Asus RT-AC68U Traffic Blocking Question specific IP and VPN on top of that

Dee dee

Regular Contributor
Hi All,

I just loaded Asus Merlin firmware and love it!

I wanted to set up a specific routing rule and am confused on how to do it on the UI.

I basically wanted to set a specific internal IP (an item on my network, static) 192.168.2.26 (for example) to block all traffic outgoing from and incoming to it.

Then allow only certain websites (siteexample.com) to access that device and not allow other sites, and route the traffic on top of that through a VPN server (NordVPN), which I set up in the VPN settings and have working already.

I tried the firewall option and blocking the website name but the site and all subdomains are still pingable.

Any idea what I am doing wrong?

P.S. Also, is there a log where I can see the traffic going from and to a device so I can better isolate the traffic (with a UI perhaps?)
Thanks in advance,
Dee
 
I basically wanted to set a specific internal IP(item on my network) (static) 192.168.2.26 (for example) to block all traffic outgoing ingoing to it.

Then allow only certain websites to access (siteexample.com) that device and not allow other sites and route the traffic on top of that through a VPN Server(NordVPN) ( which i setup on the VPN setting and have it working already).

Not 100% sure if I correctly understand your requirements

e.g. say Website is 'www.ibm.com'

Requirement Option 1.
Code:
Internet ==+==========>>Router      Allow www.ibm.com
          ¦^¦           + + + +
          ¦^¦           | ^ ^ ^
          ¦|¦           | | | |
    NordVPN Client      | | | |
          ¦^¦           | | | |
          ¦|¦           | v v v
          ¦|¦           | 192.168.2.xxx
          ¦|¦           |
          ¦|¦           |
          ¦|¦           v
          ¦|¦      192.168.2.26    (Selective Routing GUI rule: THISPC   192.168.2.26   0.0.0.0   VPN)
          ¦|¦          ¦|¦
          ¦|¦          ¦|¦
   ONLY www.ibm.com    ¦|¦
          ¦|¦          ¦|¦
          ¦|¦==========¦|¦
          ¦+------------+¦
          ¦==============¦
or

Requirement Option 2.
Code:
Internet ==+==========>>Router      Allow www.ibm.com
          ¦^¦           + + + +
          ¦^¦           ^ ^ ^ ^
          ¦|¦           | | | |
    NordVPN Client      | | | |
          ¦^¦           | | | |
          ¦|¦           | v v v
          ¦|¦           | 192.168.2.xxx
          ¦|¦           |
          ¦|¦           |
          ¦|¦           +----+
          ¦|¦                |
          ¦|¦                |
          ¦|¦                v
          ¦|¦           192.168.2.26 (Selective Routing GUI rule: THISPC   192.168.2.26   'xxx.xxx.xxx.xxx'   VPN)
          ¦|¦              //                where xxx.xxx.xxx.xxx is the current IP for 'www.ibm.com'
          ¦|¦             //
          ¦|¦            //
          ¦|¦           //
          ¦|¦    ONLY www.ibm.com
          ¦|¦          ¦|¦
          ¦|¦          ¦|¦
          ¦|¦          ¦|¦
          ¦|¦          ¦|¦
          ¦|¦          ¦|¦
          ¦|¦==========¦|¦
          ¦+------------+¦
          ¦==============¦

either way you will need a script to add appropriate rules to the firewall.

i.e. you can't Selectively Route URL/Domains using the GUI as only IPs/CIDRs are allowed in the target 'Destination IP' field, and a single URL/Domain may resolve to a range of 10s if not 100s of IPs.

I tried the firewall option and blocking the website name but the site and all subdomains are still pingable.

Any idea what I am doing wrong.
The GUI 'Firewall - URL Filter' does not physically block PING traffic.

Also it is Global in scope, so if you filter say 'www.ibm.com', then the URL 'text-based' block is from ALL LAN devices - not just the device(s) Selectively Routed via the NordVPN Client.

PING blocking can be explicitly enabled (but isn't intuitive) on 'Firewall - Network Services Filter' GUI, however it too is Global, meaning it will be completely DISABLED from ANY LAN device(s) regardless of target URL/IP.
I wanted to set up a specific routing rule and am confused on how to do it on the UI.
see Wiki documentation for Asuswrt-merlin or even better see @Xentrk's Blog Site for a pictorial walk-through.
 
Martineau,

Thank you for taking the time to reply to me. I looked at his blog but just a white page renders saying hello dude.

I don't really understand your diagrams but let me try to explain easier.

Device on network > only allowed to ping/http connect certain site no other sites while also routing all its traffic through nordvpn.

I know with vpn page I just click on add host on bottom and drop connection if vpn drops on top.

Is there an Entware package I can install that would help with the filtering I want?

Also, is there a way on the router itself to see HTTP or dba requests from a device in the GUI so I am sure I'm not blocking the wrong thing?
 
I looked at his blog but just a white page renders saying hello dude.

Apologies, but I have several templates that I use to quickly compose thread posts and replies, so didn't physically check the pasted link. :rolleyes:

Hmmm, @Xentrk's site may have been hacked? :eek:

so would advise everyone wait until @Xentrk is back online tomorrow.
 
I don't think it's hacked; on http://www.x3mtek.com/ I see:
This domain name registration has expired and renewal or deletion are pending. If you are the registrant and want to renew the domain name, please contact your registration service provider.
 
dont think its hacked, on http://www.x3mtek.com/ I see:
This domain name registration has expired and renewal or deletion are pending. If you are the registrant and want to renew the domain name, please contact your registration service provider.
Ahh OK, that is probably more reassuring, although the blank page only containing the message 'Helo Dude' is the type of thing kiddie scripters think is funny!

NOTE: The blog Table of Contents is available in Google cache but not the linked content.
 
I dont really understand your diagrams but let me try to explain easier.

Device on network > only allowed to ping/http connect certain site no other sites while also routing all its traffic through nordvpn.

I know with vpn page I just click on add host on bottom and drop connection if vpn drops on top.
So presumably you have entered something similar in the VPN Client GUI?


i.e. criteria

1. 192.168.2.26 must NEVER use the WAN, and must honour the VPN KILL-switch if the VPN Client is DOWN

2.
192.168.2.26 may only access a limited number of specified Websites/Domains.

So essentially you require to implement the 'Requirements Option 1' diagram (unlike Option 2, where 192.168.2.26 always uses the WAN except for nominated IPs/domains via the VPN).

The complete solution (criteria 2) requires you to manually add firewall rules to

1. BLOCK all internet websites from 192.168.2.26 thru the VPN Client tunnel by default.
2. Allow 192.168.2.26's nominated Domains/Websites as exceptions
e.g. Old-skool for 'www.ibm.com' and 'www.youtube.com'
Code:
iptables -I FORWARD -s 192.168.2.26 -o tun1+ -j DROP

iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s 192.168.2.26 -o tun1+ -d www.ibm.com      -j ACCEPT -m comment --comment www.ibm.com
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s 192.168.2.26 -o tun1+ -d www.youtube.com  -j ACCEPT -m comment --comment www.youtube.com
etc.
Code:
nslookup www.youtube.com

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.youtube.com
Address 1: 2a00:1450:4009:819::200e lhr48s09-in-x0e.1e100.net
Address 2: 216.58.213.14 ber01s14-in-f14.1e100.net
Address 3: 216.58.213.110 lhr25s02-in-f14.1e100.net
Address 4: 172.217.20.142 fra07s27-in-f142.1e100.net
Address 5: 172.217.169.14 lhr25s26-in-f14.1e100.net
Address 6: 172.217.169.46 lhr48s08-in-f14.1e100.net
Address 7: 172.217.169.78 lhr48s09-in-f14.1e100.net
Address 8: 216.58.204.238 par21s06-in-f14.1e100.net
Address 9: 216.58.210.206 lhr48s11-in-f14.1e100.net
Address 10: 216.58.210.238 mrs04s10-in-f238.1e100.net

In the example above, nslookup (for me) currently returns nine IPv4 addresses for 'www.youtube.com' - so with just two domains, we already have 10 rules.

Subsequently it is prudent to save all the domain IP addresses in an IPSET and, rather than have potentially hundreds of firewall rules, have just one! :D

P.S. @Xentrk has scripts to collect all of the IPs for a selected domain see Xentrk GitHub

Here's how you can populate an IPSET manually:

e.g. for 'snbforums.com' and 'www.youtube.com'
Code:
modprobe -sv xt_comment.ko
 
ipset create Valid_VPN_IP hash:net comment

nslookup snbforums.com;for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add Valid_VPN_IP $IP comment snbforums.com;done;ipset list Valid_VPN_IP

nslookup www.youtube.com;for IP in $(nslookup "www.youtube.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add Valid_VPN_IP $IP comment www.youtube.com;done;ipset list Valid_VPN_IP
then for the ten (or even thousands of IPs) you only need one rule!
Code:
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))"  -s 192.168.2.26 -o tun1+ -m set  --match-set Valid_VPN_IP dst -j ACCEPT
You can examine the firewall statistics to see if the restricted domain access is working as expected, and also interrogate the IPSET
Code:
ipset test Valid_VPN_IP snbforums.com

104.27.127.97 is in set Valid_VPN_IP.
Furthermore, rather than manually populate the IPSET, you can simply create an empty IPSET and have dnsmasq automatically (in real-time) add any new IPs associated with the selected domains,

Simply issue
Code:
echo "ipset=/snbforums.com/www.youtube.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add

service restart_dnsmasq
 
Thank you very much for the explanation.
I will try it tonight when home from work and advise if it's not what I wanted. I will test it with a PC before I change the IP to what I wanted.
 
Martineau
So essentially I am just doing the 2 things below:

So presumably you have entered something similar in the VPN Client GUI?
(YES I DID)

Then I SSH into my router with PuTTY and do the following commands (I am not too keen/good with these commands nor Linux, sorry for any errors I type):
"
modprobe -sv xt_comment.ko

ipset create Valid_VPN_IP hash:net comment

echo "ipset=/www.siteiwanttoallow.com" >>/jffs/configs/dnsmasq.conf.add

iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s 192.168.2.26 -o tun1+ -m set --match-set Valid_VPN_IP dst -j ACCEPT

service restart_dnsmasq
"
and this will persist over reboots?

Also, what do I want to do if I wanted to remove said rules from that IP in the future?
 
Then i SSH into my router with PUTTY and do the following commands
Yes, PuTTY is fine, although you may wish to use a more feature-rich SSH client such as Xshell or MobaXterm but it should be a simple copy'n'paste into the command line.

The following has a typo:
Code:
echo "ipset=/www.siteiwanttoallow.com" >>/jffs/configs/dnsmasq.conf.add
you have omitted the IPSET name where the resolved 'www.siteiwanttoallow.com' IPs should be collated.
Change it to
Code:
echo "ipset=/www.siteiwanttoallow.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
see dnsmasq man page for the syntax


NOTE: You will need to manually edit '/jffs/configs/dnsmasq.conf.add' if you need to add or remove domains to be automatically resolved and added.
Also what Do i want to do if I wanted to remove said rules from that IP in the future?
List the firewall rule statistics
Code:
iptables  --line -t filter -nvL FORWARD
Delete the firewall rules
Code:
#!/bin/sh

IPADDR=192.168.2.26
IPSET_NAME="Valid_VPN_IP"

VPN_ID=3                      # VPN Client 3
VPN_FWMARK="0x4000/0x4000"    # 0x1000=VPN 1, 0x2000=VPN 2, 0x4000=VPN 3

# Remove the fwmark rule that steered IPSET matches into the VPN Client tunnel
iptables -t mangle -D PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK 2>/dev/null

# Remove the three FORWARD rules (DNS, allowed IPs, default block) for the device
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
and this will persist over reboots?
No, you will need to create scripts that will automatically get executed when the router reboots.

e.g. Use nano editor on the router command line to create '/jffs/scripts/firewall-start' with the lines
Code:
#!/bin/sh

IPADDR=192.168.2.26

VPN_ID=3                      # VPN Client 3
VPN_FWMARK="0x4000/0x4000"    # 0x1000=VPN 1, 0x2000=VPN 2, 0x4000=VPN 3

IPSET_NAME="Valid_VPN_IP"

logger -st "($(basename $0))" $$ "Creating IPSET '$IPSET_NAME' rules"

iptables -t mangle -D PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK 2>/dev/null
iptables -t mangle -A PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK

# Prevent duplicates but can leave firewall exposed...
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT

# Non-destructive (but no less exposed?) method to prevent duplicates
# (iptables -C returns 0 when an identical rule already exists, so only insert when the check fails)
#iptables -C FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN"
#iptables -C FORWARD -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
#iptables -C FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT
and create '/jffs/scripts/services-start'
Code:
#!/bin/sh

modprobe -sv xt_comment.ko
RC=$?
logger -st "($(basename $0))" $$  "Loading iptables 'comment' module xt_comment.ko rc=$RC"
modprobe -D xt_comment.ko >>/tmp/syslog.tmp

IPSET_NAME="Valid_VPN_IP"

ipset create $IPSET_NAME hash:net comment
RC=$?
logger -st "($(basename $0))" $$ "Creating IPSET '$IPSET_NAME' rc=$RC"

and create '/jffs/scripts/wan-start'
Code:
#!/bin/sh

Say(){
   echo -e $$ $@ | logger -st "($(basename $0))"
}

IPSET_NAME="Valid_VPN_IP"

Say "Paused for 2 secs....."
sleep 2

# These are optional, but if the domains are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)

Say "Adding domains to IPSET '$IPSET_NAME'"
THIS="snbforums.com";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS; Say "'"$THIS"' $IP rc="$?;done;
THIS="speedtest.net";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS; Say "'"$THIS"' $IP rc="$?;done;
THIS="whatismyipaddress.com";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS;Say "'"$THIS"' $IP rc="$?;done
then make the scripts executable
Code:
chmod a+rx /jffs/scripts/*

P.S. There is a wealth of information in the RMerlin Wiki describing how to write scripts, and for descriptions of the various files such as 'firewall-start' see User scripts
 
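The procedure Martineau lays out in the two posts above (an IPSET allow-list, FORWARD rules inserted just after the firmware's 'state INVALID' rule, and a dnsmasq ipset= line to keep the set populated), as an added dry-run example that is not Martineau's or the firmware's own script. IPADDR, IPSET_NAME, TUN_IF and DOMAINS are placeholders, the nslookup and iptables listings inside it are constructed samples, and the address extraction also handles the resolver line and IPv6 answers that tripped up the earlier one-liner.

```shell
#!/bin/sh
# Added dry-run builder for the thread's "allow-listed domains, only via the VPN
# tunnel" rules. Not Martineau's or Asuswrt-Merlin's script. Commands are echoed
# by default; run "RUN= sh thisfile.sh apply" on the router to execute them.
# Placeholders: IPADDR, IPSET_NAME, TUN_IF, DOMAINS. The GUI policy rule
# (THISPC 192.168.2.26 0.0.0.0 VPN) still does the routing; this only filters.

IPADDR="${IPADDR:-192.168.2.26}"          # LAN host to restrict
IPSET_NAME="${IPSET_NAME:-Valid_VPN_IP}"  # set holding the allowed IPv4s
TUN_IF="${TUN_IF:-tun1+}"                 # any OpenVPN client tunnel
DOMAINS="www.ibm.com www.youtube.com"     # constructed allow-list
RUN="${RUN-echo}"                         # RUN= (empty) executes for real

# Constructed BusyBox nslookup output: the resolver's own "Address 1: 127.0.0.1"
# precedes the answers, and an IPv6 answer cannot go into a "family inet" set.
SAMPLE_NSLOOKUP='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.youtube.com
Address 1: 2a00:1450:4009:819::200e lhr48s09-in-x0e.1e100.net
Address 2: 216.58.213.14 ber01s14-in-f14.1e100.net
Address 3: 172.217.20.142 fra07s27-in-f142.1e100.net'

# Constructed "iptables -nvL FORWARD --line -t filter" listing.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Print only the IPv4 answers after the "Name:" line of nslookup output on
# stdin, dropping the resolver's 127.0.0.1 and every IPv6 answer.
ipv4_from_nslookup() {
    awk '$1 == "Name:" { answers = 1; next }
         answers && $1 == "Address" && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $3 }'
}

# The one dnsmasq directive that keeps the set populated in real time.
dnsmasq_ipset_line() {
    line="ipset="
    for d in $DOMAINS; do line="$line/$d"; done
    echo "$line/$IPSET_NAME"
}

# FORWARD position just after the firmware's "state INVALID" DROP, read from an
# iptables --line listing on stdin (same placement as the thread's commands).
position_after_invalid() {
    awk '/state INVALID/ { print $1 + 1; exit }'
}

# Add the IPv4 addresses of domain $1 (its nslookup output on stdin) to the set,
# tagged with the domain so entries can be traced and removed later.
populate_set() {
    for ip in $(ipv4_from_nslookup); do
        $RUN ipset -exist add "$IPSET_NAME" "$ip" comment "$1"
    done
}

# Delete-then-insert at position $1 so re-running firewall-start never leaves
# duplicates. Inserting DROP, then ACCEPT, then DNS at the same slot yields the
# final order DNS -> ACCEPT -> DROP: the device resolves names and reaches
# allowed IPs; everything else it sends into the tunnel is dropped.
apply_rules() {
    pos="$1"
    $RUN modprobe -sv xt_comment
    $RUN ipset -exist create "$IPSET_NAME" hash:net comment
    set -- \
        "-p udp -m udp --dport 53 -j ACCEPT" \
        "-o $TUN_IF -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment ALLOWED_thru_VPN" \
        "-o $TUN_IF -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment BLOCKED_thru_VPN"
    for spec in "$1" "$2" "$3"; do
        $RUN iptables -D FORWARD -s "$IPADDR" -i br0 $spec 2>/dev/null
    done
    for spec in "$3" "$2" "$1"; do
        $RUN iptables -I FORWARD "$pos" -s "$IPADDR" -i br0 $spec
    done
}

# Real run on the router: resolve, populate, place the rules, print the dnsmasq line.
main() {
    for d in $DOMAINS; do nslookup "$d" | populate_set "$d"; done
    pos="$(iptables -nvL FORWARD --line -t filter | position_after_invalid)"
    apply_rules "${pos:-1}"
    echo "# append to /jffs/configs/dnsmasq.conf.add: $(dnsmasq_ipset_line)"
}

case "${1:-}" in apply) main ;; esac
```

Because the default is to echo, you can diff the printed rules against `iptables --line -t filter -nvL FORWARD` before committing them to firewall-start.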
Martineau,

I was looking over your lines to write and noticed this line wasn't there. Was it omitted? And where do I put the IPs I want to allow?

echo "ipset=/www.siteiwanttoallow.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add


Also, I checked the website where you posted the tutorial pics before, and it is still not available.

Thanks for your time

I checked the website before where you posted the tutorial pics is still not available.
I'm sure @Xentrk is aware of his Blog site access issues, and will restore access ASAP.

In the interim, this video How to setup Policy rules and KILL Switch is old but still quickly demonstrates how easy it is (only three clicks) to select a LAN device and route all of its traffic thru' the VPN tunnel.
where do put the ip's i want to allow?
If you have correctly created the IPSET, when you access 'www.siteiwanttoallow.com' its IP address(es) will automatically be added to IPSET Valid_VPN_IP.

However, if required, you can manually add them using
Code:
ipset add Valid_VPN_IP xxx.xxx.xxx.xxx

ipset list Valid_VPN_IP
 
I'm sure @Xentrk is aware of his Blog site access issues, and will restore access ASAP.
Yikes. Thanks for the heads up. I will get on top of the issue right away.
 
Yikes. Thanks for the heads up. I will get on top of the issue right away.
Site is online. The domain was expired. I set up a process to ensure it doesn't happen again.
 
Martineau, thanks for the wealth of information. I modified the firewall-start to now always go through the VPN and wanted to do that myself as per the video you posted on YouTube.

So I modified the files thusly.

Let me know if I messed up anything before I implement them.

firewall-start file


IPADDR=192.168.2.26
IPSET_NAME="Valid_VPN_IP"    # set referenced by the rules below
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT

Init-start file

modprobe -sv xt_comment.ko
IPSET_NAME="Valid_VPN_IP"
ipset create $IPSET_NAME hash:net comment 2>/dev/null
for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment snbforums.com;done;
for IP in $(nslookup "speedtest.net" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment speedtest.net;done;
for IP in $(nslookup "whatismyipaddress.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment whatismyipaddress.com;done;

then make them writable
 
Martineau, these 2 rules didn't work, or did I do something wrong?

I used WINSCP to edit the folders and files and I get the following:
 

Martineau These 2 rules didnt work or i did something wrong?

I used WINSCP to edit the folders and files and I get the following:
Do both scripts start with the necessary she-bang?
Code:
#!/bin/sh
 
dave14305,

Man, do I feel like a dunce. I omitted that line.

I put that line back in and it ran just fine.

I didn't mess anything up in his code by removing those VPN lines did I?

Also I don't think this one ran as the ipset doesn't show right when I run the "ipset list VALID_VPN_IP". I get the following picture, What did I do wrong?





Also I don't think this one ran as the ipset doesn't show right when I run the "ipset list VALID_VPN_IP". I get the following picture, What did I do wrong?
I ran the init-start commands and it worked OK.
Code:
ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 1178
References: 0
Number of entries: 9
Members:
151.101.130.219 comment "speedtest.net"
104.27.126.97 comment "snbforums.com"
104.16.154.36 comment "whatismyipaddress.com"
104.27.127.97 comment "snbforums.com"
151.101.2.219 comment "speedtest.net"
104.16.155.36 comment "whatismyipaddress.com"
151.101.66.219 comment "speedtest.net"
75.75.75.75 comment "snbforums.com"
151.101.194.219 comment "speedtest.net"
What is the output of
Code:
nslookup snbforums.com
Maybe your router isn’t resolving the names correctly.
 
Attached are my outputs. Is anything named wrong?
 

