Menu
What's new
By:
Filters Better Search

Only allow OpenVPN connections to the outside (iptables)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

BryanLee

BryanLee

New Around Here
I have a computer on my local LAN that I wish to only be able to make DNS queries and OpenVPN connections to the outside world, everything else should be dropped. In other words, if it's VPN connection goes down, I want it cut off.

But I'm not sure how to do this... I thought this would work:
Code: 
# iptables -A OUTPUT -p udp -s 192.168.76.7 --dport 53 -j ACCEPT
# iptables -A OUTPUT -p udp -s 192.168.76.7 --dport 1194 -j ACCEPT
# iptables -A OUTPUT -s 192.168.76.7 -j DROP
I entered those manually, and was going to add them to /jffs/scripts/firewall-start

However, entering those didn't work. Well, the first two might be working, but the firewall is definitely not blocking all other traffic.

Here is the output of my iptables -L (before additional rules)
Code: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1194
DROP       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere          
PTCSRVLAN  all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
INPUT_ICMP  icmp --  anywhere             anywhere          
DROP       all  --  anywhere             anywhere          

Chain FORWARD (policy DROP)
target     prot opt source               destination        
ipttolan   all  --  anywhere             anywhere          
iptfromlan  all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere          
DROP       all  --  anywhere             anywhere          
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere          
NSFW       all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
ACCEPT     all  --  anywhere             anywhere          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain ACCESS_RESTRICTION (0 references)
target     prot opt source               destination        

Chain FUPNP (0 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             gallifrey.ragon.org  tcp dpt:13945
ACCEPT     udp  --  anywhere             gallifrey.ragon.org  udp dpt:13945

Chain INPUT_ICMP (1 references)
target     prot opt source               destination        
RETURN     icmp --  anywhere             anywhere             icmp echo-request
RETURN     icmp --  anywhere             anywhere             icmp timestamp-request
ACCEPT     icmp --  anywhere             anywhere          

Chain NSFW (1 references)
target     prot opt source               destination        

Chain PControls (0 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          

Chain PTCSRVLAN (1 references)
target     prot opt source               destination        

Chain PTCSRVWAN (1 references)
target     prot opt source               destination        

Chain SECURITY (0 references)
target     prot opt source               destination        
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
DROP       icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere          

Chain iptfromlan (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.76.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.76.0/255.255.255.0 name: lan

Chain ipttolan (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.76.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.76.0/255.255.255.0 name: lan

Chain logaccept (0 references)
target     prot opt source               destination        
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere          

Chain logdrop (0 references)
target     prot opt source               destination        
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all  --  anywhere             anywhere

Can anyone help?
 
BryanLee said:
I have a computer on my local LAN that I wish to only be able to make DNS queries and OpenVPN connections to the outside world, everything else should be dropped. In other words, if it's VPN connection goes down, I want it cut off.
Click to expand...
The FORWARD chain is for traffic passing through the router. The OUTPUT chain is for traffic that originates at the router itself. Try this?

/jffs/scripts/firewall-start
Code: 
#!/bin/sh
# iptables -I FORWARD -s 192.168.76.7 -j DROP
# iptables -I FORWARD -i br0 -p udp -s 192.168.76.7 --dport 1194 -j ACCEPT
# iptables -I FORWARD -i br0 -p udp -s 192.168.76.7 --dport 53 -j ACCEPT
 
Fitz Mutch said:
The FORWARD chain is for traffic passing through the router. The OUTPUT chain is for traffic that originates at the router itself. Try this?

/jffs/scripts/firewall-start
Code: 
#!/bin/sh
# iptables -I FORWARD -s 192.168.76.7 -j DROP
# iptables -I FORWARD -i br0 -p udp -s 192.168.76.7 --dport 1194 -j ACCEPT
# iptables -I FORWARD -i br0 -p udp -s 192.168.76.7 --dport 53 -j ACCEPT
Click to expand...

Works great, thank you! Both the rules, and the startup script (after enabling scripts in the web gui).
 
You must log in or register to reply here.

Similar threads

F
Understanding IPTABLES - asus ROG ax6000
Replies
17
Views
873
ColinTaylor
C
v.y.k
iptables pkts & bytes numbers are too low on Merlin 3004.388
Replies
13
Views
1K
v.y.k
v.y.k
L
merlin default iptables. why are there strange logdrops for specific pattens and ips?
Replies
3
Views
1K
ColinTaylor
C
N
Skynet SkyNet/Firewall blocking all ping requests, including outbound
Replies
6
Views
926
nearlyheadlessarvie
N
A
Policy-based port routing to bypass NordVPN client
Replies
10
Views
2K
Don->
D
Similar threads
Thread starter Title Forum Replies Date
N IPv6 6RD tunnel block/allow by mac/IP Asuswrt-Merlin 3
A How to allow incoming WAN connections for WireGuard clients? Asuswrt-Merlin 5
postoronnim-v How to prevent WireGuard VPN server clients from accessing the local network (allow only Internet access)? Asuswrt-Merlin 18
B Asus - RT-AX88U - USB Application - Network Place (Samba) Share / Cloud Disk - Problem when enabling Allow guest login Asuswrt-Merlin 4
N How to allow different VPN clients ping each other? Asuswrt-Merlin 5
S Prevent client from connecting to router but allow connection to internet via access point Asuswrt-Merlin 4
M Allow admin web GUI access on another interface (tailscale0) Asuswrt-Merlin 0
PR3MIUM WireGuard removing OpenVPN on ASUS Routers ? Asuswrt-Merlin 2
T [Help] Problems setting up OpenVPN Asuswrt-Merlin 7
N dedicated router for OpenVPN Asuswrt-Merlin 4

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 751 (members: 26, guests: 725)
Top