[SOLVED] Merlin WRT - help with IPtables SMB share

Jack Yaz

Part of the Furniture
Hi there,

I want to create a NAT/IPTables rule that only allows specific IP addresses to connect to my router, which has a server hosting an SMB share (run on Windows).

Can anyone help with the rules that are required? I found this but I'm not sure what the difference between a nat chain and normal rules is?

https://github.com/RMerl/asuswrt-me...b.com/RMerl/asuswrt-merlin/wiki/Iptables-tips

https://www.snbforums.com/threads/need-help-with-iptables-script.35400/#post-289598

Thanks in advance!
 
Note that many ISPs will block the ports used by SMB, for security reasons. You might need to use a VPN if that's the case.
 
Sorry, forgot to mention it'll be over VPN tunnel, but I don't want all of the lan accessible (using push lan to clients), so was going to drop all traffic then allow the port to connect to the SMB share on a server, if that makes sense?
 
That should be possible. Make sure you use the IPs from the OpenVPN tunnel (10.x.x.x), and put the rules in the FORWARD chain, referring to the tunnel interface (probably tun21).

I can't give you any more details because it's not something I have ever done myself, sorry. But it's doable.
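The rules RMerlin describes, written out as an added example (this is not code from the thread or from the Asuswrt-Merlin project): filtering happens in the FORWARD chain of the filter table, which sees traffic passing between the tunnel interface and the LAN; the nat table asked about earlier only rewrites addresses (port forwards) and is not where access is restricted. The script assumes the OpenVPN server interface is tun21, the tunnel subnet is 10.8.0.0/24 and the SMB server sits at 192.168.1.10; all three are placeholders. It is meant to be saved as /jffs/scripts/firewall-start, the script Asuswrt-Merlin runs after rebuilding the firewall (JFFS custom scripts must be enabled), so the GUI does not overwrite the rules. The chain is inserted at the top of FORWARD so it takes precedence over whatever ACCEPT rules the firmware itself added for the tunnel.

```shell
#!/bin/sh
# Added example, not from the thread or the Asuswrt-Merlin project: restrict OpenVPN
# clients on the tunnel interface to one SMB server, filtering in the FORWARD chain
# on the tunnel interface with the tunnel's own 10.x addresses.
# Assumed values (placeholders, change for your network):
TUN_IF="${TUN_IF:-tun21}"            # OpenVPN server 1 tunnel interface
VPN_NET="${VPN_NET:-10.8.0.0/24}"    # tunnel subnet handed out to clients
SMB_HOST="${SMB_HOST:-192.168.1.10}" # LAN address of the Windows SMB server
IPT="${IPT:-iptables}"               # set IPT=echo to print the commands instead of applying them

# (Re)build a dedicated chain and hook it at the top of FORWARD, so running the
# script again (firewall-start is re-run on every firewall restart) is harmless.
apply_smb_only_rules() {
    $IPT -N VPN_SMB 2>/dev/null || true   # create the chain if it does not exist yet
    $IPT -F VPN_SMB                        # start from an empty chain
    # packets belonging to connections the LAN side initiated are allowed back
    $IPT -A VPN_SMB -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the only new connections allowed from the tunnel: SMB (TCP 445, legacy 139) to the file server
    $IPT -A VPN_SMB -s "$VPN_NET" -d "$SMB_HOST" -p tcp -m multiport --dports 139,445 -j ACCEPT
    # everything else a VPN client tries to reach through the router is dropped
    $IPT -A VPN_SMB -j DROP
    # remove any earlier hook, then attach the chain to traffic arriving on the tunnel
    $IPT -D FORWARD -i "$TUN_IF" -j VPN_SMB 2>/dev/null || true
    $IPT -I FORWARD 1 -i "$TUN_IF" -j VPN_SMB
}

# Print the rules that would be applied, for review before installing the script.
# Runs in a subshell so the echo substitution does not leak into the caller.
preview_smb_only_rules() {
    ( IPT=echo; apply_smb_only_rules )
}
```

Call `preview_smb_only_rules` first and check the printed rules; once they look right, add a line calling `apply_smb_only_rules` at the end of the script and make it executable. Only TCP 139 and 445 are opened because that is all an SMB client needs to reach a share; NetBIOS name service (UDP 137/138) is not required over a routed tunnel where the server is addressed by IP.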
 
Are the iptables rules stored anywhere I can modify, and that won't get overwritten by GUI settings?
 
Here's an odd one, I turned off "push lan to clients", yet vpn clients can still access the lan?

I can see the router is doing this:

Apr 24 15:00:19 openvpn[9068]: YAZS7/213.205.194.74 SENT CONTROL [YAZS7]: 'PUSH_REPLY,dhcp-option DNS 10.14.16.1,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
 
Also, in the conf it still shows the below, despite me not selecting to push DNS?

push "dhcp-option DNS 10.14.16.1"

 
Ah, it's where I changed respond to DNS to no, without also changing the sub-option of advertising DNS to no as well.
 
Don't forget to check the samba config file - it's been a long time since I've looked at the asus configs, but one can limit scope there...

It's usually under the <global> section of the config, under hosts allow = IPRange/CIDR

I have to be a bit obtuse here, otherwise I hit the keyword sensor that'll block the post...

Here's a sample config that can get one pointed in the right direction (many Samba configs are more complicated than needed, but that's due to scripting support - but eyeball things, and see if there's a section or two that can help)

 
I realised that I was missing the obvious for the server config. Disabled push lan to clients, then in custom config push the route of the IP I want to allow!
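A check for both the surprise above (push lan off, yet redirect-gateway and a DNS option still pushed) and the final fix (a custom-config push of a single host route), as an added example that is not part of the thread: it parses the `SENT CONTROL ... PUSH_REPLY` line the router writes to syslog, the same kind of line quoted earlier, and reports which pushed options widen what a client can reach. The sample log line is constructed, modelled on the one in the thread with placeholder client name and public address. Note that a pushed route only tells the client where to send traffic; the FORWARD rules on the router are what actually enforce the restriction.

```shell
#!/bin/sh
# Added example, not from the thread: audit what the OpenVPN server actually pushes to
# a client by parsing the 'SENT CONTROL ... PUSH_REPLY' line from the router syslog.

# Constructed sample, modelled on the line quoted in the thread (client name and public
# address are placeholders); it still carries redirect-gateway and a DNS push.
SAMPLE_LOG="Apr 24 15:00:19 openvpn[9068]: CLIENT1/203.0.113.10 SENT CONTROL [CLIENT1]: 'PUSH_REPLY,dhcp-option DNS 10.14.16.1,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)"

# Extract the comma-separated option list between "PUSH_REPLY," and the closing quote,
# printing one option per line.
push_options() {
    printf '%s\n' "$1" | sed -n "s/.*'PUSH_REPLY,\(.*\)'.*/\1/p" | tr ',' '\n'
}

# Flag pushed options that widen what the client can reach. A route to a single host
# (netmask 255.255.255.255, which is also OpenVPN's default when no netmask is given)
# is what "push the route of the IP I want to allow" looks like and is left alone.
# Prints warn:/info: lines; returns 0 when nothing is warned about, 1 otherwise.
audit_push_reply() {
    findings=$(push_options "$1" | awk '
        $1 == "redirect-gateway" { print "warn: all client traffic routed into the tunnel (" $0 ")" }
        $1 == "route" && $3 != "" && $3 != "255.255.255.255" { print "warn: whole subnet pushed (" $0 ")" }
        $1 == "dhcp-option" && $2 == "DNS" { print "info: DNS server pushed (" $0 ")" }
    ')
    [ -n "$findings" ] && printf '%s\n' "$findings"
    if printf '%s\n' "$findings" | grep -q '^warn:'; then
        return 1
    fi
    return 0
}
```

On the router, feed it the live line with something like `audit_push_reply "$(grep PUSH_REPLY /tmp/syslog.log | tail -n 1)"`: after disabling push lan to clients and adding the host route in the custom config, the output should contain no warn: lines.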
 