Skynet Skynet - Router Firewall & Security Enhancements

[Xentrk]

If the same code block is in place you run the very same risk on that router also. What this "legacy code" does from my brief look is;

1. A for loop listing all current loaded IPSets
2. If the IPSet name matches a particular name, it checks for an IPTables rule via a very basic pattern check. If there are no grep matches it creates a new rule
3. If the IPSet name doesn't match any of the listed patterns, it defaults to the wildcard match. This will basically force a IPTables drop rule regardless of the IPSets intended purpose.

I personally find the need for this code quite bad from a scriptwriters standpoint. I think that scripts should be smart enough to handle their own rules and "fix" themselves in the event something goes wrong. Because in this case, a wildcard rule has caused a complete loss of connectivity (the blocked countries rule would eventually cause issues too)

Now the question is what exactly happened to your setup. I can see a point of failure being if Skynet is initially loaded correctly, then the firewall-start event is called again. During this event only IPTables rules are flushed (not the IPSets themselves). So upon restart this "legacy code" would have listed all Skynets IPSets still loaded in ram and defaulted to the wildcard drop entry listed. This means all 3 IPSets (including the Whitelist with a bunch of important Private IP's) would have had some generic drop entry.

Usually if this code wasn't present, Skynet is smart enough to deal with situations like this and proceed as expected. So I highly suggest removing this code from both routers.



You can just simply delete it, Skynet will generate the file during the install process with a shebang and the appropriate permissions etc.

Here is the link to the source code in the wiki

https://github.com/RMerl/asuswrt-me...atchip-utility---search-ipset-lists-for-an-ip

 

[Adamm]

Here is the link to the source code in the wiki

I was referring to the contents of your firewall-start file which has a different purpose to the "match-ip" script. Also this functionality is built into Skynet via;

sh /jffs/scripts/firewall stats search ip xxx.xxx.xxx.xxx

Which returns;

Debug Data Detected in /tmp/mnt/Main/skynet/skynet.log - 1.6M
Monitoring From Aug 12 20:55:34 To Aug 16 00:00:11
6970 Total Events Detected
1615 Unique IPs
241 Autobans Issued
10 Manual Bans Issued

205.185.216.10 is NOT in set Whitelist.
205.185.216.10 is in set Blacklist.
205.185.216.10 is NOT in set BlockedRanges.

Blacklist Reason;  "BanMalware"

205.185.216.10 First Tracked On Aug 13 19:30:06
205.185.216.10 Last Tracked On Aug 15 17:09:49
23 Attempts Total

 

[Xentrk]

I was referring to the contents of your firewall-start file which has a different purpose to the "match-ip" script.

The code is down the page from the MatchIP code on the wiki page, past the Tor and Countries Block section. Here is the explanation:

"Note that every time you do something on the web UI or through your android app or ios app to control your router that affects reloading the firewall rules, /jffs/scripts/firewall-start will be called, so the iptables rules that are defined outside will be wiped out. To reinstate the rules as defined by this script, you'd need to add this to a script (say /jffs/scripts/firewall-reinstate.sh):"

--<snipped the code part>--
Looks like i missed the update to the wiki. The original instructions were to install in firewall-start. I now see the instructions are to install in firewall-reinstate.sh. Ah!

 

[Adamm]

Here is the explanation

Oh my mistake, I didn't scroll down far enough.

Regardless this is still bad practice I personally think this code is "too general". Such functionality should be built into the respective scripts following the general guidelines posted on here a few weeks/months ago.

 

[thelonelycoder]

@redhat27 was the author of the code. I'll let him chime in on this one.

Then it's part of a larger script, I thought this is a separate script.
Then it makes sense.

 

[redhat27]

@redhat27 was the author of the code. I'll let him chime in on this one.

@thelonelycoder That line reinstates a iptable ACCEPT rule if the ipset called "AcceptList" exists, but a corresponding iptables rules does not.

EDIT: Just saw that you had already referred to it just above. Never mind.

EDIT2: The wiki is a bit confusing and begs a re-write <sigh>

EDIT3: I agree that wildcard case should not be there. It's a blanket blocking rule that will interfere with other ipsets. It was written a while ago.

 

[Xentrk]

@Adamm,
The install on the second router was successful this time. Blocking is taking place. So far I am impressed by Skynet. Very nice job. I have been working on pfSense the past five days troubleshooting the IDS/IPS Suricata package. Not as easy to master when compared to Skynet! Many thanks for a fine job and great support.

Monitoring From Aug 16 14:14:34 To Aug 16 19:57:30
18 Total Events Detected
2 Unique IPs
7 Autobans Issued
0 Manual Bans Issued

 pkts bytes target     prot opt in     out     source               destination
23187 2727K ACCEPT     all  --  br0    any     anywhere             anywhere             match-set Whitelist dst
    0     0 LOG        all  --  br0    any     anywhere             anywhere             match-set Skynet dst LOG level warning tcp-sequence tcp-options ip-options prefix "[BLOCKED - OUTBOUND] "
    0     0 DROP       all  --  br0    any     anywhere             anywhere             match-set Skynet dst
 7010 2361K ACCEPT     all  --  ppp0   any     anywhere             anywhere             match-set Whitelist src
   11   440 LOG        all  --  ppp0   any     anywhere             anywhere             match-set Skynet src LOG level warning tcp-sequence tcp-options ip-options prefix "[BLOCKED - INBOUND] "
   11   440 DROP       all  --  ppp0   any     anywhere             anywhere             match-set Skynet src
    0     0 ACCEPT     all  --  ppp0   any     anywhere             anywhere             match-set Whitelist src

 

[skeal]

@Adamm just a couple quick questions.

Aug 16 07:12:44 kernel: ip_set: protocol 6
Aug 16 07:12:44 rc_service: service 13770:notify_rc restart_firewall
Aug 16 07:12:45 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan3000_vlan3000)!
Aug 16 07:12:45 custom_script: Running /jffs/scripts/firewall-start (args: vlan3000)
Aug 16 07:12:46 Skynet: [INFO] Startup Initiated... ( banmalware autoupdate usb=/tmp/mnt/EXT4 )
Aug 16 07:13:07 Skynet: [Complete] 31 IPs / 0 Ranges Banned. 31 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [20s]
Aug 16 07:14:26 rc_service: httpd 620:notify_rc restart_rstats;restart_conntrack;restart_leds;restart_cstats
Aug 16 08:00:01 Skynet: [Complete] 32 IPs / 0 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 1 Inbound / 0 Outbound Connections Blocked! [1s]
Aug 16 09:00:01 Skynet: [Complete] 32 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2 Inbound / 0 Outbound Connections Blocked! [1s]
Aug 16 10:00:01 Skynet: [Complete] 34 IPs / 0 Ranges Banned. 2 New IPs / 0 New Ranges Banned. 4 Inbound / 0 Outbound Connections Blocked! [1s]
Aug 16 11:00:01 Skynet: [Complete] 34 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 6 Inbound / 0 Outbound Connections Blocked! [1s]
Aug 16 11:09:01 kernel: htb: htb qdisc 14: is non-work-conserving?
Aug 16 12:00:01 Skynet: [Complete] 35 IPs / 0 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 7 Inbound / 0 Outbound Connections Blocked! [1s]
Aug 16 12:25:36 kernel: [BLOCKED - NEW BAN] IN=vlan3000 OUT= MAC=Blah:Blah:Blah:45:00:00:28 SRC=112.166.229.47 DST=xxx.xxx.xxx.xxxLEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=17074 PROTO=TCP SPT=2684 DPT=81 SEQ=3684630528 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0

Is this typical 1 day of operation with a restart? I'm using this on a home network.

 

[Adamm]

@Adamm just a couple quick questions.

Aug 16 07:12:44 kernel: ip_set: protocol 6
Aug 16 07:12:44 rc_service: service 13770:notify_rc restart_firewall
Aug 16 07:12:45 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan3000_vlan3000)!
Aug 16 07:12:45 custom_script: Running /jffs/scripts/firewall-start (args: vlan3000)
Aug 16 07:12:46 Skynet: [INFO] Startup Initiated... ( banmalware autoupdate usb=/tmp/mnt/EXT4 )
Aug 16 07:13:07 Skynet: [Complete] 31 IPs / 0 Ranges Banned. 31 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [20s]
Aug 16 07:14:26 rc_service: httpd 620:notify_rc restart_rstats;restart_conntrack;restart_leds;restart_cstats
Aug 16 08:00:01 Skynet: [Complete] 32 IPs / 0 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 1 Inbound / 0 Outbound Connections Blocked! [1s]
Aug 16 09:00:01 Skynet: [Complete] 32 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 2 Inbound / 0 Outbound Connections Blocked! [1s]
Aug 16 10:00:01 Skynet: [Complete] 34 IPs / 0 Ranges Banned. 2 New IPs / 0 New Ranges Banned. 4 Inbound / 0 Outbound Connections Blocked! [1s]
Aug 16 11:00:01 Skynet: [Complete] 34 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 6 Inbound / 0 Outbound Connections Blocked! [1s]
Aug 16 11:09:01 kernel: htb: htb qdisc 14: is non-work-conserving?
Aug 16 12:00:01 Skynet: [Complete] 35 IPs / 0 Ranges Banned. 1 New IPs / 0 New Ranges Banned. 7 Inbound / 0 Outbound Connections Blocked! [1s]
Aug 16 12:25:36 kernel: [BLOCKED - NEW BAN] IN=vlan3000 OUT= MAC=Blah:Blah:Blah:45:00:00:28 SRC=112.166.229.47 DST=xxx.xxx.xxx.xxxLEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=17074 PROTO=TCP SPT=2684 DPT=81 SEQ=3684630528 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0

Is this typical 1 day of operation with a restart? I'm using this on a home network.

Looks fine to me

 

[skeal]

Looks fine to me

One last question. I checked my log after last night. Logs show period of inactivity between 8pm and 3am.

Aug 16 19:00:01 Skynet: [Complete] 36 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 26 Inbound / 0 Outbound Connections Blocked! [1s]
Aug 16 19:07:12 ntp: start NTP update
Aug 16 20:36:42 kernel: htb: htb qdisc 10: is non-work-conserving?
Aug 16 23:07:16 disk_monitor: Got SIGALRM...

It is now just after 4am and still no updates to skynet. Is this because it has no new stats to show?

 

[Adamm]

It is now just after 4am and still no updates to skynet. Is this because it has no new stats to show?

The cronjob should still be active, please post the output of;

cru l

sh /jffs/scripts/firewall debug info

 

[skeal]

Output as asked.

00 2 * * Sat /tmp/mnt/EXT4/adblocking/addon/update-hosts.add cronjob #AB_UpdateHosts#
20 5 * * * /tmp/mnt/EXT4/adblocking/addon/rotate-logs.add #AB_RotateLogs#
25 2 * * 1 sh /jffs/scripts/firewall banmalware #Skynet_banmalware#
25 1 * * 1 sh /jffs/scripts/firewall update #Skynet_autoupdate#
0 * * * * sh /jffs/scripts/firewall save #Skynet_save#

That was all the results of cru l
The results of sh /jffs/scripts/firewall debug info.

Router Model: RT-AC3100
Skynet Version: v5.1.3 (14/08/2017)
iptables v1.4.14 - (vlan3000)
ipset v6.32, protocol version: 6
FW Version: 380.68_beta1-gbc6ee4f (Aug 13 2017)
Install Dir; /tmp/mnt/EXT4/skynet (56.9G Space Available)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate usb=/tmp/mnt/EXT4
Install Dir Writeable
Startup Entry Detected
Cronjobs Detected
IPSet Supports Comments
Autobanning Enabled
Debug Mode Disabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
Skynet IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet IPSet Detected
Skynet: [Complete] 39 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 27 Inbound / 0 Outbound Connections Blocked! [0s]

Thanks for looking at this!

 

[skeal]

The cronjob should still be active, please post the output of;

cru l

sh /jffs/scripts/firewall debug info

Output is in previous post.

 

[Adamm]

Output is in previous post.

It looks like everything is fine including the cronjobs, the reason for not printing to syslog though is beyond me (did you possibly mess with the syslog settings in the WebUI?).

For peace of mind you can "refresh" everything and run;

sh /jffs/scripts/firewall debug restart

 

[skeal]

It looks like everything is fine including the cronjobs, the reason for not printing to syslog though is beyond me (did you possibly mess with the syslog settings in the WebUI?).

For peace of mind you can "refresh" everything and run;

sh /jffs/scripts/firewall debug restart

I did change logging options at one point. I don't remember the defaults do you? I can change options to comply.

 

[Adamm]

. I don't remember the defaults do you?

Default message log level: Notice
Log only messages more urgent than: debug

 

[Adamm]

I did change logging options at one point. I don't remember the defaults do you? I can change options to comply.

I also added a new check for this in the debug info command as its a (small) point of failure.

 

[Stevemcclure]

Hi, would the following output at the bottom of the attached photo suggest this script will not work with hgg firmware?

Many thanks.


Sent from my iPhone using Tapatalk

 

[Adamm]

Hi, would the following output at the bottom of the attached photo suggest this script will not work with hgg firmware

I haven't looked much into his fork, but if the new IPSet changes aren't backported I'm afraid you're out of luck. Sorry

 

[Stevemcclure]

I haven't looked much into his fork, but if the new IPSet changes aren't backported I'm afraid you're out of luck. Sorry

Thanks Adamm, in this case I will put merlin back on my router and leave hgg on the AP, where it will benefit the most.

Thanks again, looking forward to getting this running.


Sent from my iPhone using Tapatalk