Posted: Tue Sep 24, 2019 5:52 Post subject: [SOLVED] Access restrictions don't have any effect
For whatever reason none of my access restrictions work.
Firmware: DD-WRT v3.0-r40189 std (07/04/19)
My access restrictions used to work before I set up a few things in DD-WRT (VPN, DNS and DHCP changes, iptables firewall rules), but now they don't work I can browse the web with all devices at all hours of the day. I am sure the times of day are set up correctly, and I have included all MAC addresses and static IPs of all NICs on all my devices. This is true of connections via WiFi or wired.
Some notes about my setup:
-my router is an OpenVPN client to a VPN service I pay for and also as an OpenVPN server
-I disabled DHCP server on my router since I use another device (my Pi-hole) for this
-for DNS, my router points to a local DNS server/firewall (Pi-hole) with an upstream DNS server
I have for instance the following four rules:
Code:
Status: Enable
Interface: Any (only other option available is LAN)
Edit List of Clients: All the devices' MACs and static IPs on my network
DENY internet during selected days and hours
Days:
-Rule 1: Sun-Thurs 22:00-23:59
-Rule 2: Sun-Thurs 00:00-05:00
-Rule 3: Fri-Sat 23:00-23:59
-Rule 4: Fri-Sat 00:00-05:00
And here is my firewall in DD-WRT... maybe it's something I added here?
Code:
# OPENVPN SERVER: Accepts incoming traffic via port 553 UDP for OpenVPN clients to connect to DD-WRT server
iptables -I INPUT 1 -p udp --dport 553 -j ACCEPT
# OPENVPN SERVER: Allows the VPN client access to router internal
# processes, e.g. Web admin, SSH etc
iptables -I INPUT 3 -i tun2 -j ACCEPT
# OPENVPN SERVER: Allows connections between VPN clients, if
# client-to-client is enabled in OpenVPN server
iptables -I FORWARD 3 -i tun2 -o tun2 -j ACCEPT
# OPENVPN SERVER: Allows connection from local VPN to the internet
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
# Force all traffic coming to VPN server to NAT out to the Internet from https://openvpn.net/community-resources/how-to/#redirect
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o br0 -j MASQUERADE
iptables -t nat -I POSTROUTING -o tun1 -j MASQUERADE
# OPENVPN SERVER: Allows connections from local network to VPN network
# and other way around (br0 is LAN and WIFI)
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
# OPENVPN CLIENT: VPN client killswitch - only allow traffic from VPN subnet (10.), not local (192.)
iptables -I FORWARD ! -o tun1 -m iprange --src-range 192.168.54.11-192.168.54.150 -j DROP
# Close ports 21, 1720 - were showing as open from WAN-side nmap scan
iptables -I FORWARD -p tcp --dport 21 -j DROP
iptables -I FORWARD -p tcp --dport 1720 -j DROP
iptables -I INPUT -p tcp --dport 21 -j DROP
iptables -I INPUT -p tcp --dport 1720 -j DROP
Is there something I'm missing? Thanks.
Last edited by RoomClearInnTemper on Wed Feb 05, 2020 4:12; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12909 Location: Netherlands
Posted: Tue Sep 24, 2019 7:11 Post subject:
I do not know much about acces restrictions, but normally you do not need any firewall rules for the OpenVPN Client and only one firewall rule for the OVPN server (and only if you want to have internet acces from your OVPN server clients):
Code:
iptables -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j MASQUERADE
You can use a kill switch for the OVPN clients like you do but everything else seems redundant.
I do not know why you should have an FTP (21) and VoIP (1720) port open on your router, maybe this is from your Modem and not from your router?
In my signature (at the bottom of this post) is a link to an OVPN server setup guide.
I am aware that my firewall is a bit redundant, I've just never been too great at understanding iptables. I can certainly try to remove some of those lines.
One thing I did notice is that if I disable and then re-enable an access restriction, it goes into effect and works. But then the following day, it's no longer working. e.g. right now I should not be able to access the Internet from this laptop.
Maybe is there some sort of debug/log for access restrictions in DD-WRT?
I Googled around and added the following to Administration/Management/Additional Cron Jobs but nothing has changed. Instead of a single line with MAC aa:bb:cc:dd:ee:ff, I have that line duplicated with the MACs of all the devices I want blocked. Nothing changes. And the radios don't even turn off. Weird. Cron is definitely enabled.
Code:
00 06 * * * /sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
00 22 * * 0-4 /sbin/iptables -A FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
00 23 * * 5-6 /sbin/iptables -A FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Tue Jan 21, 2020 16:47 Post subject:
RoomClearInnTemper wrote:
I Googled around and added the following to Administration/Management/Additional Cron Jobs but nothing has changed. Instead of a single line with MAC aa:bb:cc:dd:ee:ff, I have that line duplicated with the MACs of all the devices I want blocked. Nothing changes. And the radios don't even turn off. Weird. Cron is definitely enabled.
A long shot: do other cron jobs work? There was a report in the Marvell new-build thread for 41659 (3 Dec 2019) of the cron jobs actually going to the wrong file. I don't use cron here, but I believe the cron jobs should end up in /var/spool/cron/crontabs/root. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Thanks. /var/spool/cron/crontabs/root is a totally empty file.
However /etc/cron.d has a file called cron_jobs that has the exact text that I pasted above into Additional Cron Jobs. There is nothing else in /etc/ related to Cron.
However I noticed in the DD-WRT Cron help document it said to add root before every command, so I just did that and restarted cron. I know I already had root before the radio commands and those didn't work, but maybe because those are at the bottom of the commands, it errors out beforehand because of the lack of root. We'll see!
Okay, looks like I also messed up on the absolute path to iptables.
Calling any of the commands individually don't seem to even do anything. What is going on here?? Is my firewall overriding this stuff?
For instance, from the shell I called startservice radio_off_0 and startservice radio_off_1 and my radios are still on. I tried enabling wireless scheduling under wl0/wl1_Advanced and calling these commands again. Same thing.
Then I tried calling /usr/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP and it was successful. However that device could still browse to the internet, over the radio I had supposedly disabled. So maybe Cron's good but the commands just do nothing. Why would these commands not work??
Here's the updated Cron script that still doesn't work.
Code:
00 06 * * * root /usr/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
00 22 * * 0-4 root /usr/sbin/iptables -A FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
00 23 * * 5-6 root /usr/sbin/iptables -A FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
Okay, one last update. I got cron to turn off the wireless radios with the code below. However for my hardwired devices, I still need the MAC filtering to work. Do I maybe have conflicting iptable entries that will allow packets to go through? I posted my firewall below (also I'm not the best with iptables).
Just a heads up, my router is also an OpenVPN server and client.
Final working Cron section
Code:
00 05 * * * root /usr/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
00 22 * * 0-4 root /usr/sbin/iptables -A FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
00 23 * * 5-6 root /usr/sbin/iptables -A FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
00 05 * * * root wl radio on
00 05 * * * root wl -i eth2 up
00 22 * * 0-4 root wl radio off
00 22 * * 0-4 root wl -i eth2 down
00 23 * * 5-6 root wl radio off
00 23 * * 5-6 root wl -i eth2 down
My firewall
Code:
# OPENVPN SERVER: Accepts incoming traffic via port 553 UDP for OpenVPN clients to connect to DD-WRT server
iptables -I INPUT 1 -p udp --dport 553 -j ACCEPT
# OPENVPN SERVER: Allows the VPN client access to router internal
# processes, e.g. Web admin, SSH etc
iptables -I INPUT 3 -i tun2 -j ACCEPT
# OPENVPN SERVER: Allows connections between VPN clients, if
# client-to-client is enabled in OpenVPN server
iptables -I FORWARD 3 -i tun2 -o tun2 -j ACCEPT
# OPENVPN SERVER: Allows connection from local VPN to the internet
iptables -I FORWARD 1 --source 10.1.1.0/24 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
# Force all traffic coming to VPN server to NAT out to the Internet from https://openvpn.net/community-resources/how-to/#redirect
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o br0 -j MASQUERADE
iptables -t nat -I POSTROUTING -o tun1 -j MASQUERADE
# OPENVPN SERVER: Allows connections from local network to VPN network
# and other way around (br0 is LAN and WIFI)
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
# OPENVPN CLIENT: VPN client killswitch - only allow traffic from VPN subnet (10.), not local (192.)
iptables -I FORWARD ! -o tun1 -m iprange --src-range 192.168.54.11-192.168.54.150 -j DROP
# Close ports 21, 1720 - were showing as open from WAN-side nmap scan
iptables -I FORWARD -p tcp --dport 21 -j DROP
iptables -I FORWARD -p tcp --dport 1720 -j DROP
iptables -I INPUT -p tcp --dport 21 -j DROP
iptables -I INPUT -p tcp --dport 1720 -j DROP
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Thu Jan 23, 2020 0:46 Post subject:
RoomClearInnTemper wrote:
Okay, one last update. I got cron to turn off the wireless radios with the code below. However for my hardwired devices, I still need the MAC filtering to work. Do I maybe have conflicting iptable entries that will allow packets to go through? I posted my firewall below (also I'm not the best with iptables).
Just a heads up, my router is also an OpenVPN server and client.
Final working Cron section
[code]00 05 * * * root /usr/sbin/iptables -D FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
00 22 * * 0-4 root /usr/sbin/iptables -A FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
00 23 * * 5-6 root /usr/sbin/iptables -A FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
I'm no iptables expert either, but I am surprised to see -A here. Adding a -j DROP command to the end of the chain will do nothing if an earlier line of that change does a -j ACCEPT on that packet. That's why most packet dropping is done with -I. Have you done iptables -vnL FORWARD (in the CLI) and looked over what else is going on in the FORWARD chain? _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Honestly, every time I try to learn iptables it goes way over my head. Your post helps a lot actually.
So I understand -A appends to the bottom and -I inserts it at the top of the ruleset. I guess for something like this (complete blocking) -I makes more sense like you said because there are probably other rules above it. I'll try making the switch to -I and see how it goes.
I checked out the FORWARD chain and at the very top is a rule allowing all traffic in and out of tun1 (my OpenVPN client). Since my LAN devices are all going out tun1, I assume this rule matches instantly and it ignores everything below it.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Fri Jan 24, 2020 21:46 Post subject:
RoomClearInnTemper wrote:
Honestly, every time I try to learn iptables it goes way over my head. Your post helps a lot actually.
So I understand -A appends to the bottom and -I inserts it at the top of the ruleset. I guess for something like this (complete blocking) -I makes more sense like you said because there are probably other rules above it. I'll try making the switch to -I and see how it goes.
I checked out the FORWARD chain and at the very top is a rule allowing all traffic in and out of tun1 (my OpenVPN client). Since my LAN devices are all going out tun1, I assume this rule matches instantly and it ignores everything below it.
Exactly. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Fri Jan 24, 2020 22:05 Post subject:
Let me add one thing though... the iptables rules for tun1 are added when the vpn tunnel is created during vpn startup, and they are removed when the tunnel is taken down when the vpn connection terminates. So if you put your iptables rules in the firewall in the obvious way, they'll be there first and then the tun1 rules will be created above them, making your rules kind of pointless again.
So your scheme seems reasonable if the vpn is always up, give or take some question of what happens first during boot. You are going to want to think that bootup part through. Keep in mind that the Firewall section in GUI>Administration>Commands is just a shell script. What makes it the special Firewall section is when it is run. dd-wrt runs it when the firewall needs to be restarted. But since it is just a shell script, you can use shell commands freely, meaning there is no harm doing things like
(sleep 120; iptablesblah blah blah ) &
so that a particular iptables command is run a couple of minutes after the rest of the firewall is set up. You may need a couple of minutes to give the vpn time to start up.
I don't believe you can do things like that in cron specifications. I believe the latter have to be actual single commands, so if you need anything more complex, you are stuck creating a shell script in a file and marking it executable so you can run it from cron. In startup you can do
and then run /tmp/root/myscript with cron. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Access restrictions don't work for me and hasn't worked for any firmware I've tried. Setting up iptables rules hasn't helped either. My routers are WRT3200ACM and WRT1900ACSv1.
