What's new

Skynet Skynet - Router Firewall & Security Enhancements

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

My telnet is not for the router, but for an old school bbs.
In this case there is no security issue.

Cool... have a friend that does something similar, so he set up a RaspPI to act as a terminal server (ssh into the PI, and then Telnet into the DOS machine running WWIV 5 telnet server)...
 
This script is a Godsend ! I'm in the middle of a DDOS on my website from some guys in Russia and the script worked wonders... Some queries are getting through but not as before... Thanks Adamm !
 
Well, it's listed as working for a 3100 so I assumed it worked with a 3200 :)

I adjusted the code somewhat and tried the multiple versions that are in the thread. One did finally worked for me.
 
AC68U with HGG. I followed your guide, and humpty dumpty fell. I have only had to use the reset once on the back. I can't get back in.

So.. after pasting the scripts in, and chmod a+x .. rebooting....
I never could shh and type firewall ... ... . I get unknown command or something.
ipset.txt missing comes back when typing sh firewall.


Started with random reboots every 5 minutes, then no route to host, no ip handed out to my desktop, etc.
Even with static ip I can't find the router's gui.

Did your script overclock by any chance? I thought I seen some kind of cfe message about it when first running something.
 
Well I got back in, I suspect I am overclocked as the routers GUI says 1200Mhz!
Did HGG's firmware do that or the script in this thread?

I guess its not important, but how do I go back to default cpu speed?

will:
nvram set clkfreq=800
nvram commit
reboot

work?
(link)
My problem is my router locks up between 5 seconds and 2 minutes after a reboot now.
I am worried it will do it in the middle of reinstalling firmware/factory reset.
The router's bootlader (cfe) is 1.0.2.0 (I'm not sure if it got changed I was using HGG 380.57.6-older driver, AC68U)

Final edit: The above nvram command works, router's gui shows 800Mhz after reboot. It still maybe the wrong freq, (I think there is 2 or 3 values after 800), but until someone replies back with correct default freq, I'll keep it.
 
Last edited:
Well, I still need help:

I have the firewall code up and running and added some tweaks to it like the option of banning an IP block with Mask e.g. 188.143.0.0/16 from the program commande line. And added the M$ anti-spying code from the wiki at the end.

It DOES work splendidly for attackers that are going for ports OTHER than 80. See, I have a website that's running on port 80 and some people out there are trying to hack it. Since I'm using the PortForward option in the GUI to open the http port and redirect to my PC, I have no control over who's getting in...

Now, what I would desperately need is a way to use the banned ipset's to filter an iptables FORWARD and PREROUTING set of rules instead of the GUI.

I found some code in SNB threads, code like this:
Code:
iptables -t nat -I PREROUTING -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100
combined with this:
Code:
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o eth0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT

Conceptually, what I would like is a FORWARD rule that's accepting a NOT -m set --match-set Maude src

Can someone help ?

EDIT:

This is what I'm trying now with PortForward disabled:
Code:
iptables -t nat -D PREROUTING -d 192.222.217.133/32 -j VSERVER
iptables -t nat -D PREROUTING -d 192.222.217.133/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.190:80
iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set BlockedCountries src -j DROP
iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set Blacklist src -j DROP
iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set Maude src -j DROP
iptables -D FORWARD -m conntrack --ctstate DNAT -j ACCEPT

iptables -t nat -I PREROUTING -d 192.222.217.133/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.190:80
iptables -I FORWARD -m conntrack --ctstate DNAT -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set BlockedCountries src -j DROP
iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set Blacklist src -j DROP
iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set Maude src -j DROP

PS: I can share the changes I made to the code through the website... Just ask for it...

Thanks !

Maude
 
Last edited:
Well, I still need help:

I have the firewall code up and running and added some tweaks to it like the option of banning an IP block with Mask e.g. 188.143.0.0/16 from the program commande line. And added the M$ anti-spying code from the wiki at the end.

It DOES work splendidly for attackers that are going for ports OTHER than 80. See, I have a website that's running on port 80 and some people out there are trying to hack it. Since I'm using the PortForward option in the GUI to open the http port and redirect to my PC, I have no control over who's getting in...

Now, what I would desperately need is a way to use the banned ipset's to filter an iptables FORWARD and PREROUTING set of rules instead of the GUI.

I found some code in SNB threads, code like this:
Code:
iptables -t nat -I PREROUTING -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100
combined with this:
Code:
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o eth0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT

Conceptually, what I would like is a FORWARD rule that's accepting a NOT -m set --match-set Maude src

Can someone help ?

EDIT:

This is what I'm trying now with PortForward disabled:
Code:
iptables -t nat -D PREROUTING -d 192.222.217.133/32 -j VSERVER
iptables -t nat -D PREROUTING -d 192.222.217.133/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.190:80
iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set BlockedCountries src -j DROP
iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set Blacklist src -j DROP
iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set Maude src -j DROP
iptables -D FORWARD -m conntrack --ctstate DNAT -j ACCEPT

iptables -t nat -I PREROUTING -d 192.222.217.133/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.190:80
iptables -I FORWARD -m conntrack --ctstate DNAT -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set BlockedCountries src -j DROP
iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set Blacklist src -j DROP
iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set Maude src -j DROP

PS: I can share the changes I made to the code through the website... Just ask for it...

Thanks !

Maude

Well...

This seems to be working... I've stopped the DoS on port 80...
 
Version 380.63 seems to have broken this script on my 5300, anyone else having this issue?

Thoughts?
 
Did you manage to get the script running for version 380.63? If so, could you please post the updated code, thanks!

Yes, but it has changed again in .65, which I am unable to look at due to other commitments, in .63, this is what I did in the firewall-start script.

Code:
#!/bin/sh
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
# Load ipset modules                                                     
ipset -v | grep -i "v4" > /dev/null 2>&1                                   
if [ $? -eq 0 ];                                                           
then                                                                 
   # old ipset                                                         
   ipsetv=4                                                           
   lsmod | grep "ipt_set" > /dev/null 2>&1 || \                       
   for module in ip_set ip_set_nethash ip_set_iphash ipt_set           
   do                                                                 
       insmod $module                                             
   done                                                               
else                                                                       
   # new ipset                                               
   ipsetv=6                                                   
   lsmod | grep "xt_set" > /dev/null 2>&1 || \               
   for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set 
   do                                                         
       insmod $module                                     
   done                                                       
fi
echo "0 * * * * /jffs/scripts/firewall save" > /var/spool/cron/crontabs/admin
[ -n "`pidof crond`" ] && killall -q crond

sleep 5
crond
sh /jffs/scripts/firewall
fi

Let us know if it works for you.

Kind Regards
 
errr thats not malware-filter if your gonna copy paste stuff do it right
Yes, but it has changed again in .65, which I am unable to look at due to other commitments, in .63, this is what I did in the firewall-start script.

Code:
#!/bin/sh
if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
# Load ipset modules                                                    
ipset -v | grep -i "v4" > /dev/null 2>&1                                  
if [ $? -eq 0 ];                                                          
then                                                                
   # old ipset                                                        
   ipsetv=4                                                          
   lsmod | grep "ipt_set" > /dev/null 2>&1 || \                      
   for module in ip_set ip_set_nethash ip_set_iphash ipt_set          
   do                                                                
       insmod $module                                            
   done                                                              
else                                                                      
   # new ipset                                              
   ipsetv=6                                                  
   lsmod | grep "xt_set" > /dev/null 2>&1 || \              
   for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
   do                                                        
       insmod $module                                    
   done                                                      
fi
echo "0 * * * * /jffs/scripts/firewall save" > /var/spool/cron/crontabs/admin
[ -n "`pidof crond`" ] && killall -q crond

sleep 5
crond
sh /jffs/scripts/firewall
fi

Let us know if it works for you.

Kind Regards
 
Yes please post the scripts needed to run on 380.65 I have ac68u waiting for the programming.....tia
Steve
 
Hope this is the right place.
Any way of blocking a range of ips.
For example 159.153.76.xxx
Im using ddwrt but also have merlin on the Ac88U which i switch over every week or few days.
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top