Aegis aegis: a firewall blocklist


HELLO_wORLD

Very Senior Member
Ok, I worked on a way to find the right WAN interface, and finding the VPN/WG client tunnel if it is running.

Thank you particularly to @R. Gerrits, @KW. and @kamoj but also everybody here who is giving feedback for the help that allowed me to understand more about how VPN/WG is set up in the router, and about the WAN not always being brwan or the default route interface.

I made a test script to test my detection codes and I made it as easy as possible to use for you (one line to copy & paste).
So if anyone wants to help and take a minute to test this and report:
Code:
wget -qO- https://raw.githubusercontent.com/bolemo/firewall-blocklist/master/test-vpn.sh | sh
It should tell the WAN interface brwan or ppp0
It should tell the VPN/WG interface if any

If the feedback is successful, I will be able to implement VPN/WG client protection in the next aegis release.

PS: I am not using ip route default methods because with WG, there is no default route.
 
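The detection idea described in the post (pick the WAN interface and the client tunnel from the interfaces that exist, not from the default route, because a WireGuard client installs no default route) can be sketched as follows. This is an added example and not the project's test-vpn.sh; the naming rules it assumes (ppp0 when a PPPoE session is up, brwan otherwise, a wg* or tun* interface for the tunnel) are taken from the thread, and on a real router the interface list would come from `ls /sys/class/net`. Note that it cannot tell a VPN server's tun interface from a client's, which is exactly the false-positive case the post asks testers to check.

```shell
#!/bin/sh
# Added example, not the aegis project's own test-vpn.sh: choose WAN_IF and
# TUN_IF from the set of interfaces present instead of from the default route,
# since a WireGuard client installs no default route on this router.
#
# Assumed (hypothetical) naming, taken from the thread: the WAN is ppp0 when a
# PPPoE session exists and brwan otherwise; a client tunnel is a wg*/tun*
# interface. On a real router the list would come from `ls /sys/class/net`.

# pick_wan LIST: print ppp0 if present in LIST, else brwan.
pick_wan() {
    for ifname in $1; do
        if [ "$ifname" = "ppp0" ]; then
            echo ppp0
            return 0
        fi
    done
    echo brwan
}

# pick_tun LIST: print the first wg*/tun* interface in LIST; return 1 if none.
# A server-side tun interface would match too; the thread asks for feedback
# on exactly that case.
pick_tun() {
    for ifname in $1; do
        case "$ifname" in
            wg*|tun*)
                echo "$ifname"
                return 0
                ;;
        esac
    done
    return 1
}

# report LIST: one-line summary of what was detected.
report() {
    wan=$(pick_wan "$1")
    if tun=$(pick_tun "$1"); then
        echo "WAN_IF=$wan TUN_IF=$tun"
    else
        echo "WAN_IF=$wan TUN_IF=none"
    fi
}

# Constructed interface listings standing in for `ls /sys/class/net`:
SAMPLE_PPPOE_WG="lo eth0 eth1 brwan ppp0 br0 wg0"    # PPPoE WAN, WireGuard client up
SAMPLE_DHCP_OVPN="lo eth0 eth1 brwan br0 tun21"      # DHCP WAN, OpenVPN client up
SAMPLE_NO_VPN="lo eth0 eth1 brwan br0"               # no tunnel at all

report "$SAMPLE_PPPOE_WG"    # WAN_IF=ppp0 TUN_IF=wg0
report "$SAMPLE_DHCP_OVPN"   # WAN_IF=brwan TUN_IF=tun21
report "$SAMPLE_NO_VPN"      # WAN_IF=brwan TUN_IF=none
```

The presence check is deliberately not an operstate check: WireGuard and tun devices commonly report operstate "unknown" even while carrying traffic, so filtering on "up" would miss a working tunnel.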

Tom Brough

Regular Contributor
You are right, I meant @Tom Brough
Having a R7800, it should return IPQ8065 for him as well (my install script was testing that to figure out if the device is a R7800), but apparently it failed for him.

Anyway, the new method should work for him as well, and is simpler.
With the former method, uname -p returns ‘unknown’ on R9000 and I had to make more tests based on device name (that might not even be R9000 if user changed it).
The cat /module_name is way simpler.

It still fails to install iprange via the script for me.

Uname -p gives IPQ8065
 


HELLO_wORLD

Very Senior Member
Ok, anyone having ppp0 as wan interface here?

If so, could you try the test I posted earlier:
Code:
wget -qO- https://raw.githubusercontent.com/bolemo/firewall-blocklist/master/test-vpn.sh | sh

So far, I had results from people using WireGuard and OpenVPN and none of them, and the TUN_IF is accurate.
However, everybody who made the test has brwan for WAN_IF, and it is accurate because all are using brwan, but I would need at least one person using ppp0 to make sure my detection is working fine in that case.

Also, it could be interesting to have the feedback of someone using a VPN server (but not client) to be sure it is not detected as a false positive.

This is the last info I need to implement my next release.
 

HELLO_wORLD

Very Senior Member
v1.1.0

Major changes in tables design.
Allows protecting the WAN interface (brwan or ppp0) and WireGuard or OpenVPN clients.

use aegis clean; aegis upgrade; aegis update

I worked hard on that release, but I changed so many things that it might have bugs I did not notice. Please report any problem encountered and confirm it works fine with VPN and WG.
 
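The new tables design described in the release note (the aegis_bl ipset matched on INPUT, FORWARD and OUTPUT for the WAN interface and, when a client tunnel is up, for the tunnel too, with both feeding the log-then-drop chains aegis_src and aegis_dst) can be verified from a saved `iptables -S` dump. The script below is an added example and not code from aegis; the chain and set names come from the thread, and the two dumps are constructed for the example rather than captured from a router.

```shell
#!/bin/sh
# Added example, not code from the aegis project: check an `iptables -S` dump
# for the v1.1.0 rule layout (ipset aegis_bl matched on INPUT/FORWARD/OUTPUT
# for the WAN interface and, when a tunnel is up, for the tunnel, feeding two
# log-then-drop chains aegis_src and aegis_dst). The dumps below are
# constructed for the example, not captured from a router.

# iface_rules IF: the four per-interface rules expected for interface IF.
iface_rules() {
    printf '%s\n' \
        "-A INPUT -i $1 -m set --match-set aegis_bl src -j aegis_src" \
        "-A FORWARD -i $1 -m set --match-set aegis_bl src -j aegis_src" \
        "-A FORWARD -o $1 -m set --match-set aegis_bl dst -j aegis_dst" \
        "-A OUTPUT -o $1 -m set --match-set aegis_bl dst -j aegis_dst"
}

# chain_rules: the bodies of the two aegis chains (log, then drop).
chain_rules() {
    printf '%s\n' \
        '-A aegis_dst -j LOG --log-prefix "[aegis] "' \
        '-A aegis_dst -j DROP' \
        '-A aegis_src -j LOG --log-prefix "[aegis] "' \
        '-A aegis_src -j DROP'
}

# check_rules DUMP WAN_IF [TUN_IF]: print every expected rule missing from
# DUMP and return 0 only when none is missing. Without TUN_IF only the WAN
# rules are required (assumed here to be the state with no client tunnel).
check_rules() {
    dump=$1
    expected=$(
        chain_rules
        iface_rules "$2"
        if [ -n "$3" ]; then iface_rules "$3"; fi
    )
    missing=0
    while IFS= read -r rule; do
        if printf '%s\n' "$dump" | grep -qxF -- "$rule"; then
            :
        else
            echo "missing: $rule"
            missing=$((missing + 1))
        fi
    done <<EOF
$expected
EOF
    [ "$missing" -eq 0 ]
}

# Constructed dump: WAN brwan plus WireGuard client wg0, as in the status output.
DUMP_FULL='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N aegis_dst
-N aegis_src
-A INPUT -i brwan -m set --match-set aegis_bl src -j aegis_src
-A INPUT -i wg0 -m set --match-set aegis_bl src -j aegis_src
-A FORWARD -i brwan -m set --match-set aegis_bl src -j aegis_src
-A FORWARD -i wg0 -m set --match-set aegis_bl src -j aegis_src
-A FORWARD -o wg0 -m set --match-set aegis_bl dst -j aegis_dst
-A FORWARD -o brwan -m set --match-set aegis_bl dst -j aegis_dst
-A OUTPUT -o brwan -m set --match-set aegis_bl dst -j aegis_dst
-A OUTPUT -o wg0 -m set --match-set aegis_bl dst -j aegis_dst
-A aegis_dst -j LOG --log-prefix "[aegis] "
-A aegis_dst -j DROP
-A aegis_src -j LOG --log-prefix "[aegis] "
-A aegis_src -j DROP'

# Constructed dump: same router with only the WAN rules loaded (no wg0 rules).
DUMP_WAN_ONLY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N aegis_dst
-N aegis_src
-A INPUT -i brwan -m set --match-set aegis_bl src -j aegis_src
-A FORWARD -i brwan -m set --match-set aegis_bl src -j aegis_src
-A FORWARD -o brwan -m set --match-set aegis_bl dst -j aegis_dst
-A OUTPUT -o brwan -m set --match-set aegis_bl dst -j aegis_dst
-A aegis_dst -j LOG --log-prefix "[aegis] "
-A aegis_dst -j DROP
-A aegis_src -j LOG --log-prefix "[aegis] "
-A aegis_src -j DROP'

check_rules "$DUMP_FULL" brwan wg0 && echo "brwan + wg0: all rules present"
check_rules "$DUMP_WAN_ONLY" brwan && echo "brwan only: all rules present"
check_rules "$DUMP_WAN_ONLY" brwan wg0 || echo "brwan + wg0: tunnel rules missing"
```

Matching whole lines with `grep -xF` avoids a rule for `brwan` being counted as present because a longer rule for another interface contains the same text; the third call shows the expected four missing tunnel rules when the dump is checked against a tunnel that has no rules loaded.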

KW.

Regular Contributor
Thank you for your hard work.

The upgrade command did not work for me, installed it from your homepage instead. But there seems to be a problem with WAN gateway bypass. (I use Wireguard, and adguard home)

Code:
aegis 1.1.0 - Verbose mode
Status:
- 'aegis' version: 1.1.0
- 'iprange' is installed: iprange 1.0.4
- 'aegis' is set and active for WAN interface (brwan) and VPN tunnel (wg0).
- Filtering 620081395 IP adresses.
- Something is not right with the WAN gateway bypass! Use 'aegis -v status' for more details
- Logging is on.
Detailed status:
- 'aegis' is in $PATH.
- 'firewall-start.sh' exists with correct settings.
- Actual router time: 2020-05-20 15:38:12
- Blocklist generation time: 2020-05-20 15:38:12
- Router firewall was last started 2020-05-20 15:38:12:
    ipset blocklist was already loaded.
    iptables logging rules were set.
    iptables WAN rules were set.
    iptables VPN rules were set.
- iptables rules are set:
    WAN interface rules are set
    VPN tunnel interface rules are set
    iptables -N aegis_dst
    iptables -N aegis_src
    iptables -A INPUT -i brwan -m set --match-set aegis_bl src -j aegis_src
    iptables -A INPUT -i wg0 -m set --match-set aegis_bl src -j aegis_src
    iptables -A FORWARD -i brwan -m set --match-set aegis_bl src -j aegis_src
    iptables -A FORWARD -i wg0 -m set --match-set aegis_bl src -j aegis_src
    iptables -A FORWARD -o wg0 -m set --match-set aegis_bl dst -j aegis_dst
    iptables -A FORWARD -o brwan -m set --match-set aegis_bl dst -j aegis_dst
    iptables -A OUTPUT -o brwan -m set --match-set aegis_bl dst -j aegis_dst
    iptables -A OUTPUT -o wg0 -m set --match-set aegis_bl dst -j aegis_dst
    iptables -A aegis_dst -j LOG --log-prefix "[aegis] "
    iptables -A aegis_dst -j DROP
    iptables -A aegis_src -j LOG --log-prefix "[aegis] "
    iptables -A aegis_src -j DROP
- Logging is active.
- ipset blocklist is set:
    Name: aegis_bl
    Type: hash:net
    Revision: 6
    Header: family inet hashsize 16384 maxelem 54844
    Size in memory: 1116564
    References: 8
    Number of entries: 54844
- ipset whitelist is not set.
- ipset WAN gateway bypass is not set.
 

jrbmw

Regular Contributor
This is what I get. Seems something not quite right.


Status:
- 'aegis' version: 1.1.0
- 'iprange' is installed: iprange 1.0.4
- 'aegis' is set and active for WAN interface (ppp0) and VPN tunnel (tun21).
- Filtering 620081395 IP adresses.
- Something is not right with the WAN gateway bypass! Use 'aegis -v status' for more details
- Logging is on.
[email protected]:/$


/bin/ash: -: not found
[email protected]:/$ - Logging is on.
/bin/ash: -: not found
[email protected]:/$ [email protected]:/$
/bin/ash: [email protected]:/$: not found
[email protected]:/$ aegis -v status
aegis 1.1.0 - Verbose mode
Status:
- 'aegis' version: 1.1.0
- 'iprange' is installed: iprange 1.0.4
- 'aegis' is set and active for WAN interface (ppp0) and VPN tunnel (tun21).
- Filtering 620081395 IP adresses.
- Something is not right with the WAN gateway bypass! Use 'aegis -v status' for more details
- Logging is on.
Detailed status:
- 'aegis' is in $PATH.
- 'firewall-start.sh' exists with correct settings.
- Actual router time: 2020-05-20 17:10:11
- Blocklist generation time: 2020-05-20 16:57:40
- Router firewall was last started 2020-05-20 17:08:14:
ipset blocklist was loaded from blocklist file.
iptables logging rules were set.
iptables WAN rules were set.
iptables VPN rules were set.
- iptables rules are set:
WAN interface rules are set
VPN tunnel interface rules are set
iptables -N aegis_dst
iptables -N aegis_src
iptables -A INPUT -i ppp0 -m set --match-set aegis_bl src -j aegis_src
iptables -A INPUT -i tun21 -m set --match-set aegis_bl src -j aegis_src
iptables -A FORWARD -i ppp0 -m set --match-set aegis_bl src -j aegis_src
iptables -A FORWARD -i tun21 -m set --match-set aegis_bl src -j aegis_src
iptables -A FORWARD -o tun21 -m set --match-set aegis_bl dst -j aegis_dst
iptables -A FORWARD -o ppp0 -m set --match-set aegis_bl dst -j aegis_dst
iptables -A OUTPUT -o ppp0 -m set --match-set aegis_bl dst -j aegis_dst
iptables -A OUTPUT -o tun21 -m set --match-set aegis_bl dst -j aegis_dst
iptables -A aegis_dst -j LOG --log-prefix "[aegis] "
iptables -A aegis_dst -j DROP
iptables -A aegis_src -j LOG --log-prefix "[aegis] "
iptables -A aegis_src -j DROP
- Logging is active.
- ipset blocklist is set:
Name: aegis_bl
Type: hash:net
Revision: 6
Header: family inet hashsize 32768 maxelem 54844
Size in memory: 1521592
References: 8
- ipset whitelist is not set.
- ipset WAN gateway bypass is not set.
[email protected]:/$
 

HELLO_wORLD

Very Senior Member
v1.1.1
fixed the ‘Something is not right with the WAN gateway bypass!’ message while there was no problem (@KW. & @jrbmw nothing is wrong with your setup even if it said that).

@KW. what happened with the automatic upgrade? How did it not work?
 

HELLO_wORLD

Very Senior Member
Good point.
Missed it since I don’t use symlink (I have /opt/bolemo/scripts in my $PATH)

The clean function is to remove traces of the aegis on the system and bring it to an aegis clean state, except removing the script itself and its net set files.
I should not remove the symlink with clean and maybe make an ‘uninstall’ parameter or ‘clean -deep’ option for that.

aegis clean also removes the symlink in /usr/bin

so the upgrade/update commands need to be executed with the full path.

So the correct commands would be:
Code:
aegis clean; /opt/bolemo/scripts/aegis upgrade; /opt/bolemo/scripts/aegis update
 

KW.

Regular Contributor
Sorry, should have saved the output. But I believe
aegis upgrade was not found.

But it works now, and it asked me to upgrade to 1.1 now too. So I probably messed up something. It's fine now
 

HELLO_wORLD

Very Senior Member
Sorry, should have saved the output. But I believe
aegis upgrade was not found.

But it works now, and it asked me to upgrade to 1.1 now too. So I probably messed up something. It's fine now
@R. Gerrits pointed the problem out. The clean function prevents using aegis without the full path /opt/bolemo/scripts/aegis
aegis update is restoring that.
Version 1.1.2 will fix that... :)
 

HELLO_wORLD

Very Senior Member
v1.1.2

aegis clean no longer removes the symlink, allowing the command aegis to be used without having to type /opt/bolemo/scripts/aegis

To remove symlink while using clean, use aegis clean -rm-path (should be used only when not wanting to use aegis anymore)

To update from 1.1.0 or 1.1.1, no need to use clean, just aegis upgrade
 

KW.

Regular Contributor
Yes working very fine. I love the short aegis commands too:) Thank you very much!

Code:
- 'aegis' version: 1.1.2
- 'iprange' is installed: iprange 1.0.4
- 'aegis' is set and active for WAN interface (brwan) and VPN tunnel (wg0).
- Filtering 620081395 IP adresses.
- WAN gateway IP range does not need to be bypassed.
 
