
Custom firewall rules executed multiple times

Discussion in 'Asuswrt-Merlin' started by nick_max, Jun 30, 2020.

  1. nick_max

    nick_max Occasional Visitor

    Joined:
    Sep 25, 2017
    Messages:
    44
    Hello,

    I have a slight issue regarding my custom firewall rules - they are executed 3 times at every router reboot:

    Jun 30 18:53:10 ovpn-server1[4125]: Initialization Sequence Completed
    Jun 30 18:53:11 asus: ===========< OpenVPN fw rlz applied >===========
    Jun 30 18:53:19 asus: ===========< OpenVPN fw rlz applied >===========
    Jun 30 18:53:23 uiDivStats: Mounting uiDivStats WebUI page as user2.asp
    Jun 30 18:53:35 kernel: bcm_i2c: bus 0: Failed to detect SFP: 100 retries exhausted
    Jun 30 18:53:36 asus: ===========< OpenVPN fw rlz applied >===========


    I have my custom rules in /jffs/scripts/firewall-start file.
    I have added a logger comment to see the confirmation in the syslog and I also set a 30 second sleep delay at the beginning of the file.

    Does anybody know why this is happening, please?

    My router is Asus AX88U.

    Many thanks.
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,101
    Location:
    UK
    It is normal that the firewall script is run more than once on boot. Usually it's because the state of the WAN connection changes or some other service has made a change to the network configuration. This should not be a problem because the previous firewall rules are removed before the script runs again.
     
    Vexira likes this.
  3. nick_max

    nick_max Occasional Visitor

    Joined:
    Sep 25, 2017
    Messages:
    44
    Thanks for your reply.

    Unfortunately it is a problem because these custom rules are inserted 3 times into the INPUT chain. I can see that when I run the iptables -t filter -L INPUT -n -v command.

    If the firewall-start file is not a good place to put my custom rules, is there a way for these rules to be applied only once at the end of router initialization?

    Many thanks.
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,101
    Location:
    UK
    Then something strange is going on. I've been using a firewall-start script to insert rules into the INPUT chain for years without any duplication problems. The firewall-start script is the correct place to do this.

    Are you using dual-WAN?
     
  5. nick_max

    nick_max Occasional Visitor

    Joined:
    Sep 25, 2017
    Messages:
    44
    Nope, no dual-WAN in my router
     
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,101
    Location:
    UK
    Try using this simple firewall-start script (without any sleep commands) and see what parameter is being passed each time it runs:
    Code:
    #!/bin/sh
    logger -t "$(basename $0)" "$1"
     
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,101
    Location:
    UK
    I've just noticed that in your initial post it said "OpenVPN fw rlz". If you're trying to insert rules that relate to the OpenVPN server the firewall-start script is the wrong place to do it (as I learnt from experience :rolleyes:). The reason being that the OpenVPN servers are (re)started independently of the WAN interface. For that you need to use openvpn-event with some conditional logic.

    EDIT: I posted a crude example here of how to block certain IP addresses from connecting to the OpenVPN servers:
    Code:
    #!/bin/sh
    # Merlin passes the OpenVPN interface name as $1; only act on the servers.
    if [ "$1" = "tun21" ] || [ "$1" = "tun22" ] || \
       [ "$1" = "tap21" ] || [ "$1" = "tap22" ]
    then
        logger -t openvpn-event "Apply additional firewall rules"
        # Delete first so repeated events do not stack duplicate copies.
        iptables -D INPUT -s 185.200.118.0/24 -j DROP
        iptables -I INPUT -s 185.200.118.0/24 -j DROP
    fi
     
    Last edited: Jun 30, 2020
  8. nick_max

    nick_max Occasional Visitor

    Joined:
    Sep 25, 2017
    Messages:
    44
    Many thanks for your input. I have renamed the file from firewall-start to openvpn-event, added your logger line and deleted the sleep command.
    The openvpn-event script is called 3 times in the log:

    Jun 30 20:12:06 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
    Jun 30 20:12:06 openvpn-event: tun21
    ...
    Jun 30 20:12:20 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
    Jun 30 20:12:20 openvpn-event: tun21
    ---
    Jun 30 20:12:23 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
    Jun 30 20:12:23 openvpn-event: tun21


    Interestingly, my firewall rules are applied now twice in the iptables INPUT chain.

    My custom openvpn firewall rules are below (I have replaced the IPs and port with xxx):
    logger -t "$(basename $0)" "$1"
    iptables -I INPUT 1 -p tcp -i ppp0 -s x.x.x.x --dport xxx -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I INPUT 2 -p tcp -i ppp0 -s x.x.x.x --dport xxx -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I INPUT 3 -p tcp -i ppp0 --dport xxx -j DROP
    logger "===========< OpenVPN fw rlz applied >==========="


    Thank you.
     
  9. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,101
    Location:
    UK
    What do you see from the firewall-start logger commands? What is/are the interface names?
     
  10. nick_max

    nick_max Occasional Visitor

    Joined:
    Sep 25, 2017
    Messages:
    44
    I have renamed my file from firewall-start to openvpn-event. Now there's no more firewall-start.
    Should I rename back, reboot and see the parameters?
     
  11. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,101
    Location:
    UK
    Just create another copy of that file so you have both firewall-start and openvpn-event. I think I know what's happening but I want to confirm it.
     
  12. nick_max

    nick_max Occasional Visitor

    Joined:
    Sep 25, 2017
    Messages:
    44
    All right, I did what you asked and this is what the syslog shows:

    Jun 30 20:56:59 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
    Jun 30 20:56:59 openvpn-event: tun21
    Jun 30 20:56:59 asus: ===========< OpenVPN fw rlz applied >===========
    ...
    May 5 08:05:35 custom_script: Running /jffs/scripts/firewall-start (args: )
    May 5 08:05:35 firewall-start:
    May 5 08:05:35 asus: ===========< OpenVPN fw rlz applied >===========
    ...
    May 5 08:05:43 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
    May 5 08:05:43 firewall-start: ppp0
    May 5 08:05:43 asus: ===========< OpenVPN fw rlz applied >===========
    ...
    Jun 30 20:58:20 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
    Jun 30 20:58:20 openvpn-event: tun21
    Jun 30 20:58:20 asus: ===========< OpenVPN fw rlz applied >===========
    ...
    Jun 30 20:58:28 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
    Jun 30 20:58:28 firewall-start xx: ppp0
    Jun 30 20:58:28 rc_service: ip-up 2168:notify_rc stop_vpnserver1
    Jun 30 20:58:28 rc_service: ip-up 2168:notify_rc start_vpnserver1
    Jun 30 20:58:28 rc_service: waitting "stop_vpnserver1" via ip-up ...
    Jun 30 20:58:28 asus: ===========< OpenVPN fw rlz applied >===========
    Jun 30 20:58:28 custom_script: Running /jffs/scripts/service-event (args: stop vpnserver1)
    Jun 30 20:58:28 ovpn-server1[2787]: Closing TUN/TAP interface
    Jun 30 20:58:28 ovpn-server1[2787]: /sbin/ifconfig tun21 0.0.0.0
    Jun 30 20:58:28 ovpn-server1[2787]: updown.sh tun21 1500 1624 192.168.110.1 255.255.255.0 init
    Jun 30 20:58:28 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
    Jun 30 20:58:28 openvpn-event: tun21
    Jun 30 20:58:28 asus: ===========< OpenVPN fw rlz applied >===========
    ...
    Jun 30 20:58:32 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
    Jun 30 20:58:32 openvpn-event: tun21
    Jun 30 20:58:32 asus: ===========< OpenVPN fw rlz applied >===========


    My firewall rules are applied now thrice in the iptables INPUT chain.
    I could paste the full syslog in a pastebin if it helps.

    Thank you
     
  13. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,101
    Location:
    UK
    If you're simply trying to restrict access to the VPN server to specific IP addresses you don't need the conntrack stuff AFAIK. So delete your firewall-start script and use the following as your openvpn-event script.
    Code:
    #!/bin/sh
    # $dev and $script_type are set by OpenVPN for its up/down hook (updown.sh,
    # which runs openvpn-event), so they tell "up" from "down" where $1 cannot:
    # the syslog above shows the same arguments on both start and stop.
    if [ "$dev" = "tun21" ]
    then
        if [ "$script_type" = "up" ]; then
            iptables -I INPUT 1 -s x.x.x.x -p tcp --dport xxx -j ACCEPT
            iptables -I INPUT 2 -s x.x.x.x -p tcp --dport xxx -j ACCEPT
            iptables -I INPUT 3 -p tcp --dport xxx -j DROP
        elif [ "$script_type" = "down" ]; then
            # -D with a full rule spec removes the first matching rule, so no
            # rule numbers are needed here.
            iptables -D INPUT -s x.x.x.x -p tcp --dport xxx -j ACCEPT
            iptables -D INPUT -s x.x.x.x -p tcp --dport xxx -j ACCEPT
            iptables -D INPUT -p tcp --dport xxx -j DROP
        fi
    fi
    
    Disclaimer: I haven't tested this script.
     
    Last edited: Jun 30, 2020
  14. nick_max

    nick_max Occasional Visitor

    Joined:
    Sep 25, 2017
    Messages:
    44
    Cheers!
    That's exactly what I'm trying to do: block everything except 2 IPs to my OpenVPN server.

    I will definitely try your script and let you know.

    Many thanks :)
     
  15. nick_max

    nick_max Occasional Visitor

    Joined:
    Sep 25, 2017
    Messages:
    44
    Hi Colin,

    After a couple of days of seeing what's happening with the new script, I have noticed that after reboot, the iptables rules get applied successfully, but after a while these rules get automatically deleted.
    My assumption is that even though the rules are applied at reboot, somewhere along the way the firewall gets restarted and the rules go away.

    That was the reason for placing my custom iptables rules in the firewall-start file, so that they get applied every time some service decides to restart the firewall.

    Do you think that there might be a workaround for this, please?

    Thank you.
     
  16. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,101
    Location:
    UK
    Yes, sorry you are correct. I encountered that problem myself and updated my scripts accordingly but didn't read my notes properly when replying in this thread. :rolleyes:

    Let me review what I actually did, rather than what I thought I did.
     
    L&LD and dave14305 like this.
  17. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,101
    Location:
    UK
    @nick_max Could you post the output of this command please? The way the VPN firewall rules are implemented is slightly different between Merlin's and John's firmware. I don't have Merlin's firmware on my router and I don't want to post something that doesn't work for both.
    Code:
    cat /etc/openvpn/fw/server1-fw.sh
     
  18. nick_max

    nick_max Occasional Visitor

    Joined:
    Sep 25, 2017
    Messages:
    44
    Hi Colin,

    Please see below:

    #!/bin/sh
    iptables -t nat -I PREROUTING -p tcp --dport xxx -j ACCEPT
    iptables -I INPUT -p tcp --dport xxx -j ACCEPT
    iptables -I OVPN -i tun21 -d 192.168.1.0/24 -j ACCEPT
    iptables -t mangle -I PREROUTING -i tun21 -j MARK --set-mark 0x01/0x7
     
  19. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,101
    Location:
    UK
    That's excellent, thanks. I think I've found a better way of doing this than I had before. ;)

    OK try this. Remove/delete any changes you may still have in firewall-start and openvpn-event.

    Create a /jffs/scripts/openvpnserver1.postconf file as follows:
    Code:
    #!/bin/sh
    
    # The firmware regenerates this file each time the OpenVPN server starts;
    # pc_append (from helper.sh) adds our lines to its end so they are applied,
    # and later torn down, together with the server's own rules.
    CONFIG="/etc/openvpn/fw/server1-fw.sh"
    source /usr/sbin/helper.sh
    
    # Do not use rule numbers. Insert rules in reverse order.
    pc_append "iptables -I INPUT -p tcp --dport 9999 -j DROP" $CONFIG
    pc_append "iptables -I INPUT -s 222.222.222.222 -p tcp --dport 9999 -j ACCEPT" $CONFIG
    pc_append "iptables -I INPUT -s 111.111.111.111 -p tcp --dport 9999 -j ACCEPT" $CONFIG
    Note that you must not use rule numbers in this script (e.g. "-I INPUT 1") because they will not be removed properly. So your rules need to be applied in reverse order.

    Side note: The reason we can't simply use firewall-start is because when the OpenVPN server is restarted it inserts its own rules at the top of the INPUT chain, negating any changes of our own (as can be seen in that script you just posted).
     
    Last edited: Jul 2, 2020
    dave14305 and L&LD like this.
  20. nick_max

    nick_max Occasional Visitor

    Joined:
    Sep 25, 2017
    Messages:
    44
    Awesome, I did exactly as you said:
    - I've removed the firewall-start and openvpn-event files
    - created the openvpnserver1.postconf file with your code

    I'll wait and see what happens after a few days and reboots.

    I appreciate very much your help :)

    Cheers!
     
    L&LD likes this.