Custom firewall rules executed multiple times


nick_max

Occasional Visitor
Hello,

I have a slight issue regarding my custom firewall rules - they are executed 3 times at every router reboot:

Jun 30 18:53:10 ovpn-server1[4125]: Initialization Sequence Completed
Jun 30 18:53:11 asus: ===========< OpenVPN fw rlz applied >===========
Jun 30 18:53:19 asus: ===========< OpenVPN fw rlz applied >===========
Jun 30 18:53:23 uiDivStats: Mounting uiDivStats WebUI page as user2.asp
Jun 30 18:53:35 kernel: bcm_i2c: bus 0: Failed to detect SFP: 100 retries exhausted
Jun 30 18:53:36 asus: ===========< OpenVPN fw rlz applied >===========


I have my custom rules in /jffs/scripts/firewall-start file.
I have added a logger comment to see the confirmation in the syslog and I also set a 30 second sleep delay at the beginning of the file.

Does anybody know why this is happening, please?

My router is Asus AX88U.

Many thanks.
 

ColinTaylor

Part of the Furniture
It is normal that the firewall script is run more than once on boot. Usually it's because the state of the WAN connection changes or some other service has made a change to the network configuration. This should not be a problem because the previous firewall rules are removed before the script runs again.
 

nick_max

Occasional Visitor
Thanks for your reply.

Unfortunately it is a problem because these custom rules are inserted 3 times into the INPUT chain. I can see that when I run the iptables -t filter -L INPUT -n -v command.

If the firewall-start file is not a good place to put my custom rules, is there a way for these rules to be applied only once at the end of router initialization?

Many thanks.
 

ColinTaylor

Part of the Furniture
Then something strange is going on. I've been using a firewall-start script to insert rules into the INPUT chain for years without any duplication problems. The firewall-start script is the correct place to do this.

Are you using dual-WAN?
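An added example, not code from either poster, of a firewall-start written so that repeated invocations (with "ppp0" or with no argument) cannot stack duplicate rules: every insert is guarded by iptables -C before iptables -I. Port 1194 and the TEST-NET addresses are placeholders, and IPT is an assumed override so the functions can be exercised with a stand-in command.

```sh
#!/bin/sh
# Added example (not from the thread): an idempotent /jffs/scripts/firewall-start.
# The firmware may call it several times per boot (with "ppp0" or no argument),
# so every insert is guarded with "iptables -C" and duplicates cannot build up.
IPT="${IPT:-iptables}"        # stand-in command can be substituted for testing
VPN_PORT="${VPN_PORT:-1194}"  # placeholder OpenVPN server port
ALLOWED="203.0.113.10 203.0.113.20"   # constructed TEST-NET addresses

log() { logger -t "$(basename "$0")" "$*" 2>/dev/null || :; }

# ensure_rule CHAIN RULE...: insert RULE at the top of CHAIN only if it is absent.
ensure_rule() {
    chain="$1"; shift
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        return 0                     # already present: nothing to do
    fi
    "$IPT" -I "$chain" "$@"
}

# apply_vpn_rules [IFACE]: allow the listed sources to the VPN port, drop the rest.
# Rules are inserted in reverse order: each -I lands at position 1, so the DROP
# goes in first and the ACCEPTs end up above it (no positional numbers needed).
apply_vpn_rules() {
    log "firewall-start called with arg: '${1:-}'"
    ensure_rule INPUT -p tcp --dport "$VPN_PORT" -j DROP || log "DROP insert failed"
    for ip in $ALLOWED; do
        ensure_rule INPUT -s "$ip" -p tcp --dport "$VPN_PORT" -j ACCEPT \
            || log "ACCEPT insert failed for $ip"
    done
}

# Only touch the live firewall when a real iptables is installed.
if [ "$IPT" = "iptables" ] && command -v iptables >/dev/null 2>&1; then
    apply_vpn_rules "$@"
fi
```

Running it three times leaves exactly three rules in INPUT, in the order ACCEPT, ACCEPT, DROP; it only addresses duplication, not rules that another service inserts above them later.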
 

ColinTaylor

Part of the Furniture
Try using this simple firewall-start script (without any sleep commands) and see what parameter is being passed each time it runs:
Code:
#!/bin/sh
logger -t "$(basename $0)" "$1"
 

ColinTaylor

Part of the Furniture
I've just noticed that in your initial post it said "OpenVPN fw rlz". If you're trying to insert rules that relate to the OpenVPN server the firewall-start script is the wrong place to do it (as I learnt from experience :rolleyes:). The reason being that the OpenVPN servers are (re)started independently of the WAN interface. For that you need to use openvpn-event with some conditional logic.

EDIT: I posted a crude example here of how to block certain IP addresses from connecting to the OpenVPN servers:
Code:
#!/bin/sh
if [ "$1" = "tun21" ] || [ "$1" = "tun22" ] || \
   [ "$1" = "tap21" ] || [ "$1" = "tap22" ]
then
    logger -t openvpn-event "Apply additional firewall rules"
    iptables -D INPUT -s 185.200.118.0/24 -j DROP
    iptables -I INPUT -s 185.200.118.0/24 -j DROP
fi
 

nick_max

Occasional Visitor
Many thanks for your input, I have renamed the file from firewall-start to openvpn-event, I've added your logger line and I've deleted the sleep command.
The openvpn-event script is called 3 times in the log:

Jun 30 20:12:06 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
Jun 30 20:12:06 openvpn-event: tun21
...
Jun 30 20:12:20 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
Jun 30 20:12:20 openvpn-event: tun21
---
Jun 30 20:12:23 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
Jun 30 20:12:23 openvpn-event: tun21


Interestingly, my firewall rules are applied now twice in the iptables INPUT chain.

My custom OpenVPN firewall rules are below (I have replaced the IPs and port with xxx):
#!/bin/sh
logger -t "$(basename $0)" "$1"
iptables -I INPUT 1 -p tcp -i ppp0 -s x.x.x.x --dport xxx -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -p tcp -i ppp0 -s x.x.x.x --dport xxx -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 3 -p tcp -i ppp0 --dport xxx -j DROP
logger "===========< OpenVPN fw rlz applied >==========="


Thank you.
 

ColinTaylor

Part of the Furniture
What do you see from the firewall-start logger commands? What is/are the interface names?
 

nick_max

Occasional Visitor
I have renamed my file from firewall-start to openvpn-event. Now there's no more firewall-start.
Should I rename back, reboot and see the parameters?
 

ColinTaylor

Part of the Furniture
Just create another copy of that file so you have both firewall-start and openvpn-event. I think I know what's happening but I want to confirm it.
 

nick_max

Occasional Visitor
All right, I did what you asked and this is what the syslog shows:

Jun 30 20:56:59 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
Jun 30 20:56:59 openvpn-event: tun21
Jun 30 20:56:59 asus: ===========< OpenVPN fw rlz applied >===========
...
May 5 08:05:35 custom_script: Running /jffs/scripts/firewall-start (args: )
May 5 08:05:35 firewall-start:
May 5 08:05:35 asus: ===========< OpenVPN fw rlz applied >===========
...
May 5 08:05:43 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
May 5 08:05:43 firewall-start: ppp0
May 5 08:05:43 asus: ===========< OpenVPN fw rlz applied >===========
...
Jun 30 20:58:20 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
Jun 30 20:58:20 openvpn-event: tun21
Jun 30 20:58:20 asus: ===========< OpenVPN fw rlz applied >===========
...
Jun 30 20:58:28 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
Jun 30 20:58:28 firewall-start xx: ppp0
Jun 30 20:58:28 rc_service: ip-up 2168:notify_rc stop_vpnserver1
Jun 30 20:58:28 rc_service: ip-up 2168:notify_rc start_vpnserver1
Jun 30 20:58:28 rc_service: waitting "stop_vpnserver1" via ip-up ...
Jun 30 20:58:28 asus: ===========< OpenVPN fw rlz applied >===========
Jun 30 20:58:28 custom_script: Running /jffs/scripts/service-event (args: stop vpnserver1)
Jun 30 20:58:28 ovpn-server1[2787]: Closing TUN/TAP interface
Jun 30 20:58:28 ovpn-server1[2787]: /sbin/ifconfig tun21 0.0.0.0
Jun 30 20:58:28 ovpn-server1[2787]: updown.sh tun21 1500 1624 192.168.110.1 255.255.255.0 init
Jun 30 20:58:28 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
Jun 30 20:58:28 openvpn-event: tun21
Jun 30 20:58:28 asus: ===========< OpenVPN fw rlz applied >===========
...
Jun 30 20:58:32 custom_script: Running /jffs/scripts/openvpn-event (args: tun21 1500 1624 192.168.110.1 255.255.255.0 init)
Jun 30 20:58:32 openvpn-event: tun21
Jun 30 20:58:32 asus: ===========< OpenVPN fw rlz applied >===========


My firewall rules are applied now thrice in the iptables INPUT chain.
I could paste the full syslog in a pastebin if it helps.

Thank you
 

ColinTaylor

Part of the Furniture
If you're simply trying to restrict access to the VPN server to specific IP addresses you don't need the conntrack stuff AFAIK. So delete your firewall-start script and use the following as your openvpn-event script.
Code:
#!/bin/sh

if [ "$dev" = "tun21" ]
then
    if [ "$script_type" = "up" ]; then
        iptables -I INPUT 1 -s x.x.x.x -p tcp --dport xxx -j ACCEPT
        iptables -I INPUT 2 -s x.x.x.x -p tcp --dport xxx -j ACCEPT
        iptables -I INPUT 3 -p tcp --dport xxx -j DROP
    elif [ "$script_type" = "down" ]; then
        iptables -D INPUT -s x.x.x.x -p tcp --dport xxx -j ACCEPT
        iptables -D INPUT -s x.x.x.x -p tcp --dport xxx -j ACCEPT
        iptables -D INPUT -p tcp --dport xxx -j DROP
    fi
fi
Disclaimer: I haven't tested this script.
 

nick_max

Occasional Visitor
Cheers!
That's exactly what I'm trying to do: block everything except 2 IPs to my OpenVPN server.

I will definitely try your script and let you know.

Many thanks :)
 

nick_max

Occasional Visitor
Hi Colin,

After a couple of days of seeing what's happening with the new script, I have noticed that after reboot, the iptables rules get applied successfully, but after a while these rules get automatically deleted.
My assumption is that even though the rules are applied at reboot, somewhere along the way the firewall gets restarted and the rules go away.

That was the reason for placing my custom iptables rules in the firewall-start file, so that they get applied every time some service decides to restart the firewall.

Do you think that there might be a workaround for this, please?

Thank you.
 

ColinTaylor

Part of the Furniture
Yes, sorry you are correct. I encountered that problem myself and updated my scripts accordingly but didn't read my notes properly when replying in this thread. :rolleyes:

Let me review what I actually did, rather than what I thought I did.
 

ColinTaylor

Part of the Furniture
@nick_max Could you post the output of this command please? The way the VPN firewall rules are implemented is slightly different between Merlin's and John's firmware. I don't have Merlin's firmware on my router and I don't want to post something that doesn't work for both.
Code:
cat /etc/openvpn/fw/server1-fw.sh
 

nick_max

Occasional Visitor
Hi Colin,

Please see below:

#!/bin/sh
iptables -t nat -I PREROUTING -p tcp --dport xxx -j ACCEPT
iptables -I INPUT -p tcp --dport xxx -j ACCEPT
iptables -I OVPN -i tun21 -d 192.168.1.0/24 -j ACCEPT
iptables -t mangle -I PREROUTING -i tun21 -j MARK --set-mark 0x01/0x7
 

ColinTaylor

Part of the Furniture
That's excellent, thanks. I think I've found a better way of doing this than I had before. ;)

OK try this. Remove/delete any changes you may still have in firewall-start and openvpn-event.

Create a /jffs/scripts/openvpnserver1.postconf file as follows:
Code:
#!/bin/sh

CONFIG="/etc/openvpn/fw/server1-fw.sh"
source /usr/sbin/helper.sh

# Do not use rule numbers. Insert rules in reverse order.
pc_append "iptables -I INPUT -p tcp --dport 9999 -j DROP" $CONFIG
pc_append "iptables -I INPUT -s 222.222.222.222 -p tcp --dport 9999 -j ACCEPT" $CONFIG
pc_append "iptables -I INPUT -s 111.111.111.111 -p tcp --dport 9999 -j ACCEPT" $CONFIG
Note that you must not use rule numbers in this script (e.g. "-I INPUT 1") because they will not be removed properly. So your rules need to be applied in reverse order.

Side note: The reason we can't simply use firewall-start is because when the OpenVPN server is restarted it inserts its own rules at the top of the INPUT chain, negating any changes of our own (as can be seen in that script you just posted).
 

nick_max

Occasional Visitor
Awesome, I did exactly as you said:
- I've removed the firewall-start and openvpn-event files
- created the openvpnserver1.postconf file with your code

I'll wait and see what happens after a few days and reboots.

I appreciate very much your help :)

Cheers!
 
