
Skynet Skynet - Router Firewall & Security Enhancements


Ok, I guess I should have been more clear. Upon opening I get what I think is a normal startup.

#############################


Router Model; RT-AC68U
Skynet Version; v5.7.6 (07/02/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.3_beta1 (Feb 4 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/ab-solution/skynet (4.6G / 7.0G Space Available)
SWAP File; /tmp/mnt/ab-solution/myswap.swp (2.0G)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate usb=/tmp/mnt/ab-solution

0 IPs / 0 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked!

Select Menu Option:
[1] --> Unban
[2] --> Ban
[3] --> Banmalware
[4] --> Whitelist
[5] --> Import IP List
[6] --> Deport IP List
[7] --> Save
[8] --> Restart Skynet
[9] --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Debug Options
[12] --> Stats
[13] --> Install Skynet / Change Boot Options
[14] --> Uninstall

[r] --> Reload Menu
[e] --> Exit Menu


If I use option 8 I receive:

Router Model; RT-AC68U
Skynet Version; v5.7.6 (07/02/2018)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 384.3_beta1 (Feb 4 2018) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/ab-solution/skynet (4.6G / 7.0G Space Available)
SWAP File; /tmp/mnt/ab-solution/myswap.swp (2.0G)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate usb=/tmp/mnt/ab-solution

Checking Skynet IPTable... [Failed]
Checking Whitelist IPSet... [Failed]
Checking BlockedRanges IPSet... [Failed]
Checking Blacklist IPSet... [Failed]
Checking Skynet IPSet... [Failed]

Select Menu Option:
[1] --> Unban
[2] --> Ban
[3] --> Banmalware
[4] --> Whitelist
[5] --> Import IP List
[6] --> Deport IP List
[7] --> Save
[8] --> Restart Skynet
[9] --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Debug Options
[12] --> Stats
[13] --> Install Skynet / Change Boot Options
[14] --> Uninstall

[r] --> Reload Menu
[e] --> Exit Menu


About 60 seconds after using option 8, use the Reload Menu option [r]. These errors are to be expected because Skynet is still in the "booting" phase, so early on that a lockfile hadn't even been created yet. Once you use the reload option you should see these warnings no longer appear.
 

Ok, Thank you.
 
Hi,
Wow, this is nice.
Is it possible to block countries only on incoming packets? What I mean is that the websites are viewable.
If I block CN now I can't go to websites from China.

Or is this not possible?
 
No.

How is it possible to view when you blocked incoming CN? Your outgoing request for data from CN goes out, but the packet will be blocked at incoming. You can't see your page.

Just make sure you don't open services/ports to outside the LAN (WAN) and you should be fine. Any port scanning or activities will be dropped with the basic firewall setting in ASUS.

Note that there is always a risk with port forwarding, as applications you use may have vulnerabilities that allow unauthorised access.
 

I think there are two different areas where you can reject an inbound connection. You would want to allow established connections to proceed, but still block initial connection requests.
 
Maybe it is possible, but not with Skynet, as it blocks the IP in the raw tables.
The existing firewall rules already allow only established or related packets and drop the rest.
 
Hi,
Wow, this is nice.
Is it possible to block countries only on incoming packets? What I mean is that the websites are viewable.
If I block CN now I can't go to websites from China.

Or is this not possible?

Unfortunately blocking is two-way for the time being.
 
Just curious: what would happen if a country is blocked through Skynet and a domain within that country were whitelisted in AB-Solution? Both scripts share whitelisted addresses, right? Would the country block in IPSet overrule the whitelisted domain?
 
I tested it. The whitelist will override the country block. I blocked Germany.. lol.. it blocked my game, which used a German server. I whitelisted it and it is good. But at the end of the day I removed Germany, as it has too many common sites hosting from its servers.

I think for me the minimum is blocking all of the Middle East, Africa, South America and some European and other third-world countries.
 
Just curious: what would happen if a country is blocked through Skynet and a domain within that country were whitelisted in AB-Solution? Both scripts share whitelisted addresses, right? Would the country block in IPSet overrule the whitelisted domain?

Whitelisting takes priority over any type of ban.
 
Will give this a try.
Need to block and unblock game servers when certain routes are playing up, but the GUI option seems to let things through.
Will it make any difference if my AC88U is after my ISP all-in-one modem router?

I run the ISP unit as a DMZ to the Asus and run the NAT etc. from the Asus.
 
Whitelisting takes priority over any type of ban.
In AB3.x I look up the blacklist, whitelist and blocking file to check if an entry to black/whitelist needs to be added and, if it is found, present a menu to either force-add it or not add it.
In Skynet you simply remove the listing in the other list and add it, which I find a better way.
Example Skynet:
Banning (blacklisting) asdf.com --> gets added to the blacklist
Whitelisting asdf.com --> gets added to the whitelist, blacklist entry is removed silently
Blacklisting asdf --> gets added to the blacklist, whitelist entry remains, with the whitelist having preference.

I am inclined to do the same for AB4 but with the difference that I either comment the blacklist entry out or remove it outright if it is added to the whitelist.
 

Yeah, also in the event an entry exists in both the blacklist and whitelist, the whitelist entry will still take priority from how the IPTables rules are configured.

Will give this a try.
Need to block and unblock game servers when certain routes are playing up, but the GUI option seems to let things through.
Will it make any difference if my AC88U is after my ISP all-in-one modem router?

I run the ISP unit as a DMZ to the Asus and run the NAT etc. from the Asus.

Any routing from the Asus unit should be covered; I can't say I've tested the exact scenario, but I would assume so.
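The asdf.com sequence in the post above and the "whitelist takes priority" behaviour mentioned in this reply, as an added shell example (not Skynet's own code): two plain text files stand in for the ipsets, and LISTDIR is an assumed throwaway directory rather than a real install path.

```shell
#!/bin/sh
# Added example, not Skynet's own code: models the list handling described
# in the thread. Two plain files stand in for Skynet's ipsets; LISTDIR is an
# assumed, throwaway location (a real install keeps its lists on the USB drive).
LISTDIR="${LISTDIR:-$(mktemp -d)}"
BLACKLIST="$LISTDIR/blacklist.txt"
WHITELIST="$LISTDIR/whitelist.txt"
: > "$BLACKLIST"
: > "$WHITELIST"

# Exact, whole-line match so 192.0.2.5 does not match 192.0.2.50.
in_list() { grep -qxF -- "$1" "$2" 2>/dev/null; }

add_to() { in_list "$1" "$2" || printf '%s\n' "$1" >> "$2"; }

remove_from() {
  # grep -v exits 1 when nothing is left in the file, which is not an error here.
  grep -vxF -- "$1" "$2" > "$2.tmp" || :
  mv -- "$2.tmp" "$2"
}

# Whitelisting: add to the whitelist and drop any blacklist entry silently.
whitelist_entry() {
  add_to "$1" "$WHITELIST"
  remove_from "$1" "$BLACKLIST"
}

# Banning: add to the blacklist; an existing whitelist entry is left alone.
ban_entry() { add_to "$1" "$BLACKLIST"; }

# Verdict for an entry, checked in the same order as the firewall rules:
# the whitelist is consulted first, so it wins when an entry is in both lists.
verdict() {
  if in_list "$1" "$WHITELIST"; then echo ALLOW
  elif in_list "$1" "$BLACKLIST"; then echo DROP
  else echo NONE
  fi
}

# Walk through the asdf.com sequence from the post.
ban_entry asdf.com;       echo "ban:       $(verdict asdf.com)"  # DROP
whitelist_entry asdf.com; echo "whitelist: $(verdict asdf.com)"  # ALLOW, blacklist entry gone
ban_entry asdf.com;       echo "ban again: $(verdict asdf.com)"  # ALLOW, whitelist has preference
```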
 
Yeah, also in the event an entry exists in both the blacklist and whitelist, the whitelist entry will still take priority from how the IPTables rules are configured.
Exactly, as mentioned in the example.
In AB I have to handle that case differently, as I cannot set a higher preference for either of the lists. Hence I will likely remove, or at least comment out, the blacklist entry, with a comment added to say so.
 
Oops, I clearly can't read :p
 
I have read somewhere that it should be possible, but I can't find the link anymore.

Sent from my SM-G930F with Tapatalk
 
Getting dozens of requests from a particular MAC (and different IPs, very strange)
Code:
Feb 07 06:13:37 xxxxxasuscomm.com kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=1c:b7:2c:74:0e:20:00:17:10:95:6e:16:08:00 SRC=77.72.82.179 DST=XXXXXXLEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=47375 PROTO=TCP SPT=57906 DPT=33923 SEQ=702345863 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 07 06:14:42 xxxxx.asuscomm.com kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=1c:b7:2c:74:0e:20:00:17:10:95:6e:16:08:00 SRC=112.124.123.115 DST=XXXXXXLEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=26026 PROTO=TCP SPT=48544 DPT=1433 SEQ=1698475832 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 07 06:15:28 xxxxxxx.com kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=1c:b7:2c:74:0e:20:00:17:10:95:6e:16:08:00 SRC=211.233.46.76 DST=XXXXXXLEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=63148 PROTO=TCP SPT=43992 DPT=3389 SEQ=2127312026 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 07 06:15:33 xxxxx.asuscomm.com kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=1c:b7:2c:74:0e:20:00:17:10:95:6e:16:08:00 SRC=14.134.100.6 DST=XXXXXLEN=52 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=16603 DPT=55116 SEQ=3558742493 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030001010402
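As an added example (not from the post or from Skynet), a small shell/awk summary a defender can run over log lines like these: it keys on SRC and DPT and ignores the MAC field, which in a netfilter LOG entry is the frame's destination MAC, source MAC and EtherType, so on the WAN interface it is the same upstream hop for every inbound packet, whatever the source IP. The sample lines are constructed in the same shape as the post, using TEST-NET addresses and a made-up MAC.

```shell
#!/bin/sh
# Added example, not part of Skynet: summarise "[BLOCKED - INBOUND]" syslog lines
# by destination port, listing the distinct source addresses that hit each port.
# Reads syslog lines on stdin; prints "hits port src1,src2,..." most-hit first.
summarize_blocked() {
  grep -F '[BLOCKED - INBOUND]' | awk '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "") next
      hits[dpt]++
      # Record each (port, source) pair once so a source is listed without repeats.
      if (!seen[dpt, src]++) srcs[dpt] = (srcs[dpt] == "") ? src : (srcs[dpt] "," src)
    }
    END { for (p in hits) printf "%d %s %s\n", hits[p], p, srcs[p] }
  ' | sort -rn
}

# Constructed sample lines (TEST-NET addresses, made-up MAC); the OUTBOUND line
# is there to show it is filtered out.
SAMPLE_LOG='Feb 07 06:13:37 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=47375 PROTO=TCP SPT=57906 DPT=3389 SEQ=702345863 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 07 06:14:42 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.11 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=26026 PROTO=TCP SPT=48544 DPT=1433 SEQ=1698475832 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 07 06:15:28 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.12 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=63148 PROTO=TCP SPT=43992 DPT=3389 SEQ=2127312026 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 07 06:15:33 router kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=54321 PROTO=TCP SPT=16603 DPT=445 SYN URGP=0'

printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
# 2 3389 192.0.2.10,192.0.2.12
# 1 1433 192.0.2.11
```

In the poster's own lines, DPT=1433 and DPT=3389 are the default MSSQL and RDP ports, which is the usual signature of unrelated Internet-wide scanners rather than one host.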
 
I have a list of malicious coin mining IP addresses that I manually import on a regular basis (in case anyone is interested: https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/MiningServerIPList.txt) I was wondering if there was a setting that I'm missing within the menu to automatically import this list on, say, a weekly basis? I can't seem to find it...
Does the average user have to worry about coin mining though? I'm new to this coin mining and don't practice any myself.
 