
Skynet - Asus Firewall Addition (Dynamic Malware/Country/Manual IP Blocking)

Discussion in 'Asuswrt-Merlin' started by Adamm, Apr 16, 2014.

  1. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    11,273
    Location:
    San Diego, CA
    Telnet shouldn't be exposed to the outside world - very insecure - better to run Dropbear or OpenSSH, which are far better for remote shells...
     
  2. Poopiepants

    Poopiepants Occasional Visitor

    Joined:
    Dec 4, 2015
    Messages:
    10
    My telnet is not for the router, but for an old school bbs.
    In this case there is no security issue.
     
  3. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    11,273
    Location:
    San Diego, CA
    Cool... I have a friend who does something similar, so he set up a Raspberry Pi to act as a terminal server (ssh into the Pi, and then Telnet into the DOS machine running the WWIV 5 telnet server)...
     
  4. Maude

    Maude Occasional Visitor

    Joined:
    Nov 14, 2015
    Messages:
    28
    This script is a godsend! I'm in the middle of a DDoS on my website from some guys in Russia and the script worked wonders... Some queries are getting through, but not as before... Thanks Adamm!
     
  5. Kronyx

    Kronyx Regular Contributor

    Joined:
    Jan 25, 2016
    Messages:
    64
    Hi! Does it work with an RT-AC3200? I don't see it in the list: RT-AC66U/RT-AC56U/RT-AC68U
     
  6. Maude

    Maude Occasional Visitor

    Joined:
    Nov 14, 2015
    Messages:
    28
    Well, it's listed as working for a 3100, so I assumed it worked with a 3200 :)

    I adjusted the code somewhat and tried the multiple versions that are in the thread. One finally worked for me.
     
  7. Cake

    Cake Senior Member

    Joined:
    Jun 20, 2014
    Messages:
    234
    AC68U with HGG. I followed your guide, and Humpty Dumpty fell. I have only had to use the reset on the back once. I can't get back in.

    So... after pasting the scripts in, and chmod a+x... rebooting...
    I never could ssh in and type firewall... I get "unknown command" or something.
    "ipset.txt missing" comes back when typing sh firewall.

    Started with random reboots every 5 minutes, then no route to host, no IP handed out to my desktop, etc.
    Even with a static IP I can't find the router's GUI.

    Did your script overclock by any chance? I thought I saw some kind of CFE message about it when first running something.
     
  8. Cake

    Cake Senior Member

    Joined:
    Jun 20, 2014
    Messages:
    234
    Well, I got back in. I suspect I am overclocked, as the router's GUI says 1200 MHz!
    Did HGG's firmware do that, or the script in this thread?

    I guess it's not important, but how do I go back to the default CPU speed?

    Will:
    nvram set clkfreq=800
    nvram commit
    reboot

    work?
    (link)
    My problem is my router locks up between 5 seconds and 2 minutes after a reboot now.
    I am worried it will do it in the middle of reinstalling firmware/factory reset.
    The router's bootloader (CFE) is 1.0.2.0 (I'm not sure if it got changed; I was using HGG 380.57.6-older driver, AC68U).

    Final edit: The above nvram command works; the router's GUI shows 800 MHz after reboot. It may still be the wrong freq (I think there are 2 or 3 values after 800), but until someone replies back with the correct default freq, I'll keep it.
     
    Last edited: Feb 20, 2016
  9. Maude

    Maude Occasional Visitor

    Joined:
    Nov 14, 2015
    Messages:
    28
    Well, I still need help:

    I have the firewall code up and running and added some tweaks to it, like the option of banning an IP block with a mask, e.g. 188.143.0.0/16, from the program command line. And I added the M$ anti-spying code from the wiki at the end.

    It DOES work splendidly for attackers that are going for ports OTHER than 80. See, I have a website that's running on port 80 and some people out there are trying to hack it. Since I'm using the PortForward option in the GUI to open the http port and redirect to my PC, I have no control over who's getting in...

    Now, what I would desperately need is a way to use the banned ipset's to filter an iptables FORWARD and PREROUTING set of rules instead of the GUI.

    I found some code in SNB threads, code like this:
    Code:
    iptables -t nat -I PREROUTING -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100
    
    combined with this:
    Code:
    -A FORWARD -i eth0 -m state --state INVALID -j DROP
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i ! br0 -o eth0 -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    -A FORWARD -i br0 -j ACCEPT
    
    Conceptually, what I would like is a FORWARD rule that's accepting a NOT -m set --match-set Maude src

    Can someone help?

    EDIT:

    This is what I'm trying now with PortForward disabled:
    Code:
    # remove any previous copies first, so re-running this does not stack duplicate rules
    # (the first -D also takes the GUI's VSERVER jump for this address out of PREROUTING)
    iptables -t nat -D PREROUTING -d 192.222.217.133/32 -j VSERVER
    iptables -t nat -D PREROUTING -d 192.222.217.133/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.190:80
    iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set BlockedCountries src -j DROP
    iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set Blacklist src -j DROP
    iptables -D FORWARD -m conntrack --ctstate DNAT -m set --match-set Maude src -j DROP
    iptables -D FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    
    # forward WAN port 80 to the LAN web server without going through the GUI's VSERVER chain
    iptables -t nat -I PREROUTING -d 192.222.217.133/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.190:80
    # -I puts each rule at the TOP of FORWARD, so the ACCEPT is inserted first and the
    # three set-match DROPs inserted after it end up above it and are checked first
    iptables -I FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set BlockedCountries src -j DROP
    iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set Blacklist src -j DROP
    iptables -I FORWARD -m conntrack --ctstate DNAT -m set --match-set Maude src -j DROP
    PS: I can share the changes I made to the code through the website... Just ask for it...

    Thanks !

    Maude
     
    Last edited: Feb 20, 2016
  10. Maude

    Maude Occasional Visitor

    Joined:
    Nov 14, 2015
    Messages:
    28
    Well...

    This seems to be working... I've stopped the DoS on port 80...
     
  11. Pos22

    Pos22 Occasional Visitor

    Joined:
    Jul 2, 2015
    Messages:
    30
    Version 380.63 seems to have broken this script on my 5300, anyone else having this issue?

    Thoughts?
     
  12. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    2,926
    Location:
    UK
  13. HardCat

    HardCat Regular Contributor

    Joined:
    Sep 14, 2013
    Messages:
    85
    Location:
    Nova Scotia, Canada
    Pos22 likes this.
  14. Pos22

    Pos22 Occasional Visitor

    Joined:
    Jul 2, 2015
    Messages:
    30
  15. Perogen

    Perogen New Around Here

    Joined:
    Feb 6, 2017
    Messages:
    1
    Did you manage to get the script running for version 380.63? If so, could you please post the updated code, thanks!
     
  16. Pos22

    Pos22 Occasional Visitor

    Joined:
    Jul 2, 2015
    Messages:
    30
    Yes, but it has changed again in .65, which I am unable to look at due to other commitments. In .63, this is what I did in the firewall-start script.

    Code:
    #!/bin/sh
    # Only run the firewall script if its ipset is not loaded yet. The set name checked
    # here ("malware-filter") comes from a different script; it should name a set that
    # /jffs/scripts/firewall itself creates, otherwise this branch runs on every start.
    if [ "$(ipset --swap malware-filter malware-filter 2>&1 | grep -E 'Unknown set|The set with the given name does not exist')" != "" ]; then
        # Load ipset modules
        ipset -v | grep -i "v4" > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            # old ipset
            ipsetv=4
            lsmod | grep "ipt_set" > /dev/null 2>&1 || \
            for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do
                insmod $module
            done
        else
            # new ipset
            ipsetv=6
            lsmod | grep "xt_set" > /dev/null 2>&1 || \
            for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set; do
                insmod $module
            done
        fi
        # save the ipsets hourly, then (re)start crond so it picks up the new crontab
        echo "0 * * * * /jffs/scripts/firewall save" > /var/spool/cron/crontabs/admin
        [ -n "`pidof crond`" ] && killall -q crond

        sleep 5
        crond
        sh /jffs/scripts/firewall
    fi
    Let us know if it works for you.

    Kind Regards
     
  17. swetoast

    swetoast Guest

    Joined:
    Apr 12, 2016
    Messages:
    804
    Errr, that's not malware-filter. If you're gonna copy-paste stuff, do it right.
     
  18. Pos22

    Pos22 Occasional Visitor

    Joined:
    Jul 2, 2015
    Messages:
    30
  19. Two Potatoe

    Two Potatoe New Around Here

    Joined:
    Jun 7, 2016
    Messages:
    4
    Hi all,

    Can anyone confirm (or repost) the scripts that work with 380.65?

    Thanks!
     
    skeal likes this.
  20. skeal

    skeal Senior Member

    Joined:
    Apr 30, 2016
    Messages:
    225
    Location:
    Moose Jaw Saskatchewan Canada
    Yes, please post the scripts needed to run on 380.65. I have an AC68U waiting for the programming..... TIA
    Steve
     