easier, rather than one having to read through the entire thread to gather bits of info..

The update is mainly just more efficient/cleaner code, it can also now be used without a USB/optware/entware and is self contained within the JFFS partition. Also a few other additional features like downloading an adding IPSets so you can have your regular blacklist functioning + other sets.

I removed a few functions like backing up IPSets to a remote server when it reaches the maxelem value (65535) so a new set can be created and virtually an unlimited amount of IP's can be banned without user interaction, along with a firmware auto-update feature as they were dependand on my build server and the backup feature required SSH keys. I will add them back once I find a better method to share with the public.

Hold the Phone... why does this script backup and flashes the bootoader?

Again, this is a personal script I pretty much throw all my automated tasks into. A few months ago when there was big discussion over changing the region in CFE to unlock more channels etc I wrote those functions as a minor "safeguard" to prevent flashing a CFE with bad values. All it does is compare the current CFE with a file named cfe.flash and check if all the important values were carried over to prevent bricking. The script is written using if statements so any functions can be removed without a rewrite.

 

[Eet_46]

Okay, this might seem as noob question of the year here, but i was just wondering...

If i ban an ip or whole country, is it only banning them from accessing me or is it both ways completely? I mean, i once in a while visit chinese sites, will i be unable to do that if i block the whole country for instance?

And does the banning work, if i'm using a vpn cilent on the computer i'm browsing with?

 

[Adamm]

Okay, this might seem as noob question of the year here, but i was just wondering...

If i ban an ip or whole country, is it only banning them from accessing me or is it both ways completely? I mean, i once in a while visit chinese sites, will i be unable to do that if i block the whole country for instance?

And does the banning work, if i'm using a vpn cilent on the computer i'm browsing with?

The script currently uses IPTables to block all connections originating from the IP. This can be modified as IPTables is highly configurable, but in most cases it shouldn't need to be changed. Here's the specific lines in question;

    iptables -I INPUT -m set --match-set Blacklist src -j DROP
    iptables -I INPUT -m set --match-set BlockedCountries src -j DROP

With countries, if you block one country expect a good majority of websites hosted there to be blocked, currently the script downloads the IP ranges from http://www.ipdeny.com/ipblocks/data/countries/ and phrases them into the list.

As for VPN access, technically it should bypass this filter as all traffic is being routed through another machines connection, I haven't tried it myself but in theory that's what should happen I guess.

 

[LemurTech]

Thanks, Adamm, for a fine little script. I'm sure someone out there has managed to get this working with an RT-N66U. I seem to be just about there, but am running into one little syntax issue, in the lines below:

    iptables -D INPUT -m set --set Whitelist src -j ACCEPT
    iptables -D INPUT -m set --set Blacklist src -j DROP
    iptables -D INPUT -m set --set BlockedCountries src -j DROP
    iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src
    iptables -I INPUT -m set --set Blacklist src -j DROP
    iptables -I INPUT -m set --set BlockedCountries src -j DROP
    iptables -I INPUT -m set --set Whitelist src -j ACCEPT
    iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src

Running sh firewall, I get...

start_time=`date +%s`
cat /jffs/scripts/firewall | head -28
Correct Settings Detected.
Correct Settings Detected.
Correct Settings Detected.
[IP Banning Started] ... ... ...
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
[Complete] 0 IPs currently banned. 0 New IP's Banned. 5980 Banned Overall [0s]

The problematic bit is:

iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src

My fumbling with iptables 1.3.8 documentation is not producing any results. Please, if you know the answer, help an old monkey out? Thanks, all!

 

[Martineau]

Thanks, Adamm, for a fine little script. I'm sure someone out there has managed to get this working with an RT-N66U. I seem to be just about there, but am running into one little syntax issue, in the lines below:

    iptables -D INPUT -m set --set Whitelist src -j ACCEPT
    iptables -D INPUT -m set --set Blacklist src -j DROP
    iptables -D INPUT -m set --set BlockedCountries src -j DROP
    iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src
    iptables -I INPUT -m set --set Blacklist src -j DROP
    iptables -I INPUT -m set --set BlockedCountries src -j DROP
    iptables -I INPUT -m set --set Whitelist src -j ACCEPT
    iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src

Running sh firewall, I get...

start_time=`date +%s`
cat /jffs/scripts/firewall | head -28
Correct Settings Detected.
Correct Settings Detected.
Correct Settings Detected.
[IP Banning Started] ... ... ...
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
[Complete] 0 IPs currently banned. 0 New IP's Banned. 5980 Banned Overall [0s]

The problematic bit is:

iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src

My fumbling with iptables 1.3.8 documentation is not producing any results. Please, if you know the answer, help an old monkey out? Thanks, all!

http://www.snbforums.com/threads/firewall-deny-ip-range.23066/#post-169084

 

[LemurTech]

http://www.snbforums.com/threads/firewall-deny-ip-range.23066/#post-169084

Thanks Martineau. You can from my original post, though, that I've already implemented the change from -m set --match-set to -m set --set in several places. But this doesn't work in the line I mention.

 

[Martineau]

Thanks Martineau. You can from my original post, though, that I've already implemented the change from -m set --match-set to -m set --set in several places. But this doesn't work in the line I mention.

Doesn't this ONLY work on ARM routers as per post #1 ?

My version of iptables:

admin@RT-AC56U:/tmp/home/root# iptables
iptables v1.4.14: no command specified
Try `iptables -h' or 'iptables --help' for more information.

 

[LemurTech]

Doesn't this ONLY work on ARM routers as per post #1 ?

My understanding was that, as given, the script only applied to ARM routers, with a more recent build of iptables. I thought it was implied that it could be done on the N66U, with iptables 1.3.8, but that syntax changes were necessary. I could be wrong.

 

[Sniegov]

Hi Adamm,

Would be nice if could You add IPv6 (http://www.ipdeny.com/ipv6/ipaddresses/blocks/) adress to block as well,
and function to check wich county is current blocked as above but in function, if possibile.

Please could have a look at this: http://www.ipdeny.com/blog/ipv4-ip-address-blocks-aggregation/

Thanks!

 

[bayern1975]

how to add this scripts for blocking IP? here it is: http://www.snbforums.com/threads/ho...et-firewall-addition.16798/page-3#post-169462

i have asus ac68u with merlin 378.55....

 

[bayern1975]

i am installing this two scripts, one is firewall and one is firewall-start....scripts it seems to working but i do not know how to ban IP ranges.what i must to do that i could block for example this IP range:
188.196.0.0/14?

 

[bayern1975]

any help?

 

[andresmorago]

Hello to all.
I tried to run the script on my AC66U (3.0.0.4.374.43_0 merlin) unit and got the `--match-set' errors.
According to scripts changelog, AC66U is now supported.

Can you please give me some help?


Thanks!

admin@RT-AC66U-FF48:/jffs/scripts# /jffs/scripts/firewall-start
#!/bin/sh
#################################################################################################
## - 25/12/2014 ---        RT-AC66U/RT-AC56U/RT-AC68U Firewall Addition v2.5 -          #
###################################################################################################################
###                    ----- Make Sure To Edit The Following Files -----              #
### /jffs/scripts/firewall-start                     <-- Sets up cronjob/iptables rules          #
### /jffs/scripts/firewall                     <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                     <-- Banned IP List/IPSet Rules              #
###################################################################################################################

##############################
#####Commands / Variables#####
##############################
UNBANSINGLE="unban"          # <-- Remove Single IP From Blacklist
UNBANALL="unbanall"          # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall"       # <-- Remove All Entries From Blacklist
SAVEIPSET="save"             # <-- Save Blacklists to /jffs/scripts/ipset.txt
BANSINGLE="ban"              # <-- Adds Entry To Blacklist
BANCOUNTRYSINGLE="country"   # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry"  # <-- Bans specified countries in this file
WHITELIST="whitelist"        # <-- Add IPs from path to Whitelist
NEWLIST="new"                 # <-- Create new IPSet Blacklist
DUMPCFE="dumpcfe"              # <-- Dumps current CFE to /jffs/scripts/cfe.dump
UPDATECFE="updatecfe"         # <-- Flash CFE from /jffs/scripts/cfe.flash (reset nvram afterwards)
##############################

start_time=`date +%s`
cat /jffs/scripts/firewall | head -28
Correct Settings Detected.
Enabled Firewall Logging
Correct Settings Detected.
/jffs/scripts/firewall: line 201: echo: Bad address
[IP Banning Started] ... ... ...
/jffs/scripts/firewall: line 201: can't open /jffs/scripts/ipset.txt: no such file
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
/jffs/scripts/firewall: line 201: echo: Bad address
expr: syntax error
[Complete] 0 IPs currently banned.  New IP's Banned. 12889 Banned Overall [4s]
expr: syntax error
admin@RT-AC66U-FF48:/jffs/scripts#

 

[Poopiepants]

Are there any requirements other than Merlin firmware to get this to work?
I also installed optware via installing download master located at usb applications menu item.
I am getting all sorts of errors when I try to manually run the script.
Merlin Firmware:378.56_2


admin@RT-AC68R-D800:/tmp# sh /jffs/scripts/firewall-start


: not foundts/firewall-start: line 2:
: not foundts/firewall-start: line 5:
'leep: invalid number '5
: not foundts/firewall-start: line 7: crond
: not foundts/firewall: line 10:
: not foundts/firewall: line 24:
'ead: invalid number '23
cat: can't open '/opt/bin/firewall': No such file or directory
: not foundts/firewall: line 28:
: not foundts/firewall: line 32:
/jffs/scripts/firewall: line 42: syntax error: unexpected "elif" (expecting "then")


I have read the entire thread and searched around so more an no luck.
Any help would be greatly appreciated.
Thank you!

 

[ColinTaylor]

@Poopiepants: Those are the kind of errors you get when you have DOS/Windows end-of-line characters in your firewall-start script.

You can get these when you have edited the file on a Windows PC and then transferred it to the router,

How did you create and transfer that file?

 

[john9527]

Merlin picked up 'dos2unix' in 378.56_2 so you can use that to fix up the file. At the router prompt....

dos2unix /jffs/scripts/firewall-start

 

[Poopiepants]

Thank you for the quick replies.
I use notepad +++ and winscp to transfer.
I found where to switch it in notepad +++
Notepad++. From the "Edit" menu, select "EOL Conversion" -> "UNIX/OSX Format".
http://stackoverflow.com/questions/16239551/eol-conversion-in-notepad

So far it looks good, some how I must of forgotten to add that switch to the new text file.
Thank you all!

 

[TomT]

The update is mainly just more efficient/cleaner code, it can also now be used without a USB/optware/entware and is self contained within the JFFS partition. Also a few other additional features like downloading an adding IPSets so you can have your regular blacklist functioning + other set.

Does this mean you don't need to install DLM for this to work ?

 

[Poopiepants]

I have a couple of new questions I am hoping someone can help.

I am Trying to ban a particular ip without any success.
I am trying
sh firewall BANSINGLE=x.x.x.x
I also tried with quotes
sh firewall BANSINGLE="x.x.x.x"

I check the ipset.txt file and it's not listed and I see the firewall log and it's still being accepted.

I probably have the command line wrong somewhere.

Another interesting thing is the firewall log always reverts to dropped,. like to view the accepted packets, but when I switch and refresh it always says dropped now.

Should the ipset.txt file save when the router is restarted? Mine starts a new blank file on restart.

Thank so much for all the help!

 

[TomT]

Does this mean you don't need to install DLM for this to work ?

Hi
Does any one know if DLMis needed to be installed?
Thanks