Aegis aegis: a firewall blocklist

Ok, I worked on a way to find the right WAN interface, and to find the VPN/WG client tunnel if it is running.

Thank you particularly to @R. Gerrits, @KW. and @kamoj, but also to everybody here who is giving feedback, for the help that allowed me to understand more about how VPN/WG is set up in the router, and about the WAN not always being brwan or the default route interface.

I made a test script to test my detection code and I made it as easy as possible for you to use (one line to copy & paste).
So if anyone wants to help and take a minute to test this and report:
Code:
wget -qO- https://raw.githubusercontent.com/bolemo/firewall-blocklist/master/test-vpn.sh | sh
It should tell the WAN interface (brwan or ppp0).
It should tell the VPN/WG interface, if any.

If the feedback is successful, I will be able to implement VPN/WG client protection in the next aegis release.

PS: I am not using ip route default methods because with WG, there is no default route.
 
You are right, I meant @Tom Brough
Having an R7800, it should return IPQ8065 for him as well (my install script was testing that to figure out if the device is an R7800), but apparently it failed for him.

Anyway, the new method should work for him as well, and is simpler.
With the former method, uname -p returns 'unknown' on the R9000 and I had to make more tests based on the device name (which might not even be R9000 if the user changed it).
cat /module_name is way simpler.

It still fails to install iprange via the script for me.

Uname -p gives IPQ8065
 
Ok, anyone having ppp0 as wan interface here?

If so, could you try the test I posted earlier:
Code:
wget -qO- https://raw.githubusercontent.com/bolemo/firewall-blocklist/master/test-vpn.sh | sh

So far, I have had results from people using WireGuard, OpenVPN and neither of them, and the TUN_IF is accurate.
However, everybody who ran the test has brwan for WAN_IF, and it is accurate because all of them are using brwan, but I would need at least one person using ppp0 to make sure my detection is working fine in that case.

Also, it could be interesting to have the feedback of someone using a VPN server (but not a client) to be sure it is not detected as a false positive.

This is the last info I need to implement my next release.
 
v1.1.0

Major changes in tables design.
Allows protecting the WAN interface (brwan or ppp0) and WireGuard or OpenVPN clients.

use aegis clean; aegis upgrade; aegis update

I worked hard on that release, but I changed so many things that it might have bugs I did not notice. Please report any problem encountered and confirm it works fine with VPN and WG.
 
Thank you for your hard work.

The upgrade command did not work for me; I installed it from your homepage instead. But there seems to be a problem with the WAN gateway bypass. (I use WireGuard and AdGuard Home.)

Code:
aegis 1.1.0 - Verbose mode
Status:
- 'aegis' version: 1.1.0
- 'iprange' is installed: iprange 1.0.4
- 'aegis' is set and active for WAN interface (brwan) and VPN tunnel (wg0).
- Filtering 620081395 IP adresses.
- Something is not right with the WAN gateway bypass! Use 'aegis -v status' for more details
- Logging is on.
Detailed status:
- 'aegis' is in $PATH.
- 'firewall-start.sh' exists with correct settings.
- Actual router time: 2020-05-20 15:38:12
- Blocklist generation time: 2020-05-20 15:38:12
- Router firewall was last started 2020-05-20 15:38:12:
    ipset blocklist was already loaded.
    iptables logging rules were set.
    iptables WAN rules were set.
    iptables VPN rules were set.
- iptables rules are set:
    WAN interface rules are set
    VPN tunnel interface rules are set
    iptables -N aegis_dst
    iptables -N aegis_src
    iptables -A INPUT -i brwan -m set --match-set aegis_bl src -j aegis_src
    iptables -A INPUT -i wg0 -m set --match-set aegis_bl src -j aegis_src
    iptables -A FORWARD -i brwan -m set --match-set aegis_bl src -j aegis_src
    iptables -A FORWARD -i wg0 -m set --match-set aegis_bl src -j aegis_src
    iptables -A FORWARD -o wg0 -m set --match-set aegis_bl dst -j aegis_dst
    iptables -A FORWARD -o brwan -m set --match-set aegis_bl dst -j aegis_dst
    iptables -A OUTPUT -o brwan -m set --match-set aegis_bl dst -j aegis_dst
    iptables -A OUTPUT -o wg0 -m set --match-set aegis_bl dst -j aegis_dst
    iptables -A aegis_dst -j LOG --log-prefix "[aegis] "
    iptables -A aegis_dst -j DROP
    iptables -A aegis_src -j LOG --log-prefix "[aegis] "
    iptables -A aegis_src -j DROP
- Logging is active.
- ipset blocklist is set:
    Name: aegis_bl
    Type: hash:net
    Revision: 6
    Header: family inet hashsize 16384 maxelem 54844
    Size in memory: 1116564
    References: 8
    Number of entries: 54844
- ipset whitelist is not set.
- ipset WAN gateway bypass is not set.
 
This is what I get. Seems something is not quite right.

Status:
- 'aegis' version: 1.1.0
- 'iprange' is installed: iprange 1.0.4
- 'aegis' is set and active for WAN interface (ppp0) and VPN tunnel (tun21).
- Filtering 620081395 IP adresses.
- Something is not right with the WAN gateway bypass! Use 'aegis -v status' for more details
- Logging is on.
root@R7800:/$


/bin/ash: -: not found
root@R7800:/$ - Logging is on.
/bin/ash: -: not found
root@R7800:/$ root@R7800:/$
/bin/ash: root@R7800:/$: not found
root@R7800:/$ aegis -v status
aegis 1.1.0 - Verbose mode
Status:
- 'aegis' version: 1.1.0
- 'iprange' is installed: iprange 1.0.4
- 'aegis' is set and active for WAN interface (ppp0) and VPN tunnel (tun21).
- Filtering 620081395 IP adresses.
- Something is not right with the WAN gateway bypass! Use 'aegis -v status' for more details
- Logging is on.
Detailed status:
- 'aegis' is in $PATH.
- 'firewall-start.sh' exists with correct settings.
- Actual router time: 2020-05-20 17:10:11
- Blocklist generation time: 2020-05-20 16:57:40
- Router firewall was last started 2020-05-20 17:08:14:
ipset blocklist was loaded from blocklist file.
iptables logging rules were set.
iptables WAN rules were set.
iptables VPN rules were set.
- iptables rules are set:
WAN interface rules are set
VPN tunnel interface rules are set
iptables -N aegis_dst
iptables -N aegis_src
iptables -A INPUT -i ppp0 -m set --match-set aegis_bl src -j aegis_src
iptables -A INPUT -i tun21 -m set --match-set aegis_bl src -j aegis_src
iptables -A FORWARD -i ppp0 -m set --match-set aegis_bl src -j aegis_src
iptables -A FORWARD -i tun21 -m set --match-set aegis_bl src -j aegis_src
iptables -A FORWARD -o tun21 -m set --match-set aegis_bl dst -j aegis_dst
iptables -A FORWARD -o ppp0 -m set --match-set aegis_bl dst -j aegis_dst
iptables -A OUTPUT -o ppp0 -m set --match-set aegis_bl dst -j aegis_dst
iptables -A OUTPUT -o tun21 -m set --match-set aegis_bl dst -j aegis_dst
iptables -A aegis_dst -j LOG --log-prefix "[aegis] "
iptables -A aegis_dst -j DROP
iptables -A aegis_src -j LOG --log-prefix "[aegis] "
iptables -A aegis_src -j DROP
- Logging is active.
- ipset blocklist is set:
Name: aegis_bl
Type: hash:net
Revision: 6
Header: family inet hashsize 32768 maxelem 54844
Size in memory: 1521592
References: 8
- ipset whitelist is not set.
- ipset WAN gateway bypass is not set.
root@R7800:/$
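The status output above lists the rules aegis installs for the WAN interface and the VPN tunnel: per interface, an ipset match on aegis_bl in INPUT, FORWARD and OUTPUT, handed to the aegis_src/aegis_dst chains that LOG and then DROP. As an added example (not aegis code and not from this thread), the script below regenerates that rule set for a given WAN_IF/TUN_IF and checks an iptables -S style dump (a constructed one here, deliberately missing one wg0 rule) for every expected line; on a router the dump would come from iptables -S.

```shell
#!/bin/sh
# Added example, not code from aegis or this thread. Builds the rule set that
# 'aegis -v status' prints for a WAN interface and an optional VPN client
# tunnel, then checks a rule dump for every expected line.
# Expected rules for WAN_IF=$1, TUN_IF=$2 (empty $2: no VPN client), in the
# format 'iptables -S' prints, i.e. the thread's lines minus the 'iptables ' prefix.
expected_rules() {
  wan=$1; tun=$2
  printf '%s\n' "-N aegis_dst" "-N aegis_src"
  for i in $wan $tun; do
    printf '%s\n' "-A INPUT -i $i -m set --match-set aegis_bl src -j aegis_src" \
      "-A FORWARD -i $i -m set --match-set aegis_bl src -j aegis_src" \
      "-A FORWARD -o $i -m set --match-set aegis_bl dst -j aegis_dst" \
      "-A OUTPUT -o $i -m set --match-set aegis_bl dst -j aegis_dst"
  done
  printf '%s\n' '-A aegis_dst -j LOG --log-prefix "[aegis] "' "-A aegis_dst -j DROP" \
    '-A aegis_src -j LOG --log-prefix "[aegis] "' "-A aegis_src -j DROP"
}

# Print each expected rule that is absent from the dump in $3 (exact line match).
missing_rules() {
  dump=$3
  expected_rules "$1" "$2" | while IFS= read -r rule; do
    printf '%s\n' "$dump" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
  done
}

# Succeed only when nothing is missing.
check_rules() { [ -z "$(missing_rules "$1" "$2" "$3")" ]; }

# Constructed dump for brwan + wg0 that lacks the wg0 OUTPUT rule.
SAMPLE_DUMP=$(cat <<'EOF'
-N aegis_dst
-N aegis_src
-A INPUT -i brwan -m set --match-set aegis_bl src -j aegis_src
-A INPUT -i wg0 -m set --match-set aegis_bl src -j aegis_src
-A FORWARD -i brwan -m set --match-set aegis_bl src -j aegis_src
-A FORWARD -i wg0 -m set --match-set aegis_bl src -j aegis_src
-A FORWARD -o wg0 -m set --match-set aegis_bl dst -j aegis_dst
-A FORWARD -o brwan -m set --match-set aegis_bl dst -j aegis_dst
-A OUTPUT -o brwan -m set --match-set aegis_bl dst -j aegis_dst
-A aegis_dst -j LOG --log-prefix "[aegis] "
-A aegis_dst -j DROP
-A aegis_src -j LOG --log-prefix "[aegis] "
-A aegis_src -j DROP
EOF
)
# On the router: check_rules "$WAN_IF" "$TUN_IF" "$(iptables -S)"
check_rules brwan wg0 "$SAMPLE_DUMP" && echo "all rules present" || missing_rules brwan wg0 "$SAMPLE_DUMP"
```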
 
v1.1.1
Fixed the 'Something is not right with the WAN gateway bypass!' message appearing while there was no problem (@KW. & @jrbmw, nothing is wrong with your setup even if it said that).

@KW. what happened with the automatic upgrade? How did it not work?
 
Good point.
Missed it since I don't use the symlink (I have /opt/bolemo/scripts in my $PATH).

The clean function is there to remove traces of aegis from the system and bring it to an aegis-clean state, except for removing the script itself and its net set files.
I should not remove the symlink with clean, and maybe make an 'uninstall' parameter or 'clean -deep' option for that.

aegis clean also removes the symlink in /usr/bin,

so the upgrade/update commands need to be executed with the full path.

So the correct commands would be:
Code:
aegis clean; /opt/bolemo/scripts/aegis upgrade; /opt/bolemo/scripts/aegis update
 
Sorry, I should have saved the output. But I believe
aegis upgrade was not found.

But it works now, and it asked me to upgrade to 1.1 now too. So I probably messed up something. It's fine now.
 
@R. Gerrits pointed the problem out. The clean function prevents using aegis without the full path /opt/bolemo/scripts/aegis;
aegis update restores that.
Version 1.1.2 will fix that... :)
 
v1.1.2

aegis clean no longer removes the symlink, allowing the aegis command to be used without having to type /opt/bolemo/scripts/aegis.

To remove the symlink while using clean, use aegis clean -rm-path (should be used only when not wanting to use aegis anymore).

To update from 1.1.0 or 1.1.1, there is no need to use clean, just aegis upgrade.
 
Yes, working very fine. I love the short aegis commands too :) Thank you very much!

Code:
- 'aegis' version: 1.1.2
- 'iprange' is installed: iprange 1.0.4
- 'aegis' is set and active for WAN interface (brwan) and VPN tunnel (wg0).
- Filtering 620081395 IP adresses.
- WAN gateway IP range does not need to be bypassed.
 