15.12.2017 09:24, e9hack:
Hi,
I did set up an openvpn server on my router. /etc/config/network contains the interface definition:
config interface 'vpn'
	option proto 'none'
	option ifname 'tun1'
In /etc/config/firewall, I've the following definitions related to vpn, lan and wan:
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan_6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	option conntrack '1'
config zone
	option name 'vpn'
	option network 'vpn'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
Your vpn zone configuration has to be read as:
- allow traffic from vpn zone to firewall (INPUT)
- allow traffic from firewall to vpn zone (OUTPUT)
config forwarding
	option src 'lan'
	option dest 'wan'
config rule
	option name 'Allow OpenVPN Inbound on wan'
	option src 'wan'
	option proto 'tcpudp'
	option dest_port '1194'
	option extra '-m conntrack --ctstate NEW'
	option target 'ACCEPT'
config forwarding
	option src 'vpn'
	option dest 'wan'
config rule
	option name 'Block NetBios from vpn to wan'
	option src 'vpn'
	option dest 'wan'
	list dest_port '135'
	list dest_port '137-139'
	list dest_port '445'
	list dest_port '3389'
	option proto 'tcpudp'
	option target 'DROP'
These are not the complete firewall definitions, but no other rule with the zone or network vpn exists.
I did not define any forwarding rule between vpn and lan. The lan ip range is 192.168.x.x, and a client which is connected to the openvpn server gets an ip address from the range 10.8.y.y. From an openvpn client, I can access the web interface of the router via 192.168.x.1. Why is this possible?
It is possible because your traffic targets the firewall (INPUT) and not the lan zone (FORWARD). The destination ip address doesn't really matter as long as it is an interface of the firewall. Consider the firewall as something like a special zone.
Following is an excerpt of the firewall configuration I'm using to restrict IoT devices. My complete configuration is more complex, since ipset is involved to limit forwarding of IoT traffic to WAN based on the destination fqdn/domain. But it should give you a start.
config zone
	option name iot
	list network 'iot'
	option input REJECT
	option output ACCEPT
	option forward REJECT
config forwarding
	option src lan
	option dest iot
config rule
	option name Allow-iot-DHCPv4-Input
	option src iot
	option proto udp
	option dest_port 67
	option target ACCEPT
	option family ipv4
config rule
	option name Allow-iot-DHCPv6-Input
	option src iot
	option proto udp
	option dest_port 547
	option target ACCEPT
	option family ipv6
config rule
	option name Allow-iot-DNS-Input
	option src iot
	option dest_port 53
	option proto 'udp tcp'
	option target ACCEPT
Mathias
_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
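The INPUT-versus-FORWARD distinction from the reply above, as an added audit script that is not part of the thread: it reads a UCI firewall config (the sample is constructed from the zone and forwarding stanzas e9hack quoted) and reports, per zone, whether traffic to the router itself is accepted and whether a `config forwarding` section exists to another zone. The function names are my own; the UCI keys are the ones in the mail.

```shell
#!/bin/sh
# Added example (not from the mail): audit which zones may talk to the router
# itself (INPUT) and which inter-zone paths have a 'config forwarding' section
# (FORWARD). Inter-zone traffic without such a section is denied by the global
# default, which is why vpn -> lan hosts fails while vpn -> router succeeds.
FW_SAMPLE=$(cat <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'wan'
	option input 'DROP'
	option forward 'DROP'
config zone
	option name 'vpn'
	option network 'vpn'
	option input 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'vpn'
	option dest 'wan'
EOF
)

# zone_policy ZONE input|forward -> prints that zone's policy for the chain
zone_policy() {
	printf '%s\n' "$FW_SAMPLE" | awk -v q="'" -v zone="$1" -v key="$2" '
		{ gsub(q, "") }                                   # strip UCI quotes
		$1 == "config" { sect = $2; name = "" }            # new section
		sect == "zone" && $2 == "name" { name = $3 }
		sect == "zone" && name == zone && $2 == key { print $3; exit }'
}

# forwarding_exists SRC DEST -> "yes" if a 'config forwarding' SRC->DEST exists
forwarding_exists() {
	printf '%s\n' "$FW_SAMPLE" | awk -v q="'" -v s="$1" -v d="$2" '
		{ gsub(q, "") }
		$1 == "config" { if (src == s && dst == d) found = 1; sect = $2; src = ""; dst = "" }
		sect == "forwarding" && $2 == "src"  { src = $3 }
		sect == "forwarding" && $2 == "dest" { dst = $3 }
		END { if (src == s && dst == d) found = 1; print (found ? "yes" : "no") }'
}

# The two questions from the thread: can ZONE open the router's own web UI
# (INPUT chain), and can it reach hosts in lan (FORWARD chain)?
router_reachable() { [ "$(zone_policy "$1" input)" = "ACCEPT" ] && echo yes || echo no; }
lan_reachable() { forwarding_exists "$1" lan; }
```

Run against a real box by replacing `FW_SAMPLE` with `$(cat /etc/config/firewall)`; `router_reachable vpn` prints yes and `lan_reachable vpn` prints no for the configuration in the thread.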