
Restrict PPTP Access & LAN Access

TomT

Regular Contributor
Hi.
My son connects via PPTP VPN from uni to my LAN.

Is there any way I can restrict what internal IP addresses he can access?
He has a NAS set up here and that is all he needs access to.

I'd also like to add an iptables rule to block access to the VPN from all IP addresses except his flat and uni.
So the rule would need to be based on the first three octets of his public IP address.

Any ideas ?
Thanks
 
Anyone have any idea how to do this?
I've set the router to only give one IP to the VPN user, so I know what address he will be coming from.

How do I restrict it so he can only go to one address on the LAN?

Thx
 
Thoughts here - box up his NAS and send it to him, and cut off his PPTP/VPN access into your network...

By having a VPN tunnel from the university LAN to your LAN, you're opening yourself up to a lot of problems that you basically don't need to have...
 
I don't know how on an ASUS router, maybe IPtables.

On my router I create one ACL, access control list. The ACL would be an allow statement with your son's source IP address and the destination of your NAS with an implied Deny Deny for all other.
 
Turning his NAS off is not an option. :(

Is it possible to create an iptables rule that routes everything from x.x.x.x to y.y.y.y regardless of where x.x.x.x attempts to go?

In my case x.x.x.x would be his VPN IP address and y.y.y.y would be his NAS.

Thanks
 
Hi Colin

AC68U running firmware 378.54_2

I will always know what his VPN IP address (x.x.x.x) will be and where I want it to have access to (y.y.y.y).

Thanks
 
Would running OpenVPN make this easier?
If it will, I can do that, but what do I need to configure to only allow access to one IP address on the LAN?
 
Hi Tom,

I've been trying to get this to work with limited success. My main problem is that the only way I can test it is by using my mobile phone and it only has intermittent 3G connectivity where I am!

Anyway, here's my theory.

To restrict access to 1 IP on your network you need to modify /tmp/pptpd/ip-up and /tmp/pptpd/ip-down.

In ip-up change:

iptables -I INPUT -i $1 -j ACCEPT
iptables -I FORWARD -i $1 -j ACCEPT


to

iptables -I INPUT -i $1 -p udp -m udp --dport 53 -j ACCEPT
iptables -I FORWARD -i $1 -d 192.168.1.50 -j ACCEPT


and in ip-down change:

iptables -D INPUT -i $1 -j ACCEPT
iptables -D FORWARD -i $1 -j ACCEPT


to

iptables -D INPUT -i $1 -p udp -m udp --dport 53 -j ACCEPT
iptables -D FORWARD -i $1 -d 192.168.1.50 -j ACCEPT


where 192.168.1.50 is the destination IP address.

The INPUT chain is for traffic terminating on the router. You either need to remove the rule completely (disable all router access) or only allow DNS requests as I have done.

The FORWARD chain is where you restrict access to the rest of your LAN.

To restrict VPN access to a specific source you will have to modify the existing firewall rules. You can't modify the pptpd interface rules because as far as it is concerned everything is coming from 192.168.10.2.

It seems to work but like I said, I'm having trouble testing it.

Regards

I don't know about OpenVPN as I don't use it.

UPDATE: Fixed error in DNS lookup
 
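A worked version of the ip-up/ip-down change described above, added here as an example; it is not code from the thread or from the firmware. It keeps the same model (DNS to the router, one LAN destination, rules keyed on the session interface passed as $1) and assumes the NAS is 192.168.1.50. The script name pptp-session.sh, the DRY_RUN switch and the logging rule are my additions. It differs from the rules above in two ways a practitioner will want: every session gets explicit DROP rules after its allows, so the restriction does not depend on what the rest of the firmware's INPUT and FORWARD chains do with unmatched tunnel traffic, and the rules are issued in reverse order, because each -I lands at the top of the chain.

```shell
#!/bin/sh
# pptp-session.sh up|down IFACE   (added example; script name is assumed)
# Per-session firewall rules for one PPTP client: the tunnel may reach the
# NAS and the router's DNS, nothing else. Assumptions: NAS at 192.168.1.50,
# session interface handed in as $1 by /tmp/pptpd/ip-up and ip-down.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands; set to 0 on the router
NAS_IP="${NAS_IP:-192.168.1.50}"   # assumed NAS address

# Run iptables, or in dry-run mode print the exact command instead.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# pptp_session_rules up|down IFACE
# "up" inserts (-I) and "down" deletes (-D) the same rule list, so ip-down
# removes exactly what ip-up added and no ACCEPT survives a dropped session.
# Each -I lands at the top of its chain, so the rules are issued in reverse
# order: DROP first, allows last, leaving allow -> log -> drop in the chain.
pptp_session_rules() {
    case "$1" in
        up)   op=-I ;;
        down) op=-D ;;
        *)    echo "usage: pptp_session_rules up|down IFACE" >&2; return 2 ;;
    esac
    iface="$2"
    [ -n "$iface" ] || { echo "missing interface" >&2; return 2; }

    # Through the router (FORWARD): anything from the tunnel that is not
    # allowed below is logged (rate limited) and dropped, whatever later
    # rules in the chain would have done with it.
    ipt "$op" FORWARD -i "$iface" -j DROP
    ipt "$op" FORWARD -i "$iface" -m limit --limit 5/min -j LOG --log-prefix "pptp-deny: "
    # Replies from the NAS back into the tunnel; the NAS cannot open new
    # connections toward the client.
    ipt "$op" FORWARD -o "$iface" -s "$NAS_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Connections from the tunnel to the NAS only.
    ipt "$op" FORWARD -i "$iface" -d "$NAS_IP" -m state --state NEW,ESTABLISHED -j ACCEPT

    # To the router itself (INPUT): DNS only, then drop.
    ipt "$op" INPUT -i "$iface" -j DROP
    ipt "$op" INPUT -i "$iface" -p udp -m udp --dport 53 -j ACCEPT
}

# Entry point when called from the pptpd scripts:
#   /jffs/scripts/pptp-session.sh up "$1"     (appended to /tmp/pptpd/ip-up)
#   /jffs/scripts/pptp-session.sh down "$1"   (appended to /tmp/pptpd/ip-down)
if [ $# -ge 2 ]; then
    pptp_session_rules "$1" "$2"
fi
```

Run it with DRY_RUN=1 on a workstation first and read the printed rule list; with DRY_RUN=0 on the router it applies the same list. Because the firmware's own ip-up inserts its broad ACCEPT rules before the appended hook runs, and the hook's -I rules go in above them, the DROP rules here take precedence; the hook must receive the session interface as "$1", so append the call with its argument rather than the bare script path.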
Sorry - I've never had a chance to test this as my router started having issues around the new year.
I've reset it and it's now happy again, so I will be looking at this in the next few days.

I can test via 4G or get my son to do it from UNI. I'll let you know how I get on.
Thanks
 
Another quick thought: as well as restricting access to one LAN device, can I restrict PPTP connections to a specific IP range?

e.g. only allow connections if they are from the x.x.x.x range?

Thanks
 
Hi Colin
I've applied the rules to ip-up & ip-down and I am now restricted to one device :D
Do I need to add the rules to any other files or are they OK in /tmp/pptpd?

Finally, where do I edit the rule for access restriction?
iptables shows:

ACCEPT tcp -- anywhere anywhere tcp dpt:1723

I assume I want to add a source range to this? How?
Thanks for your help :D
 
Hi Tom,

You'll have to replace the existing iptables rule with one that restricts the source. Something like this:

iptables -D INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
iptables -I INPUT 3 -i eth0 -p tcp -m tcp -s 111.222.333.444 --dport 1723 -j ACCEPT


This change along with the ones to ip-up/ip-down are only temporary and will be lost when the router is rebooted (maybe also when you make changes in the GUI). So you'll need to create a custom script that applies the changes automatically. I'll let you read about it here (https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files) and decide for yourself how you want to do that. ;)
 
I'm assuming I need to do something similar to this:
create services-start in /jffs/scripts/ containing the following to update the ip-up & ip-down scripts
(ip-up_new & ip-down_new contain my amended code).

Code:
#!/bin/sh

/usr/bin/logger -t "($(basename $0))" $$ "Post-conf Starting ..... [$@]"

# Hook the amended rules into the pptpd scripts. The hook scripts take the
# session interface from $1, so the ip-up/ip-down arguments must be passed
# through with "$@"; a bare script path would run the hook with an empty $1.

/usr/bin/logger -t "($(basename $0))" $$ "Modifying PPTP /tmp/pptpd/ip-up script....."

echo '/jffs/scripts/ip-up_new.sh "$@"' >> /tmp/pptpd/ip-up
echo '/jffs/scripts/ip-down_new.sh "$@"' >> /tmp/pptpd/ip-down

/usr/bin/logger -t "($(basename $0))" $$ "Post-conf complete ....."

and a new firewall-start containing the following, which removes the entry for the VPN connection from anywhere and replaces it with a fixed range.

Code:
#!/bin/sh

/usr/bin/logger -t "($(basename $0))" $$ "Firewall rules update... [$@]"

/usr/bin/logger -t "($(basename $0))" $$ "Modifying PPP0 Remove ALL Source..."
iptables -D INPUT -i ppp0 -p tcp -m tcp --dport 1723 -j ACCEPT

/usr/bin/logger -t "($(basename $0))" $$ "Modifying PPP0 Add Source ..."
iptables -I INPUT 7 -i ppp0 -p tcp -m tcp -s xxx.xxx.xxx.xxx/24 --dport 1723 -j ACCEPT

/usr/bin/logger -t "($(basename $0))" $$ "Firewall rules complete ....."

Does that look about right?
Thanks
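An alternative to deleting the firmware's tcp/1723 rule and re-inserting it at a fixed position, added here as an example; it is not the thread's code or the firmware's. Rule positions such as "INPUT 7" shift with firmware version and GUI settings, so this version puts the allowed sources in a private chain and hangs one jump off the top of INPUT, which can be rerun from firewall-start on every WAN restart without stacking duplicates. Assumptions: the WAN interface is ppp0 as in the thread; the chain name PPTP_SRC, the script name pptp-source.sh and the DRY_RUN switch are mine; the two networks are RFC 5737 documentation addresses standing in for the flat and the university. It also covers GRE (IP protocol 47), which PPTP uses to carry the tunnel alongside TCP 1723, and validates each network before touching iptables, so a placeholder like 111.222.333.444 aborts the script instead of leaving the rule set half applied.

```shell
#!/bin/sh
# pptp-source.sh   (added example; script name is assumed, for /jffs/scripts/firewall-start)
# Limit who may talk to the PPTP service to the listed networks, on both
# TCP 1723 (control channel) and GRE / IP protocol 47 (tunnel carrier).

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands; set to 0 on the router
WAN_IF="${WAN_IF:-ppp0}"          # WAN interface as used in the thread
CHAIN="${CHAIN:-PPTP_SRC}"        # private chain, so firmware rule numbers never matter
# Allowed client networks (constructed placeholders, RFC 5737 ranges):
ALLOW_NETS="${ALLOW_NETS:-198.51.100.0/24 203.0.113.7}"

# Run iptables, or in dry-run mode print the exact command instead.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# valid_net A.B.C.D[/N]: true only for a well-formed IPv4 address or prefix.
# Catches typos and placeholders such as 111.222.333.444 before iptables
# does, so a bad entry aborts the script rather than applying half a policy.
valid_net() {
    addr="${1%%/*}"
    pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32                  # no "/N": single host
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Build the private chain and hang one jump per PPTP protocol off the top of
# INPUT. Rerunnable: the chain is flushed and the jumps deleted before being
# re-added, so firewall-start can call this after every WAN reconnect.
pptp_source_rules() {
    for n in $ALLOW_NETS; do
        valid_net "$n" || { echo "pptp-source: bad network '$n'" >&2; return 1; }
    done
    ipt -N "$CHAIN" 2>/dev/null                  # fails harmlessly if it already exists
    ipt -F "$CHAIN"
    for n in $ALLOW_NETS; do
        ipt -A "$CHAIN" -s "$n" -j ACCEPT
    done
    # Everyone else: log (rate limited) so probes are visible, then drop.
    ipt -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "pptp-src-deny: "
    ipt -A "$CHAIN" -j DROP
    # Position 1 puts the jump ahead of the firmware's accept-from-anywhere
    # rule whatever position that rule currently holds.
    for spec in "-p tcp --dport 1723" "-p 47"; do
        ipt -D INPUT -i "$WAN_IF" $spec -j "$CHAIN" 2>/dev/null
        ipt -I INPUT 1 -i "$WAN_IF" $spec -j "$CHAIN"
    done
}

# Entry point: "pptp-source.sh apply" from firewall-start applies the policy.
if [ "$1" = apply ]; then
    pptp_source_rules
fi
```

Two caveats worth stating. A "/24" entry, i.e. matching only the first three octets as the thread proposes, admits every other host in that block, which on a consumer ISP is a neighbourhood of strangers; a /32 per known address is tighter, and a dynamic home address will need updating. And source filtering only limits who can try: PPTP's MS-CHAPv2 authentication is known to be breakable offline, so the move to OpenVPN mentioned elsewhere in this thread is the fix for the remaining exposure.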
 
If I could get away with that I would!!

I'm trying to move him to an OpenVPN connection, hopefully in the next couple of weeks when he finishes some exams.
 
Know what you're going through, been there myself...

we want to support them, but at some point, they need to get out of the nest, eh?
 
