Hi,
I have an Asus RT-AX58U with Merlin.
Thanks to another post in this forum, I managed to create a new bridge (br100) and isolate it from my LAN (br0). I managed to allow only specific traffic from br0 to br100. It works fine. But yesterday I realized that while I'm connected through VPN (tun21) to my network, I cannot access the new bridge (br100). So I added some rules to my iptables. Basically, I duplicated the rules applied to br0, using tun21 and tun22 as the input interface. But still, I cannot access those services while connected to my VPN.
What am I doing wrong? Here is my `firewall-start.sh` script.
```sh
#!/bin/sh
# Make sure the script is indeed invoked
logger -t "br100" "firewall-start: applying fw rules for br100"
# Allow new incoming connections from br100
iptables -I INPUT -i br100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Deny br100 access to the web UI and SSH of the main router
iptables -I INPUT -i br100 -p tcp --dport 80 -j DROP
iptables -I INPUT -i br100 -p tcp --dport 443 -j DROP
iptables -I INPUT -i br100 -p tcp --dport 22 -j DROP
# Forbid packets from br100 to be forwarded to other interfaces
iptables -I FORWARD -i br100 -j DROP
# But allow packet forwarding inside br100
iptables -I FORWARD -i br100 -o br100 -j ACCEPT
# Allow packet forwarding between br100 and ppp0 (WAN)
iptables -I FORWARD -i br100 -o ppp0 -j ACCEPT
# Forbid packets from br0 to be forwarded to br100, isolating new br100 from default br0
iptables -I FORWARD -i br0 -o br100 -j DROP
iptables -I FORWARD -i tun21 -o br100 -j DROP
iptables -I FORWARD -i tun22 -o br100 -j DROP
# But allow one-way traffic from br0 to br100 only for restricted ports - SSH, HTTP, and HTTPS
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 22 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 80 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 443 -j ACCEPT
# vpn 1
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 22 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 80 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 443 -j ACCEPT
# vpn 2
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 22 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 80 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 443 -j ACCEPT
# Trantor --------
# portainer (8003)
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 8003 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 8003 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 8003 -j ACCEPT
# proxmox web ui (8006)
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 8006 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 8006 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 8006 -j ACCEPT
# Raspi2 --------
# nginx proxy manager web (81)
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 81 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 81 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 81 -j ACCEPT
# glances port (61208 and 61209)
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 61208 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 61209 -j ACCEPT
# MINECRAFT
iptables -I FORWARD -i br0 -o br100 -p udp --match multiport --dports 19132 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p udp --match multiport --dports 19132 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p udp --match multiport --dports 19132 -j ACCEPT
# allow traffic back for opened connections
iptables -I FORWARD -i br100 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i br100 -o tun21 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i br100 -o tun22 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop icmp ping requests to br100
iptables -A OUTPUT -d 192.168.60.1/24 -p icmp --icmp-type echo-request -j DROP
```
Thanks in advance!!!
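Every rule in the script is added with `-I`, so the FORWARD chain the kernel evaluates is in the reverse of script order, which is easy to misjudge when rules for a new interface such as tun21 are bolted on. The following added example (not from the post and not Asuswrt-Merlin code) replays a constructed subset of the posted FORWARD rules in that order and tests packets against the result; it models only the matches the script uses (-i, -o, -p, --dports, --state) and none of the firmware's own rules.

```python
import shlex

# Constructed sample: a subset of the posted firewall-start.sh FORWARD rules, in script order.
SCRIPT_RULES = """\
iptables -I FORWARD -i br100 -j DROP
iptables -I FORWARD -i br100 -o br100 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -j DROP
iptables -I FORWARD -i tun21 -o br100 -j DROP
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 22 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 22 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 8006 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 61208 -j ACCEPT
iptables -I FORWARD -i br100 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i br100 -o tun21 -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

# Only the matches the script actually uses are modelled; everything else is ignored.
OPTS = {"-I": "chain", "-A": "chain", "-i": "in", "-o": "out", "-p": "proto",
        "--dports": "dports", "--state": "states", "-j": "target"}

def parse_rule(line):
    """One iptables command -> dict of match criteria plus its target."""
    argv = shlex.split(line)
    rule = {"insert": "-I" in argv}
    for opt, val in zip(argv, argv[1:]):
        if opt in OPTS:  # comma lists (--dports, --state) become sets
            rule[OPTS[opt]] = set(val.split(",")) if opt.startswith("--") else val
    return rule

def build_chain(script, chain="FORWARD"):
    """Replay the script: -I prepends, so the LAST rule executed is matched FIRST."""
    effective = []
    for rule in map(parse_rule, script.splitlines()):
        if rule.get("chain") == chain:
            effective.insert(0, rule) if rule["insert"] else effective.append(rule)
    return effective

def packet(in_if, out_if, proto="tcp", dport=0, state="NEW"):
    return {"in": in_if, "out": out_if, "proto": proto, "dport": str(dport), "state": state}

def matches(rule, pkt):
    # A criterion the rule does not specify is treated as a wildcard.
    return (all(rule.get(k, pkt[k]) == pkt[k] for k in ("in", "out", "proto"))
            and pkt["dport"] in rule.get("dports", {pkt["dport"]})
            and pkt["state"] in rule.get("states", {pkt["state"]}))

def evaluate(chain, pkt):
    """Target of the first matching rule, or POLICY if the chain falls through."""
    return next((r["target"] for r in chain if matches(r, pkt)), "POLICY")
```

If a tun21 to br100 packet comes back as ACCEPT here while the real connection still fails, the script's own rules are not what blocks it, which narrows the search to the firmware's built-in chains, the routes on the VPN client, or the hosts on br100.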