How to block all internet if VPN drops via firewall-start script


9988

New Around Here
Please, can RMerlin or someone else advise me how to use a firewall script to block traffic if the VPN (OpenVPN) drops? I have an Asus RT-AC68U.

I am a noob here...

I created a firewall-start.sh, uploaded it to /jffs/scripts, made it executable, and nothing: unprotected internet traffic is not dropped.

I am very interested in simply stopping all traffic if the VPN drops. I checked that this can be done with a firewall script, but there is so little info online about how to implement it; all I managed to find are scripts for Tomato, but no advice on how to implement this with Merlin firmware.

I looked at the following scripts; they didn't work. I have found 0 advice on how to apply this kind of script for Merlin firmware. These apparently work for Tomato.


Code:
#!/bin/sh
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Code:
#!/bin/sh
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o eth0 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Some help would be greatly appreciated.
 
I simply use the following rule to selectively block either a specific I/P address or a subnet (which could be your entire LAN).

Code:
# Source address or subnet to block (placeholder; no leading $ in an assignment)
IP_RANGE='xxx.xxx.xxx.xxx/nn'

# Drop LAN traffic from that range that would leave directly via the WAN interface
iptables -I FORWARD -i br0 -s "$IP_RANGE" -o eth0 -j DROP

I have a Fibre modem WAN connection, hence the 'eth0' reference above, but if you have PPPoE then substitute 'PPP0' or whatever is appropriate for your connection.

Regards,
 
I have fiber that requires PPPoE over VLAN 3265.

Every time my WAN resets while the OpenVPN client is running, everything is blocked anyway; I assume it is from the routing table OpenVPN set up and because my new WAN IP is different.
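
The LAN-to-WAN DROP rule from the reply above, written as a firewall-start script for Asuswrt-Merlin. This is an added example, not code posted by anyone in the thread. It assumes the firmware passes the WAN interface name as `$1`; the function names, the `IPT` dry-run variable and the `LAN_IF` override are hypothetical helpers introduced here.

```shell
#!/bin/sh
# Added example (not from the thread). Intended location (assumption):
# /jffs/scripts/firewall-start, called with the WAN interface as $1.

IPT="${IPT:-iptables}"   # set IPT=echo to dry-run and only print the rule
LAN_IF="${LAN_IF:-br0}"  # LAN bridge, as used in the thread

# Succeed only if the argument looks like a plain interface name.
valid_if() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Insert a DROP for LAN traffic forwarded straight out of the WAN interface,
# so clients can only reach the internet through the tunnel interface.
# $1 = WAN interface (eth0, vlan2, ppp0, ...), $2 = optional source IP/CIDR.
killswitch() {
    wan_if="$1"; src="${2:-}"
    if ! valid_if "$wan_if"; then
        echo "killswitch: bad WAN interface '$wan_if'" >&2; return 2
    fi
    if [ "$wan_if" = "$LAN_IF" ]; then
        echo "killswitch: WAN and LAN interface are the same" >&2; return 2
    fi
    if [ -n "$src" ]; then
        $IPT -I FORWARD -i "$LAN_IF" -s "$src" -o "$wan_if" -j DROP
    else
        $IPT -I FORWARD -i "$LAN_IF" -o "$wan_if" -j DROP
    fi
}

# Check that the rule is really loaded. Feed it `iptables -S FORWARD` on
# stdin; succeeds only if the unconditional LAN -> WAN DROP for $1 is listed.
has_killswitch() {
    grep -Fqx -- "-A FORWARD -i $LAN_IF -o $1 -j DROP"
}

# When the firmware runs this file, $1 is set and the rule is applied.
if [ -n "${1:-}" ]; then
    killswitch "$1"
fi
```

Asuswrt-Merlin runs the file only if it is named `firewall-start` (no `.sh` extension), is executable, and JFFS custom scripts are enabled. After a firewall restart, `iptables -S FORWARD | has_killswitch eth0` (with your own WAN interface) confirms the rule is in place.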
 
