Iptables, routes and ip a


johnathonm

Regular Contributor
Hi everyone,

I hope you are well. I am encountering behavior in my ax88u using the official non beta release build of the firmware. I am encountering what feels like a lag spike and issues where pages (like GitHub) occasionally fail to load. I am not sure what a hijack or poisoning would look like but I have taken a look at the iptables export, the routes in place, the ifconfig setup with the ports. Routes and one more thing.

It sounds like hundreds of pages of stuff but it’s not, but I was wondering if someone with more knowledge could maybe take a look at the data and let me know if they see anything off. I do know the iptables look like absolute dookie and there are things in there I have never seen nor really fully grasp. I have spent a lot of time trying to learn and reading but it’s not very clear cut.

Please let me know as it is making the network behave worse than I have ever encountered.

I thank you all in advance and I will post the txt dump in the next post. I might add a question in the piece just so I understand, I want to learn so I can also give back down the road too.

thanks again.

j
 

johnathonm

Regular Contributor
I tried to capture all I thought might be of value, if anything else helps let me know. They are actually txt files but for a tiny bit of security I renamed them as pdfs... it makes sense at 4 am.

Thank you all in advance.
 

Attachments

RMerlin

Asuswrt-Merlin dev
Try using different DNS servers.
 

dave14305

Part of the Furniture
Where do all those OUTPUT_DNS iptable rules come from?
 

ColinTaylor

Part of the Furniture
Where do all those OUTPUT_DNS iptable rules come from?
That was what I was wondering.

EDIT: I did think that perhaps all that hex-string matching might be slowing things down. But I did a little test and it didn't make any difference (and DNS requests are generally few and far between).

He also has a ridiculous number of NSFW rules that appear to do nothing AFAICT. Unless I'm missing something (which is quite possible), specifying a destination of 192.168.1.0/24 (his LAN subnet) means the rules will never be matched. Not that that would be the cause of his problem.
 
Last edited:

johnathonm

Regular Contributor
Hello all,

Colin, it's great to see you again. Merlin, it's awesome as always and Dave it's nice to meet you. This is all that I did in the setup, I don't know why the rules and such exist.

I suppose first, since it's not clear, I set up each of the firewall port rules you see with the 192/24 in the GUI. As an end user the fields were, to me, inbound port which could be anything so leaving it blank in my logic was the equivalent of a wildcard aka *. And the incoming attacker etc., would be next to my network thus I was trying to block the entire range of the subnet, and finally the port itself which I did not want anything to enter. So SPT of threat packets -> source ip of threat -> to X computer in my network -> targeted port. I also added the ICMP 0 8.

I added some keywords too. After that, I installed ADAMM's skynet, blocked several countries and did not change any configuration. I expanded the blocklists at one point, but I cleared them within the software. I briefly had the ntp and scribe scripts installed but things were going to hell, so I removed them.

I don't even know what those rules are and I have never seen anything like them. I did not use any other script outside basically what we use here. I did modify my dnsmasq.conf but I can't see how that would impact things. I did have the TLS enabled at one point, but I could never get it to work, so I disabled it.

I am so sorry for my being dumb here... but this is new to me in the data you're seeing.

I will attach my dnsmasq.conf as it stands. What do you think is the best course of action and/or what is a DNS_FLUSH?

Thanks guys. I owe you a case of your beverage of choice.

J
 
Last edited:

johnathonm

Regular Contributor
Of course the answer is obvious in the end...

Definitely ancient aliens. :)
 

johnathonm

Regular Contributor
But here are the other changes (I can send the nvram dump, sysctl, saved cfg and jffs in private or is that a moot point, just let me know).
 

Attachments

ColinTaylor

Part of the Furniture
Thanks for the extra info. That explains most of the rules.

FYI the Network Services Filter only affects LAN to WAN traffic, so the "destination" address would be that of a host on the internet. Likewise blocking ICMP and VPNs is only preventing you from using those services on the internet, it's not blocking them incoming.

I can see the Skynet stuff but that still leaves the mystery of the OUTPUT_DNS rules. Edit: See Merlin's reply below.

But none of this would really explain your issue. I think at the moment I'd go with Merlin's suggestion and try a different DNS provider.
 
Last edited:
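Colin's two points above (rules in the outbound filter that name the LAN subnet 192.168.1.0/24 as destination can never match, because the Network Services Filter only sees LAN to WAN traffic, whose destination is always an internet host) can be checked mechanically against an `iptables-save` dump. The script below is an added example, not code from the thread or from the Asuswrt-Merlin project: it parses rules in `iptables-save` format, works out which user chains are only ever entered from FORWARD rules leaving via the WAN interface, and flags any rule in those chains whose `-d` falls inside the LAN subnet. The chain name `NSFW`, the WAN interface `eth0` and the sample rules are constructed for the example and are not taken from the original attachments.

```python
import ipaddress
import re

LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # LAN subnet mentioned in the thread
WAN_IFACE = "eth0"  # assumed WAN interface name; check `ip a` / nvram on the real router

# Constructed sample shaped like `iptables-save` output (not from the thread's attachments).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:NSFW - [0:0]
-A FORWARD -i br0 -o eth0 -j NSFW
-A NSFW -d 192.168.1.0/24 -p tcp -m tcp --dport 445 -j DROP
-A NSFW -d 192.168.1.0/24 -p udp -m udp --dport 53 -j DROP
-A NSFW -d 203.0.113.0/24 -p tcp -m tcp --dport 22 -j DROP
-A NSFW -p icmp -j DROP
-A INPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+)(.*)$")


def tokenize(rest):
    """Turn the option part of a rule into {option: value}; negated ('!') options are dropped,
    because a negated LAN destination can still match outbound traffic."""
    tokens = rest.split()
    opts, i, negate = {}, 0, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            if not negate:
                opts[tok] = tokens[i + 1]
            negate, i = False, i + 2
        else:
            i += 1
    return opts


def parse_rules(text):
    """Return a list of {'chain', 'line', 'opts'} for every '-A' line in an iptables-save dump."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            chain, rest = m.groups()
            rules.append({"chain": chain, "line": line, "opts": tokenize(rest)})
    return rules


def lan_to_wan_chains(rules, wan_iface=WAN_IFACE):
    """User chains whose every entry point is a FORWARD rule with '-o <wan>',
    i.e. chains that only ever see traffic heading out to the internet."""
    defined = {r["chain"] for r in rules}
    jumps = {}
    for r in rules:
        target = r["opts"].get("-j")
        if target in defined:
            jumps.setdefault(target, []).append(r)
    return {
        chain
        for chain, callers in jumps.items()
        if all(c["chain"] == "FORWARD" and c["opts"].get("-o") == wan_iface for c in callers)
    }


def dead_lan_destination_rules(text, lan=LAN_SUBNET, wan_iface=WAN_IFACE):
    """Rules in outbound-only chains whose destination lies inside the LAN subnet.
    Such a destination never appears on LAN->WAN traffic, so the rule can never match."""
    rules = parse_rules(text)
    outbound = lan_to_wan_chains(rules, wan_iface)
    dead = []
    for r in rules:
        dst = r["opts"].get("-d")
        if r["chain"] not in outbound or dst is None:
            continue
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue
        if net.version == lan.version and net.subnet_of(lan):
            dead.append(r["line"])
    return dead


if __name__ == "__main__":
    # On a real router: `iptables-save > /tmp/rules.txt` and feed that file in instead.
    for line in dead_lan_destination_rules(SAMPLE_RULES):
        print("never matches (LAN destination in outbound chain):", line)
```

Only the two rules that name 192.168.1.0/24 are reported; the rule aimed at 203.0.113.0/24 and the INPUT rule are left alone, and chains that can also be reached from INPUT or inbound FORWARD rules are deliberately not treated as outbound-only. As Colin notes, dead rules like these cost a little matching time but do not explain lag, so this is a tidiness check rather than a diagnosis.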

johnathonm

Regular Contributor
Also, this is getting weirder.

I don't know what this is but the firewall manual bans are blocking a company Dosarrest, I could only read a little bit but it looks like they are doing something with Comcast. I feel like this was definitely compromised or an exploit. Would that be possible at the modem itself (it is a crappy Linksys after all, CM1000) or the modem itself?

I am going to drop to Google's DNS with just the GUI settings. May I ask a question, unless one uses a custom dnsmasq Merlin launches two instances of dnsmasq. It has been that way for a while, and it seemed odd to me. It always happened with the dhcp script portion.


Thanks again and I think I should nuke this guy. In terms of data collection is there anything that would be useful for bug reporting or possible exploit?

J
 

RMerlin

Asuswrt-Merlin dev
I can see the Skynet stuff but that still leaves the mystery of the OUTPUT_DNS rules.
Security measures put in place by Asus in recent firmware releases. That is all I can say for now.
 
