Aegis (simple yet effective protection)


Jauger

Occasional Visitor
Awesome. I have been blocking DNS to all devices except the piholes (Port 53 & 853) under Netgear/Security/Block Services... your prerouting config should be exactly what I need... Edit: As I am at work right now it will be a few hours before I can get home to test. Was thinking though, is there a way to command line and revert Reject back to Drop for testing?? Thanks

HELLO_wORLD

Senior Member
Awesome. I have been blocking DNS to all devices except the piholes (Port 53 & 853) under Netgear/Security/Block Services... your prerouting config should be exactly what I need... Edit: As I am at work right now it will be a few hours before I can get home to test. Was thinking though, is there a way to command line and revert Reject back to Drop for testing?? Thanks
Yes, you can do:
If logging is off:
iptables -I aegis_dst 2 -j DROP

If logging is on:
iptables -I aegis_dst 3 -j DROP

Please note that aegis status will complain about that, but it would work for testing.
To get rid of those rules and go back to a clean aegis setup: aegis restart.

By the way, after testing the PREROUTING rules, to make them stick, you would have to put them in firewall-start.sh, or if you are using @kamoj's Add-on, you can create a firewall-start-google_dns_redir.sh with only those rules in it. Without that, each time the internal firewall is restarted, you would lose the custom rules.
Firewall start scripts go in /opt/scripts/

Jauger

Occasional Visitor
Ran home to do a few quick tests... Prerouting causes Unbound errors... It seems hardcoded devices just can't handle Reject, whereas they pass off Drop with no complaining... But not a big deal as I can stick with using Static Routes to get around this issue... Appreciate your help and no need to change any of your hard work as my issue seems to be just my setup...

HELLO_wORLD

Senior Member
Ok, apparently, it does not like the dport option.
dport option requires a protocol. So you can do this (I tested and it works for me):
Code:
iptables -t nat -A PREROUTING -i br0 -d 8.8.8.8/32 -p udp --dport 53 -j DNAT --to-destination PIHOLEIP
iptables -t nat -A PREROUTING -i br0 -d 8.8.4.4/32 -p udp --dport 53 -j DNAT --to-destination PIHOLEIP
iptables -t nat -A POSTROUTING -o br0 -s PIHOLEIP/32 -p udp --sport 53 -j SNAT --to-source 8.8.8.8
Alternative:
Code:
iptables -t nat -A PREROUTING -i br0 -d 8.8.8.8/32 -j DNAT --to-destination PIHOLEIP
iptables -t nat -A PREROUTING -i br0 -d 8.8.4.4/32 -j DNAT --to-destination PIHOLEIP
This version changes the destination address for all ports of any packets going to 8.8.8.8 (and 8.8.4.4) to your PIHOLEIP address. The first version only does this for DNS (and lets your Nvidia Shield think that anything coming from your PIHOLE is from 8.8.8.8).

Jauger

Occasional Visitor
Success! Nice stable logs and no Unbound errors... I took the first option and used pihole1, then copied it again, changed udp to tcp and pointed it to pihole2... Thank you, sorry for the headache... (now off to figure out how to stick this on a USB to survive a reboot :) )

HELLO_wORLD

Senior Member
Success! Nice stable logs and no Unbound errors... I took the first option and used pihole1, then copied it again, changed udp to tcp and pointed it to pihole2... Thank you, sorry for the headache... (now off to figure out how to stick this on a USB to survive a reboot :) )
If in firewall-start.sh, it will survive reboots.
The USB post-mount.sh is to survive flashing firmwares.

HELLO_wORLD

Senior Member
Wanting to back up nvram, what would be the command to save it and then put it back?

Just to get a copy.

I have the USB in /tmp/mnt/sdc1
Exactly like @kamoj said.

You can also install my nvram-utils script: https://www.snbforums.com/threads/r7800-utility-nvram-utils.63585/#post-575310

You don't have to use the fix (that is there for deficient internal flash disks), but each time you use the command nvram-utils backup it saves a bin backup at the root of the flash disk, and a time-stamped copy of it (bin and text format) in a nvram_backps folder at the root of your USB disk.

foo man

Occasional Visitor
or if you are using @kamoj's Add-on, you can create a firewall-start-google_dns_redir.sh with only those rules in it. Without that, each time the internal firewall is restarted, you would lose the custom rules.
Firewall start scripts go in /opt/scripts/
Sorry for being such a noob, but how exactly would I go about setting up that script in kamoj's add-on?

HELLO_wORLD

Senior Member
Sorry for being such a noob, but how exactly would I go about setting up that script in kamoj's add-on?
It is not a setup from the Addon. It is more a feature the Addon is offering.

When Kamoj’s Addon is installed, all scripts named firewall-start-[SOMETHING].sh placed in /opt/scripts/ will be loaded each time the internal firewall is started or restarted.

Without the Addon, the only file loaded is firewall-start.sh
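The redirect rules from the post above, put together as the firewall-start-google_dns_redir.sh that HELLO_wORLD describes, as an added example that is not from the thread or from kamoj's Add-on: it covers UDP and TCP (a --dport match needs -p, which is what broke the first attempt), splits them across two Pi-holes the way Jauger did, and checks with iptables -C before appending so re-running on a firewall restart never duplicates rules. The Pi-hole addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate the redirect rules for
# hard-coded Google DNS as an idempotent firewall-start script, meant to be
# saved as /opt/scripts/firewall-start-google_dns_redir.sh (kamoj Add-on)
# or appended to firewall-start.sh. Addresses below are placeholders.

LAN_IF="br0"
PIHOLE1="192.168.1.2"   # placeholder: Pi-hole that will serve UDP/53
PIHOLE2="192.168.1.3"   # placeholder: Pi-hole that will serve TCP/53
GOOGLE_DNS="8.8.8.8 8.8.4.4"

# Emit one rule as "check, else append": iptables -C exits non-zero when the
# rule is absent, so running this script again never duplicates rules.
emit() {
    tbl=$1; chain=$2; shift 2
    printf 'iptables -t %s -C %s %s 2>/dev/null || iptables -t %s -A %s %s\n' \
        "$tbl" "$chain" "$*" "$tbl" "$chain" "$*"
}

# DNAT one Google address to a Pi-hole. --dport only works together with -p,
# which is why the protocol argument is mandatory here.
dnat_rule() {   # $1 = Google IP, $2 = udp|tcp, $3 = Pi-hole IP
    emit nat PREROUTING "-i $LAN_IF -d $1/32 -p $2 --dport 53 -j DNAT --to-destination $3"
}

# SNAT answers leaving a Pi-hole so the client sees them coming from 8.8.8.8,
# mirroring the first version of the rules in the thread.
snat_rule() {   # $1 = Pi-hole IP, $2 = udp|tcp
    emit nat POSTROUTING "-o $LAN_IF -s $1/32 -p $2 --sport 53 -j SNAT --to-source 8.8.8.8"
}

# Full rule set: UDP/53 to PIHOLE1, TCP/53 to PIHOLE2, for both Google IPs.
all_rules() {
    for g in $GOOGLE_DNS; do
        dnat_rule "$g" udp "$PIHOLE1"
        dnat_rule "$g" tcp "$PIHOLE2"
    done
    snat_rule "$PIHOLE1" udp
}

# Number of rules the script would install (quick sanity check).
rule_count() {
    all_rules | wc -l | tr -d ' '
}

# Print the generated commands; pipe them into sh on the router to apply.
all_rules
```

Running it prints the commands instead of executing them, so the output can be reviewed and then saved as the firewall-start script.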

foo man

Occasional Visitor
Just updated to kamoj's latest beta, so: uninstalled the beta, rebooted, installed latest beta and rebooted again. The settings survived all of that. AMAZING! Thanks again brother!

Voxel, kamoj, HELLO_wORLD ... I cannot thank you enough! Trying times this year, but hoping you all find some way to enjoy the upcoming holidays! Thanks for all you have given us! :)