Hi Michael,

OK, that is best done via custom rules in 
"/mnt/kd/arno-iptables-firewall/custom-rules".

For this example, WireGuard LAN->Local will drop all traffic except SSH.

-- /mnt/kd/arno-iptables-firewall/custom-rules --
# Put any custom (iptables) rules here down below:
##################################################

custom_wg_lan_input()
{
  local wg_if

  # WIREGUARD_IF is the configured tunnel interface; default to wg0
  wg_if="${WIREGUARD_IF:-wg0}"

  echo "[CUSTOM RULE] Custom WireGuard LAN->Local"
  # Accept only SSH (TCP/22) arriving from the tunnel, then drop everything
  # else from that interface. Order matters: the DROP must come last.
  iptables -A INT_INPUT_CHAIN -i "$wg_if" -p tcp --dport 22 -j ACCEPT
  iptables -A INT_INPUT_CHAIN -i "$wg_if" -j DROP
}
custom_wg_lan_input
--

apply changes...
pbx # arno-iptables-firewall restart

test new rules with...
pbx # iptables -nvL INT_INPUT_CHAIN
Chain INT_INPUT_CHAIN (3 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    3   180 DROP       all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
...

and for IPv6...
pbx # ip6tables -nvL INT_INPUT_CHAIN
Chain INT_INPUT_CHAIN (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      wg0    *       ::/0                 ::/0                 tcp dpt:22
    0     0 DROP       all      wg0    *       ::/0                 ::/0
...

Since the default LAN->Local policy is ACCEPT, we need to use DROP to block all 
for wg0.

As always, test the firewall rule changes to make sure it works as expected.

Lonnie
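As an added example (not part of Lonnie's message or of the arno-iptables-firewall project): a small POSIX shell helper that generalizes the posted rule pair to any interface and TCP port list, so the physical LAN and wg0 can each get their own allow-list (the split Michael asked for: 443 plus SSH from the physical LAN, SSH only from wg0), together with an audit function that checks `iptables -S INT_INPUT_CHAIN` output for the two properties the "test new rules" step above verifies by eye: every ACCEPT on the interface is a listed TCP port, and the interface's last rule is an unconditional DROP. The chain name and the `-i <interface>` match come from the thread; the function names, the `IPTABLES` dry-run variable, the `eth1` interface name, port 2222 as a non-standard SSH port and the sample rule listings are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the AstLinux thread or arno-iptables-firewall.
# Assumed: INT_INPUT_CHAIN and "-i <if>" (from the thread); everything else
# (function names, IPTABLES variable, eth1, port 2222, samples) is constructed.

# Emit (or, with IPTABLES=iptables, execute) the rules for one interface:
# accept the listed TCP ports, then drop everything else arriving on it.
# Usage: lan_input_rules <ifname> <tcp-port>...
lan_input_rules() {
  _if="$1"; shift
  _ipt="${IPTABLES:-echo iptables}"   # dry-run by default; prints the commands
  for _port in "$@"; do
    $_ipt -A INT_INPUT_CHAIN -i "$_if" -p tcp --dport "$_port" -j ACCEPT
  done
  $_ipt -A INT_INPUT_CHAIN -i "$_if" -j DROP
}

# Audit 'iptables -S INT_INPUT_CHAIN' output (read from stdin) for interface $1:
# each ACCEPT on that interface must be a TCP --dport from the allowed list, and
# the interface's last rule must be "-j DROP". Returns 0 when both hold.
# Usage: audit_if_rules <ifname> <tcp-port>... < rules.txt
audit_if_rules() {
  _if="$1"; shift
  _allowed=" $* "
  _last=""
  _ok=0
  while IFS= read -r _line; do
    case "$_line" in
      "-A INT_INPUT_CHAIN -i $_if "*) ;;     # only rules for this interface
      *) continue ;;
    esac
    _last="$_line"
    case "$_line" in
      "-A INT_INPUT_CHAIN -i $_if -p tcp -m tcp --dport "*" -j ACCEPT")
        _dport="${_line##*--dport }"; _dport="${_dport%% *}"
        case "$_allowed" in
          *" $_dport "*) ;;
          *) echo "AUDIT: $_if accepts unlisted port $_dport: $_line" >&2; _ok=1 ;;
        esac ;;
      "-A INT_INPUT_CHAIN -i $_if -j DROP") ;;
      *) echo "AUDIT: unexpected rule for $_if: $_line" >&2; _ok=1 ;;
    esac
  done
  case "$_last" in
    "-A INT_INPUT_CHAIN -i $_if -j DROP") ;;
    *) echo "AUDIT: $_if does not end in DROP (last rule: '$_last')" >&2; _ok=1 ;;
  esac
  return $_ok
}

# Constructed sample of 'iptables -S INT_INPUT_CHAIN' output (not a real capture):
# physical LAN eth1 gets HTTPS and SSH (2222), wg0 gets SSH only, both end in DROP.
SAMPLE_GOOD='-N INT_INPUT_CHAIN
-A INT_INPUT_CHAIN -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INT_INPUT_CHAIN -i eth1 -p tcp -m tcp --dport 2222 -j ACCEPT
-A INT_INPUT_CHAIN -i eth1 -j DROP
-A INT_INPUT_CHAIN -i wg0 -p tcp -m tcp --dport 2222 -j ACCEPT
-A INT_INPUT_CHAIN -i wg0 -j DROP'

# Constructed failure case: a stray UDP accept and no trailing DROP, so wg0
# falls through to the default LAN->Local ACCEPT policy.
SAMPLE_BAD='-N INT_INPUT_CHAIN
-A INT_INPUT_CHAIN -i wg0 -p tcp -m tcp --dport 2222 -j ACCEPT
-A INT_INPUT_CHAIN -i wg0 -p udp -m udp --dport 5060 -j ACCEPT'

# Stand-alone demo: print the rules that would go in custom-rules, then audit.
lan_input_rules eth1 443 2222
lan_input_rules wg0 2222
printf '%s\n' "$SAMPLE_GOOD" | audit_if_rules wg0 2222 && echo "wg0 audit: OK"
printf '%s\n' "$SAMPLE_BAD" | audit_if_rules wg0 2222 || echo "wg0 audit: FAIL (expected)"
```

On a live box, `iptables -S INT_INPUT_CHAIN | audit_if_rules wg0 2222` (and the same through `ip6tables -S`) gives a pass/fail answer after every `arno-iptables-firewall restart`, which is quicker and less error-prone than reading the `-nvL` counters.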


> On Sep 9, 2019, at 3:17 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> 
> wrote:
> 
> Hi sorry Lonnie, I didn't explain it well enough.
> 
> I want to provide different access to Local from a physical LAN than the wg0 
> interface.
> For instance I want to open TCP443, my SSH Port and possibly other ports from 
> the physical LAN but open my SSH Port only from wg0.
> 
> I could do it based on the Source IP; however, as there are only Deny LAN->Local 
> rules possible, I'm not sure how I could just open a single port and deny all 
> the rest? 
> 
> Regards
> Michael Knill
> 
> On 9/9/19, 11:05 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
> 
>    I don't understand what you are asking, but the default isolated wg0 
> interface can be allowed to access physical LAN interfaces with:
> 
>    _x_ Allow WireGuard VPN tunnel to the [ 1st     ] LAN Interface(s)
> 
>    And LAN's can access Local by default.
> 
>    Lonnie
> 
> 
> 
>> On Sep 8, 2019, at 10:57 PM, Michael Knill 
>> <michael.kn...@ipcsolutions.com.au> wrote:
>> 
>> Thanks Lonnie.
>> 
>> Just wondering how I could use Deny LAN->Local when I actually want to allow 
>> onsite local LAN traffic to access the system admin interface? 
>> I really need a Pass LAN->Local to do this!
>> 
>> Regards
>> Michael Knill
>> 
>> On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>> 
>> 
>> 
>>> On Sep 8, 2019, at 8:46 PM, Michael Knill 
>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>> 
>>> Hi Group
>>> 
>>> I am seeing lots of hacking attempts on my systems as they have found my 
>>> non standard SSH port. Although there is no issue as I have SSH Key access 
>>> only, I'm sick of the long list of addresses in the Adaptive Ban list and 
>>> I'm thinking I should be adding another line of defence in my security 
>>> anyway.
>>> As such, along with implementing Geoblocking Netset files (next release), I 
>>> also want to use a Jump box for management. This server would connect to 
>>> each system via Wireguard VPN allowing management also when in a failover 
>>> condition through NAT e.g. 4G backup, firewall managed by others.
>>> 
>>> With this architecture in mind, I was wondering how I would go about 
>>> restricting access to a single port only from this Wireguard VPN tunnel to 
>>> the local interface e.g. wg0 address. I think it is completely open currently.
>>> 
>>> Is it easy to do?
>>> 
>>> Regards
>>> Michael Knill
>> 
>>   If SSH access can only occur within a WireGuard tunnel, no port filtering 
>> is required since access is secured by WireGuard.
>> 
>>   As such, only allow remote user access to the management VPN via a 
>> WireGuard tunnel.
>> 
>>   But, if you want to filter SSH from wg0 to the local device by source IP 
>> address, try 
>> 
>>   Firewall Rules:
>>   Action: [ Deny LAN->Local ]
>> 
>>   keeping in mind that the wg0 interface is treated as an isolated LAN 
>> subnet from any other LAN subnet.
>> 
>>   Lonnie
>> 
>> 
>> 
>>   _______________________________________________
>>   Astlinux-users mailing list
>>   Astlinux-users@lists.sourceforge.net
>>   https://lists.sourceforge.net/lists/listinfo/astlinux-users
>> 
>>   Donations to support AstLinux are graciously accepted via PayPal to 
>> pay...@krisk.org.
>> 
>> 
>> 
> 
> 
> 
> 
> 
