Block everything from outside (except maybe VPN when I travel)?

Bamsefar

Senior Member
So I have this script that blocks certain countries, and another script that keeps a watch on port scans and such things and blocks IPs that "behave badly".

However, what I realize is that I actually don't need access from external WWW to my router - normally I only allow (a few protocols) traffic from the inside to outside. I do not have a web server or anything like that.

So from a simple point of view:
  1. Block anything from external WWW that tries to connect or something onto my router
  2. Maybe, when I travel, allow my mobile phone (MAC address I guess) to connect over VPN to my router from the country I KNOW (like US) - but this is optional (I'd rather have all closed down than expose my router if that is what it takes)

Any ideas how to do this?
 
Any ideas how to do this?
I've been thinking about it too.
  1. Allow all Internet host traffic for established connections.
  2. Block all Internet hosts who try to connect, when they're coming from the outside.
  3. Use TOR hidden service to access your home router, when you're coming from the outside.
That's all we know.
 
I've been thinking about it too.

1. Allow all Internet host traffic for established connections.
2. Block all Internet hosts who try to connect, when they're coming from the outside.
3. Use TOR hidden service to access your home router.

That's all we know.

Or use something like the port knocking infrastructure/techniques to only open the SSH socket (i.e. other connections are refused before even authenticating) for hosts that signal to do so in some specific way.

That way the router blocks all the ports ("stealth closed" as normal) including SSH except for hosts that know how to open it... probably more secure than MAC address, if a little more hassle, but looking into knockd may contain some handy hints on how to do this even without implementing knocking.

Of course, the problem is that people then rely on knocking or similar obscuring techniques (such as my running SSH on 443) to protect weak passwords ... but I'm sure the OP is smarter than to do that.

--
Tim
 
Here is my INPUT chain, which I think one could minimize somewhat - why go over countries and stuff since, well, no one is allowed anyway:
Code:
admin@RT-AC88U:/tmp/home/root# iptables -L
Chain INPUT (policy ACCEPT)
target  prot opt source  destination
DROP  all  --  anywhere  anywhere  match-set TorNodes src
ACCEPT  all  --  anywhere  anywhere  match-set Whitelist src
DROP  all  --  anywhere  anywhere  match-set BlockedCountries src
DROP  all  --  anywhere  anywhere  match-set Blacklist src
DROP  all  --  anywhere  anywhere  match-set TorNodes src
ACCEPT  all  --  anywhere  anywhere
ACCEPT  udp  --  anywhere  anywhere  udp dpt:1194
logdrop  icmp --  anywhere  anywhere  icmp echo-request
logdrop  all  --  anywhere  anywhere  state INVALID
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
ACCEPT  all  --  anywhere  anywhere  state NEW
ACCEPT  all  --  anywhere  anywhere  state NEW
ACCEPT  udp  --  anywhere  anywhere  udp spt:bootps dpt:bootpc
ACCEPT  icmp --  anywhere  anywhere  icmp !echo-request
logdrop  all  --  anywhere  anywhere
 
Here is my INPUT chain, which I think one could minimize somewhat - why go over countries and stuff since, well, no one is allowed anyway:

Personally, I would put the DROPs after this, for performance reasons:

Code:
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED

That way, you will only check if a packet should be dropped when it first tries to connect to you, not on every single packet that goes in.
 
Thanks RMerlin! I'll change it :)

However, I still wonder if one could do just something like:

Code:
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
or with VPN allowed (and now I am only guessing, so I am most likely very wrong now):
Code:
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
ACCEPT  all  --  anywhere  anywhere
ACCEPT  udp  --  anywhere  anywhere  udp dpt:1194
DROP all -- anywhere anywhere

Even though I wonder what the line with "ACCEPT all -- anywhere anywhere" really does - is it needed (this line and the udp dpt:1194 are added when I turn on VPN, and removed when I turn VPN off)?

I am trying, from time to time, to understand how this all works. Sometimes I make progress (I learn something maybe), but then again - like this with the VPN row above - I seem to get lost....
 
Let me add a few more lines:
Code:
admin@RT-AC88U:/tmp/home/root# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source  destination
  0  0 ACCEPT  all  --  tun21  *  0.0.0.0/0  0.0.0.0/0
  0  0 ACCEPT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp dpt:1194
  0  0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set TorNodes src
 963K  73M ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set Whitelist src
 7240  337K DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set BlockedCountries src
 293K  18M DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set Blacklist src
  0  0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set TorNodes src
  3  196 logdrop  icmp --  eth0  *  0.0.0.0/0  0.0.0.0/0  icmptype 8
 2779  117K logdrop  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state INVALID
 745K  205M ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
 475K  81M ACCEPT  all  --  lo  *  0.0.0.0/0  0.0.0.0/0  state NEW
 9520  436K ACCEPT  all  --  br0  *  0.0.0.0/0  0.0.0.0/0  state NEW
  0  0 ACCEPT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp spt:67 dpt:68
  0  0 ACCEPT  icmp --  *  *  0.0.0.0/0  0.0.0.0/0  icmp !type 8
 1451 87105 logdrop  all  --  *  *  0.0.0.0/0  0.0.0.0/0
 
However, I still wonder if one could do just something like:

Adding your own rule for established and related conntrack states might indeed be simpler than trying to insert your other rules in the middle of the chain.

Even though I wonder what the line with "ACCEPT all -- anywhere anywhere" really does - is it needed (this line and the udp dpt:1194 are added when I turn on VPN, and removed when I turn VPN off)?

That output is non-verbose; you are missing the interface context in that "ACCEPT all all" rule.

The OpenVPN rule gets added/removed whenever you stop or start the OpenVPN server.
 
Code:
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
or with VPN allowed (and now I am only guessing, so I am most likely very wrong now):
Code:
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
ACCEPT  all  --  anywhere  anywhere
ACCEPT  udp  --  anywhere  anywhere  udp dpt:1194
DROP all -- anywhere anywhere
The first might work, but the 2nd will open up for connections from anywhere? And well, VPN for my mobile in one country, yes, that is nice. But I would like to DROP all countries not allowed. Is this doable?
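Here is a worked version of what the thread converges on, added as an example (it is not code from the thread or from Asuswrt-Merlin): RMerlin's ordering advice (put the RELATED,ESTABLISHED ACCEPT first so the drop rules are only consulted for the first packet of a flow) combined with the OP's last question (let the VPN in, but only from allowed countries, and drop everything else from the WAN). The interface names eth0, br0 and tun21 and the OpenVPN port udp/1194 are taken from the iptables output posted above; the ipset name "AllowedVPN" is hypothetical and is assumed to already exist and be populated with the allowed country ranges (for example by the OP's country script). By default the script only prints the commands it would run; set APPLY=1 to actually apply them on the router.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal INPUT chain where conntrack
# ACCEPT comes first and the only new connection accepted from the WAN is an
# OpenVPN handshake from an allowed ipset. Assumed: WAN eth0, LAN bridge br0,
# tunnel tun21, OpenVPN on udp/1194 (from the thread's output), and a
# hypothetical ipset "AllowedVPN" that already holds the allowed ranges.
# By default the commands are printed only; set APPLY=1 to run them.

APPLY="${APPLY:-0}"

# Print or execute one iptables command depending on APPLY.
run() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Build the INPUT rules. $1 = name of the ipset with the allowed VPN sources.
input_rules() {
    allowed_set="${1:-AllowedVPN}"

    # 1. Replies to flows the router already accepted pass first, so every
    #    rule below is evaluated only for the first packet of a connection.
    run -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 2. Loopback and LAN-side (br0) traffic is never subject to WAN filtering.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -i br0 -j ACCEPT

    # 3. Packets conntrack cannot classify are dropped early.
    run -A INPUT -m state --state INVALID -j DROP

    # 4. The single new connection type allowed from the WAN: an OpenVPN
    #    handshake whose source address is in the allowed-country ipset.
    run -A INPUT -i eth0 -p udp --dport 1194 \
        -m set --match-set "$allowed_set" src -j ACCEPT

    # 5. Traffic that already came in through the authenticated tunnel.
    run -A INPUT -i tun21 -j ACCEPT

    # 6. Default: drop all other new connections, from any country.
    run -A INPUT -j DROP
}

input_rules "${1:-AllowedVPN}"
```

Because the country check is attached to the one rule that accepts new WAN connections, a source outside the ipset simply falls through to the final DROP, so there is no need for a separate BlockedCountries set in front of the chain. Run it once with no APPLY to inspect the generated rules, then with APPLY=1 from your firewall script if the order looks right.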
 
