Block access to network hard drive for specific clients

margentieri

Hi all,

I have an ac68u running merlin 378.51.

A little background info first:
I have both OpenVPN servers running. One of the two servers I have set up for some of my friends currently living abroad (i.e. China) to use, and because I'm not the one using this VPN, I want to limit access to my LAN and NAS for all clients connected to my network through this 2nd VPN. This VPN's port is 1195, and its subnet is 10.2.0.0.

I have successfully set an iptables rule in my firewall-start script to block access to my LAN for these clients. The specific rule I used is

iptables -I FORWARD -s 10.2.0.0/24 -d 192.168.1.0/24 -j DROP

I also have a hard drive plugged into my router to serve as NAS. My above rule does not prevent access to this drive.

So my question to you all: how can I completely block all access to this drive for clients connecting through this VPN? All forms of connection including Samba and DLNA should be blocked.

Is there a way I can assign a single port through which all traffic to the USB port in the router that this drive is attached to must pass through? Or some other way to explicitly identify the USB port / hard drive in question? Or any other way to achieve my goal really.

Thanks!
 
I was thinking that what I want to accomplish would be possible if the VPN connection in question was treated as a guest network. I have a guest network already enabled. Would it be possible to VPN into this existing guest network or to set up a dedicated guest network for the VPN?

Correct me if I've misunderstood, but your guest network is for requests originating behind your router on your wireless guest network; the response, when it comes back, is NAT'd back to the same device on the wireless guest network.

With your friends using your vpn, the request originates on the public, Internet side of your router and the request pops through your router and back out, unencrypted, onto the Internet. So your internal wireless guest network has nothing to do with that process. Yes?

And, if you have a read through the following 2 topics, you may well get some answers, depending how deep you are willing to delve:

http://www.snbforums.com/threads/prevent-lan-access-from-openvpn.20058/#post-145074

http://www.snbforums.com/threads/openvpn-pre-configured.21793/#post-157870
 
That first link is actually an old thread of mine if you noticed. That's where I got the iptables rule mentioned above; however, all this rule does is prevent those VPN clients from communicating with other clients on the network. It unfortunately does nothing to prevent access to my network hard drive.

As for the second link, I failed to find that thread in my searches, but it looks like he is still having the same problem I am currently having, which is VPN clients are still able to access the network hard drive.

You are correct that the VPN is originating from the WAN, whereas the wireless guest network is a wireless LAN network. That being said, the guest network accomplishes for wireless LAN clients exactly what I am seeking to accomplish for VPN clients. Just as wireless guest network clients are prevented from accessing the network hard drive, I wish to prevent these VPN clients from accessing these network resources as well. The ONLY access I want these VPN clients to have is internet access routed through my machine. This may seem silly to some (the whole point of a VPN is to remotely connect to another private network after all), but when you have friends dealing with the Great Firewall of China, VPNs become rather necessary for accessing an uncensored internet.
 
Sorry: I didn't notice the first link was yours. You've been looking for an answer for a while, then. And, no, it doesn't seem silly at all. In fact, it seems a perfectly logical thing to do. I wouldn't mind it myself: one vpn server for encrypted (to home router) browsing (eg from public wifi) with LAN access blocked, and the other vpn server for LAN access (possibly with WAN access blocked). Makes perfect sense.

Here's hoping you get a quick solution.
 
I haven't tested it, but you could try making an smb.postconf file in /jffs/scripts with the following (and make it executable).
Code:
#!/bin/sh
# /jffs/scripts/smb.postconf: the firmware runs this with the path of the
# generated smb.conf as $1, before Samba is started
CONFIG=$1
source /usr/sbin/helper.sh
# pc_insert adds the new line right after the first line matching the pattern,
# so both settings land in the [global] section. In Samba, a host matching
# "hosts allow" is accepted even though "hosts deny" matches everything.
pc_insert "[global]" "hosts deny = 0.0.0.0/0" "$CONFIG"
pc_insert "[global]" "hosts allow = 127.0.0.1 192.168.1.0/24" "$CONFIG"
 

Thanks, I'll have to try this when I get home; however, I imagine that this would only block accessing the network drive via Samba. What about DLNA? Any ideas for that?
Sorry, I actually don't know much about the workings of DLNA, so this might be a silly question.
 
minidlna doesn't have any concept of restricted access, so that one is tougher. I tend to stumble around a bit when it comes to iptables (lots of trial and error), but you may want to try something like this.
Code:
iptables -I OUTPUT -d 10.2.0.0/24 -p tcp -m tcp --sport 8200 -j DROP
iptables -I INPUT -s 10.2.0.0/24 -p udp -m udp --dport 1900 -j DROP

This will kill their ability to use UPnP (if that works over the VPN tunnel; I'm not sure if it does).
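The OP's FORWARD rule and the two iptables lines above share one root cause: traffic from VPN clients to services that run on the router itself (Samba, minidlna, the web UI) passes through the INPUT chain, not FORWARD, so each service would otherwise need its own rule. The firewall-start script below is an added example, not code from the thread, that generalizes both into a guest-style policy for the second server's clients: they may reach DNS on the router and the Internet, and nothing else on the router or the LAN. The VPNGUEST chain name and the assumption that the server advertises the router as DNS are mine; the subnets come from the thread.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (added example, not from the thread).
# Clients of the second OpenVPN server (10.2.0.0/24) get Internet only.
# The thread's FORWARD rule covers traffic THROUGH the router; Samba,
# minidlna (8200/tcp, 1900/udp) and the web UI run ON the router, so those
# sessions traverse INPUT and need their own rules. The OpenVPN handshake
# itself arrives on the WAN from public IPs, so it is unaffected.

VPN_NET="10.2.0.0/24"      # restricted OpenVPN server subnet (from the thread)
LAN_NET="192.168.1.0/24"   # home LAN (from the thread)
CHAIN="VPNGUEST"           # assumed name for the custom chain

# Emit the iptables commands one per line so they can be reviewed before
# being applied. Delete-then-insert avoids duplicate rules each time the
# firmware restarts the firewall and re-runs this script.
vpn_guest_rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null
iptables -F $CHAIN
iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -p udp --dport 53 -j ACCEPT
iptables -A $CHAIN -p tcp --dport 53 -j ACCEPT
iptables -A $CHAIN -p icmp --icmp-type echo-request -j ACCEPT
iptables -A $CHAIN -j DROP
iptables -D INPUT -s $VPN_NET -j $CHAIN 2>/dev/null
iptables -I INPUT -s $VPN_NET -j $CHAIN
iptables -D FORWARD -s $VPN_NET -d $LAN_NET -j DROP 2>/dev/null
iptables -I FORWARD -s $VPN_NET -d $LAN_NET -j DROP
EOF
}

# Run each command; eval honours the 2>/dev/null in the generated lines.
apply_rules() {
    vpn_guest_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# The firmware passes the WAN interface as $1; run by hand with no
# argument the script only prints the rules for review.
if [ -n "$1" ]; then
    apply_rules
else
    vpn_guest_rules
fi
```

Samba (445/139), minidlna (8200) and SSDP (1900) from the VPN subnet all end in the chain's final DROP, so no per-service rules are needed, and `iptables -L VPNGUEST -v -n` shows which packets are being dropped.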
 