Skynet Stats not generated and firewall not blocking anything

[BOFH]

Hi Guys,

I have the feeling that Skynet doesn't block anything and nothing is shown in the logs neither in the stats. I have reinstalled/restarted/reconfigured Skynet but with the same result.

Syslog config on router side:
- Default message log level, set to: Info
- Log only messages more urgent than, set to: debug


Example:

admin@xx:/tmp/mnt/JFFS/skynet#  ipset -L | grep 64.62.197.71
64.62.197.71 comment "BanMalware: blocklist_net_ua.ipset"

admin@xx:/tmp/mnt/JFFS/skynet#  ping 64.62.197.71
PING 64.62.197.71 (64.62.197.71): 56 data bytes
64 bytes from 64.62.197.71: seq=0 ttl=49 time=162.394 ms
64 bytes from 64.62.197.71: seq=1 ttl=49 time=159.376 ms

admin@xx:/tmp/mnt/JFFS/skynet#  iptables -L -n -t raw -v
Chain PREROUTING (policy ACCEPT 22455 packets, 2798K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  br+    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
    0     0 DROP       all  --  br+    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src
Chain OUTPUT (policy ACCEPT 11718 packets, 5624K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst


Name: Skynet-Whitelist
Type: hash:net
Revision: 6
Header: family inet hashsize 8192 maxelem 65536 comment
Size in memory: 1151258
Number of entries: 13154
Members:
Name: Skynet-Blacklist
Type: hash:ip
Revision: 4
Header: family inet hashsize 131072 maxelem 500000 comment
Size in memory: 14901215
Number of entries: 130691
Members:
Name: Skynet-BlockedRanges
Type: hash:net
Revision: 6
Header: family inet hashsize 4096 maxelem 200000 comment
Size in memory: 914914
Number of entries: 9559
Members:
Name: Skynet-IOT
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 352
Number of entries: 0
Members:
Name: Skynet-Master
Type: list:set
Revision: 3
Header: size 8
Size in memory: 88
Number of entries: 0
Members:


drwxrwxrwx    2 admin    root          4096 Mar 23 00:20 .
drwxrwxrwx    4 admin    root          4096 Mar 23 00:14 ..
-rw-rw-rw-    1 admin    root        173077 Mar 22 14:47 chart.js
-rw-rw-rw-    1 admin    root          9752 Mar 22 14:47 chartjs-plugin-zoom.js
-rw-rw-rw-    1 admin    root         20765 Mar 22 14:47 hammerjs.js
-rw-rw-rw-    1 admin    root         40292 Mar 22 14:47 skynet.asp
-rw-rw-rw-    1 admin    root          3054 Mar 23 00:20 stats.js


Router Model; RT-AX88U
Skynet Version; v7.2.8 (19/10/2021) (cd9e05f9b3897f144dd71260906a761a)
iptables v1.4.15 - (eth0 @ 192.168.90.1)
ipset v7.6, protocol version: 7
IP Address; (192.168.0.10)
FW Version; 386.5_0 (Mar 2 2022) (4.1.51)
Install Dir; /tmp/mnt/JFFS/skynet (8.8G / 14.5G Space Available)
SWAP File; /tmp/mnt/JFFS/myswap.swp (2.0G)
Uptime; 0 days, 1 hours, 48 minutes.
Ram Available; (237M / 882M)


--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Config File                         | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
Profile.add Entry                   | [Passed]
SWAP File                           | [Passed]
Cron Jobs                           | [Passed]
NTP Sync                            | [Passed]
IPSet Comment Support               | [Passed]
Log Level 6 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Passed]
IPTables Rules                      | [Passed]
Local WebUI Files                   | [Passed]
Mounted WebUI Files                 | [Passed]
MenuTree.js Entry                   | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Enabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Enabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Enabled]
Import AiProtect Data               | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Default]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Enabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Enabled]

18/18 Tests Sucessful              


################################################
## Generated By Skynet - Do Not Manually Edit ##
## Mar 23 00:46:42                            ##

## Installer ##
model="RT-AX88U"
localver="v7.2.8"
autoupdate="enabled"
banmalwareupdate="daily"
forcebanmalwareupdate=""
logmode="enabled"
filtertraffic="all"
swaplocation="/tmp/mnt/JFFS/myswap.swp"

## Counters / Lists ##
blacklist1count="130691"
blacklist2count="9559"
customlisturl="http://changed/custom.list"
customlist2url="http://changed/custom.list"
countrylist=""
excludelists=""

## Settings ##
unbanprivateip="enabled"
loginvalid="enabled"
banaiprotect="enabled"
securemode="enabled"
extendedstats="enabled"
fastswitch="disabled"
syslogloc="/tmp/syslog.log"
syslog1loc="/tmp/syslog.log-1"
iotblocked="disabled"
iotports=""
iotproto="udp"
lookupcountry="enabled"
cdnwhitelist="enabled"
displaywebui="enabled"

################################################

=============================================================================================================


[#] 130691 IPs (+0) -- 9559 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [debug] [2s]

 

[dave14305]

IP Address; (192.168.0.10)

You seem to have a double NAT situation where the Asus router is not directly exposed to the Internet. Skynet probably warns you about this during install.

I don’t understand why the ping works, however. It should be blocked in the OUTPUT chain of the raw table. Only if it was whitelisted should it be allowed, such has having a larger CIDR block that includes the address.

 

[BOFH]

Hi @dave14305 ,

Yep, the router is not exposed to outside directly but I have full control for that setup. Skynet detect that I have a local IP but should not disturb the base (iptables+ipset) it was working as expected until recently.

The evidence are simple as you said, why the ping is working for an IP that should be blocked by iptables as it's listed on the ipset. The IP is not whitelisted, also tested others IPs/ranges as well.

 

[dave14305]

Do you have any VPN client on the router?

 

[BOFH]

Not at all, neither client or server.

 

[Ronald Schwerer]

I just noticed the same thing. Stats and log have nothing new since Feb 11,2022. My RT-AX58U (192.168.1.1) is behind my ISP provided router so it has a local WAN IP address (192.168.0.60). Is this a problem? If so, what changed since it worked before.
I just now reset the skynet stats through amtm and the gui and now they are all blank. BTW, I got curious because I now have unfettered access to some sites that used to be blocked (like the Amazon app). The last time I used the amtm plug-in was about 1 month ago to try to whitelist amazon.com to get their app working. Maybe related?

 

[BOFH]

Any feedback in regards of this issue?

 

[dave14305]

Going back to your original test, is the IP in the whitelist set?

ipset test Skynet-Whitelist 64.62.197.71
ipset test Skynet-Master 64.62.197.71

 

[Tech Junky]

local WAN IP address (192.168.0.60)

RT-AX58U (192.168.1.1)

You have a double NAT situation here with 2 x RFC1918 IP's in different subnets.

(eth0 @ 192.168.90.1)

Plus your IPtables has another IP in a different subnet.

IP Address; (192.168.0.10)

I would be curious to see the output of iptables rules.v4 to see exactly what rules are setup.

cat /etc/iptables/rules.v4

My thought is you probably have everything set to ACCEPT rather than DROP.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

This DROP option forces everything to have a rule or it gets dropped and doesn't do anything.


There's a lot going on here.....

 

[dave14305]

I would be curious to see the output of iptables rules.v4 to see exactly what rules are setup.

cat /etc/iptables/rules.v4

My thought is you probably have everything set to ACCEPT rather than DROP.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

This DROP option forces everything to have a rule or it gets dropped and doesn't do anything.

Skynet lives in the raw table, so its drops should override any accepts in filter. That file doesn’t exist in Merlin firmware, btw.

 

[dave14305]

Name: Skynet-Master
Type: list:set
Revision: 3
Header: size 8
Size in memory: 88
Number of entries: 0
Members:

This looks like the problem. Skynet-Master should contain both Skynet-Blacklist and Skynet-BlockedRanges. This listing shows 0 entries/members. Should be 2, at least.

# ipset -L Skynet-Master
Name: Skynet-Master
Type: list:set
Revision: 3
Header: size 8
Size in memory: 184
References: 6
Number of entries: 2
Members:
Skynet-Blacklist
Skynet-BlockedRanges

Run these commands and look for errors:

ipset -A Skynet-Master Skynet-Blacklist
ipset -A Skynet-Master Skynet-BlockedRanges

Then test again.

 

[Tech Junky]

Skynet lives in the raw table, so its drops should override ant accepts in filter. that file doesn’t exist in Merlin firmware, btw.

Good to know. I don't use Asus but a DIY from scratch setup w/ Linux and have built IPtables from scratch. Same function but different location.