Skynet Skynet - Router Firewall & Security Enhancements

[bayern1975]

Okay now this makes a whole lot more sense. Recently I switched from blocking every interface to just the value of "nvram get wan0_ifname" as it was conflicting with IPv6 setups. Clearly this doesn't work for users with similar setups to yours.

Whats the output of;

nvram show | grep ppp0

admin@RT-AC3200-7180:/tmp/home/root# nvram show | grep ppp0
size: 61824 bytes (3712 left)
wan0_gw_ifname=ppp0
wan0_pppoe_ifname=ppp0

 

[Adamm]

admin@RT-AC3200-7180:/tmp/home/root# nvram show | grep ppp0
size: 61824 bytes (3712 left)
wan0_gw_ifname=ppp0
wan0_pppoe_ifname=ppp0

Okay thanks that gives me something to work with, I'll work on a possible solution in the morning.

 

[faria]

admin@RT-AC3200-7180:/tmp/home/root# nvram show | grep ppp0
size: 61824 bytes (3712 left)
wan0_gw_ifname=ppp0
wan0_pppoe_ifname=ppp0

Im also having the same issue. 0 bans , my interfaces are the same as bayern1975

 

[perkins1724]

Hi Adamm and all. Been working through trying to understand a couple of issues I have had with access to sites and the blacklist.

With one of them I was getting a run of about 20 block entries in the log over about a 10min window. Long (long) story short, it turns out one of my devices in the house was trying to update its podcast list but the server hosting the podcast list was in the malware blacklist. The device was requesting updates fine and the remote server got the requests fine but the firewall blocked the replies (as is intended of course). Because the internal device was timing out it kept trying every 30sec for 10min before giving up for 12hrs. Then repeat.

Given that replies from blacklist addresses are always going to be blocked it occurred to me that it would probably be in order to block packets going out to blocked addresses, not just coming in. It then occurred to me that it might be (super) nice to be able to positively communicate that back to whoever / whatever is making the request from inside the network. What I have added to my local setup is the following iptable rule:

iptables -t nat -I PREROUTING -p tcp -m set --match-set Blacklist dst -j DNAT --to-destination local_ip_address:local_port

Where local_ip_address and local_port point to a local website I created on my LAN that just returns generic 403 FORBIDDEN to everything it gets sent. I am hoping it will be possible to get the Merlin code / router to serve the 403 FORBIDDEN page instead so it is a practical solution (obviously this rule in its current form will only work for my setup) but I haven't worked that bit out yet. Perhaps someone here might be able to point me in the right direction?

The second issue was just the school website being blocked. I just initially assumed it was down because it would time out but after a week I realised something was up. Having a 403 FORBIDDEN response would assist in recognising that something was getting actively blocked rather than timing out.

In case anyone is curious, both of these were professional web hosting companies (one of which is hosting over 40000 websites it appears). It appears that if one of their sites gets hacked and starts spamming malware that they (predictably) get their IP addresses added to the blocklist - of course this in turn results in all their co-located behaving websites getting blocked as well.

 

[Adamm]

I've pushed a fix for ppp0 connections @bayern1975 @faria . Let me know how it goes

 

[Adamm]

Where local_ip_address and local_port point to a local website I created on my LAN that just returns generic 403 FORBIDDEN to everything it gets sent. I am hoping it will be possible to get the Merlin code / router to serve the 403 FORBIDDEN page instead so it is a practical solution (obviously this rule in its current form will only work for my setup) but I haven't worked that bit out yet. Perhaps someone here might be able to point me in the right direction?

Not a bad idea, but you're right in saying this would only work on a non-default setup. I'll have to think on this one and any potentially adverse consequences (dos maybe?).

In case anyone is curious, both of these were professional web hosting companies (one of which is hosting over 40000 websites it appears). It appears that if one of their sites gets hacked and starts spamming malware that they (predictably) get their IP addresses added to the blocklist - of course this in turn results in all their co-located behaving websites getting blocked as well.

That's unfortunately the downside of shared hosting. Its usually cheap and oversold to maximise profits for the host (I used to work for a reputable provider, its bad ). Usually they attract the wrong kind of customer and get the IP flagged in various databases. Not much we can do there besides whitelist websites you think are incorrectly being blocked (after investigating why it was in the first place)

 

[bayern1975]

i installed that new 4.7.6 version but it is same as yesterday....no logging for blocked, banned addresses in syslog......i have no idea what is my problem....installation was fine as always...

ASUSWRT-Merlin RT-AC3200 380.67-alpha2-g1bd1e71 Wed May 31 18:55:23 UTC 2017
admin@RT-AC3200-7180:/tmp/home/root# iptables --line -vL -nt raw
Chain PREROUTING (policy ACCEPT 947 packets, 133K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       20  3155 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist src
2        0     0 LOG        all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges src LOG flags 7 level 4 prefix "[BLOCKED - RAW] "
3        0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges src
4        0     0 LOG        all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src LOG flags 7 level 4 prefix "[BLOCKED - RAW] "
5        0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

Chain OUTPUT (policy ACCEPT 1207 packets, 1130K bytes)
num   pkts bytes target     prot opt in     out     source               destination
admin@RT-AC3200-7180:/tmp/home/root# cd /jffs/scripts

 

[Adamm]

i installed that new 4.7.6 version but it is same as yesterday....no logging for blocked, banned addresses in syslog......i have no idea what is my problem....installation was fine as always...

How frustrating

Try run the following, this will print (not block) matches on any interface so we can see where the requests are actually coming from.

iptables -t raw -I PREROUTING -m set --match-set Blacklist src -j LOG --log-prefix "[Debug Block] " --log-tcp-sequence --log-tcp-options --log-ip-options

 

[bayern1975]

How frustrating

Try run the following, this will print (not block) matches on any interface so we can see where the requests are actually coming from.

iptables -t raw -I PREROUTING -m set --match-set Blacklist src -j LOG --log-prefix "[Debug Block] " --log-tcp-sequence --log-tcp-options --log-ip-options

with adding this command i got something in syslog....

iptables -t raw -I PREROUTING -m set --match-set Blacklist src -j LOG --log-prefix "[Debug Block] " --log-tcp-sequence --log-tcp-options --log-ip-options

there are double writing, debug block and blocked-raw?

Jun  7 10:07:07 Skynet: [IP Banning Started] ... ... ...
Jun  7 10:07:07 kernel: ip_set: protocol 6
Jun  7 10:07:09 Skynet: [Complete]  IPs /  Ranges banned. 0 New IPs / 0 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [3s]
Jun  7 10:07:51 Skynet: [Complete] 128739 IPs / 5322 Ranges banned. 128739 New IPs / 5322 New Ranges Banned. 0 IP / 0 Range Connections Blocked! [30s]
Jun  7 10:08:50 kernel: [Debug Block] IN=ppp0 OUT= MAC= SRC=46.118.226.28 DST=X.X.X.X LEN=40 TOS=0x08 PREC=0x00 TTL=48 ID=53032 PROTO=TCP SPT=14216 DPT=23 SEQ=3243089241 ACK=0 WINDOW=51046 RES=0x00 SYN URGP=0
Jun  7 10:09:18 Skynet: [Complete] 128739 IPs / 5322 Ranges banned. 0 New IPs / 0 New Ranges Banned. 1 IP / 0 Range Connections Blocked! [1s]
Jun  7 10:09:29 Skynet: [Complete] 128739 IPs / 5322 Ranges banned. 0 New IPs / 0 New Ranges Banned. 1 IP / 0 Range Connections Blocked! [1s]
Jun  7 10:09:33 kernel: [Debug Block] IN=ppp0 OUT= MAC= SRC=195.39.86.85 DST=X.X.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54953 PROTO=TCP SPT=40976 DPT=13389 SEQ=3268837309 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  7 10:09:33 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=195.39.86.85 DST=X.X.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54953 PROTO=TCP SPT=40976 DPT=13389 SEQ=3268837309 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  7 10:12:58 kernel: [Debug Block] IN=ppp0 OUT= MAC= SRC=61.160.212.117 DST=X.X.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=1498 PROTO=TCP SPT=52520 DPT=9074 SEQ=1515568113 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  7 10:12:58 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=61.160.212.117 DST=X.X.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=1498 PROTO=TCP SPT=52520 DPT=9074 SEQ=1515568113 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0

admin@RT-AC3200-7180:/jffs/scripts# iptables --line -vL -nt raw
Chain PREROUTING (policy ACCEPT 3732 packets, 408K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        6   240 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src LOG flags 7 level 4 prefix "[Debug Block] "
2       82 11039 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set Whitelist src
3        2    80 LOG        all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges src LOG flags 7 level 4 prefix "[BLOCKED - RAW] "
4        2    80 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set BlockedRanges src
5        4   160 LOG        all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src LOG flags 7 level 4 prefix "[BLOCKED - RAW] "
6        4   160 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set Blacklist src

Chain OUTPUT (policy ACCEPT 6113 packets, 7399K bytes)
num   pkts bytes target     prot opt in     out     source               destination

 

[Adamm]

there are double writing, debug block and blocked-raw?

That means the update was working after all (the extra rule was printing the same thing as the regular rules). Restart your firewall (or reboot) and everything should be working as expected.

 

[bayern1975]

That means the update was working after all (the extra rule was printing the same thing as the regular rules). Restart your firewall (or reboot) and everything should be working as expected.

i didn`t have time to reply because i was busy but i think the script working now....will reporting if something goes wrong...

 

[faria]

I've pushed a fix for ppp0 connections @bayern1975 @faria . Let me know how it goes

Hi Adamm, All working here now. Thanks for the quick fix.
Jun 7 23:31:32 Skynet: [Complete] 129412 IPs / 10826 Ranges banned. 1 New IPs / 0 New Ranges Banned. 68 IP / 16 Range Connections Blocked! [6s]
Jun 7 23:32:04 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=163.172.169.24 DST=5.42.129.87 LEN=429 TOS=0x00 PREC=0x00 TTL=52 ID=47384 DF PROTO=UDP SPT=5185 DPT=5081 LEN=409
Jun 7 23:33:08 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=163.172.64.146 DST=5.42.129.87 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=31728 PROTO=TCP SPT=46832 DPT=5038 SEQ=327477513 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0

 

[perkins1724]

Not a bad idea, but you're right in saying this would only work on a non-default setup. I'll have to think on this one and any potentially adverse consequences (dos maybe?).

I'm not 100% sure about the dos angle so I added a rule on raw prerouting to drop anything inbound on wan with a destination on the blacklist just to be sure, like:

iptables -t raw -I PREROUTING -i ppp0 -p tcp -m set --match-set Blacklist dst -j DROP

I cant seem to work out how the internal webservice is configured but entware comes with nginx so instead of pointing to a 403 server on my network I setup nginx with a 403 site on local ip port 81. Hopefully the explicit message will make it easier to educate the other home users so that they understand when they try to do something it is getting actively blocked rather than just 'why isnt the internet working'.

 

[Adamm]

As of v4.8.2 Skynet now fully supports outbound connection blocking and stats. I debated weather this was necessary for a long time but finally decided to add support. I think the feature is pretty self-explanatory, if you find any issues with it let me know as always and I'll fix it soon as possible.

 

[MarCoMLXXV]

Thanks for your hard work @Adamm and your excellent support. One more feature request, should you ever get bored: me don't want to sound ungrateful, but me thinks one new version check a day is way to little... Maybe make it configurable, so every one can adjust it to his or her own preferences?

 

[Adamm]

Thanks for your hard work @Adamm and your excellent support. One more feature request, should you ever get bored: me don't want to sound ungrateful, but me thinks one new version check a day is way to little... Maybe make it configurable, so every one can adjust it to his or her own preferences?

The end goal is to make it check weekly or biweekly, but while development changes so frequently I have it daily for the time being. But I'm gradually running out of things to add so this will more than likely be sooner then later once I decide its "stable".

EDIT; I just saw you wrote little, If you would like even more frequent checking for the time being you can just add a cronjob to firewall-start.

cru a Firewall_autoupdate "25 1 * * * sh /jffs/scripts/firewall update"

You can base it off the pre-existing one above and modify it to your liking.

 

[MarCoMLXXV]

The end goal is to make it check weekly or biweekly, but while development changes so frequently I have it daily for the time being

I was actually just teasing you, given the amount of daily updates and the fact that you seem unstoppable

I'm monitoring this thread constantly so as soon you push a new version, I run an update

As for the future, I'd stick with weekly unless development is truly stable.

 

[TheUntouchable]

Interesting for you? I am on the latest version

Skynet: [INFO] Disabling Skynet ... ... ...
firewall: line 926: arithmetic syntax error

Wanted to test my router security with shields up..

 

[Adamm]

Interesting for you? I am on the latest version

Not a function I use often clearly .

I pushed a fix, it was simply trying to calculate hits after the IPTables rules had been removed so it had nowhere to get the data. I added a cleaner exit plus removed some cronjobs that I previously forgot to.

 

[TheUntouchable]

Same here, using that function the second time I think Thanks for fixing it