Asus RT-AC68U Traffic Blocking Question specific IP and VPN on top of that
- Thread starter Dee dee
- Start date
Martineau
Part of the Furniture
Abject apologies
I was overzealous in splitting the original firewall-start functionality into the correct separate logical scripts
i.e. the firewall may be (re)started at anytime (meaning that the firewall-start script may be executed several times), so it would be prudent to move the creation of the IPSET to init-start which only fires once.
However, init-start executes before the WAN is up, so at this point (if the dnsmasq 'ipset=' directive isn't used) then extracting the IP's associated with a domain will obviously fail.
NOTE: Ideally, you would periodically save the contents of IPSET Valid_VPN_IP to a disk accessible to the router (such as Entware's /opt file-system), and simply restore it during the boot process in say script post-mount.
(I have updated the scripts in post #10)
Currently 192.168.1.26 (only if forced through the VPN) should only be able to open in a web browser 'snbforums.com' or 'reddit.com'?
Regardless if 192.168.1.26 can PING 'cnn.com' , can 192.168.1.26 actually open 'cnn.com' in a browser?
You should provide the output (enclosed in code tags) from the following diagnostic/debugging commands
Code:
iptables --line -t filter -nvL FORWARD
iptables --line -t mangle -nvL PREROUTING
ip rule
grep Valid_VPN_IP /etc/dnsmasq.conf
grep Valid_VPN_IP /jffs/configs/dnsmasq.conf.add
ipset list Valid_VPN_IP
Last edited:
Martineau,
Image attached.
Here is where I am confused.
If i remove the following lines from firewall-start (which I would like to do)
Does that mean "I" would define when the traffic woud route through the vpn not the rules?
Also if i am able to actually ping cnn.com, does that mean the device can send data to cnn.com (or any other domain) via a API request instead of standard TCP request for port 80, but I just wouldn't see it but the data would be being sent.
Im sorry for all these questions but I just wanted to do this right.
Image attached.
Here is where I am confused.
If i remove the following lines from firewall-start (which I would like to do)
Code:
VPN_ID=1 # VPN Client 3
VPN_FWMARK="0x1000/0x1000" # 0x1000=VPN 1, 0x2000=VPN 2, 0x4000=VPN 1, 0x4000=VPN 3,
IPSET_NAME="Valid_VPN_IP"
iptables -t mangle -D PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK 2>/dev/null
iptables -t mangle -A PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARKDoes that mean "I" would define when the traffic woud route through the vpn not the rules?
Also if i am able to actually ping cnn.com, does that mean the device can send data to cnn.com (or any other domain) via a API request instead of standard TCP request for port 80, but I just wouldn't see it but the data would be being sent.
Im sorry for all these questions but I just wanted to do this right.
Attachments
Martineau
Part of the Furniture
When supplying command output, don't use an image, simply copy and paste the relevant text from the terminal into dialog box
allowing members to construct a relevant reply by only copying the relevant text.
The rules would only apply if the original criteria you want are still a requirement, so you would only need to remove the rules if you change your mind as is your prerogative.
The PING protocol icmptype 8/0 is not the same as TCP 80/443 and in some rules need to be explicitly specified, but the blocking rules I provided defaults to ALL protocols.
However,
1. 192.168.1.26 is not forced through an ACTIVE VPN so is using the WAN, since you have not enabled a VPN KILL-switch.
2. There are no firewall BLOCKING rules for 192.168.1.26 to restrict access to domains thru VPNs
So basically what do you expect?
Last edited:
Martineau,
What rules Do I need to write so be it through VPN or not through VPN to only allow specific websites.
to enable this comment
dnsmasq.conf.add
EMPTY
firewall-start
init-start
wan-start
Also I don't think the wan-start section works as dnsmasq is empty
What rules Do I need to write so be it through VPN or not through VPN to only allow specific websites.
to enable this comment
Here are my current files
dnsmasq.conf.add
EMPTY
firewall-start
Code:
#!/bin/sh
IPADDR=192.168.2.26
IPSET_NAME="Valid_VPN_IP"
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPTinit-start
Code:
#!/bin/sh
modprobe -sv xt_comment.ko
IPSET_NAME="Valid_VPN_IP"
ipset create $IPSET_NAME hash:net comment 2>/dev/nullwan-start
Code:
#!/bin/sh
# These are optional, but if the doamins are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)
for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment snbforums.com;done;
for IP in $(nslookup "speedtest.net" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment speedtest.net;done;
for IP in $(nslookup "whatismyipaddress.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment whatismyipaddress.com;done;Also I don't think the wan-start section works as dnsmasq is empty
Last edited:
Martineau
Part of the Furniture
If you want to apply the domain restriction to a specific LAN device for ANY interface them omit the VPN '-o tun1+' parameter.
firewall-start
Code:
#!/bin/sh
IPADDR=192.168.2.26
IPSET_NAME="Valid_VPN_IP"
logger -st "($(basename $0))" $$ "Creating IPSET '$IPSET_NAME' rules"
# Prevent duplicates but can leave firewall exposed...
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o eth0 -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o eth0 -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED" 2>/dev/null
POS=$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))
# Rather than block ALL interfaces, apply rules to WAN (eth0) interface only
iptables -I FORWARD $POS -s $IPADDR -i br0 -o eth0 -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED"
iptables -I FORWARD $POS -s $IPADDR -i br0 -o eth0 -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED"
iptables -I FORWARD $POS -s $IPADDR -i br0 -o eth0 -p icmp -m icmp --icmp-type 8 -j REJECT -m comment --comment "NoPING"
iptables -I FORWARD $POS -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPTAs shown in post #10 you have to execute the command to populate 'dnsmasq.conf.add' ONLY once as this file is permanent and its contents are preserved over a reboot - hence it is illogical to keep appending the same line at the end of the file at every boot/WAN start.
Last edited:
Martineau,
I followed all your steps and can't seem to figure out for the life of me what is still wrong. I updated the firewall file from the newest post above and made the other 2 files in step 10 as well as previously writing the
2 times one for cnn.com and one for snbforums.com
I then hardcoded my IP to be 192.168.2.26/255.255.255.0/192.168.2.1 and dns of 192.168.2.1
I then tried pinging foxnews.com and was able to connect via chrome as well as reddit.com and was able to connect via chrome.
I even did a ipconfig /flushdns and rebooted.
Is there anything else I am missing?
I appreciate you spending your time to help me with this.
P.S. here are my most recent logs from my last reboot is it weird that firewall start runs 2x.
I followed all your steps and can't seem to figure out for the life of me what is still wrong. I updated the firewall file from the newest post above and made the other 2 files in step 10 as well as previously writing the
Code:
echo "ipset=/www.siteiwanttoallow.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.addI then hardcoded my IP to be 192.168.2.26/255.255.255.0/192.168.2.1 and dns of 192.168.2.1
I then tried pinging foxnews.com and was able to connect via chrome as well as reddit.com and was able to connect via chrome.
I even did a ipconfig /flushdns and rebooted.
Is there anything else I am missing?
I appreciate you spending your time to help me with this.
P.S. here are my most recent logs from my last reboot is it weird that firewall start runs 2x.
Code:
Nov 18 01:00:10 ntpd: Initial clock set
Nov 18 01:00:10 rc_service: ntpd_synced 620:notify_rc restart_diskmon
Nov 18 01:00:10 disk_monitor: Finish
Nov 18 01:00:12 disk_monitor: be idle
Nov 18 01:00:30 kernel: SHN Release Version: 2.0.1 890c91d
Nov 18 01:00:30 kernel: UDB Core Version: 0.2.18
Nov 18 01:00:30 kernel: sizeof forward pkt param = 192
Nov 18 01:00:30 BWDPI: fun bitmap = 3
Nov 18 01:00:34 rc_service: udhcpc 462:notify_rc start_firewall
Nov 18 01:00:36 dhcp_client: bound 192.168.1.4 via 192.168.1.1 during 86400 seconds.
Nov 18 01:00:36 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Nov 18 01:00:37 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Nov 18 01:00:42 crond[245]: time disparity of 809335 minutes detected
Nov 18 01:01:06 rc_service: amas_lib 364:notify_rc restart_firewall
Nov 18 01:01:07 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Nov 18 01:01:08 custom_script: Running /jffs/scripts/firewall-start (args: eth0)Martineau
Part of the Furniture
It's not weird - simply working as designed.
The firmware may execute the firewall-start/nat-start scripts multiple times whenever it needs to (i.e. after a WAN start event), hence we explicitly accommodate this and ensure duplicate rules etc. are not added by our custom code.
I have updated the list of diagnostic/debugging commands in post #23, so you will need to provide the output of those commands when things appear 'weird'.
Martineau,
Debug Info added below from the commands requested along with the source of all 3 files I made with what is running at the moment.
P.S. I noticed in the wan-start there was no definition of IP nor IPSET_NAME so I created variables and added them in and rebooted.
For some reason now when I hardcoded the IP i lost ALL Internet on my device and wasn't able to ping any site.
I also noticed the IPSET was empty(I thought the wan start command would populate the IPSET automatically from dnsmasq as you said when I added the variables, but it didn't)
Thanks again for your time.
Debug Info added below from the commands requested along with the source of all 3 files I made with what is running at the moment.
P.S. I noticed in the wan-start there was no definition of IP nor IPSET_NAME so I created variables and added them in and rebooted.
For some reason now when I hardcoded the IP i lost ALL Internet on my device and wasn't able to ping any site.
I also noticed the IPSET was empty(I thought the wan start command would populate the IPSET automatically from dnsmasq as you said when I added the variables, but it didn't)
Thanks again for your time.
Code:
admin@RT-AC68U-1340:/tmp/home/root# iptables --line -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destina tion
1 42192 15M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0 /0 state RELATED,ESTABLISHED
2 0 0 other2wan all -- !br0 eth0 0.0.0.0/0 0.0.0.0 /0
3 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0 /0
4 171 14396 DROP all -- * * 0.0.0.0/0 0.0.0.0 /0 state INVALID
5 0 0 ACCEPT udp -- br0 * 192.168.2.26 0.0.0.0 /0 udp dpt:53
6 2694 353K NSFW all -- * * 0.0.0.0/0 0.0.0.0 /0
7 2694 353K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0 /0
8 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0 /0 ctstate DNAT
9 0 0 OVPN all -- * * 0.0.0.0/0 0.0.0.0 /0 state NEW
10 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
admin@RT-AC68U-1340:/tmp/home/root# iptables --line -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 59632 packets, 18M bytes)
num pkts bytes target prot opt in out source destination
admin@RT-AC68U-1340:/tmp/home/root# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /etc/dnsmasq.conf
ipset=/www.cnn.com/Valid_VPN_IP
ipset=/www.snbforums.com/Valid_VPN_IP
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /jffs/configs/dnsmasq.conf.add
ipset=/www.cnn.com/Valid_VPN_IP
ipset=/www.snbforums.com/Valid_VPN_IP
admin@RT-AC68U-1340:/tmp/home/root# ipset list Valid_VPN_IP
ipset v6.32: The set with the given name does not exist
firewall-start
#!/bin/sh
IPADDR=192.168.2.26
IPSET_NAME="Valid_VPN_IP"
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_ANY" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_ANY" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_ANY"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_ANY"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT
init-start
#!/bin/sh
modprobe -sv xt_comment.ko
IPSET_NAME="Valid_VPN_IP"
ipset create $IPSET_NAME hash:net comment 2>/dev/null
wan-start
#!/bin/sh
IP=192.168.2.26
IPSET_NAME="Valid_VPN_IP"
# These are optional, but if the doamins are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)
for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment snbforums.com;done;
for IP in $(nslookup "cnn.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment cnn.com;done;
Last edited:
Martineau
Part of the Furniture
It appears that you are not creating IPSET Valid_VPN_IP (init-start) during the boot process, consequently you are missing the ACCEPT/BLOCK firewall rules, as they can't be created (firewall-start) if they refer to an invalid IPSET.
e.g. '-t filter FORWARD' chain to block 192.168.2.26 outbound through ANY interface should look something like this...
Code:
<snip>
9 1 80 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
10 0 0 ACCEPT udp -- br0 * 192.168.2.26 0.0.0.0/0 udp dpt:53
11 0 0 ACCEPT all -- br0 * 192.168.2.26 0.0.0.0/0 match-set Valid_VPN_IP dst /* ALLOWED_thru_ANY */
12 0 0 DROP all -- br0 * 192.168.2.26 0.0.0.0/0 ! match-set Valid_VPN_IP dst /* BLOCKED_thru_ANY */
Code:
chmod a+rx /jffs/scripts/init-start
chmod a+rx /jffs/scripts/wan-startThanks for the heads-up! I've updated wan-start code in post #10 which indeed omitted the name of the IPSET to store the retrieved domain IPs
Last edited:
Martineau,
Thanks for your help, Im sorry i wasn't able to post sooner, was busy. Here the most recent debug commands and my current files with the VPN section removed as i wanted to control that.
I readded
IPSET_NAME="Valid_VPN_IP"
to firewall start as it wasn't there in post 10.
I will reboot again now and see if all is correct.
Updated Debug Commands below:
wan-start file
firewall-start file
init-start file
I cleared out the dnsmasq.conf.add file , I rebooted the router to trigger all 3 files below to run, and then noticed the dnsmasq.conf.add was empty so i ran the following 3 lines one by one:
Thanks for your help, Im sorry i wasn't able to post sooner, was busy. Here the most recent debug commands and my current files with the VPN section removed as i wanted to control that.
I readded
IPSET_NAME="Valid_VPN_IP"
to firewall start as it wasn't there in post 10.
I will reboot again now and see if all is correct.
Updated Debug Commands below:
Code:
admin@RT-AC68U-1340:/tmp/home/root# iptables --line -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 8490 2866K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 other2wan all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
4 20 920 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
5 0 0 ACCEPT udp -- br0 * 192.168.2.26 0.0.0.0/0 udp dpt:53
6 346 102K NSFW all -- * * 0.0.0.0/0 0.0.0.0/0
7 346 102K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
8 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
9 0 0 OVPN all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
10 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# iptables --line -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 16569 packets, 3798K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- tun21 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /etc/dnsmasq.conf
ipset=/www.snbforums.com/Valid_VPN_IP
ipset=/www.whatismyipaddress.com/Valid_VPN_IP
ipset=/www.speedtest.net/Valid_VPN_IP
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /jffs/configs/dnsmasq.conf.add
ipset=/www.snbforums.com/Valid_VPN_IP
ipset=/www.whatismyipaddress.com/Valid_VPN_IP
ipset=/www.speedtest.net/Valid_VPN_IP
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 554
References: 0
Number of entries: 3
Members:
104.27.126.97
104.27.127.97
8.8.8.8 comment "snbforums.com"
admin@RT-AC68U-1340:/tmp/home/root#wan-start file
Code:
#!/bin/sh
# These are optional, but if the doamins are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)
IPSET_NAME="Valid_VPN_IP"
logger -st "($(basename $0))" $$ "Adding domains to IPSET $IPSET_NAME"
for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment snbforums.com;done;
for IP in $(nslookup "speedtest.net" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment speedtest.net;done;
for IP in $(nslookup "whatismyipaddress.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment whatismyipaddress.com;done;firewall-start file
Code:
#!/bin/sh
IPADDR=192.168.2.26
IPSET_NAME="Valid_VPN_IP"
# Prevent duplicates but can leave firewall exposed...
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT
# Non-destructive (but no less exposed?) method to prevent duplicates
#[ iptables -C FORWARD -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN"
#[ iptables -C FORWARD -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
#[ iptables -C FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPTinit-start file
Code:
#!/bin/sh
modprobe -sv xt_comment.ko
IPSET_NAME="Valid_VPN_IP"
logger -st "($(basename $0))" $$ "Creating IPSET $IPSET_NAME"
ipset create $IPSET_NAME hash:net comment 2>/dev/nullI cleared out the dnsmasq.conf.add file , I rebooted the router to trigger all 3 files below to run, and then noticed the dnsmasq.conf.add was empty so i ran the following 3 lines one by one:
Code:
echo "ipset=/www.snbforums.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
echo "ipset=/www.whatismyipaddress.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
echo "ipset=/www.speedtest.net/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
service restart_dnsmasqIt appears that you are not creating IPSET Valid_VPN_IP (init-start) during the boot process, consequently you are missing the ACCEPT/BLOCK firewall rules, as they can't be created (firewall-start) if they refer to an invalid IPSET.
e.g. '-t filter FORWARD' chain to block 192.168.2.26 outbound through ANY interface should look something like this...
I suspect that not ALL of the scripts you have created are marked as 'executable'Code:<snip> 9 1 80 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 10 0 0 ACCEPT udp -- br0 * 192.168.2.26 0.0.0.0/0 udp dpt:53 11 0 0 ACCEPT all -- br0 * 192.168.2.26 0.0.0.0/0 match-set Valid_VPN_IP dst /* ALLOWED_thru_ANY */ 12 0 0 DROP all -- br0 * 192.168.2.26 0.0.0.0/0 ! match-set Valid_VPN_IP dst /* BLOCKED_thru_ANY */
Code:chmod a+rx /jffs/scripts/init-start chmod a+rx /jffs/scripts/wan-start
Thanks for the heads-up! I've updated wan-start code in post #10 which indeed omitted the name of the IPSET to store the retrieved domain IPs
Last edited:
Martineau,
Something is still off with firewall start as the other 3 lines in ip filter nvl forward don't show. Please look above at the current file. Case sensitivtiy matters for the ipname correct? I believe it's spelled the same in all 3 places.
Something is still off with firewall start as the other 3 lines in ip filter nvl forward don't show. Please look above at the current file. Case sensitivtiy matters for the ipname correct? I believe it's spelled the same in all 3 places.
Martineau
Part of the Furniture
Always - no exceptions.
How did you manage to get '8.8.8.8 comment "snbforums.com"' into IPSET Valid_VPN_IP?
I have to specify this logically incorrect command
Code:
for IP in $(nslookup "8.8.8.8" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add Valid_VPN_IP $IP comment snbforums.com;done;
Code:
cd /jffs/scripts
ls -lah *-start
ipset list Valid_VPN_IP
sh -x ./init-start
sh -x ./firewall-start
sh -x ./wan-start
dave14305
Part of the Furniture
I bet his WAN DNS is 8.8.8.8 and grabbing it from nslookup Server: line.How did you manage to get '8.8.8.8 comment "snbforums.com"' into IPSET Valid_VPN_IP?
Code:
# nslookup snbforums.com
Server: 9.9.9.9
Address 1: 9.9.9.9 dns9.quad9.net
Name: snbforums.com
Address 1: 2606:4700:20::681b:7e61
Address 2: 104.27.126.97
Address 3: 104.27.127.97
# nslookup snbforums.com | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
9.9.9.9
9.9.9.9
104.27.126.97
104.27.127.97Martineau
Part of the Furniture
dave14305
Part of the Furniture
When I ran it, my dns was 75.75.75.75 also added as snbforums.comDoh!
Martineau,
Newest Code Posted
Newest Code Posted
Code:
ASUSWRT-Merlin RT-AC68U 384.13-0 Wed Jul 31 17:27:27 UTC 2019
admin@RT-AC68U-1340:/tmp/home/root# cd /jffs/scripts
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# ls -lah *-start
-rwxr-xr-x 1 admin root 2.1K Nov 22 11:59 firewall-start
-rwxr-xr-x 1 admin root 181 Nov 22 11:03 init-start
-rwxr-xr-x 1 admin root 859 Nov 22 11:03 wan-start
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 410
References: 2
Number of entries: 1
Members:
8.8.8.8 comment "snbforums.com"
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./init-start
+ modprobe -sv xt_comment.ko
+ IPSET_NAME=Valid_VPN_IP
+ basename ./init-start
+ logger -st (init-start) 1817 Creating IPSET Valid_VPN_IP
(init-start): 1817 Creating IPSET Valid_VPN_IP
+ ipset create Valid_VPN_IP hash:net comment
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./firewall-start
+ IPADDR=192.168.2.26
+ IPSET_NAME=Valid_VPN_IP
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -p udp -m udp --dport 53 -j ACCEPT
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -o tun1+ -m set --match-set Valid_VPN_IP dst -j ACCEPT -m comment --comment ALLOWED_thru_VPN
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -o tun1+ -m set ! --match-set Valid_VPN_IP dst -j DROP -m comment --comment BLOCKED_thru_VPN
+ iptables -nvL FORWARD --line -t filter
+ grep state INVALID
+ cut -d -f1
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -o tun1+ -m set ! --match-set Valid_VPN_IP dst -j DROP -m comment --comment BLOCKED_thru_VPN
+ iptables -nvL FORWARD --line -t filter
+ grep state INVALID
+ cut -d -f1
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -o tun1+ -m set --match-set Valid_VPN_IP dst -j ACCEPT -m comment --comment ALLOWED_thru_VPN
+ iptables -nvL FORWARD --line -t filter
+ grep state INVALID
+ cut -d -f1
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -p udp -m udp --dport 53 -j ACCEPT
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./wan-start
+ IPSET_NAME=Valid_VPN_IP
+ basename ./wan-start
+ logger -st (wan-start) 1842 Adding domains to IPSET Valid_VPN_IP
(wan-start): 1842 Adding domains to IPSET Valid_VPN_IP
+ nslookup snbforums.com
+ grep -oE ([0-9]{1,3}\.){3}[0-9]{1,3}
+ grep -v 127.0.0.1
+ ipset add Valid_VPN_IP 8.8.8.8 comment snbforums.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 8.8.8.8 comment snbforums.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 104.27.127.97 comment snbforums.com
+ ipset add Valid_VPN_IP 104.27.126.97 comment snbforums.com
+ nslookup speedtest.net
+ grep -oE ([0-9]{1,3}\.){3}[0-9]{1,3}
+ grep -v 127.0.0.1
+ ipset add Valid_VPN_IP 8.8.8.8 comment speedtest.net
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 8.8.8.8 comment speedtest.net
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 151.101.130.219 comment speedtest.net
+ ipset add Valid_VPN_IP 151.101.2.219 comment speedtest.net
+ ipset add Valid_VPN_IP 151.101.194.219 comment speedtest.net
+ ipset add Valid_VPN_IP 151.101.66.219 comment speedtest.net
+ nslookup whatismyipaddress.com
+ grep -oE ([0-9]{1,3}\.){3}[0-9]{1,3}
+ grep -v 127.0.0.1
+ ipset add Valid_VPN_IP 8.8.8.8 comment whatismyipaddress.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 8.8.8.8 comment whatismyipaddress.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 104.16.154.36 comment whatismyipaddress.com
+ ipset add Valid_VPN_IP 104.16.155.36 comment whatismyipaddress.com
admin@RT-AC68U-1340:/jffs/scripts#Similar threads
Similar threads
Similar threads
-
Where to Download GNUton's Asus Merlin For DSL-AC68U
- Started by Combe_Charmer
- Replies: 5
-
ASUS RT-AC68U not working after Merlin firmware update, did I brick it?- Started by dbaser
- Replies: 15
-
Asus RT-AC68U SSH not responsive after time, reboot not helping.
- Started by Heronimos
- Replies: 4
-
Solved ASUS RT-AC68U router can't reach specific website - known issue?- Started by Run5k
- Replies: 6
-
-
-
Two Asus RT-AC68U routers with Merlin software, connected via VPN - dhcp problem.
- Started by bartasmosina
- Replies: 5
-
How to auto-restart remote clients (an Asus RT-AC68U) OpenVPN client
- Started by sipankh
- Replies: 45
-
In asus rt-ac68u router under VPN Client - VPN Server List missing OpenVPN
- Started by Jgafa10
- Replies: 30
-
Setting ASUS DSL-N17U and RT-AC68U in Bridge Mode
- Started by Turgut Kalfaoglu
- Replies: 9