Poopiepants
Occasional Visitor
My telnet is not for the router, but for an old school bbs.
In this case there is no security issue.
In this case there is no security issue.
Skynet Skynet - Router Firewall & Security Enhancements
sfx2000
Part of the Furniture
Cool... have a friend that does something similar, so he set up a RaspPI to act as a terminal server (ssh into the PI, and then Telnet into the DOS machine running WWIV 5 telnet server)...
Cake
Senior Member
AC68U with HGG. I followed your guide, and humpty dumpty fell. I have only had to use the reset once on the back. I can't get back in.
So.. after pasting the scripts in, and chmod a+x .. rebooting....
I never could shh and type firewall ... ... . I get unknown command or something.
ipset.txt missing comes back when typing sh firewall.
Started with random reboots every 5 minutes, then no route to host, no ip handed out to my desktop, etc.
Even with static ip I can't find the router's gui.
Did your script overclock by any chance? I thought I seen some kind of cfe message about it when first running something.
So.. after pasting the scripts in, and chmod a+x .. rebooting....
I never could shh and type firewall ... ... . I get unknown command or something.
ipset.txt missing comes back when typing sh firewall.
Started with random reboots every 5 minutes, then no route to host, no ip handed out to my desktop, etc.
Even with static ip I can't find the router's gui.
Did your script overclock by any chance? I thought I seen some kind of cfe message about it when first running something.
Cake
Senior Member
Well I got back in, I suspect I am overclocked as the routers GUI says 1200Mhz!
Did HGG's firmware do that or the script in this thread?
I guess its not important, but how do I go back to default cpu speed?
will:
nvram set clkfreq=800
nvram commit
reboot
work?
(link)
My problem is my router locks up between 5 seconds and 2 minutes after a reboot now.
I am worried it will do it in the middle of reinstalling firmware/factory reset.
The router's bootlader (cfe) is 1.0.2.0 (I'm not sure if it got changed I was using HGG 380.57.6-older driver, AC68U)
Final edit: The above nvram command works, router's gui shows 800Mhz after reboot. It still maybe the wrong freq, (I think there is 2 or 3 values after 800), but until someone replies back with correct default freq, I'll keep it.
Did HGG's firmware do that or the script in this thread?
I guess its not important, but how do I go back to default cpu speed?
will:
nvram set clkfreq=800
nvram commit
reboot
work?
(link)
My problem is my router locks up between 5 seconds and 2 minutes after a reboot now.
I am worried it will do it in the middle of reinstalling firmware/factory reset.
The router's bootlader (cfe) is 1.0.2.0 (I'm not sure if it got changed I was using HGG 380.57.6-older driver, AC68U)
Final edit: The above nvram command works, router's gui shows 800Mhz after reboot. It still maybe the wrong freq, (I think there is 2 or 3 values after 800), but until someone replies back with correct default freq, I'll keep it.
Last edited:
Well, I still need help:
I have the firewall code up and running and added some tweaks to it like the option of banning an IP block with Mask e.g. 188.143.0.0/16 from the program commande line. And added the M$ anti-spying code from the wiki at the end.
It DOES work splendidly for attackers that are going for ports OTHER than 80. See, I have a website that's running on port 80 and some people out there are trying to hack it. Since I'm using the PortForward option in the GUI to open the http port and redirect to my PC, I have no control over who's getting in...
Now, what I would desperately need is a way to use the banned ipset's to filter an iptables FORWARD and PREROUTING set of rules instead of the GUI.
I found some code in SNB threads, code like this:
combined with this:
Conceptually, what I would like is a FORWARD rule that's accepting a NOT -m set --match-set Maude src
Can someone help ?
EDIT:
This is what I'm trying now with PortForward disabled:
PS: I can share the changes I made to the code through the website... Just ask for it...
Thanks !
Maude
I have the firewall code up and running and added some tweaks to it like the option of banning an IP block with Mask e.g. 188.143.0.0/16 from the program commande line. And added the M$ anti-spying code from the wiki at the end.
It DOES work splendidly for attackers that are going for ports OTHER than 80. See, I have a website that's running on port 80 and some people out there are trying to hack it. Since I'm using the PortForward option in the GUI to open the http port and redirect to my PC, I have no control over who's getting in...
Now, what I would desperately need is a way to use the banned ipset's to filter an iptables FORWARD and PREROUTING set of rules instead of the GUI.
I found some code in SNB threads, code like this:
Code:
iptables -t nat -I PREROUTING -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100
Code:
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o eth0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPTConceptually, what I would like is a FORWARD rule that's accepting a NOT -m set --match-set Maude src
Can someone help ?
EDIT:
This is what I'm trying now with PortForward disabled:
Code:
iptables -t nat -D PREROUTING -d 192.222.217.133/32 -j VSERVER
iptables -t nat -D PREROUTING -d 192.222.217.133/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.190:80
iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set BlockedCountries src -j DROP
iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set Blacklist src -j DROP
iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set Maude src -j DROP
iptables -D FORWARD -m conntrack --ctstate DNAT -j ACCEPT
iptables -t nat -I PREROUTING -d 192.222.217.133/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.190:80
iptables -I FORWARD -m conntrack --ctstate DNAT -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set BlockedCountries src -j DROP
iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set Blacklist src -j DROP
iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set Maude src -j DROPPS: I can share the changes I made to the code through the website... Just ask for it...
Thanks !
Maude
Last edited:
ColinTaylor
Part of the Furniture
Did you read the release notes where it says ipset has changed?
http://www.snbforums.com/threads/release-asuswrt-merlin-380-63-is-now-available.35561/
HardCat
Regular Contributor
As pointed out in another thread...
http://www.snbforums.com/threads/using-ipset-revisited.32817/#post-287431
This may get you headed in the right direction for the changes required.
Cheers!
Did you manage to get the script running for version 380.63? If so, could you please post the updated code, thanks!
Yes, but it has changed again in .65, which I am unable to look at due to other commitments, in .63, this is what I did in the firewall-start script.
Code:
#!/bin/sh
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
# Load ipset modules
ipset -v | grep -i "v4" > /dev/null 2>&1
if [ $? -eq 0 ];
then
# old ipset
ipsetv=4
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
insmod $module
done
else
# new ipset
ipsetv=6
lsmod | grep "xt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
do
insmod $module
done
fi
echo "0 * * * * /jffs/scripts/firewall save" > /var/spool/cron/crontabs/admin
[ -n "`pidof crond`" ] && killall -q crond
sleep 5
crond
sh /jffs/scripts/firewall
fiLet us know if it works for you.
Kind Regards
swetoast
Guest
errr thats not malware-filter if your gonna copy paste stuff do it right
errr that's the script, see /jffs/scripts/firewall-start here: https://www.snbforums.com/threads/h...ng-ipset-firewall-addition.16798/#post-115872
Next time, don't be so rude. It works for me, and I was trying to help someone out, I won't in future if that is the type of reply I get.
Two Potatoe
New Around Here
Hi all,
Can anyone confirm (or repost) the scripts that work with 380.65?
Thanks!
Can anyone confirm (or repost) the scripts that work with 380.65?
Thanks!
el pescador
Senior Member
Hope this is the right place.
Any way of blocking a range of ips.
For example 159.153.76.xxx
Im using ddwrt but also have merlin on the Ac88U which i switch over every week or few days.
Any way of blocking a range of ips.
For example 159.153.76.xxx
Im using ddwrt but also have merlin on the Ac88U which i switch over every week or few days.
Similar threads
Similar threads
Similar threads
-
-
Skynet Skynet showing router itself making calls to China?
- Started by Skywise
- Replies: 26
-
Skynet Skynet - Blocked outbounds coming from the router itself?
- Started by JuanGF
- Replies: 12
-
Skynet Installing Skynet causes router to crash and reboot
- Started by ovancantfort
- Replies: 26
-
Skynet I have installed the skynet firewall how do I configure it if the security of iot devices is important?
- Started by lenovomen
- Replies: 2
-
Skynet Message on SKYNET I havent seen before- Started by Davidncali001
- Replies: 1
-
-
-
Skynet SkyNet/Firewall blocking all ping requests, including outbound
- Started by nearlyheadlessarvie
- Replies: 6
-
Skynet SOLVED: Scrollbar Disappears on Skynet Tab on Asuswrt-Merlin 386.14
- Started by WRobertE
- Replies: 10