Adamm00 / IPSet_ASUS

Skynet - Advanced IP Blocking For ASUS Routers Using IPSet.
https://www.snbforums.com/threads/release-skynet-router-firewall-security-enhancements.16798/

IPTables Rules: Failed + Lots of Rule Integrity Violations #148

Closed chaosmaou closed 2 months ago

chaosmaou commented 4 months ago
Brief Description Of Issue

Skynet installs but fails to run correctly.

Tried removing Skynet, rebooting the router, and doing a clean install to troubleshoot. Same result.

IPTables Rules                      | [Failed]

Lots of rule integrity violations listed in the debug:

[*] Rule Integrity Violation - [ #8 #9 #10 #21 #22 #23 ]
Output of ( sh /jffs/scripts/firewall debug info )
#############################################################################################################
#                                                                                                           #
#                  ███████╗██╗  ██╗██╗   ██╗███╗   ██╗███████╗████████╗    ██╗   ██╗███████╗                #
#                  ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗  ██║██╔════╝╚══██╔══╝    ██║   ██║╚════██║                #
#                  ███████╗█████╔╝  ╚████╔╝ ██╔██╗ ██║█████╗     ██║       ██║   ██║    ██╔╝                #
#                  ╚════██║██╔═██╗   ╚██╔╝  ██║╚██╗██║██╔══╝     ██║       ╚██╗ ██╔╝   ██╔╝                 #
#                  ███████║██║  ██╗   ██║   ██║ ╚████║███████╗   ██║        ╚████╔╝    ██║                  #
#                  ╚══════╝╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═══╝╚══════╝   ╚═╝         ╚═══╝     ╚═╝                  #
#                                                                                                           #
#                                 Router Firewall And Security Enhancements                                 #
#                             By Adamm -  https://github.com/Adamm00/IPSet_ASUS                             #
#                                            17/04/2024 - v7.5.9                                            #
#############################################################################################################

=============================================================================================================

Router Model; RT-AX3000
Skynet Version; v7.5.9 (17/04/2024) (e67f3413b6ff6b8e4e07cf5be2d7f741)
iptables v1.4.15 - (eth0 @ 192.168.50.1)
ipset v7.6, protocol version: 7
IP Address; (65.188.136.250) - (2603:6080:1502:43a1::/64)
FW Version; 388.7_1-gnuton0_beta1 (May 9 2024) (4.19.183)
Install Dir; /tmp/mnt/usb/skynet (48.2G / 56.1G Space Available)
SWAP File; /tmp/mnt/usb/myswap.swp (5.0G)
Syslog Location; (/jffs/syslog.log) (/jffs/syslog.log-1)
Uptime; 0 days, 0 hours, 17 minutes.
Ram Available; (294M / 497M)

---------------                          | ------------     | ---------------      | ----------
| Device Name |                          | | Local IP |     | | MAC Address |      | | Status |
---------------                          | ------------     | ---------------      | ----------

*Redacted, not needed*

--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Config File                         | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
Profile.add Entry                   | [Passed]
SWAP File                           | [Passed]
Cron Jobs                           | [Passed]
NTP Sync                            | [Passed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Passed]
IPTables Rules                      | [Failed]
Local WebUI Files                   | [Passed]
Mounted WebUI Files                 | [Passed]
MenuTree.js Entry                   | [Passed]

-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Enabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Enabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Disabled]
Import AiProtect Data               | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Default]
IOT Blocking                        | [Disabled]
IOT Logging                         | [Enabled]
Country Lookup For Stats            | [Enabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Enabled]

17/18 Tests Sucessful

[*] Rule Integrity Violation - [ #8 #9 #10 #21 #22 #23 ]

=============================================================================================================

[#] 0 IPs (+0) -- 0 Ranges Banned (+0) ||  Inbound --  Outbound Connections Blocked! [debug] [2s]

Adamm00 commented 4 months ago

Skynet is complaining about the following rules missing;

```sh
# Skynet's raw-table presence checks; each "iptables -C" that fails appends its rule number to $fail
iptables -t raw -C PREROUTING -i "$iface" -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j DROP 2>/dev/null || fail="${fail}#8 "
iptables -t raw -C PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j DROP 2>/dev/null || fail="${fail}#9 "
iptables -t raw -C OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j DROP 2>/dev/null || fail="${fail}#10 "
iptables -t raw -C PREROUTING -i "$iface" -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j LOG --log-prefix "[BLOCKED - INBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null || fail="${fail}#21 "
iptables -t raw -C PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null || fail="${fail}#22 "
iptables -t raw -C OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null || fail="${fail}#23 "
```

As to why it's complaining is another story... do you have any other scripts or "out of the ordinary" aspects to your setup? I see you are using gnuton0 firmware but I would assume everything there is identical to merlin. I am also assuming you have uninstalled Skynet via the menu and reinstalled via amtm to confirm everything is stock as intended.
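An added example, not Skynet's own code: the same six presence checks done offline against an `iptables-save -t raw` dump, so a saved ruleset from a debug report can be audited without touching the router. Rule numbers follow the comment above; the WAN interface `$iface` is assumed to be eth0, and the sample dumps are constructed.

```python
# ASSUMPTIONS (not from Skynet's own code): rule numbers follow the comment
# above; "$iface" is the WAN interface, taken here to be eth0; rules are
# written the way `iptables-save -t raw` prints them.
IFACE = "eth0"
WL_SRC = "-m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src"
WL_DST = "-m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst"
LOG_OPTS = "--log-tcp-sequence --log-tcp-options --log-ip-options"
EXPECTED = {
    8:  f"-A PREROUTING -i {IFACE} {WL_SRC} -j DROP",
    9:  f"-A PREROUTING -i br+ {WL_DST} -j DROP",
    10: f"-A OUTPUT {WL_DST} -j DROP",
    21: f'-A PREROUTING -i {IFACE} {WL_SRC} -j LOG --log-prefix "[BLOCKED - INBOUND] " {LOG_OPTS}',
    22: f'-A PREROUTING -i br+ {WL_DST} -j LOG --log-prefix "[BLOCKED - OUTBOUND] " {LOG_OPTS}',
    23: f'-A OUTPUT {WL_DST} -j LOG --log-prefix "[BLOCKED - OUTBOUND] " {LOG_OPTS}',
}

def _norm(rule):
    # Collapse whitespace so spacing differences do not mask a present rule.
    return " ".join(rule.split())

def missing_rules(saved_raw_table, expected=EXPECTED):
    """Numbers of expected rules absent from the dump (presence only, like `iptables -C`, not position)."""
    present = {_norm(l) for l in saved_raw_table.splitlines() if l.startswith("-A ")}
    return [n for n, rule in sorted(expected.items()) if _norm(rule) not in present]

def integrity_report(saved_raw_table):
    """Format the result the way Skynet's debug output reports it; None when every rule exists."""
    missing = missing_rules(saved_raw_table)
    if not missing:
        return None
    return "[*] Rule Integrity Violation - [ " + " ".join(f"#{n}" for n in missing) + " ]"

# Constructed sample: a raw table where only the br+ (LAN-side) rules survived.
SAMPLE_BROKEN = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options
-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j DROP
COMMIT
"""
# Constructed sample: all six rules present, LOG ahead of DROP, as a healthy install should show.
SAMPLE_OK = "*raw\n" + "\n".join(EXPECTED[n] for n in (21, 8, 22, 9, 23, 10)) + "\nCOMMIT\n"

if __name__ == "__main__":
    print(integrity_report(SAMPLE_BROKEN))  # → [*] Rule Integrity Violation - [ #8 #10 #21 #23 ]
    print(integrity_report(SAMPLE_OK))      # → None
```

On a router the dump comes from `iptables-save -t raw`; the checker only confirms the rules are present, so a rule ordered after a DROP would still pass here exactly as it does with `iptables -C`.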

chaosmaou commented 4 months ago

First I tried doing an uninstall of Skynet, followed by a reboot of the router and clean install. I even tried a full factory reset of the router + clean format of my USB with a clean install of Skynet afterwards.

The gnuton0 firmware support for my router is fairly new, so perhaps the issue doesn't lie with Skynet after all. Currently Skynet will not even install on the latest stable of gnuton0 firmware, so perhaps this issue is on that end of things (I run the latest pre-release). I have the Asus RT-AX3000_V2, which uses the same firmware as the RT-AX58U_V2.

Adamm00 commented 3 months ago

This is a firmware issue and has been fixed by @gnuton https://github.com/gnuton/asuswrt-merlin.ng/issues/559

This should be also fixed on the GT-BE98 in future builds