Skynet - Router Firewall & Security Enhancements


Maybe you should uninstall, reboot and install again.
 
Thanks for the watch and help.

Code:
Router Model: RT-AC87U
Skynet Version: v5.1.5 (24/08/2017)
iptables v1.4.14 - (eth0)
ipset v6.32, protocol version: 6
FW Version: 380.68_0 (Aug 18 2017)
Install Dir; /jffs (62.8M Space Available)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate
Install Dir Writeable
Startup Entry Detected
No Lock File Found
Cronjobs Detected
IPSet Supports Comments
Level 5 Messages Won't Be Logged
Autobanning Enabled
Debug Mode Disabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
Skynet IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet IPSet Detected
Skynet: [Complete] 132360 IPs / 2866 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [2s]

Why two times?
Code:
22:48:02 Skynet: [INFO] Startup Initiated... ( banmalware autoupdate )
Aug 24 22:48:46 Skynet: [Complete] 132360 IPs / 2866 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [44s]
Aug 24 22:51:58 Skynet: [Complete] 132360 IPs / 2866 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [2s]
 
When the script executes, it clears the information I just pointed out in the previous post.
 

Okay I have a good idea of what the issue is now. Specifically relating to error "Level 5 Messages Won't Be Logged"

This indicates you changed the default syslog settings so that anything with the default log level won't be logged. Is there any specific reason for this?

Secondly I'm assuming due to this the router modifies the drop rule to account for this so my default rules won't remove it.

Please post the output of;

"iptables-save"
 
Honestly, I have no idea why this is so. There is no reason.

iptables-save, the output is too large to post. Which part are you interested in?
 
Honestly, I have no idea why this is so. There is no reason.

You probably did it without realising, for reference the default and recommended settings are;

Default message log level: Notice
Log only messages more urgent than: debug


iptables-save, the output is too large to post. Which part are you interested in?

Before you change the setting above to fix the issue, I'm specifically looking for the output from;

iptables-save | grep "A logdrop"

Then I'll be able to push an update accordingly to prevent this kind of breakage in future (although your current syslog settings will have other adverse effects)
 
Code:
-A logdrop -i eth0 -m set --match-set Whitelist src -j ACCEPT
-A logdrop -i eth0 -p tcp -m multiport --sports 80,443,143,993,110,995,25,465 -m state --state INVALID -j DROP
-A logdrop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A logdrop -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,ACK -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A logdrop -i eth0 -m state --state INVALID -j LOG --log-prefix "[BLOCKED - NEW BAN] " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -i eth0 -m state --state INVALID -j SET --add-set Skynet src
-A logdrop -j DROP
COMMIT
 
Does Skynet block certain countries by default? For now, I am blocking the following:
Code:
firewall ban country "cn ru jp ua gb de br fr in tr it kr pl es vn ar co tw mx cl ph"
Is there a command to list what countries are being blocked? Thank you.
 

Now that I have access to my router, I've tried to replicate your issue with no luck. Your output here also indicates it isn't printing drop messages so it's quite confusing. If you are still experiencing this, please post the output of the following;

Code:
iptables-save | grep "\--log-prefix"

Does Skynet block certain countries by default?

No

Is there a command to list what countries are being blocked?

Forgot to add this during the comment support update, for now this will show under "debug info" if it detects country blocking in use, it should look something like the following;



As I didn't push a version change, you will need to force update to get these changes;

Code:
sh /jffs/scripts/firewall update -f
 
The output is:
Code:
ASUSWRT-Merlin RT-AC87U 380.68-0 Fri Aug 18 21:40:17 UTC 2017
miju@RT-AC87U:/tmp/home/root# iptables-save | grep "\--log-prefix"
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -i eth0 -m state --state INVALID -j LOG --log-prefix "[BLOCKED - NEW BAN] " --log-tcp-sequence --log-tcp-options --log-ip-options
 
After scratching my head, It finally occurred to me why this is happening while going over your posts.

This is because you are using IPv6 and the IPTables rules related to it are what's triggering the messages. Skynet was written with only IPv4 in mind as I have no way to test anything IPv6 related.

To remove the messages, you will need to add something like the following to the bottom of your firewall-start file;

Code:
ip6tables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options

But please note I do not officially support ip6tables, Skynet in its current state will only filter IPv4 traffic, I'm not sure how much having IPv6 will or won't affect it.
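To see where a stray "DROP " log message is coming from before deleting any rule, the following added example (not Skynet's code and not from this thread) reads iptables-save / ip6tables-save style dumps from stdin and reports only the logdrop LOG rules that still carry the stock "DROP " prefix; the two dumps embedded below are constructed samples, not captured router output.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Reads an iptables-save or
# ip6tables-save style dump on stdin and prints one line for every LOG rule
# in the logdrop chain whose --log-prefix is the stock "DROP " prefix that
# the thread traces to ip6tables. $1 is a label so the two dumps can be
# told apart in the output.
find_default_drop_logs() {
    label=$1
    grep -e '-A logdrop .* -j LOG ' \
    | sed -n 's/.*--log-prefix "\([^"]*\)".*/\1/p' \
    | while IFS= read -r prefix; do
        if [ "$prefix" = "DROP " ]; then
            printf '%s "%s"\n' "$label" "$prefix"
        fi
      done
}

# Constructed sample dumps, not captured router output. The IPv4 chain only
# carries Skynet's own LOG rule; the IPv6 chain still has the stock rule.
SAMPLE_V4='*filter
-A logdrop -i eth0 -m state --state INVALID -j LOG --log-prefix "[BLOCKED - NEW BAN] " --log-tcp-sequence
-A logdrop -j DROP
COMMIT'
SAMPLE_V6='*filter
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence
-A logdrop -j DROP
COMMIT'

# Runs the check over both samples and returns the combined report, which
# names only the ip6tables rule.
report_sample() {
    printf '%s\n' "$SAMPLE_V4" | find_default_drop_logs iptables
    printf '%s\n' "$SAMPLE_V6" | find_default_drop_logs ip6tables
}

# On the router, feed the live dumps instead of the samples:
#   iptables-save  | find_default_drop_logs iptables
#   ip6tables-save | find_default_drop_logs ip6tables
```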
 
Understand.
It would be good if you can simply switch it off permanently.

 
Understand.
It would be good if you can simply switch it off permanently.

The ip6tables command above does the equivalent. I pushed an update just now with it included, but I again reiterate ip6tables isn't fully supported.

Update via;

Code:
sh /jffs/scripts/firewall update -f
 
Thank you! :)
I think that works, I will continue to monitor it. Is full IPv6 support planned, and at all possible, in the future?

Edit:
Can I remove this line again?
Code:
ip6tables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
 
Is full IPv6 support planned, and at all possible, in the future?

Maybe if my provider ever fully implements it, but adding features that I can't test isn't very ideal. I haven't really looked into IPv6 too much.

Can I remove this line again?

Yes, after you force update it's included by default.
 
Thanks for the update @Adamm! The list of countries comes from pfSense pfBlockerNG package default geo location list. I also added PH as I saw some scan attempts from there recently. I will add more countries as I monitor where the scan attempts originate from.

After the update, debug info showed:
Code:
Router Model; RT-AC88U
Skynet Version; v5.1.5 (26/08/2017)
iptables v1.4.14 - (ppp0)
ipset v6.32, protocol version: 6
FW Version; 380.68_0 (Aug 18 2017)
Install Dir; /tmp/mnt/RT-AC88U/skynet (434.8M Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/RT-AC88U
Banned Countries; cn ru jp ua gb de br fr in tr it kr pl es vn ar co tw mx cl ph
Install Dir Writeable
Startup Entry Detected
Lock File Detected (pid=7247)
Cronjobs Detected
IPSet Supports Comments
Level 5 Messages Won't Be Logged - Only 5+
Autobanning Disabled
Debug Mode Disabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Not Detected
Skynet IPTable Not Detected
Whitelist IPSet Detected
BlockedRanges IPSet Not Detected
Blacklist IPSet Detected
Skynet IPSet Not Detected
Skynet: [Complete] 132173 IPs / 53569 Ranges Banned. 0 New IPs / 0 New Ranges Banned.  Inbound /  Outbound Connections Blocked! [3s]

I rebooted and it appears to have self corrected:
Code:
Router Model; RT-AC88U
Skynet Version; v5.1.5 (26/08/2017)
iptables v1.4.14 - (ppp0)
ipset v6.32, protocol version: 6
FW Version; 380.68_0 (Aug 18 2017)
Install Dir; /tmp/mnt/RT-AC88U/skynet (434.8M Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/RT-AC88U
Banned Countries; cn ru jp ua gb de br fr in tr it kr pl es vn ar co tw mx cl ph
Install Dir Writeable
Startup Entry Detected
No Lock File Found
Cronjobs Detected
IPSet Supports Comments
Level 5 Messages Won't Be Logged - Only 5+
Autobanning Enabled
Debug Mode Enabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
Skynet IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet IPSet Detected
Skynet: [Complete] 132173 IPs / 53569 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [3s]
Any concerns with this message? Level 5 Messages Won't Be Logged - Only 5+
 
Just checked my debug info, out of curiosity, and something seems a bit contradictory:

Code:
Router Model: RT-AC68U
Skynet Version: v5.1.4 (16/08/2017)
iptables v1.4.14 - (eth0)
ipset v6.32, protocol version: 6
FW Version: 380.68_0 (Aug 18 2017)
Install Dir; /tmp/mnt/usb/skynet (57.2G Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/usb
Install Dir Writeable
Startup Entry Detected
cat: can't open '/tmp/skynet.lock': No such file or directory
Lock File Detected (pid=)

Cronjobs Detected
IPSet Supports Comments
Autobanning Enabled
Debug Mode Enabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
Skynet IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet IPSet Detected
Skynet: [Complete] 132506 IPs / 2866 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [1s]

Code:
marco@router:/tmp# ll /tmp | grep "skynet"
marco@router:/tmp#

Is the lockfile mentioned located elsewhere?
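The "cat: can't open '/tmp/skynet.lock'" error followed by "Lock File Detected (pid=)" is what a check produces when it tests for the file and then reads it as two separate steps. As an added example that is not Skynet's code, this POSIX sh helper reads first and reports a lock only on a successful read with a live PID; the "Stale Lock File" wording and the temp-directory demo are my own, not output from the script.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Reports the state of a lock file the
# way the debug output does, but only claims a lock after the file has been
# read successfully, and treats an empty or dead PID as stale rather than live.
# $1 is the lock file path; the thread shows /tmp/skynet.lock.
check_lock() {
    lockfile=$1
    # Read first and test the result. A file that disappears between an
    # existence test and the read is what yields "Lock File Detected (pid=)".
    if ! pid=$(cat "$lockfile" 2>/dev/null); then
        echo "No Lock File Found"
        return 0
    fi
    case $pid in
        ''|*[!0-9]*)
            # empty or non-numeric content: never report it as a live lock
            echo "Stale Lock File (no valid pid)"
            return 0 ;;
    esac
    # kill -0 only tests that the process exists; it delivers no signal
    if kill -0 "$pid" 2>/dev/null; then
        echo "Lock File Detected (pid=$pid)"
    else
        echo "Stale Lock File (pid=$pid no longer running)"
    fi
}

# Self-contained demonstration in a temp directory (constructed, not router
# state): no file, a live lock holding this shell's pid, then an empty file.
demo() {
    dir=$(mktemp -d)
    lock="$dir/skynet.lock"
    r1=$(check_lock "$lock")
    echo $$ > "$lock"
    r2=$(check_lock "$lock")
    : > "$lock"
    r3=$(check_lock "$lock")
    rm -rf "$dir"
    printf '%s\n%s\n%s\n' "$r1" "$r2" "$r3"
}
```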
 
I noticed that after the upgrade
Code:
No Lock File Found
Before the upgrade:
Code:
Lock File Detected (pid=7247)
 
Just updated manually and everything looks fine now...

Code:
Router Model; RT-AC68U
Skynet Version; v5.1.5 (26/08/2017)
iptables v1.4.14 - (eth0)
ipset v6.32, protocol version: 6
FW Version; 380.68_0 (Aug 18 2017)
Install Dir; /tmp/mnt/usb/skynet (57.2G Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware autoupdate usb=/tmp/mnt/usb
Install Dir Writeable
Startup Entry Detected
No Lock File Found
Cronjobs Detected
IPSet Supports Comments
Level 5 Messages Will Be Logged
Autobanning Enabled
Debug Mode Enabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
Skynet IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet IPSet Detected
Skynet: [Complete] 132506 IPs / 2866 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 51 Inbound / 84 Outbound Connections Blocked! [3s]
 
How do you ban a range of IPs? Do I need a special character in between the start and end IP or do I just leave a blank space?
 
