IPTables allow access to specific ports from tun21 to new bridge

jjimenez

Occasional Visitor
Hi,

I have an Asus RT-AX58U with Merlin.

Thanks to another post in this forum, I managed to create a new bridge (br100) and isolate it from my LAN (br0). I managed to allow only specific traffic from br0 to br100. It works fine. But yesterday I realized that while I'm connected through VPN (tun21) to my network, I cannot access the new bridge (br100). So I added some rules to my iptables. Basically, I duplicated some rules applied to br0, using tun21 and tun22 as input. But still, I cannot access those services while connected to my VPN.

What am I doing wrong? Here is my `firewall-start.sh` script.

Bash:
#!/bin/sh

# Make sure the script is indeed invoked
logger -t "br100" "firewall-start: applying fw rules for br100"

# Allow new incoming connections from br100
iptables -I INPUT -i br100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Deny br100 access to the web UI and SSH of the main router
iptables -I INPUT -i br100 -p tcp --dport 80 -j DROP
iptables -I INPUT -i br100 -p tcp --dport 443 -j DROP
iptables -I INPUT -i br100 -p tcp --dport 22 -j DROP

# Forbid packets from br100 to be forwarded to other interfaces
iptables -I FORWARD -i br100 -j DROP

# But allow packet forwarding inside br100
iptables -I FORWARD -i br100 -o br100 -j ACCEPT

# Allow packet forwarding between br100 and ppp0 (WAN)
iptables -I FORWARD -i br100 -o ppp0 -j ACCEPT

# Forbid packets from br0 to be forwarded to br100, isolating new br100 from default br0
iptables -I FORWARD -i br0 -o br100 -j DROP
iptables -I FORWARD -i tun21 -o br100 -j DROP
iptables -I FORWARD -i tun22 -o br100 -j DROP

# But allow one-way traffic from br0 to br100 only for restricted ports - SSH, HTTP, and HTTPS
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 22 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 80 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 443 -j ACCEPT

# vpn 1
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 22 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 80 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 443 -j ACCEPT

# vpn 2
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 22 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 80 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 443 -j ACCEPT

# Trantor --------
# portainer (8003)
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 8003 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 8003 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 8003 -j ACCEPT

# proxmox web ui (8006)
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 8006 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 8006 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 8006 -j ACCEPT

# Raspi2 --------
# nginx proxy manager web (81)
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 81 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p tcp --match multiport --dports 81 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p tcp --match multiport --dports 81 -j ACCEPT

# glances port (61208 and 61209)
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 61208 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 61209 -j ACCEPT

# MINECRAFT
iptables -I FORWARD -i br0 -o br100 -p udp --match multiport --dports 19132 -j ACCEPT
iptables -I FORWARD -i tun21 -o br100 -p udp --match multiport --dports 19132 -j ACCEPT
iptables -I FORWARD -i tun22 -o br100 -p udp --match multiport --dports 19132 -j ACCEPT

# allow traffic back for opened connections
iptables -I FORWARD -i br100 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i br100 -o tun21 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i br100 -o tun22 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop icmp ping requests to br100
iptables -A OUTPUT -d 192.168.60.1/24 -p icmp --icmp-type echo-request -j DROP

Thanks in advance!!!
 

eibgrad

Part of the Furniture
It would help to see these rules in action, in your own firewall, so we can see them in context.

Code:
iptables -vnL FORWARD --line-numbers

Also, do you happen to be running the OpenVPN client on the router at the same time? If so, then also include a dump of the routing tables and ip rules.

Code:
ip route
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
ip rule
 

jjimenez

Occasional Visitor
Hi @eibgrad, thanks for your answer. Here is the output of the iptables command:

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  br100  tun22   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  br100  tun21   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3     660K  198M ACCEPT     all  --  br100  br0     0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        0     0 ACCEPT     udp  --  tun22  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 19132
5        0     0 ACCEPT     udp  --  tun21  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 19132
6        0     0 ACCEPT     udp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            multiport dports 19132
7        0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            multiport dports 61209
8    12290  883K ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            multiport dports 61208
9        0     0 ACCEPT     tcp  --  tun22  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 81
10       0     0 ACCEPT     tcp  --  tun21  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 81
11       0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            multiport dports 81
12       0     0 ACCEPT     tcp  --  tun22  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 8006
13       0     0 ACCEPT     tcp  --  tun21  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 8006
14       0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            multiport dports 8006
15       0     0 ACCEPT     tcp  --  tun22  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 8003
16       0     0 ACCEPT     tcp  --  tun21  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 8003
17       0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            multiport dports 8003
18       0     0 ACCEPT     tcp  --  tun22  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 443
19       0     0 ACCEPT     tcp  --  tun22  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 80
20       0     0 ACCEPT     tcp  --  tun22  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 22
21       0     0 ACCEPT     tcp  --  tun21  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 443
22       0     0 ACCEPT     tcp  --  tun21  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 80
23       0     0 ACCEPT     tcp  --  tun21  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 22
24    722K   95M ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            multiport dports 443
25      11   836 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            multiport dports 80
26      13  2389 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            multiport dports 22
27       0     0 DROP       all  --  tun22  br100   0.0.0.0/0            0.0.0.0/0
28       0     0 DROP       all  --  tun21  br100   0.0.0.0/0            0.0.0.0/0
29       0     0 DROP       all  --  br0    br100   0.0.0.0/0            0.0.0.0/0
30   82790   23M ACCEPT     all  --  br100  ppp0    0.0.0.0/0            0.0.0.0/0
31       0     0 ACCEPT     all  --  br100  br100   0.0.0.0/0            0.0.0.0/0
32   37268 2235K DROP       all  --  br100  *       0.0.0.0/0            0.0.0.0/0
33   34676 1692K DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
34       0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
35       0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
36       0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
37   18058 1176K DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
38       0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
39       0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
40       0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
41       0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
42       0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
43       0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
44       0     0 DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX
45   91823 5425K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
46    932K  300M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
47     932 74239 WGNPControls  all  --  br1    *       0.0.0.0/0            0.0.0.0/0
48     932 74239 ACCEPT     all  --  br1    ppp0    0.0.0.0/0            0.0.0.0/0
49       0     0 other2wan  all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0/0
50       0     0 DROP       all  --  !br0   eth4    0.0.0.0/0            0.0.0.0/0
51       0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
52    4400  224K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
53    182K   31M NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
54    138K   28M ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
55   13165  783K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
56   30963 1929K OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
57       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


ip route

Code:
default via 192.168.144.1 dev ppp0
10.8.0.0/24 dev tun21 proto kernel scope link src 10.8.0.1
10.16.0.0/24 dev tun22 proto kernel scope link src 10.16.0.1
80.58.XXX.XXX via 192.168.144.1 dev ppp0 metric 1
80.58.XXX.XXX via 192.168.144.1 dev ppp0 metric 1
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev eth4 proto kernel scope link src 169.254.134.106
192.168.55.0/24 dev br0 proto kernel scope link src 192.168.55.1
192.168.60.0/24 dev br100 proto kernel scope link src 192.168.60.1
192.168.101.0/24 dev br1 proto kernel scope link src 192.168.101.1
192.168.144.1 dev ppp0 proto kernel scope link
239.0.0.0/8 dev br0 scope link


ip rule

Code:
0:    from all lookup local
32766:    from all lookup main
32767:    from all lookup default

The commands ip route show table ovpncX don't have any output.
 
Last edited:
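A quick way to read a dump like the one above is to list, per input interface, the rules whose packet counter is still zero: if every tun21/tun22 rule is at 0 while the br0 rules carry traffic, VPN client packets are never reaching the FORWARD chain. This is an added example, not something posted in the thread; the excerpt in `SAMPLE_DUMP` is a constructed subset of the dump above, and the function names `unmatched_rules` / `count_unmatched` are mine.

```shell
#!/bin/sh
# Added example (not from the thread): scan an
# "iptables -vnL FORWARD --line-numbers" dump and list the rules for a given
# input interface that have never matched a packet.

# Constructed excerpt of the dump posted above (same columns as the real output).
SAMPLE_DUMP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
5        0     0 ACCEPT     udp  --  tun21  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 19132
8    12290  883K ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            multiport dports 61208
10       0     0 ACCEPT     tcp  --  tun21  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 81
23       0     0 ACCEPT     tcp  --  tun21  br100   0.0.0.0/0            0.0.0.0/0            multiport dports 22
24    722K   95M ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            multiport dports 443
28       0     0 DROP       all  --  tun21  br100   0.0.0.0/0            0.0.0.0/0'

# unmatched_rules IFACE : print "num target proto -> out [match]" for every rule
# whose input interface is IFACE and whose packet counter is 0. Reads stdin.
# Columns: 1=num 2=pkts 3=bytes 4=target 5=prot 6=opt 7=in 8=out 9=src 10=dst 11+=match
unmatched_rules() {
    awk -v iface="$1" '
        /^Chain/ || /^num/ { next }          # skip chain and column headers
        $7 == iface && $2 == 0 {
            extra = ""
            for (i = 11; i <= NF; i++) extra = extra " " $i
            printf "%s %s %s -> %s%s\n", $1, $4, $5, $8, extra
        }'
}

# count_unmatched IFACE : number of zero-counter rules for IFACE in SAMPLE_DUMP.
count_unmatched() {
    printf '%s\n' "$SAMPLE_DUMP" | unmatched_rules "$1" | wc -l | tr -d ' '
}

# On the router itself the live equivalent is:
#   iptables -vnL FORWARD --line-numbers | unmatched_rules tun21
printf '%s\n' "$SAMPLE_DUMP" | unmatched_rules tun21
```

Run against the full dump above, every tun21 and tun22 rule (numbers 1, 2, 4, 5, 9, 10, 12, 13, 15, 16, 18 to 23, 27, 28) comes back, while br0 rules such as 8 and 24 do not: the rules are fine, the packets simply are not arriving on those interfaces.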

eibgrad

Part of the Furniture
On the face of it, it seems correct. Although on a side note, I don't see the point in using the multiport module if you end up specifying one port per rule. You might as well use the built-in dport option. The point of multiport is to increase efficiency. And as written, it is NOT very efficient (although I concede it's easier to document it this way).

Also, for efficiency purposes, you could combine the two rules for the OpenVPN servers into one rule using a wildcard (tun2+).

Again, it all seems correct. But I noticed there's NO traffic on the tun21/tun22 rules AT ALL.

What I suspect is your OpenVPN servers are NOT configured to route ALL traffic by the client over the VPN, but only LAN traffic (i.e., you probably have the "Client will use VPN to access" option on the OpenVPN servers set to LAN only). The problem w/ that setting is the router will only push the default network to the OpenVPN client, specifically br0. YOU have to include any additional IP networks yourself by adding them as push'd route directives in the custom config field of the OpenVPN servers.

Code:
push "route 192.168.60.0 255.255.255.0"

Without this information, the OpenVPN client doesn't KNOW that network is accessible over the VPN.
 
Last edited:
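The two efficiency suggestions above (one multiport rule per protocol instead of one rule per port, and a `tun2+` wildcard instead of separate tun21/tun22 rules) look like this when applied to the br0/VPN-to-br100 part of the original script. This is an added example, not the poster's script or anything from the thread: the `ipt` wrapper, the `IPT_DRY_RUN` switch (defaults to printing the commands so the rule set can be reviewed before it is installed on the router) and the function names are my own, and only the br0/tun2x-to-br100 policy is covered; the INPUT, br100-to-WAN and intra-br100 rules from the original script are left as they were.

```shell
#!/bin/sh
# Added example, not the poster's firewall-start.sh: the br0/OpenVPN -> br100
# policy rewritten with one multiport rule per protocol and the "tun2+"
# wildcard, which matches tun21, tun22, ... in a single rule.
# IPT_DRY_RUN=1 (the default here) prints the commands; IPT_DRY_RUN=0 applies them.

IPT_DRY_RUN="${IPT_DRY_RUN:-1}"

# ipt ARGS... : run iptables, or print the command when dry-running.
ipt() {
    if [ "$IPT_DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Ports taken from the original script.
TCP_PORTS="22,80,443,81,8003,8006"   # SSH, HTTP, HTTPS, NPM, portainer, proxmox
UDP_PORTS="19132"                    # Minecraft Bedrock
LAN_ONLY_TCP="61208,61209"           # glances: reachable from br0 only

# allow_into_br100 IN_IFACE PROTO PORTS : one multiport ACCEPT rule.
allow_into_br100() {
    ipt -I FORWARD -i "$1" -o br100 -p "$2" -m multiport --dports "$3" -j ACCEPT
}

apply_br100_rules() {
    # Default: nothing from br0 or any OpenVPN server interface reaches br100.
    ipt -I FORWARD -i br0 -o br100 -j DROP
    ipt -I FORWARD -i tun2+ -o br100 -j DROP

    # Exceptions. -I prepends, so these land above the two DROP rules.
    for in_if in br0 tun2+; do
        allow_into_br100 "$in_if" tcp "$TCP_PORTS"
        allow_into_br100 "$in_if" udp "$UDP_PORTS"
    done
    allow_into_br100 br0 tcp "$LAN_ONLY_TCP"

    # Replies for connections opened from br0 or the VPN must be let back out.
    ipt -I FORWARD -i br100 -o br0   -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -I FORWARD -i br100 -o tun2+ -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# render_rules : the generated commands as text, whatever IPT_DRY_RUN is set to.
render_rules() {
    ( IPT_DRY_RUN=1; apply_br100_rules )
}

# rule_count : number of iptables commands the policy generates.
rule_count() {
    render_rules | wc -l | tr -d ' '
}

apply_br100_rules
```

Nine rules replace the thirty-odd in the original block, and adding a third OpenVPN server (tun23) needs no change at all. The push route is still required separately: these rules only decide what is forwarded once VPN client packets arrive, they do not make the client send 192.168.60.0/24 over the tunnel.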

jjimenez

Occasional Visitor
On the face of it, it seems correct. Although on a side note, I don't see the point in using the multiport module if you end up specifying one port per rule. You might as well use the built-in dport option. The point of multiport is to increase efficiency. And as written, it is NOT very efficient (although I concede it's easier to document it this way).

Also, for efficiency purposes, you could combine the two rules for the OpenVPN servers into one rule using a wildcard (tun2+).

Again, it all seems correct. But I noticed there's NO traffic on the tun21/tun22 rules AT ALL.

What I suspect is your OpenVPN servers are NOT configured to route ALL traffic by the client over the VPN, but only LAN traffic (i.e., you probably have the "Client will use VPN to access" option on the OpenVPN servers set to LAN only). The problem w/ that setting is the router will only push the default network to the OpenVPN client, specifically br0. YOU have to include any additional IP networks yourself by adding them as push'd route directives in the custom config field of the OpenVPN servers.

Code:
push "route 192.168.60.0 255.255.255.0"

Without this information, the OpenVPN client doesn't KNOW that network is accessible over the VPN.

Yes! That was the problem! Thank you very much. The VPN was configured to route only LAN traffic. I've added the "push" config and it works as expected :)

Thanks for your advice on the iptables commands, I'll try to apply them. So, one last question... with this "push" config, do I still need the iptables rules to/from tun2+? I guess the answer is yes, right?

Thanks again!
 

eibgrad

Part of the Furniture
Thanks for your advice on the iptables commands, I'll try to apply them. So, one last question... with this "push" config, do I still need the iptables rules to/from tun2+? I guess the answer is yes, right?

Yes. Because the jump to the OVPN chain further down in the FORWARD chain has a rule limiting access to the default IP network (br0).

Code:
iptables -vnL OVPN

By adding your own rules for the new IP network of br100, you make it accessible as well.
 
