Skynet Skynet - Router Firewall & Security Enhancements


I just ran 35 parallel curl sessions here, without any problem.

You might want to limit the number of concurrent sessions however - firing 32 parallel connections at that one single server might eventually get you blacklisted for abuse. 4 is considered more polite, 8 would be the absolute limit.

I actually limited this on the AC86U to single downloads and still run into the error. It also seems curl is the only thing triggering it, whereas other CPU/RAM intensive commands execute just fine.
 
I get this:

I can't replicate this, is there any out of the ordinary conditions which led to this?

Thanks for the tip. That worked, but I'm still getting this:

Does this show after you run the following and wait about 20s?

Code:
sh /jffs/scripts/firewall restart

During the firewall-restart event IPTables rules get flushed multiple times. On previous models I overcame this by waiting a mandatory 20s before loading in the new rules; on the AC86U we may need to extend this timer.
 
Just retested, this time with 50 parallel curl sessions all aimed at a jpeg file on a remote site, not a single error.
 
@.TT. @SeaConn I've pushed another :rolleyes: fix. This time I've tried limiting the ipset processes earlier in the script. Let me know if this makes any difference.
 
Updated and ran banmalware without issue.
Note that I still have swap enabled and I am using 0-5 MB of it.

Mind giving it a try without the swap file to see if we can track down how to fix this without one? Thanks
 
Did another test with ipv6 disabled in ab. Did free up some memory but still not enough. (fork error)
Installed beta 3 and enabled swap again.
 
Same result. Still failing.
 

Crazy that the AC86U has so little left-over resources that it can't perform basic tasks even though it has twice the RAM of previous models. Not sure there's anything left I can do at this point besides get people to use a swap file :rolleyes:. Let's hope Asus works on this in future updates.


Strange. Can you give me the output of:

Code:
sh /jffs/scripts/firewall debug info
 
Code:
Router Model; RT-AC86U
Skynet Version; v5.4.5 (2/11/2017)
iptables v1.4.14 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
FW Version; 382.1_beta2-gc21d7dd (Oct 24 2017) (4.1.27)
Install Dir; /tmp/mnt/disk/skynet (14.3G Space Available)
Boot Args; /jffs/scripts/firewall start banmalware autoupdate usb=/tmp/mnt/disk
No Lock File Found

Checking Install Directory Write Permissions...         [Passed]
Checking Firewall-Start Entry...                        [Passed]
Checking OpenVPN-Event Entry...                         [Passed]
Checking CronJobs...                                    [Passed]
Checking IPSet Comment Support...                       [Passed]
Checking Log Level 5 Settings...                        [Passed]
Checking Autobanning Status...                          [Passed]
Checking Debug Mode Status...                           [Failed]
Checking For Duplicate Rules In RAW...                  [Passed]
Checking For Duplicate Rules In Filter...               [Passed]
Checking Skynet IPTable...                              [Failed]
Checking Whitelist IPSet...                             [Passed]
Checking BlockedRanges IPSet...                         [Passed]
Checking Blacklist IPSet...                             [Passed]
Checking Skynet IPSet...                                [Passed]

Skynet: [Complete] 63525 IPs / 1115 Ranges Banned. 0 New IPs / 0 New Ranges Banned.  Inbound /  Outbound Connections Blocked! [0s]
 
Looks like everything installed correctly; my only guess is the IPTables rule is being flushed during the restart_firewall event, but it's strange you are the only one to report it using the AC86U. Can you give me a snippet of the syslog where Skynet starts up? If there's nothing obvious I will extend the rule timer.
 
This is all I see...
Code:
Nov  2 07:04:33 Skynet: [INFO] Startup Initiated... ( banmalware autoupdate usb=/tmp/mnt/disk )
.
.
.
Nov  2 07:04:54 Skynet: [Complete] 63525 IPs / 1115 Ranges Banned. 63525 New IPs / 1115 New Ranges Banned.  Inbound /  Outbound Connections Blocked! [21s]
 

Nothing after the second entry relating to services like miniupnp or similar services that may flush IPTables rules?

Also, do the following commands issue any errors?

Code:
        iptables -t raw -I PREROUTING -i eth0 -m set ! --match-set Whitelist src -m set --match-set Skynet src -j DROP
        iptables -t raw -I PREROUTING -i br0 -m set ! --match-set Whitelist dst -m set --match-set Skynet dst -j DROP
 
Code:
Nov  2 07:04:54 Skynet: [Complete] 63525 IPs / 1115 Ranges Banned. 63525 New IPs / 1115 New Ranges Banned.  Inbound /  Outbound Connections Blocked! [21s]
Nov  2 07:05:00 crond[787]: time disparity of 376504 minutes detected
Nov  2 07:17:48 kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.



Code:
iptables: No chain/target/match by that name.
 

Okay, this gives us a better idea: for some reason you can't insert rules into the raw chain.

Please give me the output of the following; this should give me all I need to produce a fix:

Code:
iptables --line -t raw -vnL

iptables -vnL
 
Code:
Chain PREROUTING (policy ACCEPT 106K packets, 37M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 51047 packets, 18M bytes)
num   pkts bytes target     prot opt in     out     source               destination


Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    30 logdrop    icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
30957 6715K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  342 21573 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 9559 1807K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
 8287  680K PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
 8287  680K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 8934 1763K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  625 44029 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
50593   27M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 logdrop    all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
  456 19579 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
 2031  153K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
 2031  153K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 43569 packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ACCESS_RESTRICTION (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FUPNP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ICMP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain NSFW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PControls (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PTCSRVLAN (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PTCSRVWAN (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SECURITY (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02 limit: avg 1/sec burst 5
    0     0 logdrop    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
    0     0 logdrop    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x04
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
    0     0 logdrop    icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain default_block (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "--log-p"
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (8 references)
 pkts bytes target     prot opt in     out     source               destination
  305 18649 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport sports 80,443,143,993,110,995,25,465 state INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    6   555 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x19
  416 17396 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x11
    2    80 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x04
   27  1140 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x3F/0x14
    1    44 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID LOG flags 7 level 4 prefix "[BLOCKED - NEW BAN] "
  668 47391 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 

Found the issue, you are running the original Beta 2 firmware release which didn't have xt_set enabled. Update to Beta 3 (or the updated Beta 2) and this should be fixed.

Totally slipped my mind that RMerlin re-released it. :p
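Two failure modes are mixed together in this thread: a rule that is inserted and then flushed again by the firewall-restart event (the reason for the mandatory 20s wait mentioned earlier), and an iptables build whose kernel lacks xt_set, where "iptables -m set" fails with "No chain/target/match by that name" and no amount of retrying helps. The script below is an added example, not Skynet's own code. It tells the two apart with a check-only "iptables -C" (a missing rule answers "Bad rule", a missing match extension answers "No chain/target/match by that name") and only retries the insert in the first case. The iptables binary is taken from $IPTABLES and the wait from $DELAY so the logic can be exercised with a stand-in command off the router; the rule_state and ensure_rule names, and the hypothetical skynet_probe set in the comments, are this example's own.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Distinguishes "rule got flushed by
# the firewall-restart event" (retry the insert) from "this firmware has no
# xt_set, so -m set can never work" (stop and report), using only -C checks
# before any -I. $IPTABLES and $DELAY are injectable for offline testing;
# DELAY defaults to the 20s wait the thread talks about.
IPTABLES="${IPTABLES:-iptables}"
DELAY="${DELAY:-20}"
RETRIES="${RETRIES:-3}"

# Classify a raw-table rule without changing anything (-C only).
# Prints one of: present, absent, unsupported, error.
#   exit 0                               -> rule is there            (present)
#   "Bad rule ..."                       -> rule simply not there    (absent)
#   "No chain/target/match by that name" -> match extension missing,
#                                           i.e. no xt_set in kernel (unsupported)
rule_state() {
    err=$("$IPTABLES" -t raw -C "$@" 2>&1) && { echo present; return 0; }
    case "$err" in
        *"No chain/target/match by that name"*) echo unsupported ;;
        *"Bad rule"*)                           echo absent ;;
        *)                                      echo error ;;
    esac
    return 0
}

# Insert a raw-table rule and make sure it survives the flush window.
# Returns 0 once the rule is confirmed present, 2 when the match extension
# is unsupported (firmware problem, retrying is pointless), 1 if it never stuck.
ensure_rule() {
    n=0
    while [ "$n" -lt "$RETRIES" ]; do
        n=$((n + 1))
        case "$(rule_state "$@")" in
            present)     return 0 ;;
            unsupported) echo "iptables has no ipset match (xt_set); update firmware" >&2; return 2 ;;
        esac
        # Insert at the head of the chain, like Skynet's own commands do;
        # a failed insert (e.g. set not loaded yet) just means "try again".
        "$IPTABLES" -t raw -I "$@" 2>/dev/null || :
        # Give a concurrent firewall-restart the chance to flush us, then recheck.
        sleep "$DELAY"
    done
    [ "$(rule_state "$@")" = present ]
}

# Usage on the router, with the two rules quoted earlier in the thread:
#   ensure_rule PREROUTING -i eth0 -m set ! --match-set Whitelist src -m set --match-set Skynet src -j DROP
#   ensure_rule PREROUTING -i br0  -m set ! --match-set Whitelist dst -m set --match-set Skynet dst -j DROP
```

Because rule_state never inserts anything, it is also a safe one-liner to run from the debug output stage: an "unsupported" answer points at the firmware (as it did here), an "absent" answer after startup points at something flushing the raw table.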
 
Ah, thank you. Didn't know there was a Beta3. Sorry about wasting your time with this!!!
 
Beta 3 was only soft released 12 hours ago (and it wasn't officially released at that time because of issues with Mediafire, so it would have gone unnoticed by most).

I should have a more formal release for it later today (assuming Mediafire really fixed their outage).
 
