Asus RT-AC68U Traffic Blocking Question specific IP and VPN on top of that

[Martineau]

Martineau,

Newest Code Posted

ASUSWRT-Merlin RT-AC68U 384.13-0 Wed Jul 31 17:27:27 UTC 2019
admin@RT-AC68U-1340:/tmp/home/root# cd /jffs/scripts
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# ls -lah *-start
-rwxr-xr-x    1 admin    root        2.1K Nov 22 11:59 firewall-start
-rwxr-xr-x    1 admin    root         181 Nov 22 11:03 init-start
-rwxr-xr-x    1 admin    root         859 Nov 22 11:03 wan-start
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 410
References: 2
Number of entries: 1
Members:
8.8.8.8 comment "snbforums.com"
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./init-start
+ modprobe -sv xt_comment.ko
+ IPSET_NAME=Valid_VPN_IP
+ basename ./init-start
+ logger -st (init-start) 1817 Creating IPSET Valid_VPN_IP
(init-start): 1817 Creating IPSET Valid_VPN_IP
+ ipset create Valid_VPN_IP hash:net comment
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./firewall-start
+ IPADDR=192.168.2.26
+ IPSET_NAME=Valid_VPN_IP
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -p udp -m udp --dport 53 -j ACCEPT
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -o tun1+ -m set --match-set Valid_VPN_IP dst -j ACCEPT -m comment --comment ALLOWED_thru_VPN
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -o tun1+ -m set ! --match-set Valid_VPN_IP dst -j DROP -m comment --comment BLOCKED_thru_VPN
+ iptables -nvL FORWARD --line -t filter
+ grep state INVALID
+ cut -d  -f1
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -o tun1+ -m set ! --match-set Valid_VPN_IP dst -j DROP -m comment --comment BLOCKED_thru_VPN
+ iptables -nvL FORWARD --line -t filter
+ grep state INVALID
+ cut -d  -f1
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -o tun1+ -m set --match-set Valid_VPN_IP dst -j ACCEPT -m comment --comment ALLOWED_thru_VPN
+ iptables -nvL FORWARD --line -t filter
+ grep state INVALID
+ cut -d  -f1
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -p udp -m udp --dport 53 -j ACCEPT
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./wan-start
+ IPSET_NAME=Valid_VPN_IP
+ basename ./wan-start
+ logger -st (wan-start) 1842 Adding domains to IPSET Valid_VPN_IP
(wan-start): 1842 Adding domains to IPSET Valid_VPN_IP
+ nslookup snbforums.com
+ grep -oE ([0-9]{1,3}\.){3}[0-9]{1,3}
+ grep -v 127.0.0.1
+ ipset add Valid_VPN_IP 8.8.8.8 comment snbforums.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 8.8.8.8 comment snbforums.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 104.27.127.97 comment snbforums.com
+ ipset add Valid_VPN_IP 104.27.126.97 comment snbforums.com
+ nslookup speedtest.net
+ grep -oE ([0-9]{1,3}\.){3}[0-9]{1,3}
+ grep -v 127.0.0.1
+ ipset add Valid_VPN_IP 8.8.8.8 comment speedtest.net
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 8.8.8.8 comment speedtest.net
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 151.101.130.219 comment speedtest.net
+ ipset add Valid_VPN_IP 151.101.2.219 comment speedtest.net
+ ipset add Valid_VPN_IP 151.101.194.219 comment speedtest.net
+ ipset add Valid_VPN_IP 151.101.66.219 comment speedtest.net
+ nslookup whatismyipaddress.com
+ grep -oE ([0-9]{1,3}\.){3}[0-9]{1,3}
+ grep -v 127.0.0.1
+ ipset add Valid_VPN_IP 8.8.8.8 comment whatismyipaddress.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 8.8.8.8 comment whatismyipaddress.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 104.16.154.36 comment whatismyipaddress.com
+ ipset add Valid_VPN_IP 104.16.155.36 comment whatismyipaddress.com
admin@RT-AC68U-1340:/jffs/scripts#

Apologies, me trying to post (from memory without typos) on a phone and having a numpty moment is extremely embarrassing and must be extremely frustrating for you.

I have updated post #10 to correct the spurious DNS entries being added to the IPSET and all three scripts will now print progress messages to Syslog.

So please use the new script versions and replace/rename init-start with services-start.

Hopefully this should finally fix your issue, and Syslog will now show the progress during the boot to highlight/expose any 'timing' conflicts.

grep -E "*-start" /tmp/syslog.log

 

[Dee dee]

Martineau,

Thanks for the info.

I will create/update the files when I get home after 6pm EST.

Just a quick Q: do i delete all entries in the following files(not the files themselves just the contents)

/etc/dnsmasq.conf

/jffs/configs/dnsmasq.conf.add

and have the scripts repopulate them when i reboot, or I don't need to run any commands past these scripts, so I won't have outdated info/references anywhere?

Thanks,
David

Apologies, me trying to post (from memory without typos) on a phone and having a numpty moment is extremely embarrassing and must be extremely frustrating for you.

I have updated post #10 to correct the spurious DNS entries being added to the IPSET and all three scripts will now print progress messages to Syslog.

So please use the new script versions and replace/rename init-start with services-start.

Hopefully this should finally fix your issue, and Syslog will now show the progress during the boot to highlight/expose any 'timing' conflicts.

grep -E "*-start" /tmp/syslog.log

 

[Martineau]

Just a quick Q: do i delete all entries in the following files(not the files themselves just the contents)

/etc/dnsmasq.conf
/jffs/configs/dnsmasq.conf.add

You shouldn't normally edit/delete '/etc/dnsmasq.conf'.

Instead '/jffs/configs/dnsmasq.conf.add' is an end-user custom file which is preserved over reboots, so you can safely delete it if you want to reboot with a clean slate, and either let a boot script populate it, or you may manually edit the file, and (as per the Wiki) restarting dnsmasq

service restart_dnsmasq

will merge its contents (if it exists) into '/etc/dnsmasq.conf'.

 

[Dee dee]

Martineau,

I renamed the file and ran the debug scripts from before and changed the one from init-start > services-start.

Still no luck, debug below? any other ideas?

ASUSWRT-Merlin RT-AC68U 384.13-0 Wed Jul 31 17:27:27 UTC 2019
admin@RT-AC68U-1340:/tmp/home/root# cd /jffs/scripts
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# ls -lah *-start
-rwxr-xr-x    1 admin    root        2.2K Nov 27 21:38 firewall-start
-rwxr-xr-x    1 admin    root         325 Nov 27 21:39 services-start
-rwxr-xr-x    1 admin    root         533 Nov 27 21:39 wan-start
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 460
References: 2
Number of entries: 2
Members:
104.27.126.97
104.27.127.97
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./services-start
+ modprobe -sv xt_comment.ko
+ RC=0
+ basename ./services-start
+ logger -st (services-start) 3012 Loading iptables 'comment' module xt_comment.ko rc=0
(services-start): 3012 Loading iptables 'comment' module xt_comment.ko rc=0
+ modprobe -D xt_comment.ko
+ IPSET_NAME=Valid_VPN_IP
+ ipset create Valid_VPN_IP hash:net comment
ipset v6.32: Set cannot be created: set with the same name already exists
+ RC=1
+ basename ./services-start
+ logger -st (services-start) 3012 Creating IPSET 'Valid_VPN_IP' rc=1
(services-start): 3012 Creating IPSET 'Valid_VPN_IP' rc=1
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./firewall-start
+ IPADDR=192.168.2.26
+ IPSET_NAME=Valid_VPN_IP
+ basename ./firewall-start
+ logger -st (firewall-start) 3020 Creating IPSET 'Valid_VPN_IP' rules
(firewall-start): 3020 Creating IPSET 'Valid_VPN_IP' rules
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -p udp -m udp --dport 53 -j ACCEPT
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -o tun1+ -m set --match-set Valid_VPN_IP dst -j ACCEPT -m comment --comment ALLOWED_thru_VPN
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -o tun1+ -m set ! --match-set Valid_VPN_IP dst -j DROP -m comment --comment BLOCKED_thru_VPN
+ grep state INVALID
+ iptables -nvL FORWARD --line -t filter
+ cut -d  -f1
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -o tun1+ -m set ! --match-set Valid_VPN_IP dst -j DROP -m comment --comment BLOCKED_thru_VPN
+ grep state INVALID
+ cut -d  -f1
+ iptables -nvL FORWARD --line -t filter
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -o tun1+ -m set --match-set Valid_VPN_IP dst -j ACCEPT -m comment --comment ALLOWED_thru_VPN
+ cut -d  -f1
+ iptables -nvL FORWARD --line -t filter
+ grep state INVALID
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -p udp -m udp --dport 53 -j ACCEPT
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./wan-start
+ IPSET_NAME=Valid_VPN_IP
+ basename ./wan-start
+ logger -st (wan-start) 3052 Adding domains to IPSET 'Valid_VPN_IP'
(wan-start): 3052 Adding domains to IPSET 'Valid_VPN_IP'
+ THIS=snbforums.com
+ nslookup snbforums.com
+ awk NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}
+ ipset add Valid_VPN_IP 104.27.127.97 comment snbforums.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 104.27.126.97 comment snbforums.com
ipset v6.32: Element cannot be added to the set: it's already added
admin@RT-AC68U-1340:/jffs/scripts#

 

[Dee dee]

Martineau,

More debug attached from a previous post / now the valid_vpn_ip is totally empty (I think).

ASUSWRT-Merlin RT-AC68U 384.13-0 Wed Jul 31 17:27:27 UTC 2019
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destina                                                                               tion
1     1786  797K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state RELATED,ESTABLISHED
2        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0                                                                               /0
3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0                                                                               /0
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state INVALID
5        0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0                                                                               /0            udp dpt:53
6        0     0 ACCEPT     all  --  br0    tun1+   192.168.2.26         0.0.0.0                                                                               /0            match-set Valid_VPN_IP dst /* ALLOWED_thru_VPN */
7        0     0 DROP       all  --  br0    tun1+   192.168.2.26         0.0.0.0                                                                               /0            ! match-set Valid_VPN_IP dst /* BLOCKED_thru_VPN */
8       97 31747 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0
9       97 31747 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0                                                                               /0
10       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            ctstate DNAT
11       0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state NEW
12       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 2220 packets, 882K bytes)
num   pkts bytes target     prot opt in     out     source               destina                                                                               tion
1        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0                                                                               /0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  br0    *       192.168.2.26         0.0.0.0                                                                               /0            match-set Valid_VPN_IP dst MARK or 0x4000
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /etc/dnsmasq.conf
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /jffs/configs/dnsmasq.conf
.add
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 316
References: 3
Number of entries: 0
Members:
admin@RT-AC68U-1340:/tmp/home/root#

 

[Martineau]

Martineau,

More debug attached from a previous post / now the valid_vpn_ip is totally empty (I think).

ASUSWRT-Merlin RT-AC68U 384.13-0 Wed Jul 31 17:27:27 UTC 2019
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destina                                                                               tion
1     1786  797K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state RELATED,ESTABLISHED
2        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0                                                                               /0
3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0                                                                               /0
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state INVALID
5        0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0                                                                               /0            udp dpt:53
6        0     0 ACCEPT     all  --  br0    tun1+   192.168.2.26         0.0.0.0                                                                               /0            match-set Valid_VPN_IP dst /* ALLOWED_thru_VPN */
7        0     0 DROP       all  --  br0    tun1+   192.168.2.26         0.0.0.0                                                                               /0            ! match-set Valid_VPN_IP dst /* BLOCKED_thru_VPN */
8       97 31747 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0
9       97 31747 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0                                                                               /0
10       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            ctstate DNAT
11       0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state NEW
12       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 2220 packets, 882K bytes)
num   pkts bytes target     prot opt in     out     source               destina                                                                               tion
1        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0                                                                               /0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  br0    *       192.168.2.26         0.0.0.0                                                                               /0            match-set Valid_VPN_IP dst MARK or 0x4000
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /etc/dnsmasq.conf
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /jffs/configs/dnsmasq.conf
.add
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 316
References: 3
Number of entries: 0
Members:
admin@RT-AC68U-1340:/tmp/home/root#

I find your results very confusing .....either the scripts are working or they are not....

i.e. in post #44

admin@RT-AC68U-1340:/jffs/scripts# sh -x ./wan-start

+ IPSET_NAME=Valid_VPN_IP
+ basename ./wan-start
+ logger -st (wan-start) 3052 Adding domains to IPSET 'Valid_VPN_IP'
(wan-start): 3052 Adding domains to IPSET 'Valid_VPN_IP'
+ THIS=snbforums.com
+ nslookup snbforums.com
+ awk NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}

+ ipset add Valid_VPN_IP 104.27.127.97 comment snbforums.com
ipset v6.32: Element cannot be added to the set: it's already added

+ ipset add Valid_VPN_IP 104.27.126.97 comment snbforums.com
ipset v6.32: Element cannot be added to the set: it's already added

so the IPSET Valid_VPN_IP apparently contains two entries, yet in your very next post #45

admin@RT-AC68U-1340:/tmp/home/root# ipset list Valid_VPN_IP

Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 316
References: 3
Number of entries: 0
Members:

the IPSET is suddenly empty.

OK, so one last attempt ....

I suggest you explicitly ensure the scripts are in Linux format.

dos2unix /jffs/scripts/firewall-start
dos2unix /jffs/scripts/services-start
dos2unix /jffs/scripts/wan-start

then reboot and post the contents of Syslog as per post #41
This should confirm if the scripts are being executed in the expected sequence during the boot process.

You should then again check if the firewall rules have been created, and if the IPSET has been populated.

 

[Dee dee]

Martineau,
Sys Log Dump

Nov 29 00:12:38 ntpd: Initial clock set
Nov 29 00:12:38 rc_service: ntpd_synced 646:notify_rc restart_diskmon
Nov 29 00:12:38 disk_monitor: Finish
Nov 29 00:12:41 disk_monitor: be idle
Nov 29 00:12:41 rc_service: ntpd_synced 646:notify_rc start_vpnserver1
Nov 29 00:12:45 ovpn-server1[824]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
Nov 29 00:12:45 ovpn-server1[824]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
Nov 29 00:12:45 ovpn-server1[825]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Nov 29 00:12:45 ovpn-server1[825]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 29 00:12:45 ovpn-server1[825]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Nov 29 00:12:45 ovpn-server1[825]: Diffie-Hellman initialized with 2048 bit key
Nov 29 00:12:45 ovpn-server1[825]: TUN/TAP device tun21 opened
Nov 29 00:12:45 ovpn-server1[825]: TUN/TAP TX queue length set to 1000
Nov 29 00:12:45 ovpn-server1[825]: /usr/sbin/ip link set dev tun21 up mtu 1500
Nov 29 00:12:46 ovpn-server1[825]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Nov 29 00:12:46 ovpn-server1[825]: updown.sh tun21 1500 1622 10.8.0.1 255.255.255.0 init
Nov 29 00:12:46 ovpn-server1[825]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Nov 29 00:12:46 ovpn-server1[825]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Nov 29 00:12:46 ovpn-server1[825]: setsockopt(IPV6_V6ONLY=0)
Nov 29 00:12:46 ovpn-server1[825]: UDPv6 link local (bound): [AF_INET6][undef]:443
Nov 29 00:12:46 ovpn-server1[825]: UDPv6 link remote: [AF_UNSPEC]
Nov 29 00:12:46 ovpn-server1[825]: MULTI: multi_init called, r=256 v=256
Nov 29 00:12:46 ovpn-server1[825]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Nov 29 00:12:46 ovpn-server1[825]: Initialization Sequence Completed
Nov 29 00:13:00 kernel: SHN Release Version: 2.0.1 890c91d
Nov 29 00:13:00 kernel: UDB Core Version: 0.2.18
Nov 29 00:13:00 kernel: sizeof forward pkt param = 192
Nov 29 00:13:00 BWDPI: fun bitmap = 3
Nov 29 00:13:04 rc_service: udhcpc 481:notify_rc start_firewall
Nov 29 00:13:05 rc_service: udhcpc 481:notify_rc stop_vpnserver1
Nov 29 00:13:05 rc_service: waitting "start_firewall" via udhcpc ...
Nov 29 00:13:05 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Nov 29 00:13:05 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Nov 29 00:13:05 (firewall-start): 1053 Creating IPSET 'Valid_VPN_IP' rules
Nov 29 00:13:06 rc_service: udhcpc 481:notify_rc start_vpnserver1
Nov 29 00:13:06 rc_service: waitting "stop_vpnserver1" via udhcpc ...
Nov 29 00:13:06 ovpn-server1[825]: event_wait : Interrupted system call (code=4)
Nov 29 00:13:06 ovpn-server1[825]: Closing TUN/TAP interface
Nov 29 00:13:06 ovpn-server1[825]: /usr/sbin/ip addr del dev tun21 10.8.0.1/24
Nov 29 00:13:07 ovpn-server1[825]: updown.sh tun21 1500 1622 10.8.0.1 255.255.255.0 init
Nov 29 00:13:07 ovpn-server1[825]: PLUGIN_CLOSE: /usr/lib/openvpn-plugin-auth-pam.so
Nov 29 00:13:07 ovpn-server1[825]: SIGTERM[hard,] received, process exiting
Nov 29 00:13:08 crond[245]: time disparity of 825127 minutes detected
Nov 29 00:13:12 dhcp_client: bound 192.168.1.4 via 192.168.1.1 during 86400 seconds.
Nov 29 00:13:13 ovpn-server1[1277]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
Nov 29 00:13:13 ovpn-server1[1277]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
Nov 29 00:13:13 ovpn-server1[1278]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Nov 29 00:13:13 ovpn-server1[1278]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 29 00:13:13 ovpn-server1[1278]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Nov 29 00:13:13 ovpn-server1[1278]: Diffie-Hellman initialized with 2048 bit key
Nov 29 00:13:13 ovpn-server1[1278]: TUN/TAP device tun21 opened
Nov 29 00:13:13 ovpn-server1[1278]: TUN/TAP TX queue length set to 1000
Nov 29 00:13:13 ovpn-server1[1278]: /usr/sbin/ip link set dev tun21 up mtu 1500
Nov 29 00:13:13 ovpn-server1[1278]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Nov 29 00:13:13 ovpn-server1[1278]: updown.sh tun21 1500 1622 10.8.0.1 255.255.255.0 init
Nov 29 00:13:13 ovpn-server1[1278]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Nov 29 00:13:13 ovpn-server1[1278]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Nov 29 00:13:13 ovpn-server1[1278]: setsockopt(IPV6_V6ONLY=0)
Nov 29 00:13:13 ovpn-server1[1278]: UDPv6 link local (bound): [AF_INET6][undef]:443
Nov 29 00:13:13 ovpn-server1[1278]: UDPv6 link remote: [AF_UNSPEC]
Nov 29 00:13:13 ovpn-server1[1278]: MULTI: multi_init called, r=256 v=256
Nov 29 00:13:13 ovpn-server1[1278]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Nov 29 00:13:13 ovpn-server1[1278]: Initialization Sequence Completed
Nov 29 00:13:43 rc_service: amas_lib 372:notify_rc restart_firewall
Nov 29 00:13:44 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Nov 29 00:13:45 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Nov 29 00:13:45 (firewall-start): 1359 Creating IPSET 'Valid_VPN_IP' rules

2 commands ran right after reboot

ASUSWRT-Merlin RT-AC68U 384.13-0 Wed Jul 31 17:27:27 UTC 2019
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3950 1833K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2       96 15648 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
4        1    52 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0/0            udp dpt:53
6        0     0 ACCEPT     all  --  br0    tun1+   192.168.2.26         0.0.0.0/0            match-set Valid_VPN_IP dst /* ALLOWED_thru_VPN */
7        0     0 DROP       all  --  br0    tun1+   192.168.2.26         0.0.0.0/0            ! match-set Valid_VPN_IP dst /* BLOCKED_thru_VPN */
8      160 20105 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
9       64  4457 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
10       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
11      96 15648 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
12       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
admin@RT-AC68U-1340:/tmp/home/root# ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 316
References: 3
Number of entries: 0
Members:
admin@RT-AC68U-1340:/tmp/home/root#

 

[Martineau]

Martineau,
Sys Log Dump

Nov 29 00:12:38 ntpd: Initial clock set
Nov 29 00:12:38 rc_service: ntpd_synced 646:notify_rc restart_diskmon
Nov 29 00:12:38 disk_monitor: Finish
Nov 29 00:12:41 disk_monitor: be idle
Nov 29 00:12:41 rc_service: ntpd_synced 646:notify_rc start_vpnserver1
Nov 29 00:12:45 ovpn-server1[824]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
Nov 29 00:12:45 ovpn-server1[824]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
Nov 29 00:12:45 ovpn-server1[825]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Nov 29 00:12:45 ovpn-server1[825]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 29 00:12:45 ovpn-server1[825]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Nov 29 00:12:45 ovpn-server1[825]: Diffie-Hellman initialized with 2048 bit key
Nov 29 00:12:45 ovpn-server1[825]: TUN/TAP device tun21 opened
Nov 29 00:12:45 ovpn-server1[825]: TUN/TAP TX queue length set to 1000
Nov 29 00:12:45 ovpn-server1[825]: /usr/sbin/ip link set dev tun21 up mtu 1500
Nov 29 00:12:46 ovpn-server1[825]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Nov 29 00:12:46 ovpn-server1[825]: updown.sh tun21 1500 1622 10.8.0.1 255.255.255.0 init
Nov 29 00:12:46 ovpn-server1[825]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Nov 29 00:12:46 ovpn-server1[825]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Nov 29 00:12:46 ovpn-server1[825]: setsockopt(IPV6_V6ONLY=0)
Nov 29 00:12:46 ovpn-server1[825]: UDPv6 link local (bound): [AF_INET6][undef]:443
Nov 29 00:12:46 ovpn-server1[825]: UDPv6 link remote: [AF_UNSPEC]
Nov 29 00:12:46 ovpn-server1[825]: MULTI: multi_init called, r=256 v=256
Nov 29 00:12:46 ovpn-server1[825]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Nov 29 00:12:46 ovpn-server1[825]: Initialization Sequence Completed
Nov 29 00:13:00 kernel: SHN Release Version: 2.0.1 890c91d
Nov 29 00:13:00 kernel: UDB Core Version: 0.2.18
Nov 29 00:13:00 kernel: sizeof forward pkt param = 192
Nov 29 00:13:00 BWDPI: fun bitmap = 3
Nov 29 00:13:04 rc_service: udhcpc 481:notify_rc start_firewall
Nov 29 00:13:05 rc_service: udhcpc 481:notify_rc stop_vpnserver1
Nov 29 00:13:05 rc_service: waitting "start_firewall" via udhcpc ...
Nov 29 00:13:05 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Nov 29 00:13:05 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Nov 29 00:13:05 (firewall-start): 1053 Creating IPSET 'Valid_VPN_IP' rules
Nov 29 00:13:06 rc_service: udhcpc 481:notify_rc start_vpnserver1
Nov 29 00:13:06 rc_service: waitting "stop_vpnserver1" via udhcpc ...
Nov 29 00:13:06 ovpn-server1[825]: event_wait : Interrupted system call (code=4)
Nov 29 00:13:06 ovpn-server1[825]: Closing TUN/TAP interface
Nov 29 00:13:06 ovpn-server1[825]: /usr/sbin/ip addr del dev tun21 10.8.0.1/24
Nov 29 00:13:07 ovpn-server1[825]: updown.sh tun21 1500 1622 10.8.0.1 255.255.255.0 init
Nov 29 00:13:07 ovpn-server1[825]: PLUGIN_CLOSE: /usr/lib/openvpn-plugin-auth-pam.so
Nov 29 00:13:07 ovpn-server1[825]: SIGTERM[hard,] received, process exiting
Nov 29 00:13:08 crond[245]: time disparity of 825127 minutes detected
Nov 29 00:13:12 dhcp_client: bound 192.168.1.4 via 192.168.1.1 during 86400 seconds.
Nov 29 00:13:13 ovpn-server1[1277]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
Nov 29 00:13:13 ovpn-server1[1277]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
Nov 29 00:13:13 ovpn-server1[1278]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Nov 29 00:13:13 ovpn-server1[1278]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 29 00:13:13 ovpn-server1[1278]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Nov 29 00:13:13 ovpn-server1[1278]: Diffie-Hellman initialized with 2048 bit key
Nov 29 00:13:13 ovpn-server1[1278]: TUN/TAP device tun21 opened
Nov 29 00:13:13 ovpn-server1[1278]: TUN/TAP TX queue length set to 1000
Nov 29 00:13:13 ovpn-server1[1278]: /usr/sbin/ip link set dev tun21 up mtu 1500
Nov 29 00:13:13 ovpn-server1[1278]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Nov 29 00:13:13 ovpn-server1[1278]: updown.sh tun21 1500 1622 10.8.0.1 255.255.255.0 init
Nov 29 00:13:13 ovpn-server1[1278]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Nov 29 00:13:13 ovpn-server1[1278]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Nov 29 00:13:13 ovpn-server1[1278]: setsockopt(IPV6_V6ONLY=0)
Nov 29 00:13:13 ovpn-server1[1278]: UDPv6 link local (bound): [AF_INET6][undef]:443
Nov 29 00:13:13 ovpn-server1[1278]: UDPv6 link remote: [AF_UNSPEC]
Nov 29 00:13:13 ovpn-server1[1278]: MULTI: multi_init called, r=256 v=256
Nov 29 00:13:13 ovpn-server1[1278]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Nov 29 00:13:13 ovpn-server1[1278]: Initialization Sequence Completed
Nov 29 00:13:43 rc_service: amas_lib 372:notify_rc restart_firewall
Nov 29 00:13:44 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Nov 29 00:13:45 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Nov 29 00:13:45 (firewall-start): 1359 Creating IPSET 'Valid_VPN_IP' rules

What has the OpenVPN Server Syslog entries to to with your issue? - I requested the boot messages related to only the three scripts you created.

 

[Dee dee]

What has the OpenVPN Server Syslog entries to to with your issue? - I requested the boot messages related to only the three scripts you created.

Martineau,
Apologies for me not understanding.


Filtered logs below(Q. does it matter that the scripts run before the time/date is set correctly, does something not work correctly if not done that way?)

May  5 01:05:18 custom_script: Running /jffs/scripts/services-start
May  5 01:05:18 (services-start): 373 Loading iptables 'comment' module xt_comment.ko rc=0
May  5 01:05:18 (services-start): 373 Creating IPSET 'Valid_VPN_IP' rc=0
May  5 01:05:20 custom_script: Running /jffs/scripts/wan-start (args: 0)
May  5 01:05:20 (wan-start): 485 Adding domains to IPSET 'Valid_VPN_IP'
May  5 01:05:24 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
May  5 01:05:26 (firewall-start): 601 Creating IPSET 'Valid_VPN_IP' rules
Dec  1 00:26:57 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Dec  1 00:26:57 (firewall-start): 1036 Creating IPSET 'Valid_VPN_IP' rules
Dec  1 00:27:37 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Dec  1 00:27:37 (firewall-start): 1401 Creating IPSET 'Valid_VPN_IP' rules

I had to merge services-start and wan-start into 1 file (wan-start) and then the ipset list Valid_VPN_IP was populated with IP's(otherwise ipset Valid_VPN_IP was created but was blank.

WAN-START

#!/bin/sh

# These are optional, but if the domains are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)

IPSET_NAME="Valid_VPN_IP"

ipset create $IPSET_NAME hash:net comment

logger -st "($(basename $0))" $$  "Adding domains to IPSET '$IPSET_NAME'"
THIS="snbforums.com";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS;done;
THIS="speedtest.net";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS;done;
THIS="whatismyipaddress.com";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS;done

this generates the following correct as i understand.

admin@RT-AC68U-1340:/tmp/home/root# ipset list
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 1012
References: 3
Number of entries: 8
Members:
151.101.194.219 comment "speedtest.net"
104.16.155.36 comment "whatismyipaddress.com"
151.101.130.219 comment "speedtest.net"
151.101.66.219 comment "speedtest.net"
151.101.2.219 comment "speedtest.net"
104.27.127.97 comment "snbforums.com"
104.16.154.36 comment "whatismyipaddress.com"
104.27.126.97 comment "snbforums.com"

Q: If the Ipset list is populated (by the above), I dont need to put the following lines on the bottom of the wan-start file(nor run them in any way) as the ipset rules apply independently of the masq correct and would just be double the info in 2 places correct?

219am(EST) edit:After re-reading this whole thread I think I am wrong and should be running this on bottom of wan-start file?

echo "ipset=/snbforums.com/www.speedtest.net/www.whatismyipaddress.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add

service restart_dnsmasq

I also noticed if i run the code in firewall-start in post 10 it generates the 3 correct lines below(which route through tun+1), but I wanted it to work like post #27, so after i replace the firewall-start with post #27 I get 1 line and no blocking lines/ unsure what I did wrong?)

POST # 10 firewall rules

admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destina                                                                               tion
1    14778 5644K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state RELATED,ESTABLISHED
2        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0                                                                               /0
3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0                                                                               /0
4       86 10052 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state INVALID
5        0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0                                                                               /0            udp dpt:53
6        0     0 ACCEPT     all  --  br0    tun1+   192.168.2.26         0.0.0.0                                                                               /0            match-set Valid_VPN_IP dst /* ALLOWED_thru_VPN */
7        0     0 DROP       all  --  br0    tun1+   192.168.2.26         0.0.0.0                                                                               /0            ! match-set Valid_VPN_IP dst /* BLOCKED_thru_VPN */
8      825  145K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0
9      825  145K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0                                                                               /0
10       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            ctstate DNAT
11       0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state NEW
12       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0

POST 27 Firewall rules

admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1248  457K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0/0            udp dpt:53
6       84 32981 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
7       84 32981 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
8        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
9        0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

I debugged myself for a good 1-2 hours so as not to waste your time or infuriate you with things not working. I feel I am so close, I just dont get what I'm not getting?

Lastly, does it matter if I am rebooting via website reboot button versus command reboot in mobaxterm?

Is there anything else that is incorrect or am I just not getting it?

 

[Martineau]

Apologies for me not understanding.

I debugged myself for a good 1-2 hours so as not to waste your time or infuriate you with things not working.
I feel I am so close, I just dont get what I'm not getting?
Is there anything else that is incorrect or am I just not getting it?

You do not need to apologise

I too am frustrated (with myself more than anything ) but abject apologies for your wasted 2 hour silly-o-clock debugging session

My intention is to explain/demonstrate the three (simple) steps necessary to meet your firewall requirements:

i.e.

1. services-start: Create empty IPSET (If a backup exists on /jffs then it can be restored at this point)
2. firewall-start: Create BLOCKING/ALLOWED firewall rules (Can't do this if IPSET doesn't exist)
3. wan-start: Populate IPSET (can't do this with nslookup script or automatically

using dnsmasq if the WAN isn't UP)​

i.e. the timing/order in which the steps are implemented is critical, and to further complicate things, scripts firewall-start/wan-start may execute multiple times concurrently.

Q: If the Ipset list is populated [manually using a script], I dont need to put the following lines on the bottom of the wan-start file(nor run them in any way) as the ipset rules apply independently of the masq correct and would just be double the info in 2 places correct?

When you manually populate the IPSET, the nslookup command will retrieve the 'static' IP(s) returned from whichever DNS server replies at that precise moment in time.

i.e. Suppose the IP changes (perhaps the domain owner changes or adds another server/IP) then without the dnsmasq 'ipset=/' directive you would be BLOCKED as dnsmasq would be unable to automatically add the new IP to the authorised IPSET.

219am(EST) edit:After re-reading this whole thread I think I am wrong and should be running this on bottom of wan-start file?

echo "ipset=/snbforums.com/www.speedtest.net/www.whatismyipaddress.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

NO, '/jffs/configs/dnsmasq.conf.add' is persistent over a reboot so once it exists, simply add/remove entries using the 'nano' editor or WinSCP.

If IPSET Valid_VPN_IP can't be restored from a backup, a delay in wan-start is seemingly required before attempting to manually populate the IPSETs

e.g. I explicitly added a 2 second delay (see new verbose wan-start in post #10)

sleep 2

e.g.

May  5 06:05:24 custom_script: Running /jffs/scripts/services-start
May  5 06:05:24 (services-start): 1246 Loading iptables 'comment' module xt_comment.ko rc=0
May  5 06:05:24 (services-start): 1246 Creating VPN IPSETs ('/jffs/configs/IPSET_VPNrules.config') rc=0
May  5 06:05:24 (services-start): 1246 Creating IPSET 'Valid_VPN_IP' rc=0
May  5 06:05:24 (services-start): 1246 Restoring IPSET ('/jffs/configs/Valid_VPN_IP.ipset') rc=1

May  5 06:05:24 custom_script: Running /jffs/scripts/wan-start (args: 0)
May  5 06:05:24 (wan-start): 1393 Paused for 2 secs.....

May  5 06:05:24 custom_script: Running /jffs/scripts/nat-start

May  5 06:05:24 custom_script: Running /jffs/scripts/firewall-start (args: eth0)

May  5 06:05:26 (wan-start): 1393 Adding domains to IPSET 'Valid_VPN_IP'
May  5 06:05:27 (wan-start): 1393 'snbforums.com' 104.27.127.97 rc=0
May  5 06:05:27 (wan-start): 1393 'snbforums.com' 104.27.126.97 rc=0
May  5 06:05:27 (wan-start): 1393 'speedtest.net' 151.101.2.219 rc=0
May  5 06:05:27 (wan-start): 1393 'speedtest.net' 151.101.194.219 rc=0
May  5 06:05:27 (wan-start): 1393 'speedtest.net' 151.101.130.219 rc=0
May  5 06:05:27 (wan-start): 1393 'speedtest.net' 151.101.66.219 rc=0
May  5 06:05:27 (wan-start): 1393 'whatismyipaddress.com' 104.16.154.36 rc=0
May  5 06:05:27 (wan-start): 1393 'whatismyipaddress.com' 104.16.155.36 rc=0

Dec  1 15:09:31 (firewall-start): 1495 Creating IPSET 'Valid_VPN_IP' rules

So, to accommodate your change in requirements, the firewall rules in post #27 have been updated albeit without changing the IPSET name (i.e. 'Valid_VPN_IP' should really be changed to say 'Valid_IP' in all scripts to reflect that VPNs are no longer relevant despite the thread title.)

Lastly, does it matter if I am rebooting via website reboot button versus command reboot in mobaxterm?

In theory No, but I personally always use a 'Reboot.sh' script containing

service start_reboot

as the last line.

 

[Dee dee]

Martineau,

I think it works!!!!!!!!!!
i hardcoded myself as 192.168.2.26/255.255.255.0/gateway 192.168.2.1
primary dns 192.168.2.1

I can hit the snbforums.com/speedtest/whatismyip.

I can still ping cnn.com but it gets request timed out, and the browser doesn't render nor reddit ( but it resolves the IP) so I assume it's safe to connect and no data will be transmitted etc, Lastly, I just wanted to be sure even though I am able to ping no data is able to be sent correct?.

Also, There is no way to allow only certain ipset domains to get dns information.

Lastly is there a way to output to the log all ip's/dns req from the device(192.168.2.26 in the log) so i can be sure I can unblock other stuff I need?


Im quite happy with this and if you can PM me i can reddit gold you or venmo you something!

 

[Dee dee]

Also, Final debug (it's fine dnsmasq is empty right, from what you said earlier its better to do ipset if they change domain to 1.2.3.4 from 5.6.7.8 it would allow it based on that and with dnsmasq it's at that moment would be just 5.6.7.8 and it wouldn't resolve to new so I wouldn't be able to hit the site).

admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1135  221K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
4       46  1840 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0/0            udp dpt:53
6        0     0 ACCEPT     all  --  br0    eth0    192.168.2.26         0.0.0.0/0            match-set Valid_VPN_IP dst /* ALLOWED */
7      186 16342 DROP       all  --  br0    eth0    192.168.2.26         0.0.0.0/0            ! match-set Valid_VPN_IP dst /* BLOCKED */
8       58  4350 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
9       58  4350 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
10       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
11       0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
12       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 2438 packets, 442K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /etc/dnsmasq.conf
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /jffs/configs/dnsmasq.conf.add
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 1084
References: 2
Number of entries: 8
Members:
151.101.194.219 comment "speedtest.net"
104.27.126.97 comment "snbforums.com"
151.101.130.219 comment "speedtest.net"
151.101.66.219 comment "speedtest.net"
104.16.154.36 comment "whatismyipaddress.com"
151.101.2.219 comment "speedtest.net"
104.27.127.97 comment "snbforums.com"
104.16.155.36 comment "whatismyipaddress.com"
admin@RT-AC68U-1340:/tmp/home/root#

Martineau,
Im quite happy with this and if you can PM me i can reddit gold you or venmo you something!

 

[Martineau]

I hardcoded myself as 192.168.2.26/255.255.255.0/gateway 192.168.2.1;primary dns 192.168.2.1

I think it works!!!!!!!!!!

I can hit the snbforums.com/speedtest/whatismyip

You can probably hit 'speedtest.net' but won't be able to run the actual tests - you should know why.

Lastly is there a way to output to the log all ip's/dns req from the device(192.168.2.26 in the log) so i can be sure I can unblock other stuff I need

Change the firewall-start 'blocking' rule from 'DROP' to 'logdrop'

iptables -I FORWARD $POS -s $IPADDR -i br0 -o eth0 -m set ! --match-set $IPSET_NAME dst -j DROP      -m comment --comment "BLOCKED"

to

iptables -I FORWARD $POS -s $IPADDR -i br0 -o eth0 -m set ! --match-set $IPSET_NAME dst -j logdrop   -m comment --comment "BLOCKED"

and you should see the 'blocked' details in Syslog.

I can still ping cnn.com

To explicitly block PING, you need to include this rule (see post #27)

iptables -I FORWARD $POS -s $IPADDR -i br0 -o eth0 -p icmp -m icmp --icmp-type 8 -j REJECT

 

[Dee dee]

Martineau,

It works really well.

My only 2 questions are:

Question 1:
1.If I use the firewall code for no 10 it works fine and DNS doesn't leak etc.
2.if I use the firewall code from post 27 I believe and add the mac to my VPN the rules don't apply and I can visit any site.

So for now I made 2 text files on my PC and when I need to I switch out firewall-start and reboot.

Question 2: if I add a new site to my wan start I believe and apply can I just execute a script with a ./ (Dot slash) command to run it rather than rebooting my router each time to apply all 3 files.

Sorry for the I believe typing on my cell phone at work


Sent from my SM-A505U1 using Tapatalk

 

[Martineau]

Martineau,

It works really well.

but.....

Question 1:

1.If I use the firewall code for no 10 it works fine and DNS doesn't leak etc.
2.if I use the firewall code from post 27 I believe and add the mac to my VPN the rules don't apply and I can visit any site.

So for now I made 2 text files on my PC and when I need to I switch out firewall-start a d reboot.

Why?

If you need to switch the firewall rules and suffer the inconvenience of a reboot then clearly the firewall rules do not meet your requirements.

Are you saying a combination of the rules from both post #10 and post #27 is actually needed?.

Please restate your actual definitive requirements.
i.e.

1. If ......… does match IPSET then .........
2. If ...…… doesn't match IPSET then .........​

Question 2:

If I add a new site to my wan start I believe and apply can I just execute a script with a ./ (Dot slash) command to run it rather than rebooting my router each time to apply all 3 files.

Yes, although there is no need to run firewall-start/services-start if you just modify wan-start to populate the IPSET with new domain IPs.

NOTE: It is always prudent to test any mods to the scripts on the command line, to ensure they will work during the next reboot.

The './' prefix is used if you are logged into the /jffs/scripts directory, if not you can use a full path reference

e.g.

sh /jffs/scripts/wan-start

 

[Dee dee]

Martineau,

After further debugging (and another issue, I didn't account for), I have understood the following:
1. IF 192.168.2.26 does match IPSET and connected either running script 10 or 27 allow only sites from IPSET and block all other sites.
2. IF 192.168.2.26 doesn't match IPSET block connection to site.

The issue was if I ran Script 27 (firewall-start), If i added the Mac address to VPN connection 1 by hand it wouldn't block the IPSET rules and allow all sites.

Secondly, another issue I ran into with (192.168.2.26) with DNS was that I have a list of DNS entries that need to be populated as such:
site1.com 127.0.0.1
sitex.com 127.0.0.1

As I believe the app's it uses need to think it can connect to those sites but not actually for the device to work(basically like it's own windows hosts file).

Sorry if not explained well previously and I hope the above explains it better.

 

[Dee dee]

So I tried the following last night to no avail.

In one post earlier you generated a incorrect ipset string to populate speedtest.net with 8.8.8.8

I used that as a example with the site I want to use and put in 127.0.0.1 and populated the ipset with that. I then hard coded my laptop to 192.168.2.26 and pinged it and got the real IP?

I then went to dnsmasq.conf.add and added a line I googled of address=/.websitetospoof.net/127.0
0.1

I then added the line of service dnsmasq_restart to the bottom of wan-start but the item I test still doesn't connect.

Did I do something weird or quite wrong in my idea.

Sorry for poor formatting on my phone at work.

 

[Martineau]

Martineau,
After further debugging (and another issue, I didn't account for), I have understood the following:
1. IF 192.168.2.26 does match IPSET and connected either running script 10 or 27 allow only sites from IPSET and block all other sites.
2. IF 192.168.2.26 doesn't match IPSET block connection to site.
The issue was if I ran Script 27 (firewall-start), If i added the Mac address to VPN connection 1 by hand it wouldn't block the IPSET rules and allow all sites.

The firewall scripts only apply to one specific IP that you originally specifed i.e. 192.168.2.26

If you need to apply the same access restriction for ANY device that is Selectively Routed through the VPN Client then you can either duplicate the rules for 192.168.2.26 for ALL of the LAN devices (i.e. CIDR subnet range), or simply use the VPN Client interface (rather than LAN device IPs) as the criteria to apply the IPSET filter blocking.

Does this comprehensively summarise your definitive requirements?

1. If the LAN device traffic is outbound via the WAN, DON'T apply the IPSET BLOCK filtering
2. If the LAN device traffic is outbound via ANY VPN        apply the IPSET BLOCK filtering

i.e. it would be convenient to have firewall rules that will decide to BLOCK/ALLOW access based on the VPN Selective Routing GUI contents?

Secondly, another issue I ran into with (192.168.2.26) with DNS was that I have a list of DNS entries that need to be populated as such:
site1.com 127.0.0.1
sitex.com 127.0.0.1
As I believe the app's it uses need to think it can connect to those sites but not actually for the device to work(basically like it's own windows hosts file).

Not sure which app you are using, but this works
e.g. Try nslookup

nslookup sitex.com

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      sitex.com
Address 1: 209.194.0.142

Create DNS spoofing

echo "address=/sitex.com/127.0.0.1" >>/jffs/configs/dnsmasq.conf.add

service restart_dnsmasq

and retry the nslookup

nslookup sitex.com

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      sitex.com
Address 1: 127.0.0.1 localhost.localdomain

​

 

[Martineau]

I then added the line of service dnsmasq_restart to the bottom of wan-start but the item I test still doesn't connect.

Did I do something weird or quite wrong in my idea.

Idea good, implementation incorrect.

Since '/jffs/configs/dnsmasq.conf.add' is persistent, it will be applied automatically during the reboot, so actually you don't need to explicitly restart dnsmasq.

However, unfortunately you have mistyped the command

service dnsmasq_restart

should be

service restart_dnsmasq

NOTE: The 'service' command stupidly always replies 'Done' for any junk command!

service What_is_a_synonym_for_ended?

Done.

 

[Dee dee]

Martineau,

No I still need to do the ipset rule specifically for that device so the rules still apply only for 1 device be it connecting via VPN through the script or if explicitly add it to the vpn.

I don't understand what this means im sorry..

it would be convenient to have firewall rules that will decide to BLOCK/ALLOW access based on the VPN Selective Routing GUI contents?

Is there a way to merge both scripts 10/27 into one so I don't have to toggle?

I have gone through the posts and put the ones I am using below with my change noted( I just changed the sitenames for Proof Of Concept) below(If i am connecting via VPN Client 1, I put the 1 in both places right?:

Also I added the bottom line into the wan-start(IPSET IP's supercede actual Nslookup Records right?)

firewall-start (with logdrop added/updated)

#!/bin/sh

IPADDR=192.168.2.26

VPN_ID=1                      # VPN Client 3
VPN_FWMARK="0x1000/0x1000"    # 0x1000=VPN 1, 0x2000=VPN 2, 0x4000=VPN 1, 0x4000=VPN 3,

IPSET_NAME="Valid_VPN_IP"

logger -st "($(basename $0))" $$ "Creating IPSET '$IPSET_NAME' rules"

iptables -t mangle -D PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK 2>/dev/null
iptables -t mangle -A PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK

# Prevent duplicates but can leave firewall exposed...
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j logdrop   -m comment --comment "BLOCKED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT

# Non-destructive (but no less exposed?) method to prevent duplicates
#[ iptables -C FORWARD -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN"
#[ iptables -C FORWARD -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
#[ iptables -C FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT

Services-start

#!/bin/sh

modprobe -sv xt_comment.ko
RC=$?
logger -st "($(basename $0))" $$  "Loading iptables 'comment' module xt_comment.ko rc=$RC"
modprobe -D xt_comment.ko >>/tmp/syslog.tmp

IPSET_NAME="Valid_VPN_IP"

ipset create $IPSET_NAME hash:net comment
RC=$?
logger -st "($(basename $0))" $$ "Creating IPSET '$IPSET_NAME' rc=$RC"

Wan-start

#!/bin/sh

Say(){
   echo -e $$ $@ | logger -st "($(basename $0))"
}

IPSET_NAME="Valid_VPN_IP"

Say "Paused for 2 secs....."
sleep 2

# These are optional, but if the domains are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)

Say "Adding domains to IPSET '$IPSET_NAME'"
THIS="site1toallow.com";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS; Say "'"$THIS"' $IP rc="$?;done;
THIS="site2toallow.net";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS; Say "'"$THIS"' $IP rc="$?;done;
THIS="domainexample.subdomainexample.net";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME 127.0.0.1 comment $THIS;Say "'"$THIS"' $IP rc="$?;done

To allow it to add as a viewable site for the device.

Then do the following DNS spoofing

echo "address=/domainexample.subdomainexample.net/127.0.0.1" >>/jffs/configs/dnsmasq.conf.add

and then either reboot and/or do the service restart_dnsmasq?

The firewall scripts only apply to one specific IP that you originally specifed i.e. 192.168.2.26

If you need to apply the same access restriction for ANY device that is Selectively Routed through the VPN Client then you can either duplicate the rules for 192.168.2.26 for ALL of the LAN devices (i.e. CIDR subnet range), or simply use the VPN Client interface (rather than LAN device IPs) as the criteria to apply the IPSET filter blocking.

Does this comprehensively summarise your definitive requirements?

1. If the LAN device traffic is outbound via the WAN, DON'T apply the IPSET BLOCK filtering
2. If the LAN device traffic is outbound via ANY VPN        apply the IPSET BLOCK filtering

i.e. it would be convenient to have firewall rules that will decide to BLOCK/ALLOW access based on the VPN Selective Routing GUI contents?

Not sure which app you are using, but this works
e.g. Try nslookup

nslookup sitex.com

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      sitex.com
Address 1: 209.194.0.142

Create DNS spoofing

echo "address=/sitex.com/127.0.0.1" >>/jffs/configs/dnsmasq.conf.add

service restart_dnsmasq

and retry the nslookup

nslookup sitex.com

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      sitex.com
Address 1: 127.0.0.1 localhost.localdomain

​