Prevent LAN access from OpenVPN

I am sorry if my vastly inferior IQ offended you in any way as to receive such a brisk and firm answer...
That wiki does not describe what exactly to specify in the scripts.
Nor is there any mention of how to access the scripts or filesystem.
Perhaps it is written with a user in mind who has more specific knowledge about the workings.
For me it is not enough really. I need more of the basics explained.
 
Ok,

So I have figured out some of the bits.
I use Interarchy to access the router; all scripts are located at /jffs/scripts.
You have to enable SSH and JFFS scripts, and format this partition twice and reboot before you can access this.
This is done in the AC87 RMerlin web GUI.

This: https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts explains the various events used to hook your scripts onto.
It is however unclear as to how it does this.
Do I have to name the file like this, and if so what is the extension, or create a folder with this name?

Then there is the issue of what should be put in it.
Apparently it should start with this:
#!/bin/sh
It also mentions that you should perhaps run it manually first to test it. Do you do that by entering this in Terminal?

Now for the actual content.
This post here:
http://www.snbforums.com/threads/prevent-lan-access-from-openvpn.20058/#post-146272
and post #17 display more insight on this.

But ... how do I actually do this?
What lines do I have to enter to block all traffic from one OpenVPN server (not both) to the intranet?

Because I read the F..king Manual as someone above suggested but this is not really described and I cannot figure it out.
 
Ok,

After the overwhelming response on this topic I went forward and tried some more.
Interarchy is also buggy since it crashed every time I tried to do something with scp such as deleting a file.

Anyway I managed to do it with Terminal.

So now I have a file at the proper location and there is something in it (/jffs/scripts/firewall-start).
And I used chmod to make it executable.
The router also parses it since it displays the log lines in the System Log pane.

But my router does not keep clients that enter my LAN through the second VPN server from accessing the intranet.
Contents of the file:
Code:
#!/bin/sh

# Output message to system log.
logger -t "($(basename "$0"))" "$$ Firewall customization starting... $0${*:+ $*}."

# Drop routed traffic from the second OpenVPN server's client subnet to the LAN.
iptables -I FORWARD -s 10.8.1.0/24 -d 192.168.168.1/24 -j DROP

# Output message to system log.
logger -t "($(basename "$0"))" "$$ Firewall customization ending... $0${*:+ $*}."

Can somebody tell me what to enter to get this working?

Btw: my router operates on 192.168.168.1, the to-be-blocked OpenVPN server subnet is on 10.8.1.0.
The other one is on 10.8.0.0.
 
Ok, After the overwhelming response on this topic I went forward and tried some more.

I've felt the same way about the scripts, the wiki is certainly not a step-by-step tutorial. Please continue to share what you learn and if you get this working.
 
Ok,

So I have fixed it!
The rule listed above is correct and in the correct place/file.
However I remembered having read something about Windows vs Unix line endings.
And I deleted any spaces and newlines between the statement and the logging line.
Now it runs properly.

The way I checked it was by checking through Terminal what iptables entries there were: iptables -L.
This will list all entries including any you created.
Since mine wasn't in the list I figured something went wrong parsing it, because the log entries indicated the file itself was parsed.
So I pasted the line from my file in Terminal and reran the -L and there it was.
And indeed it started working.
As I said, I edited my file, re-uploaded, rebooted, and now it's working.

Only problem I have now is that I can still access my router's page.
Does anybody know why?

Btw here is some info on iptables: http://explainshell.com/explain/8/iptables
 
I've felt the same way about the scripts, the wiki is certainly not a step-by-step tutorial. Please continue to share what you learn and if you get this working.

I'm afraid I would have to disagree.

I learnt what little I know about scripting entirely from the Wiki and from examples posted in the forum - in fact the simple LEDs ON/OFF examples on the Wiki were the first I personally attempted/implemented!

e.g. Here is a very good example of the simple steps (without downloading additional compatible editing software) required to create a script using cut'n'paste...say from the Wiki
P.S. I searched the forum for 'tutorial'!

http://www.snbforums.com/threads/wan-connect-and-disconnect-using-script.11232/page-2#post-185023

So physically creating a script shouldn't take anyone over a week, but coding it will take time for complex problems or requirements!
 
Perfect way to get a response! I couldn't resist your sarcastic opening line in post #23:

'the overwhelming response on this'

Hmmm, wonder why that is?

Possibly because shamelessly bumping your own post is (in my view) considered bad forum etiquette.
Forum members will reply if they have relevant advice/experience about your issue or if they have the time to enter into a protracted dialogue.

So really this must be a record, over a week to create a 2 line firewall-start script given that all the information provided was clearly provided to you in post #18 etc.

Q. Do you still stand by your 'glowing' (aka negative) review of the Wiki?

"That wiki does not describe what exactly to specify in the scripts.
Nor is there any mentioning of how to access the scripts or filesystem."


as I'm sure that must make RMerlin and the other generous/knowledgeable contributors to the Wiki feel really rewarded for their efforts.

e.g. On the very Wiki page that I initially tersely referred you to, RMerlin wrote:

Creating scripts

Don't forget to set any script you create as being executable:

chmod a+rx /jffs/scripts/*

And like any Linux script, they need to start with a shebang:

#!/bin/sh

Also, you must save files with a UNIX encoding.
Note that Windows's Notepad cannot save with a UNIX encoding - get Notepad++ instead.
You can also directly edit it on the router through vi (included in the firmware) or nano (available through Optware/Entware)
to ensure that your scripts are saved in a valid format.

Hmm, could have saved you a lot of trouble eh?

Anyway, now that you have shown everyone how clever YOU are with iptables, for your latest plea, perhaps you need a DROP rule on the INPUT chain from tun1x to the router?
but you would see that on the output of the iptables query - right?

Code:
iptables -L -nv --line

...but hey, what do I know...?


PEBKAC4MACU
 
Quote:
Perfect way to get a response! I couldn't resist your sarcastic opening line in post #23:

Well perhaps my response was fueled by the simple comment Read The F.cking Manual. Not everybody likes a first response to include swearing.

'the overwhelming response on this'

Hmmm, wonder why that is?

Possibly because shamelessly bumping your own post is (in my view) considered bad forum etiquette.
What you call shamelessly bumping was just me describing my process of finding this out as I go along, so that other people might benefit from it.
Forum members will reply if they have relevant advice/experience about your issue or if they have the time to enter into a protracted dialogue.
I don't expect anything more.
So really this must be a record, over a week to create a 2 line firewall-start script given that all the information provided was clearly provided to you in post #18 etc.
As I said before I had no experience in writing scripts/using Terminal/SSH, all of that. And what made you think I spent an entire week on this? I do have a life, just as you yourself have said.

Q. Do you still stand by your 'glowing' (aka negative) review of the Wiki?

"That wiki does not describe what exactly to specify in the scripts.
Nor is there any mentioning of how to access the scripts or filesystem."

It was not meant as criticism towards RMerlin or others, just stating that it was not clear enough to be useful to me.
It is in my view written by someone who has day-to-day experience with the topics described, and as such might have overlooked bits and pieces that might be overwhelming to newbies. Two lines is hardly a glowing review, but perhaps we see things differently.


as I'm sure that must make RMerlin and the other generous/knowledgeable contributors to the Wiki feel really rewarded for their efforts.
There are more ways than one to say thank you, and even though you might think otherwise I appreciate the effort put into it.

e.g. On the very Wiki page that I initially tersely referred you to, RMerlin wrote:
Yes I have read that and later it made sense to me.


Hmm, could have saved you a lot of trouble eh?

Anyway, now that you have shown everyone how clever YOU are with iptables, for your latest plea, perhaps you need a DROP rule on the INPUT chain from tun1x to the router?
but you would see that on the output of the iptables query - right?
I have not shown how clever I am with iptables. If that were true I would not have written any of these posts. Like many I get my knowledge from googling and as such value posts and people who contribute to their initial question with answers, so that others who stumble upon them find the answers besides the questions. There are more questions on the internet than there are answers.
My question in that post was just that, a question, and if someone wanted to answer that would be great. If not, no harm done. And if I found the time to find it out for myself I would have come back and added another post just to add that information as well.

Code:
iptables -L -nv --line

...but hey, what do I know...?
A lot more than me on this subject, that is clear. It is a pity that you see my posts and comments in such a negative way.

PEBKAC4MACU
End quote

Rgrds Mike
 
OK, let's see if I can work that out... please bear in mind that I am not a firewall rules instructor :D

I think you need an INPUT rule (and as you proved, a FORWARD rule has no effect), because:

FORWARD rules apply to communication *between* interfaces or IP networks.
This is where routing takes place.
The gateway (router) hosting the interfaces is responsible for routing between networks, but its OS is a destination on these networks too.

Your VPN clients are on their own network and their gateway is associated with the tunX interface in the router.
Your ISP network is associated with the wan interface.
Your home LAN is associated with the eth0/lan/br0 interface (br0 links the wlan side).

So your router has multiple interfaces at the same time.
These interfaces with different IPs have the same endpoint... the local OS of the router (with the gateway address of that network associated with the local interface).
The UI is available on dedicated ports on *all* interfaces (if not specifically set to LAN only).
Packets to one of these interfaces do not need routing locally.
So a packet to the router OS itself, e.g. to the UI, from the tun side to the LAN side does not need to get routed.
The packet is "already there, at its destination" when it reaches the tunX IF and no FORWARD rule gets applied... unlike for other computers/destinations on your LAN.

...rules using interfaces instead of networks/IPs:
You can base rules on interfaces (-i parameter) or networks (IP).
As an interface is associated with an IP (or more IPs if part of multiple networks), rules for IPs also inherit (partly) a rule for the interface(s).
A rule for an interface however will work regardless of the IPs/networks associated with it.
So yes, a rule with "-i tun+" will block *all* traffic from *all* tun IFs (the "+" is a wildcard).
Your rule, based on the network of one VPN server, inherits the *one* tunX interface in its rule... but not *all* tunX.

Awesome thread! Solved my needs by adding 2 lines to /jffs/scripts/firewall-start:
iptables -I FORWARD -s 10.8.0.0/24 -d 192.168.2.0/24 -j DROP
iptables -I INPUT -s 10.8.0.0/24 -d 192.168.2.0/24 -j DROP
Where 10.8.0.0 is the VPN subnet to be restricted and 192.168.2.0 is the LAN.

Thanks to those who contributed to the answer.
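As an added example (not a script posted in this thread), here is a complete /jffs/scripts/firewall-start that applies the FORWARD-plus-INPUT approach the thread arrives at for one OpenVPN server's client subnet, and only adds each rule if it is not already present, since the firmware re-runs this script every time the firewall restarts. The subnets, the function names and the `*/firewall-start` path check are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not a script from the thread: a /jffs/scripts/firewall-start
# that blocks the clients of ONE OpenVPN server from the LAN (FORWARD chain)
# and from the router's own web UI/SSH on its LAN address (INPUT chain).
# The subnets below are constructed samples; adjust them to your own network.
VPN_SUBNET="10.8.1.0/24"        # clients of the OpenVPN server to restrict
LAN_SUBNET="192.168.168.0/24"   # LAN behind the router (router itself is .1)

# Emit one rule specification per line: "<chain> <match> -j DROP".
# Kept separate from applying so the rules can be reviewed on any machine.
vpn_block_rules() {
    vpn="$1"; lan="$2"
    # FORWARD: packets routed from VPN clients to other hosts on the LAN.
    echo "FORWARD -s $vpn -d $lan -j DROP"
    # INPUT: packets addressed to the router's own LAN address never pass
    # FORWARD (they are already at their destination), so they need their own rule.
    echo "INPUT -s $vpn -d $lan -j DROP"
}

# Insert each rule at the top of its chain unless it is already present.
# The firmware re-runs firewall-start on every firewall restart, so without
# the -C check identical rules would accumulate in the chains.
apply_rules() {
    tag="$(basename "$0")"
    vpn_block_rules "$1" "$2" | while read -r spec; do
        # $spec is intentionally unquoted: iptables needs the words split.
        if iptables -C $spec 2>/dev/null; then
            logger -t "$tag" "already present: iptables -I $spec"
        else
            iptables -I $spec && logger -t "$tag" "added: iptables -I $spec"
        fi
    done
}

# Only touch the firewall when the firmware runs this file as firewall-start;
# run anywhere else (e.g. on a PC) it just prints the rules it would add.
case "$0" in
    */firewall-start) apply_rules "$VPN_SUBNET" "$LAN_SUBNET" ;;
    *) vpn_block_rules "$VPN_SUBNET" "$LAN_SUBNET" ;;
esac
```

After a firewall restart, `iptables -L FORWARD -nv --line-numbers` and `iptables -L INPUT -nv --line-numbers` should each show the DROP rule once, at line 1 of its chain.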