Skynet - Router Firewall & Security Enhancements

Great news, looking forward to it. However, I'm not running 380.68 Alpha2 (yet). Will I run into trouble when the weekly Skynet update check is done?

Skynet will update as per usual on Monday, but if it doesn't detect a compatible firmware it will fail to run and print an error message in syslog saying so. I suggest you turn off auto-updates for the time being until you are running a compatible firmware.
 
I don't understand why you have released a version which requires an alpha firmware?
I guess a lot of people will have trouble on Monday when it auto-updates, if they don't follow this thread.
 
I don't understand why you have released a version which requires an alpha firmware?
I guess a lot of people will have trouble on Monday when it auto-updates, if they don't follow this thread.

No one is forced to use the new version, they can stay on v5.0.7 if they choose with old firmware. It will only affect the small minority of people who have autoupdating enabled (can be disabled at any time), at which point they will be informed by the script why it wasn't started.

I also think most people on these forums (or specifically using this script) are "tinkerers" and like to download the betas and alphas to have access to bleeding edge features, I am just supporting the addiction :p
 
Skynet will update as per usual on Monday, but if it doesn't detect a compatible firmware it will fail to run and print an error message in syslog saying so. I suggest you turn off auto-updates for the time being until you are running a compatible firmware.

Could you please let us know how to turn off auto-updates?
 
Found this error in log,

Skynet: [ERROR] IPSet Extensions Not Enabled - Please Update To 380.68_alpha1 / V26E3 Or Newer Firmware

I am currently running 380.68 alpha 2
 
Everything looks ok?

Router Model: RT-AC3100
Skynet Version: v5.1.0 (03/08/2017)
iptables v1.4.14 - (eth0)
ipset v6.32, protocol version: 6
FW Version: 380.68_alpha2-g6527cb2 (Aug 3 2017)
Install Dir; /tmp/mnt/USB1/skynet (7.3G Space Available)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate usb=/tmp/mnt/USB1
Install Dir Writeable
Startup Entry Detected
Cronjobs Detected
IPSet Supports Comments
Autobanning Enabled
Debug Mode Disabled
No Duplicate Rules Detected In RAW
Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
Skynet IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet IPSet Detected
Skynet: [Complete] 128789 IPs / 2097 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 1 Inbound / 0 Outbound Connections Blocked! [7s]
 
Could you please let us know how to turn off auto-updates?

Simply re-run the install script by entering:

Code:
sh /jffs/scripts/firewall install

to reconfigure Skynet, choose No when asked if you want to enable weekly auto update.
 
Found this error in log,

Skynet: [ERROR] IPSet Extensions Not Enabled - Please Update To 380.68_alpha1 / V26E3 Or Newer Firmware

I am currently running 380.68 alpha 2

That error must have been in your logs from before you updated to alpha 2. I say this because the same check during the debug info command returns a positive result along with showing Skynet working as per expected.
 
Simply re-run the install script by entering:

Code:
sh /jffs/scripts/firewall install

to reconfigure Skynet, choose No when asked if you want to enable weekly auto update.

Thank you! :)
 
Hi

When doing an iptables -L -t raw I get this output
Code:
admin@RT-AC68U-4300:/jffs/scripts# iptables -L -t raw
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             match-set Whitelist dst
LOG        all  --  anywhere             anywhere             match-set BlockedRanges dst LOG level warning tcp-sequence tcp-options ip-options prefix "[BLOCKED - OUTBOUND] "
DROP       all  --  anywhere             anywhere             match-set BlockedRanges dst
LOG        all  --  anywhere             anywhere             match-set Blacklist dst LOG level warning tcp-sequence tcp-options ip-options prefix "[BLOCKED - OUTBOUND] "
DROP       all  --  anywhere             anywhere             match-set Blacklist dst
ACCEPT     all  --  anywhere             anywhere             match-set Whitelist src
LOG        all  --  anywhere             anywhere             match-set BlockedRanges src LOG level warning tcp-sequence tcp-options ip-options prefix "[BLOCKED - INBOUND] "
DROP       all  --  anywhere             anywhere             match-set BlockedRanges src
LOG        all  --  anywhere             anywhere             match-set Blacklist src LOG level warning tcp-sequence tcp-options ip-options prefix "[BLOCKED - INBOUND] "
DROP       all  --  anywhere             anywhere             match-set Blacklist src

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

It seems the entries are doubled ?
Is that an error and how do I remove the doubled ones ?

Output from "debug info"
Code:
Router Model: RT-AC68U-4300
Skynet Version: v5.0.7 (21/07/2017)
iptables v1.4.14 - (vlan101)
ipset v6.32, protocol version: 6
FW Version: 380.67_0 (Jul 16 2017)
Install Dir; /tmp/mnt/data/skynet (10.4G Space Available)
Boot Args; /jffs/scripts/firewall start debug banmalware usb=/tmp/mnt/data
Install Dir Writeable
Startup Entry Detected
Cronjobs Detected
Autobanning Enabled
Debug Mode Enabled
No Duplicate Rules Detected In RAW
No Duplicate Rules Detected In FILTER
Whitelist IPTable Detected
BlockedRanges IPTable Detected
Blacklist IPTable Detected
Whitelist IPSet Detected
BlockedRanges IPSet Detected
Blacklist IPSet Detected
Skynet: [Complete] 131586 IPs / 2509 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 398 Inbound / 308 Outbound Connections Blocked! [1s]
 
It seems the entries are doubled ?
Is that an error and how do I remove the doubled ones ?

If you look closely, the top half are for "dst" (outgoing connections), whereas the second half are for "src" (incoming connections). This is completely normal for v5.0.7.

One of the big changes for v5.1.0 was halving the amount of rules/calculations required, so when you decide to jump ship it will look different again;

Code:
admin@RT-AC68U-EE20:/tmp/home/root# iptables --line -t raw -vnL
Chain PREROUTING (policy ACCEPT 2172K packets, 325M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    53540 5453K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist dst
2      203 16163 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Skynet dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
3      203 16163 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Skynet dst
4    17039   14M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist src
5     1630  134K LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Skynet src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
6     1630  134K DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Skynet src
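An added example, not code from the thread or from Skynet itself: it parses a pasted `iptables --line -t raw -vnL` dump and checks the properties Adamm describes above, namely no duplicated rules, every LOG rule immediately followed by a DROP on the same set and direction, and the Whitelist ACCEPT placed ahead of the DROP rules for its direction. The sample dump is constructed from the v5.1.0 output quoted above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the `iptables --line -t raw -vnL` output
# quoted in the thread (Skynet v5.1.0 layout: ACCEPT/LOG/DROP per direction).
SAMPLE = """Chain PREROUTING (policy ACCEPT 2172K packets, 325M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    53540 5453K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist dst
2      203 16163 LOG        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Skynet dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
3      203 16163 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Skynet dst
4    17039   14M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist src
5     1630  134K LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Skynet src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
6     1630  134K DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set Skynet src
"""

# num, pkts, bytes, target ... match-set <set> <src|dst>
RULE_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(ACCEPT|LOG|DROP)\s+.*?match-set\s+(\S+)\s+(src|dst)")

def parse_rules(text):
    """Return (num, target, set_name, direction) for every rule line in the dump."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rules

def audit(text):
    """Return a list of findings; an empty list means the chain has the expected layout."""
    rules = parse_rules(text)
    findings = []
    # 1. Exact duplicates (same target, set and direction), the condition Skynet's
    #    debug info reports as "Duplicate Rules Detected".
    for key, n in Counter(r[1:] for r in rules).items():
        if n > 1:
            findings.append("duplicate rule %s x%d" % (" ".join(key), n))
    # 2. A LOG rule must be followed by a DROP on the same set/direction, otherwise
    #    matching traffic is logged as blocked but actually passes through.
    for a, b in zip(rules, rules[1:]):
        if a[1] == "LOG" and not (b[1] == "DROP" and a[2:] == b[2:]):
            findings.append("LOG rule %d not followed by matching DROP" % a[0])
    # 3. The Whitelist ACCEPT for a direction must come before any DROP in that
    #    direction, or whitelisted hosts are dropped before they are accepted.
    for direction in ("src", "dst"):
        accepts = [r[0] for r in rules if r[1:] == ("ACCEPT", "Whitelist", direction)]
        drops = [r[0] for r in rules if r[1] == "DROP" and r[3] == direction]
        if drops and (not accepts or min(accepts) > min(drops)):
            findings.append("Whitelist ACCEPT (%s) does not precede DROP rules" % direction)
    return findings
```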
 
If you look closely, the top half are for "dst" (outgoing connections), whereas the second half are for "src" (incoming connections). This is completely normal for v5.0.7.

One of the big changes for v5.1.0 was halving the amount of rules/calculations required, so when you decide to jump ship it will look different again;
Sorry.. Should have looked closer.
I plan to upgrade to the Alpha firmware tonight when the girlfriend is at the Robbie Williams concert, and then update to Skynet v5.1.0
 
@Adamm ...

I must come back again on it, sorry.
Is there really no way to permanently disable the dropped messages in the syslog?
 
@Adamm ...

I must come back again on it, sorry.
Is there really no way to permanently disable the dropped messages in the syslog?

Yes, it's as simple as disabling debug mode during the install process.
 
I have now pushed Skynet v5.1.0

This will require MerlinWRT v380.68_alpha2 (or newer) or John's Fork V26E3 (or newer). Here are some of the changes;

Halve required IPTables rules and calculations
Optimized whitelisting shared domains
Optimize sed commands
More accurate boot arg printing
Show ban reason when using ( stats search ip xxx.xxx.xxx.xxx )
Better IPSet save management to prevent accidental loss of blacklists
More accurate entry removal
Try to prevent cases where Skynet loads too fast and manipulates IPTables rules before they are flushed for a second time via the router (TL;DR fewer startup problems)

And finally the big change is Skynet has been rewritten so all entries now support comments. Whenever Skynet adds entries to either a Black or Whitelist it will have a comment associated with where it came from (for manual entries this is user defined, the example command list will be updated accordingly). No more wondering why something is on your Whitelist or Blacklist!

To update, please first install MerlinWRT v380.68_alpha2 (or newer) or John's Fork V26E3 (or newer). Then follow the normal Skynet update procedure using; ( sh /jffs/scripts/firewall update )


Note: If users wish to take full advantage of the new comment benefits, unfortunately there is no way to convert old entries. Skynet will try to do this for banmalware and bancountry entries the next time the commands are run; unfortunately the rest will be left without comments. If you are in the position to and wish to take advantage of these features for all your entries, I suggest flushing your Whitelist and Blacklists after updating.

@Adamm I have updated the router to the latest 380.68 alpha2 and Skynet to 5.1.1 without any issues, and as you suggested have flushed both Whitelist and Blacklists so they would get refreshed with the new comment feature of Skynet.

However, while looking at the Whitelist I have noticed the comments for all "Shared-Whitelist:" entries are there, but nothing else appears, such as what I would expect to be generated by these lines: (The IPs are in the Whitelist but the comments are not.)

Code:
                ipset -q -A Whitelist "$(nvram get wan0_ipaddr)"/32 comment "nvram: wan0_ipaddr"
                ipset -q -A Whitelist "$(nvram get lan_ipaddr)"/24 comment "nvram: lan_ipaddr"
                ipset -q -A Whitelist "$(nvram get wan_dns1_x)"/32 comment "nvram: wan_dns1_x"
                ipset -q -A Whitelist "$(nvram get wan_dns2_x)"/32 comment "nvram: wan_dns2_x"
                ipset -q -A Whitelist "$(nvram get wan_dns | awk '{print $1}')"/32 comment "nvram: wan_dns"
                ipset -q -A Whitelist "$(nvram get wan_dns | awk '{print $2}')"/32 comment "nvram: wan_dns"
                ipset -q -A Whitelist 192.168.1.0/24 comment "nvram: LAN Subnet"
                ipset -q -A Whitelist 151.101.96.133/32 comment "Github Content Server"

This is a great script! Thanks again.
 
@Adamm I have updated the router to the latest 380.68 alpha2 and Skynet to 5.1.1 without any issues, and as you suggested have flushed both Whitelist and Blacklists so they would get refreshed with the new comment feature of Skynet.

However, while looking at the Whitelist I have noticed the comments for all "Shared-Whitelist:" entries are there, but nothing else appears, such as what I would expect to be generated by these lines: (The IPs are in the Whitelist but the comments are not.)

Code:
                ipset -q -A Whitelist "$(nvram get wan0_ipaddr)"/32 comment "nvram: wan0_ipaddr"
                ipset -q -A Whitelist "$(nvram get lan_ipaddr)"/24 comment "nvram: lan_ipaddr"
                ipset -q -A Whitelist "$(nvram get wan_dns1_x)"/32 comment "nvram: wan_dns1_x"
                ipset -q -A Whitelist "$(nvram get wan_dns2_x)"/32 comment "nvram: wan_dns2_x"
                ipset -q -A Whitelist "$(nvram get wan_dns | awk '{print $1}')"/32 comment "nvram: wan_dns"
                ipset -q -A Whitelist "$(nvram get wan_dns | awk '{print $2}')"/32 comment "nvram: wan_dns"
                ipset -q -A Whitelist 192.168.1.0/24 comment "nvram: LAN Subnet"
                ipset -q -A Whitelist 151.101.96.133/32 comment "Github Content Server"

This is a great script! Thanks again.

Oops, ignore my last post. I was able to fix it with:

Code:
./firewall whitelist remove

This created the correct entries in the Whitelist with comments for all.
 