Skynet Skynet - Router Firewall & Security Enhancements

[swetoast]

naaaa but i maintain other scripts that are similar and from the error messages that your script gives i can clearly tell that something is wrong

 

[mannp]

naaaa but i maintain other scripts that are similar and from the error messages that your script gives i can clearly tell that something is wrong

Yep, just noticed 'Currently this script is only supported for ARM based routers (AC56U/AC68U) as they run a different version of IPTables' for the updated version, so my bad on a N66U

Thanks for replying and thanks for the links to a couple of other script in your sig, that I've just installed.

 

[swetoast]

havent looked at that much on this script but it would be nice with a proper write up from one of the scripters.

just think information gets lost in threads like this resulting in users like you missing vital information.

your welcome hope they work out good for ya

 

[mannp]

havent looked at that much on this script but it would be nice with a proper write up from one of the scripters.

just think information gets lost in threads like this resulting in users like you missing vital information.

your welcome hope they work out good for ya

Well, for sure I found it hard to follow which script instructions were for which script in this thread and the write ups for the others on github were much easier to follow.

Thats said, its not me writing them up, so its easy for me to say

 

[a_lunatic]

Ok now I am more confused what to do to get this working now.

 

[Adamm]

Ok now I am more confused what to do to get this working now.

I agree, it is quite a mess right now so in this thread so from this point on-wards I'd like to keep this thread specific to the script in the OP.

1. Create the file /jffs/scripts/firewall (using a text editor like nano) and copy the code from the linked post.

2. Create the file /jffs/scripts/firewall-start from again the code in the linked post.

3. Chmod both files so they are executable.

chmod +x /jffs/scripts/firewall
chmod +x /jffs/scripts/firewall-start

Reboot the router. If this was successful, in the router syslog you should see similar lines

Apr 22 18:42:50 Firewall: [IP Banning Started] ... ... ...
Apr 22 18:42:51 Firewall: [Complete] 5670 IPs currently banned. 54 New IP's Banned. [1s]

 

[a_lunatic]

Done but after restarting it doesn't show Firewall: [IP Banning Started] ... in the log unless login to ssh and I run the sh /jffs/scripts/firewall command and I noticed it runs the firewall-start script 3 times after reboot so does that mean it's not running until I run that command ?

 

[Adamm]

Done but after restarting it doesn't show Firewall: [IP Banning Started] ... in the log unless login to ssh and I run the sh /jffs/scripts/firewall command and I noticed it runs the firewall-start script 3 times after reboot so does that mean it's not running until I run that command ?

Do you have the option "Enable JFFS custom scripts and configs" enabled under Administration - System?

If so, it should execute the file on boot and leave something like this in your syslog;

Apr 22 18:42:45 custom script: Running /jffs/scripts/firewall-start (args: eth0)

Assuming this file is executed (and has the right permissions via chmod) it should initiate the script.

Another way to confirm the script is running as per usual after boot, if you run the follow command, you should get a list of the different IPSet's and any blocked/whitelisted IP's.

ipset -L

 

[a_lunatic]

Ok I worked out why it wasn't starting it is cause I have changed the admin login name so changing that in firewall-start fixed it.

/var/spool/cron/crontabs/LOGINNAME

 

[yk101]

OK, first of all - thanks for great forum! You guys are the best!

Now I have a question. I've been running firewall for a few days - everything appears to be functional, but I still get hits on my postfix from IPs that are supposed to be banned:

Here is an example:

2017-04-24T19:50:08-04:00 nas01 postfix/postscreen[15702]: CONNECT from [113.176.82.240]:50463 to [192.168.2.200]:25
2017-04-24T19:50:08-04:00 nas01 postfix/dnsblog[15703]: addr 113.176.82.240 listed by domain bl.blocklist.de as 127.0.0.13
2017-04-24T19:50:08-04:00 nas01 postfix/dnsblog[15710]: addr 113.176.82.240 listed by domain all.usa.bl.blocklist.de as 127.0.0.13
2017-04-24T19:50:08-04:00 nas01 postfix/dnsblog[15707]: addr 113.176.82.240 listed by domain all.rbl.webiron.net as 127.0.0.2
2017-04-24T19:50:08-04:00 nas01 postfix/postscreen[15702]: DNSBL rank 8 for [113.176.82.240]:50463
2017-04-24T19:50:09-04:00 nas01 postfix/postscreen[15702]: DISCONNECT [113.176.82.240]:50463

Now looking at freshly saved ipset.txt:

admin@RT-AC88U:/jffs/scripts/data# grep 113.176.82.240 ipset.txt
add Blacklist 113.176.82.240 timeout 2052259
admin@RT-AC88U:/jffs/scripts/data#

and finally in ipset:

admin@RT-AC88U:/jffs/scripts/data# ipset -L | grep 113.176.82.240
113.176.82.240 timeout 600744
admin@RT-AC88U:/jffs/scripts/data#

Can someone please explain to me how is this possible? What am I missing?

I mean - if the IP is being blocked by the firewall, how can it get to my mail server that is located inside?

 

[Adamm]

OK, first of all - thanks for great forum! You guys are the best!

Now I have a question. I've been running firewall for a few days - everything appears to be functional, but I still get hits on my postfix from IPs that are supposed to be banned:

Here is an example:

2017-04-24T19:50:08-04:00 nas01 postfix/postscreen[15702]: CONNECT from [113.176.82.240]:50463 to [192.168.2.200]:25
2017-04-24T19:50:08-04:00 nas01 postfix/dnsblog[15703]: addr 113.176.82.240 listed by domain bl.blocklist.de as 127.0.0.13
2017-04-24T19:50:08-04:00 nas01 postfix/dnsblog[15710]: addr 113.176.82.240 listed by domain all.usa.bl.blocklist.de as 127.0.0.13
2017-04-24T19:50:08-04:00 nas01 postfix/dnsblog[15707]: addr 113.176.82.240 listed by domain all.rbl.webiron.net as 127.0.0.2
2017-04-24T19:50:08-04:00 nas01 postfix/postscreen[15702]: DNSBL rank 8 for [113.176.82.240]:50463
2017-04-24T19:50:09-04:00 nas01 postfix/postscreen[15702]: DISCONNECT [113.176.82.240]:50463

Now looking at freshly saved ipset.txt:

admin@RT-AC88U:/jffs/scripts/data# grep 113.176.82.240 ipset.txt
add Blacklist 113.176.82.240 timeout 2052259
admin@RT-AC88U:/jffs/scripts/data#

and finally in ipset:

admin@RT-AC88U:/jffs/scripts/data# ipset -L | grep 113.176.82.240
113.176.82.240 timeout 600744
admin@RT-AC88U:/jffs/scripts/data#

Can someone please explain to me how is this possible? What am I missing?

I mean - if the IP is being blocked by the firewall, how can it get to my mail server that is located inside?

I can see the "timeout" option being listed in your IPSet file which leads me to believe you are using Martineau's version of the script. I haven't looked too much into that feature as I prefer long term banning but it possibly could be expired as his bans only last 24 hours.

Also can you ping the IP that should be banned?

 

[Adamm]

Ok I worked out why it wasn't starting it is cause I have changed the admin login name so changing that in firewall-start fixed it.

/var/spool/cron/crontabs/LOGINNAME

Ahh good find, I will grab the username from the nvram in future versions.

https://www.snbforums.com/threads/h...-ipset-adamm-version.16798/page-7#post-318015

 

[Cat]

WHITELISTING;
If you wish to whitelist the IPs other than default whitelist mentioned above, you can use "sh /jffs/scripts/firewall whitelist file_path" command.
In that case, whitelist command will append IPs itself in the file to "Whitelist IPSET", not IP/24 range.

Default whitelisting of local IP is appeded as ip/24 range automatically.
But whitelist command don't apppend ip"/cidr" range automatically and ips itself(as that is in file) is appended to Whitelist IPSET.

Is it right that I understand?
if so, if I add xxx.xxx.xxx.xxx/24 to whitelist file, "whitelist command" accepts IPs as /cidr?

sorry, I'm a linux novice. I can't understand most of linux scripts.

I applied 4 scripts of wiki to my router below.

1. Tor and Countries Block: Blocks Tor nodes or countries
2. iblocklist-loader: Block or allow using any list from iblocklist
3. Malware Filter: Blocks Malware Spreading ip addresses daily
4. Privacy Filter: Blocks Telemetry, Trackers and Shodian.io

Next, I'd like to try to Adamm's script at first.
if I apply Adamm's script, some of the scripts seem to be duplicates. Countries Block, Malware Filter..

if I apply Adamm's script, May I uninstall some scripts of 4 scripts above?
I don't know what scripts are able to substitute completely by Adamm's script.

If I use all of 4 scripts and Adamm's script together, do any problem can occur in the long run?

suggestion:
I think it is maybe possible to delete some of blocked country list without rebooting router.
If I can add or delete and apply on the fly "blocked country list", it would be fantastic.

 

[Adamm]

WHITELISTING;
If you wish to whitelist the IPs other than default whitelist mentioned above, you can use "sh /jffs/scripts/firewall whitelist file_path" command.
In that case, whitelist command will append IPs itself in the file to "Whitelist IPSET", not IP/24 range.

Default whitelisting of local IP is appeded as ip/24 range automatically.
But whitelist command don't apppend ip"/cidr" range automatically and ips itself(as that is in file) is appended to Whitelist IPSET.

Is it right that I understand?
if so, if I add xxx.xxx.xxx.xxx/24 to whitelist file, "whitelist command" accepts IPs as /cidr?

sorry, I'm a linux novice. I can't understand most of linux scripts.

I applied 4 scripts of wiki to my router below.

1. Tor and Countries Block: Blocks Tor nodes or countries
2. iblocklist-loader: Block or allow using any list from iblocklist
3. Malware Filter: Blocks Malware Spreading ip addresses daily
4. Privacy Filter: Blocks Telemetry, Trackers and Shodian.io

Next, I'd like to try to Adamm's script at first.
if I apply Adamm's script, some of the scripts seem to be duplicates. Countries Block, Malware Filter..

if I apply Adamm's script, May I uninstall some scripts of 4 scripts above?
I don't know what scripts are able to substitute completely by Adamm's script.

If I use all of 4 scripts and Adamm's script together, do any problem can occur in the long run?

suggestion:
I think it is maybe possible to delete some of blocked country list without rebooting router.
If I can add or delete and apply on the fly "blocked country list", it would be fantastic.

Yes, the whitelist command simply adds all ip's in a "192.168.1.0/24" format from the specified file. Also for reference the file path isn't specified in the initial command, after doing;

sh /jffs/scripts/firewall whitelist

You will be prompted to enter a file path.
Alternatively you can also use the following command and do this manually;

ipset -q -A Whitelist ***.***.***.***.***/24

As for other scripts, over the years people have focused on specific areas that this script covers but slightly more in-depth using more or less the same methods. I don't see any obvious conflicts adding my script into the mix having a quick look at the others and just using my scripts main functionality of banning port scanning bots etc picked up by the SPI firewall and an easy way to handle IPSet blacklisting.

And finally about blocking countries, IPSet doesn't require a reboot for changes to apply, so if you used my script for example to block specific countries and wanted to clear the list, you could simply use the command;

ipset flush BlockedCountries

Then reapply the country's you wish to block.

Hope this helps

 

[yk101]

I can see the "timeout" option being listed in your IPSet file which leads me to believe you are using Martineau's version of the script. I haven't looked too much into that feature as I prefer long term banning but it possibly could be expired as his bans only last 24 hours.

- Thanks for the response Adamm! I'm using a hybrid version because it appears that there may be a limit of 64k entries in ipset (at least on my rt-ac88u - still testing). In any case, the entry was not expired - you can see the remaining time in the last portion of the output posted.

Also can you ping the IP that should be banned?

- I haven't tried doing ICMP ping, but even if I can't ping the target, it doesn't necessary mean that connection is being dropped at MY firewall. Or am I missing something again?

 

[Adamm]

- Thanks for the response Adamm! I'm using a hybrid version because it appears that there may be a limit of 64k entries in ipset (at least on my rt-ac88u - still testing). In any case, the entry was not expired - you can see the remaining time in the last portion of the output posted.


- I haven't tried doing ICMP ping, but even if I can't ping the target, it doesn't necessary mean that connection is being dropped at MY firewall. Or am I missing something again?

I'm not sure about other scripts, but mine boosts this 65536 limit (maxelem) to 500k by default and can be adjusted in the script.

And this isn't a perfect indication, but it gives us some idea if the firewall rules are being applied. That being said, if the script is working as it should, the iptables rule is inserted first in the input chain so it should take priority.

 

[yk101]

I'm not sure about other scripts, but mine boosts this 65536 limit (maxelem) to 500k by default and can be adjusted in the script.

And this isn't a perfect indication, but it gives us some idea if the firewall rules are being applied.

Understood. Thanks and I will try it tonight.

 

[Adamm]

Understood. Thanks and I will try it tonight.

Looking further into this specific IP. Its known and been previously reported for abuse and based in Vietnam (shocker). It doesn't accept ping requests which makes my previous question irrelevant, but even when I ban the IP (or /24) I can still make a http connection to the mini_httpd server its hosting which is very strange. Can't say I've seen this before, I'll dig into it as maybe I'm overlooking something simple but it is definitely a unique case.

 

[yk101]

Looking further into this specific IP. Its known and been previously reported for abuse and based in Vietnam (shocker). It doesn't accept ping requests which makes my previous question irrelevant, but even when I ban the IP (or /24) I can still make a http connection to the mini_httpd server its hosting which is very strange. Can't say I've seen this before, I'll dig into it as maybe I'm overlooking something simple but it is definitely a unique case.

Thanks! It is actually not that unique... I get a few thousands hits through the firewall, but then rejected by postfix DNS BL check every day (the same exact list I used in the ipset!). This actually makes me think that anything being forwarded to an internal host/port by the router may not be subject to rules set by ipset. Is that at all possible?

 

[yk101]

I'm not sure about other scripts, but mine boosts this 65536 limit (maxelem) to 500k by default and can be adjusted in the script.

And this isn't a perfect indication, but it gives us some idea if the firewall rules are being applied. That being said, if the script is working as it should, the iptables rule is inserted first in the input chain so it should take priority.

Adamm, I looked at the script, but can't see where it is being set (this may be because I'm a noob in sh scripting). I removed all of the sets from FW and re-run the script (v3.0)
Looking at the logging I see the following confirmation of my previous 64k limit assumption:

Apr 25 14:47:27 Firewall: [Complete] 1 IPs currently banned. -55700 New IP's Banned. [0s]
Apr 25 14:48:28 Firewall: [Complete] 2 IPs currently banned. 1 New IP's Banned. [0s]
Apr 25 14:52:55 Firewall: [Complete] 63260 IPs currently banned. 63258 New IP's Banned. [236s]
Apr 25 15:00:28 Firewall: [Complete] 63270 IPs currently banned. 10 New IP's Banned. [28s]
Apr 25 16:00:28 Firewall: [Complete] 63331 IPs currently banned. 61 New IP's Banned. [28s]
Apr 25 16:22:22 Firewall: [Complete] 63358 IPs currently banned. 27 New IP's Banned. [7s]
Apr 25 16:49:41 Firewall: [Complete] 65537 IPs currently banned. 2179 New IP's Banned. [383s]
Apr 25 16:55:53 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [2s]
Apr 25 17:00:04 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [4s]
Apr 25 17:01:40 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [2s]
Apr 25 18:00:05 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [5s]
Apr 25 19:00:05 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [5s]

Once the count hits 65537 (64k), new bans are not being added. Is it possible that something is broken in ipset 6?