What's new

Only allow OpenVPN connections to the outside (iptables)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

BryanLee

New Around Here
I have a computer on my local LAN that I wish to only be able to make DNS queries and OpenVPN connections to the outside world, everything else should be dropped. In other words, if it's VPN connection goes down, I want it cut off.

But I'm not sure how to do this... I thought this would work:
Code:
# iptables -A OUTPUT -p udp -s 192.168.76.7 --dport 53 -j ACCEPT
# iptables -A OUTPUT -p udp -s 192.168.76.7 --dport 1194 -j ACCEPT
# iptables -A OUTPUT -s 192.168.76.7 -j DROP
I entered those manually, and was going to add them to /jffs/scripts/firewall-start

However, entering those didn't work. Well, the first two might be working, but the firewall is definitely not blocking all other traffic.

Here is the output of my iptables -L (before additional rules)
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1194
DROP       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere          
PTCSRVLAN  all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
INPUT_ICMP  icmp --  anywhere             anywhere          
DROP       all  --  anywhere             anywhere          

Chain FORWARD (policy DROP)
target     prot opt source               destination        
ipttolan   all  --  anywhere             anywhere          
iptfromlan  all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere          
DROP       all  --  anywhere             anywhere          
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere          
NSFW       all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
ACCEPT     all  --  anywhere             anywhere          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain ACCESS_RESTRICTION (0 references)
target     prot opt source               destination        

Chain FUPNP (0 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             gallifrey.ragon.org  tcp dpt:13945
ACCEPT     udp  --  anywhere             gallifrey.ragon.org  udp dpt:13945

Chain INPUT_ICMP (1 references)
target     prot opt source               destination        
RETURN     icmp --  anywhere             anywhere             icmp echo-request
RETURN     icmp --  anywhere             anywhere             icmp timestamp-request
ACCEPT     icmp --  anywhere             anywhere          

Chain NSFW (1 references)
target     prot opt source               destination        

Chain PControls (0 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          

Chain PTCSRVLAN (1 references)
target     prot opt source               destination        

Chain PTCSRVWAN (1 references)
target     prot opt source               destination        

Chain SECURITY (0 references)
target     prot opt source               destination        
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
DROP       icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere          

Chain iptfromlan (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.76.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.76.0/255.255.255.0 name: lan

Chain ipttolan (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.76.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.76.0/255.255.255.0 name: lan

Chain logaccept (0 references)
target     prot opt source               destination        
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere          

Chain logdrop (0 references)
target     prot opt source               destination        
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all  --  anywhere             anywhere

Can anyone help?
 
I have a computer on my local LAN that I wish to only be able to make DNS queries and OpenVPN connections to the outside world, everything else should be dropped. In other words, if it's VPN connection goes down, I want it cut off.
The FORWARD chain is for traffic passing through the router. The OUTPUT chain is for traffic that originates at the router itself. Try this?

/jffs/scripts/firewall-start
Code:
#!/bin/sh
# iptables -I FORWARD -s 192.168.76.7 -j DROP
# iptables -I FORWARD -i br0 -p udp -s 192.168.76.7 --dport 1194 -j ACCEPT
# iptables -I FORWARD -i br0 -p udp -s 192.168.76.7 --dport 53 -j ACCEPT
 
The FORWARD chain is for traffic passing through the router. The OUTPUT chain is for traffic that originates at the router itself. Try this?

/jffs/scripts/firewall-start
Code:
#!/bin/sh
# iptables -I FORWARD -s 192.168.76.7 -j DROP
# iptables -I FORWARD -i br0 -p udp -s 192.168.76.7 --dport 1194 -j ACCEPT
# iptables -I FORWARD -i br0 -p udp -s 192.168.76.7 --dport 53 -j ACCEPT

Works great, thank you! Both the rules, and the startup script (after enabling scripts in the web gui).
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top