/* NOTE(review): EdgeOS/Vyatta configuration excerpt as pasted into a forum thread, reflowed one node per line. */
/* It is not a loadable config.boot: AG_Guest_Sonos_Clients, AG_Unifi_Cameras, interfaces eth1/eth3.4/eth3.10/eth3.20/eth3.25 */
/* and the 172.19.0.x / 172.21.0.0/24 networks are referenced but never defined below, and one closing brace is unmatched. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* SECURITY(review): only 192.168/16 and 172.16/12 count as "internal"; 10.0.0.0/8 is not in this group. */
        /* Every "Drop packets destined for Internal" rule below keys on it, so the 10.0.10/24 (Guest), */
        /* 10.0.11/24 (IPVanish) and 10.0.12/24 (IPVanish2) segments are NOT isolated from one another. */
        address-group AG_INTERNAL_LANS {
            address 192.168.0.0/16
            address 172.16.0.0/12
            description ""
        }
        /* Sources steered into routing table 1 (vtun0) by OPENVPN_ROUTE rule 10 and masqueraded by NAT rule 5000. */
        address-group AG_IPVanish {
            address 10.0.11.0/24
            description "IPVanish Address Group"
        }
        /* Sources steered into table 2 (next-hop 10.0.12.2) by OPENVPN_ROUTE rule 20 and masqueraded by NAT rule 5001. */
        /* 10.0.12.2 (the OpenVPN client VM, see the DHCP static-mapping) lies outside the .10-.253 range, so its own */
        /* traffic is not policy-routed back to itself. The two 172.19.0.x hosts also fall inside AG_INTERNAL_LANS */
        /* and no 172.19.0.0 interface appears in this excerpt - confirm intent. */
        address-group AG_IPVanish2 {
            address 10.0.12.10-10.0.12.253
            address 172.19.0.9
            address 172.19.0.13
            description ""
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Policy-based routing: a source-group match selects an alternate routing table. Attached on the "in" side */
    /* of eth2, eth3.5 and eth3.15 below; on eth2 it matches nothing, since no Guest (10.0.10/24) address is in either group. */
    modify OPENVPN_ROUTE {
        rule 10 {
            action modify
            description "IPVanish to vtun0"
            modify {
                table 1
            }
            source {
                group {
                    address-group AG_IPVanish
                }
            }
        }
        rule 20 {
            action modify
            description "IPVanish2 to ESXi-OpenVPN"
            modify {
                table 2
            }
            source {
                group {
                    address-group AG_IPVanish2
                }
            }
        }
    }
    /* Guest (eth2) forward ruleset. SECURITY(review): default-action accept - guests may reach anything that is */
    /* not in AG_INTERNAL_LANS, which (see the group) does not include the 10.0.11/24 and 10.0.12/24 VLANs. */
    name GUEST_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept Established & Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* 10.0.12.2 is not in AG_INTERNAL_LANS, so with default-action accept this rule changes nothing as written. */
        rule 20 {
            action accept
            description "Allow access to IPVanish Gateway"
            destination {
                address 10.0.12.2
            }
            log disable
            protocol all
        }
        /* Sonos discovery/control from guest clients; AG_Guest_Sonos_Clients is not defined in this excerpt. */
        rule 30 {
            action accept
            description "Allow UDP ports for Sonos"
            destination {
                port 1900,1901,5353,6969
            }
            log disable
            protocol udp
            source {
                group {
                    address-group AG_Guest_Sonos_Clients
                }
            }
        }
        /* NOTE(review): "04070" has a leading zero - presumably 4070 (Sonos); verify how the parser treats it. */
        rule 40 {
            action accept
            description "Allow TCP ports for Sonos"
            destination {
                port 3400,3401,04070
            }
            log disable
            protocol tcp
            source {
                group {
                    address-group AG_Guest_Sonos_Clients
                }
            }
        }
        /* The only isolation rule. An empty source group matches any source. */
        rule 50 {
            action drop
            description "Drop packets destined for Internal"
            destination {
                group {
                    address-group AG_INTERNAL_LANS
                }
            }
            log disable
            protocol all
            source {
                group {
                }
            }
        }
        /* Disabled - the P2P drop is not in effect. */
        rule 60 {
            action drop
            description "Drop P2P"
            disable
            log disable
            p2p {
                all
            }
            protocol all
        }
    }
    /* Guest -> router. Default drop; only DNS, DHCP, mDNS (Sonos clients) and ICMP. The Guest DHCP scope below */
    /* advertises OpenDNS resolvers rather than the router, so rule 10 only serves clients that pick 10.0.10.1 themselves. */
    name GUEST_LOCAL {
        default-action drop
        description ""
        rule 10 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol udp
        }
        rule 20 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
        rule 21 {
            action accept
            description "Allow MDNS"
            destination {
                port 5353
            }
            log disable
            protocol udp
            source {
                group {
                    address-group AG_Guest_Sonos_Clients
                }
            }
        }
        rule 22 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
        }
    }
    /* IPVanish2 (eth3.15) forward ruleset. Default accept; only AG_INTERNAL_LANS destinations are dropped, */
    /* so the other 10.0.x.0/24 segments stay reachable from here. */
    name IPVANISH2_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept Established & Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop packets destined for Internal"
            destination {
                group {
                    address-group AG_INTERNAL_LANS
                }
            }
            log disable
            protocol all
            source {
                group {
                }
            }
        }
    }
    /* IPVanish2 -> router: IGMP, DNS and DHCP only. The matching DHCP scope points clients' default route at */
    /* 10.0.12.2 (the VM) rather than this router, while DNS (dns-server 10.0.12.1) is still answered here. */
    name IPVANISH2_LOCAL {
        default-action drop
        description ""
        rule 10 {
            action accept
            description "Accept IGMP"
            log disable
            protocol igmp
        }
        rule 20 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol udp
        }
        rule 30 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
    }
    /* IPVanish (eth3.5) forward ruleset - same shape as IPVANISH2_IN, same 10.0.0.0/8 gap. */
    name IPVANISH_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept Established & Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop packets destined for Internal"
            destination {
                group {
                    address-group AG_INTERNAL_LANS
                }
            }
            log disable
            protocol all
            source {
                group {
                }
            }
        }
    }
    /* IPVanish -> router: DNS, DHCP and IGMP only. */
    name IPVANISH_LOCAL {
        default-action drop
        description ""
        rule 10 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol udp
        }
        rule 20 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
        rule 21 {
            action accept
            description "Allow IGMP"
            log disable
            protocol igmp
        }
    }
    /* Forward ruleset for traffic arriving FROM the IPVanish tunnel. SECURITY(review): default-action accept, */
    /* unlike WAN_IN's default drop - anything the provider delivers down the tunnel that is not addressed to */
    /* AG_INTERNAL_LANS is forwarded, including to the 10.0.x VLANs. The WAN_IN pattern (default drop plus the */
    /* established/related accept) would be the conservative choice for this tunnel-facing interface. */
    name VTUN0_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept Established & Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop packets destined for Internal"
            destination {
                group {
                    address-group AG_INTERNAL_LANS
                }
            }
            log disable
            protocol all
            source {
                group {
                }
            }
        }
    }
    /* Tunnel -> router: only DNS and DHCP requests are accepted. Confirm the router should answer DNS from the provider side. */
    name VTUN0_LOCAL {
        default-action drop
        description ""
        rule 10 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol udp
        }
        rule 20 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
    }
    /* Internet -> forwarded. Default drop; only reply traffic passes. Rule 3 yields the same outcome as the */
    /* default action and only matters as a separate hit counter (logging is off). */
    name WAN_IN {
        default-action drop
        description "WAN to internal from internet"
        rule 1 {
            action accept
            description "allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    /* Internet -> router itself. Default drop; no management service is exposed on eth0 by this ruleset. */
    name WAN_LOCAL {
        default-action drop
        description "WAN from internet to router"
        rule 10 {
            action accept
            description "allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 50 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    /* Outbound on eth0. Kill-switch: AG_IPVanish traffic that reaches the WAN instead of vtun0 (e.g. table 1 */
    /* has no route while the tunnel is down) is dropped; AG_Unifi_Cameras (group not shown) is kept off the */
    /* internet entirely. NOTE(review): there is no equivalent rule for AG_IPVanish2 - that group's kill-switch */
    /* relies on table 2's default route via 10.0.12.2 never falling through to the main table; confirm. */
    name WAN_OUT {
        default-action accept
        description "Block internet if no VPN"
        rule 1 {
            action drop
            description "DROP IPVanish AG on WAN"
            log disable
            protocol all
            source {
                group {
                    address-group AG_IPVanish
                }
            }
        }
        rule 2 {
            action drop
            description "DROP Cameras on WAN"
            log disable
            protocol all
            source {
                group {
                    address-group AG_Unifi_Cameras
                }
            }
        }
    }
    receive-redirects disable
    /* Router will emit ICMP redirects toward hosts on its own segments. */
    send-redirects enable
    /* NOTE(review): reverse-path filtering is off on every interface. Strict validation commonly conflicts with */
    /* the policy routing above, but disabling it also removes an anti-spoofing check; "loose" may be a middle ground. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* WAN, DHCP-addressed; ISP-supplied resolvers are ignored (name-server no-update). All three WAN rulesets attached. */
    ethernet eth0 {
        address dhcp
        description WAN-Internet_AT&T
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    /* Guest segment 10.0.10.0/24. OPENVPN_ROUTE is attached but matches no Guest address (see the groups). */
    ethernet eth2 {
        address 10.0.10.1/24
        description Guest
        duplex auto
        firewall {
            in {
                modify OPENVPN_ROUTE
                name GUEST_IN
            }
            local {
                name GUEST_LOCAL
            }
        }
        speed auto
    }
    /* Main LAN 192.168.0.0/24. No rulesets attached (empty in/local): fully trusted toward the router and every other segment. */
    ethernet eth3 {
        address 192.168.0.1/24
        description Main
        duplex auto
        firewall {
            in {
            }
            local {
            }
        }
        speed auto
        /* VLAN 5, 10.0.11.0/24 - sources here are AG_IPVanish and get policy-routed into vtun0. */
        vif 5 {
            address 10.0.11.1/24
            description IPVanish
            firewall {
                in {
                    modify OPENVPN_ROUTE
                    name IPVANISH_IN
                }
                local {
                    name IPVANISH_LOCAL
                }
            }
            mtu 1500
        }
        /* VLAN 15, 10.0.12.0/24 - hosts the OpenVPN client VM at 10.0.12.2; AG_IPVanish2 sources are policy-routed to it. */
        vif 15 {
            address 10.0.12.1/24
            description IPVanish2
            firewall {
                in {
                    modify OPENVPN_ROUTE
                    name IPVANISH2_IN
                }
                local {
                    name IPVANISH2_LOCAL
                }
            }
            mtu 1500
        }
    }
    loopback lo {
    }
    /* Router-side OpenVPN client to IPVanish. Credentials/keys live in the referenced .ovpn file, not in this config. */
    openvpn vtun0 {
        config-file /config/auth/config.ovpn
        description IPVanish
        firewall {
            in {
                name VTUN0_IN
            }
            local {
                name VTUN0_LOCAL
            }
        }
    }
}
protocols {
    static {
        /* Table 1 holds only a default route bound to vtun0; presumably, when vtun0 is absent the lookup falls back */
        /* to the main table and AG_IPVanish traffic then hits WAN_OUT rule 1 on eth0. */
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
        /* Table 2: default route via the OpenVPN client VM, which is on-link in eth3.15. */
        table 2 {
            route 0.0.0.0/0 {
                next-hop 10.0.12.2 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        /* Guest clients get OpenDNS resolvers directly rather than the router. */
        shared-network-name Guest {
            authoritative enable
            subnet 10.0.10.0/24 {
                default-router 10.0.10.1
                dns-server 208.67.222.222
                dns-server 208.67.220.220
                lease 86400
                start 10.0.10.10 {
                    stop 10.0.10.199
                }
            }
        }
        shared-network-name IPVanish {
            authoritative enable
            subnet 10.0.11.0/24 {
                default-router 10.0.11.1
                dns-server 10.0.11.1
                lease 86400
                start 10.0.11.10 {
                    stop 10.0.11.19
                }
            }
        }
        /* Default gateway is the VM (10.0.12.2), DNS is the router. The static mapping pins the VM to .2, */
        /* below the .10-.253 range that AG_IPVanish2 covers. */
        shared-network-name IPVanish2 {
            authoritative enable
            subnet 10.0.12.0/24 {
                default-router 10.0.12.2
                dns-server 10.0.12.1
                lease 86400
                start 10.0.12.10 {
                    stop 10.0.12.19
                }
                static-mapping Openvpn-Client {
                    ip-address 10.0.12.2
                    mac-address 00:0c:29:66:d7:67
                }
            }
        }
        /* 172.21.0.0/24 scope with no matching interface in this excerpt. */
        shared-network-name VPN {
            authoritative disable
            subnet 172.21.0.0/24 {
                default-router 172.21.0.1
                dns-server 172.21.0.1
                lease 86400
                start 172.21.0.50 {
                    stop 172.21.0.60
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    /* DNS forwarder. NOTE(review): on EdgeOS this node sits under "service dns"; the "dns {" opener is missing from */
    /* the paste, which is also why a closing brace is left over at the very end. Most listen-on interfaces are not */
    /* defined in this excerpt. */
    forwarding {
        cache-size 750
        listen-on eth1
        listen-on eth2
        listen-on eth3
        listen-on eth3.4
        listen-on eth3.10
        listen-on eth3.5
        listen-on eth3.15
        listen-on eth3.20
        listen-on eth3.25
        options listen-address=192.168.0.1
    }
}
/* NAT (normally "service nat" on EdgeOS; top-level here only because of the missing brace noted above). */
nat {
    /* AG_IPVanish sources masqueraded into the tunnel. */
    rule 5000 {
        description IPVanish
        log disable
        outbound-interface vtun0
        protocol all
        source {
            group {
                address-group AG_IPVanish
            }
        }
        type masquerade
    }
    /* AG_IPVanish2 sources masqueraded toward the VM on eth3.15, so the VM sees 10.0.12.1 as the source. */
    rule 5001 {
        description IPVanish2
        log disable
        outbound-interface eth3.15
        source {
            group {
                address-group AG_IPVanish2
            }
        }
        type masquerade
    }
    /* Catch-all masquerade to the WAN. Anything WAN_OUT does not drop (including AG_IPVanish2 if it ever */
    /* reaches eth0) leaves the internet-facing interface through this rule. */
    rule 5002 {
        description "All LAN-to-WAN"
        log disable
        outbound-interface eth0
        type masquerade
    }
}
/* NOTE(review): unmatched closing brace from the original paste, kept as-is. */
}
-A FORWARD -i tap0 ! -d 10.0.11.0/24 -j DROP
Samo pokud to chces jeste nekam povolit ;D, tak to pridas (pred ten DROP). Pocitam ze chces
-A FORWARD -i tap0 -d 10.0.10.0/24 -j ACCEPT
Mno a kdybys ty site mel ... spravne ocislovany, tak se vice siti vybere maskou. Pak tu taky jsou chainy => vytvoris, posles do nej vybranej provoz, a v nem nastavis co je povoleno a na konci byva prevazne drop na vse co zbyde. Priklad: povoli provoz z vpn na lan, a vse ostatni z vpn zahodi.
# iptables-restore style fragment (filter table): everything entering on the
# OpenVPN tap0 interface is diverted into a dedicated chain that permits one
# LAN and drops the rest. Order matters - the ACCEPT must precede the final DROP.
# Only traffic arriving on tap0 (-i) is steered here; replies leaving via tap0
# are governed by whatever else is in FORWARD (not shown).
-N VpnIn
# Divert all forwarded traffic that came in on tap0.
-A FORWARD -i tap0 -j VpnIn
# The single destination network VPN clients may reach.
-A VpnIn -d 10.2.10.0/24 -j ACCEPT
# Default deny for anything else from the VPN (other clients' networks included).
-A VpnIn -j DROP
„Stačí mi, když se dostane jen na VPN server pro spojení a opačně.“
1) vypnout client-to-client, 2) to je default, ne? Linux defaultně pakety neforwarduje (v
/proc/sys/net/ipv4/ip_forward
je 0), a pokud to potřebuješ, tak bych to povolil, ale do iptables do chainu FORWARD bych dal policy DROP (iptables -P FORWARD DROP
) a ručně povolil jenom to co opravdu potřebuješ (včetně odpovědí na spojení navázaná z LAN, tj. pravidlo s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT, jinak je policy DROP zahodí). Nebo pokud jde jen o jednoho klienta, tak asi iptables -I FORWARD -s klient -j DROP
.
iptables -I FORWARD -s klient -j DROP
nefunguje. Nedostanu se na něj sice již z LAN serveru, ale z klienta se stále dostanu na adresy v rozsahu VPN a na sítě za klienty. To je asi právě to, co zmínil výše Fritz. Tato komunikace neprochází skrz iptables. Zřejmě se to musí řešit nějak jinak, ale jak?
„Mám povolený client-to-client a iptables -I FORWARD -s klient -j DROP nefunguje.“
Protože když máš povolené client-to-client, tak pakety mezi klienty přehazuje přímo OpenVPN (v userspace), a do kernelu se vůbec nedostanou – netfilter/iptables je tedy nikdy nevidí…
„Zřejmě se to musí řešit nějak jinak, ale jak?“
Vypnutím client-to-client a forwardováním všeho přes kernel – pak provoz mezi klienty prochází chainem FORWARD a dá se filtrovat běžnými pravidly.
-A FORWARD -d 10.666.666.0/29 -j ACCEPT
-A FORWARD -s 10.66.666.0/29 -j ACCEPT
-A FORWARD -j DROP
(moje pointa je, že mám několik klientů na začátku adresního rozsahu, kteří „můžou všude“, a zbytek nesmí nikam). Pro celé sítě nevím, ale mělo by to být obdobné. Pozn.: první pravidlo (-d … -j ACCEPT) pustí k privilegovaným klientům i nová spojení od kohokoliv, nejen odpovědi; pokud mají být privilegovaní jen jako iniciátoři, nahraď ho pravidlem -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT.