Asus RT-AC68U Traffic Blocking Question specific IP and VPN on top of that


NOTE: The 'service' command stupidly always replies 'Done' for any junk command! :rolleyes:

This is because the service command itself does not execute anything, it only puts the request into the rc process event queue then it exits. rc will run the command asynchronously.

I've recently changed init so it will report any unrecognized event into syslog.

Code:
Dec  5 14:52:08 rc_service: service 26130:notify_rc What_is_a_synonym_for_ended?
Dec  5 14:52:08 rc: received unrecognized event: What_is_a_synonym_for_ended?
 
Finally...well done, so that'll only be for v384.14 Beta then?

v384.13
Code:
Dec  5 20:10:41 RT-AC68U custom_script: Running /jffs/scripts/service-event (args:  What_is_a_synonym_for_ended?)
Dec  5 20:10:43 RT-AC68U (service-event): 6362 Script not defined for service event: -What_is_a_synonym_for_ended?
Dec  5 20:10:43 RT-AC68U custom_script: Running /jffs/scripts/service-event-end (args:  What_is_a_synonym_for_ended?)
Dec  5 20:10:44 RT-AC68U (service-event-end): 6733 Script not defined for service event: -What_is_a_synonym_for_ended?-end
 
Finally...well done, so that'll only be for v384.14 Beta then?

Yes, the commit dates back to last August, which was after the 384.13 release:

Code:
commit b7d2e68f2679a11a47ec1674c24b5f22ddcb5cc9
Author: Eric Sauvageau <merlin@asuswrt-merlin.net>
Date:   Tue Aug 13 15:13:10 2019 -0400

    rc: log unrecognized events to syslog
 
Martineau,

You understood what I wrote I hope.

I'm not good with this and getting so close lol
 
Martineau,

No I still need to do the ipset rule specifically for that device so the rules still apply only for 1 device be it connecting via VPN through the script or if explicitly add it to the vpn.

I don't understand what this means, I'm sorry..


Is there a way to merge both scripts 10/27 into one so I don't have to toggle?

I have gone through the posts and put the ones I am using below with my change noted (I just changed the site names for proof of concept). If I am connecting via VPN Client 1, I put the 1 in both places, right?

Also I added the bottom line into the wan-start (IPSET IPs supersede actual nslookup records, right?)

firewall-start (with logdrop added/updated)
Code:
#!/bin/sh

IPADDR=192.168.2.26

VPN_ID=1                      # VPN Client 1
VPN_FWMARK="0x1000/0x1000"    # 0x1000=VPN 1, 0x2000=VPN 2, 0x4000=VPN 3

IPSET_NAME="Valid_VPN_IP"

logger -st "($(basename $0))" $$ "Creating IPSET '$IPSET_NAME' rules"

iptables -t mangle -D PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK 2>/dev/null
iptables -t mangle -A PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK

# Prevent duplicates but can leave firewall exposed...
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j logdrop   -m comment --comment "BLOCKED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT

# Non-destructive (but no less exposed?) method to prevent duplicates:
# 'iptables -C' returns 0 when an identical rule already exists, so the insert only runs when it does not.
# (Wrapping the check in '[ ... ]' is a shell error, so the insert would always run.)
#iptables -C FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN"
#iptables -C FORWARD -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
#iptables -C FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT

Services-start

Code:
#!/bin/sh

modprobe -sv xt_comment.ko
RC=$?
logger -st "($(basename $0))" $$  "Loading iptables 'comment' module xt_comment.ko rc=$RC"
modprobe -D xt_comment.ko >>/tmp/syslog.tmp

IPSET_NAME="Valid_VPN_IP"

ipset create $IPSET_NAME hash:net comment
RC=$?
logger -st "($(basename $0))" $$ "Creating IPSET '$IPSET_NAME' rc=$RC"

Wan-start

Code:
#!/bin/sh

Say(){
   echo -e $$ $@ | logger -st "($(basename $0))"
}

IPSET_NAME="Valid_VPN_IP"

Say "Paused for 2 secs....."
sleep 2

# These are optional, but if the domains are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)

Say "Adding domains to IPSET '$IPSET_NAME'"
THIS="site1toallow.com";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS; Say "'"$THIS"' $IP rc="$?;done;
THIS="site2toallow.net";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME $IP comment $THIS; Say "'"$THIS"' $IP rc="$?;done;
THIS="domainexample.subdomainexample.net";for IP in $(nslookup $THIS | awk 'NR==1, $1 == "Name:" {next}; {if ( $0 ~ /\./ ) print $3}');do ipset add $IPSET_NAME 127.0.0.1 comment $THIS;Say "'"$THIS"' $IP rc="$?;done


To allow it to add as a viewable site for the device.

Then do the following DNS spoofing
Code:
echo "address=/domainexample.subdomainexample.net/127.0.0.1" >>/jffs/configs/dnsmasq.conf.add

and then either reboot and/or do the service restart_dnsmasq?
... be it connecting via VPN through the script or if explicitly add it to the vpn.
No offence, but I'm lacking the intelligence to comprehend this latest rambling....through what 'script'?:confused::confused:

Anyway you don't need to explain (at least not to me), as personally I now conclude you have been far too vague about your VPN intentions, with persistent reluctance to disclose the App name/secretive websites etc., so I'll leave it to others to jump in and assist.

However, here is my final helpful contribution...if you change the rule that inserts (-I) a rule, then to prevent unnecessary duplicates, you need to ensure that the delete (-D) rule which precedes the insert is absolutely identical to it.

So change
Code:
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
to
Code:
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j logdrop  -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
Good luck in your endeavours.
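The mismatch Martineau points out is easy to miss by eye in a long firewall-start. The following checker is an added example (not code from the thread or from Asuswrt-Merlin): it reads a script, strips the computed insert position and the shell redirection from each iptables -D/-I line, and reports every -I whose exact rule specification was never deleted earlier, which is precisely the condition under which each run of the script stacks another copy of the rule. The embedded script text is a constructed excerpt of the firewall-start posted above.

```python
import re
import shlex

# Constructed excerpt of the thread's firewall-start: the three -D lines
# followed by the three -I lines, including the DROP vs logdrop mismatch.
FIREWALL_START = r'''#!/bin/sh
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j logdrop   -m comment --comment "BLOCKED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT
'''

# The "$((...))" expression that computes the insert position after the 'state INVALID' rule.
POSITION = re.compile(r'"\$\(\(.*?\)\)"')

def rule_spec(line):
    """Return (action, chain, spec) for an 'iptables -D/-I' line, else None.
    The spec is the tuple of match/target tokens with the insert position and
    the 2>/dev/null redirection removed, so -D and -I lines compare like for like."""
    line = POSITION.sub("", line).replace("2>/dev/null", "")
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[0] != "iptables" or tokens[1] not in ("-D", "-I"):
        return None
    spec = tokens[3:]
    if spec and spec[0].isdigit():       # a plain numeric position, e.g. '-I FORWARD 3'
        spec = spec[1:]
    return tokens[1], tokens[2], tuple(spec)

def unmatched_inserts(script):
    """List the -I rules (as 'CHAIN spec') that no earlier -D in the script deletes.
    Every run of the script adds one more copy of each rule listed here."""
    deleted, unmatched = set(), []
    for line in script.splitlines():
        parsed = rule_spec(line)
        if parsed is None:
            continue
        action, chain, spec = parsed
        if action == "-D":
            deleted.add((chain, spec))
        elif (chain, spec) not in deleted:
            unmatched.append(" ".join((chain,) + spec))
    return unmatched

if __name__ == "__main__":
    for rule in unmatched_inserts(FIREWALL_START):
        print("no matching -D for:", rule)
```

Changing the -D line's target from DROP to logdrop, as Martineau suggests, makes the checker report nothing.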
 
