What's new

Skynet Skynet - Router Firewall & Security Enhancements

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Thanks! It is actually not that unique... I get a few thousands hits through the firewall, but then rejected by postfix DNS BL check every day (the same exact list I used in the ipset!). This actually makes me think that anything being forwarded to an internal host/port by the router may not be subject to rules set by ipset. Is that at all possible?

From my understanding, all networking is handled via IPTables, being the IPSet blacklist is inserted at the top of the input chain, it _should_ take priority over all other rules for incoming traffic. Every example of IPSet blocking I can find uses the same method
Adamm, I looked at the script, but can't see where it is being set (this may be because I'm a noob in sh scripting). I removed all of the sets from FW and re-run the script (v3.0)
Looking at the logging I see the following confirmation of my previous 64k limit assumption:

Code:
Apr 25 14:47:27 Firewall: [Complete] 1 IPs currently banned. -55700 New IP's Banned. [0s]
Apr 25 14:48:28 Firewall: [Complete] 2 IPs currently banned. 1 New IP's Banned. [0s]
Apr 25 14:52:55 Firewall: [Complete] 63260 IPs currently banned. 63258 New IP's Banned. [236s]
Apr 25 15:00:28 Firewall: [Complete] 63270 IPs currently banned. 10 New IP's Banned. [28s]
Apr 25 16:00:28 Firewall: [Complete] 63331 IPs currently banned. 61 New IP's Banned. [28s]
Apr 25 16:22:22 Firewall: [Complete] 63358 IPs currently banned. 27 New IP's Banned. [7s]
Apr 25 16:49:41 Firewall: [Complete] 65537 IPs currently banned. 2179 New IP's Banned. [383s]
Apr 25 16:55:53 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [2s]
Apr 25 17:00:04 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [4s]
Apr 25 17:01:40 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [2s]
Apr 25 18:00:05 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [5s]
Apr 25 19:00:05 Firewall: [Complete] 65537 IPs currently banned. 0 New IP's Banned. [5s]

Once the count hits 65537 (64k), new bans are not being added. Is it possible that something is broken in ipset 6?

This is because you're importing configuration for an IPSet without maxelem specified. Manually edit your /jffs/scripts/ipset.txt file so you have a line similar to this;

Code:
create Blacklist hash:ip family inet hashsize 4096 maxelem 500000

Then run;

Code:
ipset destroy Blacklist
ipset -q -R  < /jffs/scripts/ipset.txt
 
From my understanding, all networking is handled via IPTables, being the IPSet blacklist is inserted at the top of the input chain, it _should_ take priority over all other rules for incoming traffic. Every example of IPSet blocking I can find uses the same method


This is because you're importing configuration for an IPSet without maxelem specified. Manually edit your /jffs/scripts/ipset.txt file so you have a line similar to this;

Code:
create Blacklist hash:ip family inet hashsize 4096 maxelem 500000

Then run;

Code:
ipset destroy Blacklist
ipset -q -R  < /jffs/scripts/ipset.txt

Thanks! Will try that.
 
Thanks! Will try that.

Okay so I had some free time and decided to look into this issue again as it was bugging me and I think I found the issue.

These requests (among others like http) are handled by the FOWARD chain which wasn't being filtered by the IPSet. I went ahead and did a quick change to the script so it also filters this chain also. This should fix the issue and block those requests. Give it a try and let me know.
 
yes, sadly none of the authors have picked me up on my offer to put up official installation instructions on the wiki

but its almost like all the other scripts get the script from this post

https://www.snbforums.com/threads/h...et-firewall-addition.16798/page-7#post-312136

  • Enable and format JFFS through WEB UI first (if not already enabled)

  • Then place the content to /jffs/scripts/IPSET_Block.sh

  • Then make it executable:
chmod +x /jffs/scripts/IPSET_Block.sh

  • Finally call this at the end of your existing /jffs/firewall-start:
# Load ipset filter rules
sh /jffs/scripts/IPSET_Block.sh

  • then append the following line to /jffs/scripts/services-start:
cru a dynamic-filter "0 */4 * * * /jffs/scripts/IPSET_Block.sh"

this is just an example of how to but it should work

@Martineau that should cover it, shouldn't it ?

Thanks for this information. Sadly when applying those settings this error pops up.

Code:
admin@RT-AC66U:/jffs/scripts# sh firewall
#!/bin/sh
#################################################################################################
## - 02/05/2017 ---        RT-AC56U/RT-AC68U Firewall Addition By Adamm v3.1 -                     #
###################################################################################################################
###                  ----- Make Sure To Edit The Following Files -----                 #
### /jffs/scripts/firewall-start                    <-- Sets up cronjob/iptables rules         #
### /jffs/scripts/firewall                    <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                    <-- Banned IP List/IPSet Rules             #
###################################################################################################################

##############################
###         Commands          ###
##############################
UNBANSINGLE="unban"          # <-- Remove Single IP From Blacklist
UNBANALL="unbanall"          # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall"       # <-- Remove All Entries From Blacklist
SAVEIPSET="save"             # <-- Save Blacklists to /jffs/scripts/ipset.txt
BANSINGLE="ban"              # <-- Adds Entry To Blacklist
BANCOUNTRYSINGLE="country"   # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry"  # <-- Bans specified countries in this file
BANMALWARE="banmalware"      # <-- Bans various malware domains
WHITELIST="whitelist"        # <-- Add IPs from path to Whitelist
NEWLIST="new"            # <-- Create new IPSet Blacklist
##############################

Correct Settings Detected.
Correct Settings Detected.
Enabled Firewall Logging
firewall: line 196: echo: Bad address
[IP Banning Started] ... ... ...
firewall: line 196: can't open /jffs/scripts/ipset.txt: no such file
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
firewall: line 196: echo: Bad address
ipset v4.5: Unknown set
expr: syntax error
[Complete] -6 IPs currently banned.  New IP's Banned. [8s]
expr: syntax error

Fixed the missing file /jffs/script/ipset.txt already, but the other errors I dont understand. Using this script on AC66U Merlinwrt
 
Last edited:
Thanks for this information. Sadly when applying those settings this error pops up.

Code:
admin@RT-AC66U:/jffs/scripts# sh firewall
#!/bin/sh
#################################################################################################
## - 02/05/2017 ---        RT-AC56U/RT-AC68U Firewall Addition By Adamm v3.1 -                     #
###################################################################################################################
###                  ----- Make Sure To Edit The Following Files -----                 #
### /jffs/scripts/firewall-start                    <-- Sets up cronjob/iptables rules         #
### /jffs/scripts/firewall                    <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                    <-- Banned IP List/IPSet Rules             #
###################################################################################################################

##############################
###         Commands          ###
##############################
UNBANSINGLE="unban"          # <-- Remove Single IP From Blacklist
UNBANALL="unbanall"          # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall"       # <-- Remove All Entries From Blacklist
SAVEIPSET="save"             # <-- Save Blacklists to /jffs/scripts/ipset.txt
BANSINGLE="ban"              # <-- Adds Entry To Blacklist
BANCOUNTRYSINGLE="country"   # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry"  # <-- Bans specified countries in this file
BANMALWARE="banmalware"      # <-- Bans various malware domains
WHITELIST="whitelist"        # <-- Add IPs from path to Whitelist
NEWLIST="new"            # <-- Create new IPSet Blacklist
##############################

Correct Settings Detected.
Correct Settings Detected.
Enabled Firewall Logging
firewall: line 196: echo: Bad address
[IP Banning Started] ... ... ...
firewall: line 196: can't open /jffs/scripts/ipset.txt: no such file
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--match-set'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.8: Unknown arg `--add-set'
Try `iptables -h' or 'iptables --help' for more information.
firewall: line 196: echo: Bad address
ipset v4.5: Unknown set
expr: syntax error
[Complete] -6 IPs currently banned.  New IP's Banned. [8s]
expr: syntax error

Fixed the missing file /jffs/script/ipset.txt already, but the other errors I dont understand. Using this script on AC66U Merlinwrt

This is because you are using a non ARM based router that uses an older ipset version. I may add support in future when I get some spare time.

I believe Martineau's version of this script supports your router which is what the post you quoted was referring to.
 
Ahhhh thanks for your prompt reply! Will see if you add mips support in the future... in the meanwhile I'll try and look in the Martineau's thread
 
This script is now hosted on GitHub, you can follow the most recent changes here.

I suggest all users update. I added some features today like a update function (painless script updating), debug mode (show whats actually being blocked in syslog) and a disable command.
 
Sorry if this is stupid, but is this supported on the AC87U? I'm led to believe its ARM based on specs, but wanted to be sure!
 
Sorry if this is stupid, but is this supported on the AC87U? I'm led to believe its ARM based on specs, but wanted to be sure!

I haven't been able to personally test this as I don't have the device, but in theory it should work. Feel free to give it a try and let me know.
 
Is this also OK to run on the router itself, or should a USB be used for the jffs scripts? I read somewhere that nvram commit calls will wear the flash?
 
There was some testing done a long time ago around this debate and it was a general consensus that these type of scripts running from jffs shouldn't do any long term damage.
 
Ok thanks. If i wanted to point ipset etc. to usb, presumably I just have to change the paths in your script?
 
Also, the line below, is this needed if I'm not running anything in that subnet?

ipset -q -A Whitelist 192.168.1.0/24
 
Ok thanks. If i wanted to point ipset etc. to usb, presumably I just have to change the paths in your script?
Yes it would be as simple as modifying the paths in firewall / firewall-start, but that will be up to you to modify. I also like to symlink /jffs/scripts/firewall to /opt/bin for easier execution.

Also, the line below, is this needed if I'm not running anything in that subnet?

ipset -q -A Whitelist 192.168.1.0/24

Sure but I keep it as a hardcoded failsafe as the SPI firewall sometimes blocks you out for whatever reason.
 
I'm guessing opt is if running optware? Which I'm not atm, wasn't sure what advantages there were to it.

Would I need to adapt that line to my actual subnet? e.g. 10.14.16.0/24 ?
 
I'm guessing opt is if running optware? Which I'm not atm, wasn't sure what advantages there were to it.

Would I need to adapt that line to my actual subnet? e.g. 10.14.16.0/24 ?

Entware which is a modern version of optware which can be installed fairly easily.

The script should detect your subnet from nvram in the following line for any non default configurations. It wouldn't hurt to leave that line in too.

Code:
ipset -q -A Whitelist `nvram get lan_ipaddr`/24
 
I suggest anyone using this update to the latest version, I have rewritten it to use case statements as they are slightly faster (and more flexible). I have also been cleaning up various parts of code throughout the week and adding new features.

Both /jffs/scripts/firewall and /jffs/scripts/firewall-start need to be updated!
 
Last edited:
I suggest anyone using this update to the latest version, I have rewritten it to use case statements as they are slightly faster (and more flexible). I have also been cleaning up various parts of code throughout the week and adding new features.

Both /jffs/scripts/firewall and /jffs/scripts/firewall-start need to be updated!

Hey buddy, I think there is a typo in the script - check the spelling for "banmalware" case - you have "balmalware", otherwise great work! Thanks.

Code:
admin@RT-AC88U:/jffs/scripts# sh -x ./firewall banmalware

+ date +%s
+ start_time=1494205019
+ cat /jffs/scripts/firewall
+ head -29
#!/bin/sh
#################################################################################################
## - 08/05/2017 ---        RT-AC56U/RT-AC68U Firewall Addition By Adamm v3.4.1 -          #
##                     https://github.com/Adamm00/IPSet_ASUS            #
###################################################################################################################
###                  ----- Make Sure To Edit The Following Files -----                  #
### /jffs/scripts/firewall-start                    <-- Sets up cronjob/iptables rules          #
### /jffs/scripts/firewall                    <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                    <-- Banned IP List/IPSet Rules              #
###################################################################################################################

##############################
###      Commands      ###
##############################

#      "unban"        # <-- Remove Single IP From Blacklist
#      "unbanall"        # <-- Remove All Entries From Blacklist
#      "save"        # <-- Save Blacklists to /jffs/scripts/ipset.txt
#      "ban"            # <-- Adds Entry To Blacklist
#       "country"        # <-- Adds entire country to blacklist
#      "bancountry"        # <-- Bans specified countries in this file
#      "banmalware"        # <-- Bans various malware domains
#      "whitelist"        # <-- Add IP range to whitelist
#      "import"        # <-- Import and merge IPSet save to firewall
#      "disable"        # <-- Disable Firewall
#      "debug"        # <-- Enable/Disable Debug Output
#      "update"        # <-- Update Script to latest version (check github for changes)
#      "start"        # <-- Initiate Firewall
##############################

+ echo Command not found, please try again.

Command not found, please try again.
+ Logging
+ nvram get Blacklist
+ OLDIPS=39
+ nvram get BlockedRanges
+ OLDRANGES=0
+ ipset -L Blacklist
+ wc -l
+ expr 60 - 7
+ nvram set Blacklist=53
+ ipset -L BlockedRanges
+ wc -l
+ expr 7 - 7
+ nvram set BlockedRanges=0
+ nvram get Blacklist
+ NEWIPS=53
+ nvram get BlockedRanges
+ NEWRANGES=0
+ nvram commit
+ iptables --line -nvL INPUT
+ grep -E set.*Blacklist
+ awk {print $2}
+ iptables --line -nvL INPUT
+ grep -E set.*BlockedRanges
+ awk {print $2}
+ awk {print $2}
+ iptables --line -nvL FORWARD
+ grep -E set.*Blacklist
+ awk {print $2}
+ iptables --line -nvL FORWARD
+ grep -E set.*BlockedRanges
+ expr 66 + 0 + 185 + 0
+ HITS=251
+ date +%s
+ expr 1494205020 - 1494205019
+ start_time=1
+ expr 53 - 39
+ expr 0 - 0
+ echo 1
+ logger -st Firewall [Complete] 53 IPs / 0 Ranges banned. 14 New IPs / 0 New Ranges Banned. 251 Connections Blocked! [1s]
Firewall: [Complete] 53 IPs / 0 Ranges banned. 14 New IPs / 0 New Ranges Banned. 251 Connections Blocked! [1s]
 
Hey buddy, I think there is a typo in the script - check the spelling for "banmalware" case - you have "balmalware", otherwise great work! Thanks.

Code:
admin@RT-AC88U:/jffs/scripts# sh -x ./firewall banmalware

+ date +%s
+ start_time=1494205019
+ cat /jffs/scripts/firewall
+ head -29
#!/bin/sh
#################################################################################################
## - 08/05/2017 ---        RT-AC56U/RT-AC68U Firewall Addition By Adamm v3.4.1 -          #
##                     https://github.com/Adamm00/IPSet_ASUS            #
###################################################################################################################
###                  ----- Make Sure To Edit The Following Files -----                  #
### /jffs/scripts/firewall-start                    <-- Sets up cronjob/iptables rules          #
### /jffs/scripts/firewall                    <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                    <-- Banned IP List/IPSet Rules              #
###################################################################################################################

##############################
###      Commands      ###
##############################

#      "unban"        # <-- Remove Single IP From Blacklist
#      "unbanall"        # <-- Remove All Entries From Blacklist
#      "save"        # <-- Save Blacklists to /jffs/scripts/ipset.txt
#      "ban"            # <-- Adds Entry To Blacklist
#       "country"        # <-- Adds entire country to blacklist
#      "bancountry"        # <-- Bans specified countries in this file
#      "banmalware"        # <-- Bans various malware domains
#      "whitelist"        # <-- Add IP range to whitelist
#      "import"        # <-- Import and merge IPSet save to firewall
#      "disable"        # <-- Disable Firewall
#      "debug"        # <-- Enable/Disable Debug Output
#      "update"        # <-- Update Script to latest version (check github for changes)
#      "start"        # <-- Initiate Firewall
##############################

+ echo Command not found, please try again.

Command not found, please try again.
+ Logging
+ nvram get Blacklist
+ OLDIPS=39
+ nvram get BlockedRanges
+ OLDRANGES=0
+ ipset -L Blacklist
+ wc -l
+ expr 60 - 7
+ nvram set Blacklist=53
+ ipset -L BlockedRanges
+ wc -l
+ expr 7 - 7
+ nvram set BlockedRanges=0
+ nvram get Blacklist
+ NEWIPS=53
+ nvram get BlockedRanges
+ NEWRANGES=0
+ nvram commit
+ iptables --line -nvL INPUT
+ grep -E set.*Blacklist
+ awk {print $2}
+ iptables --line -nvL INPUT
+ grep -E set.*BlockedRanges
+ awk {print $2}
+ awk {print $2}
+ iptables --line -nvL FORWARD
+ grep -E set.*Blacklist
+ awk {print $2}
+ iptables --line -nvL FORWARD
+ grep -E set.*BlockedRanges
+ expr 66 + 0 + 185 + 0
+ HITS=251
+ date +%s
+ expr 1494205020 - 1494205019
+ start_time=1
+ expr 53 - 39
+ expr 0 - 0
+ echo 1
+ logger -st Firewall [Complete] 53 IPs / 0 Ranges banned. 14 New IPs / 0 New Ranges Banned. 251 Connections Blocked! [1s]
Firewall: [Complete] 53 IPs / 0 Ranges banned. 14 New IPs / 0 New Ranges Banned. 251 Connections Blocked! [1s]
Thanks, pushed the fix.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top