scripts & cron - Page 2

mrgenie · #11 11-25-2012, 01:23 PM

Quote:

Originally Posted by RMerlin

One easy way to test this is to disable the DHCP server on the local LAN segment (assuming you have control of it), and see if you are able to issue a DHCP lease renewal on one of your clients. If not, then it will confirm that your rules are indeed preventing DHCP requests from reaching the DHCP server on the other side of the tunnel.

There's a Paypal button on my personal website (link is in my signature). Thank you

Ok, the ebtables in the script file don't prevent clients from accessing remote dhcp servers. Bummers, as I really have no idea how to pull this off with openVPN itself..

RMerlin · #12 11-25-2012, 01:26 PM

TAP VPNs are tricky. It's usually simpler to use TUNs instead, unless you actually need broadcasts to work accross the VPN.

You will probably need to insert runes inside an OpenVPN "up" script. I've seen some references to it on the web.

mrgenie · #13 11-25-2012, 01:37 PM

I've simply added all I could think off that might be needed to get this working..

Of course several lines can be erased, will test them tomorrow what can be deleted..

but here's thus far what I got to prevent the DHCP's from other subnets being reached from other locations:

Quote:

#!/bin/sh

insmod ebtables
insmod ebtable_filter
insmod ebt_ip
ebtables -I INPUT -i $TUNTAPINTERFACE -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o $TUNTAPINTERFACE -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

sleep 10
ebtables -F
ebtables -I FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface tap21 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

also in the logs I noticed the tap21 interface is up and running long before this script is being executed..

For those interested in blocking UPnP or PmP over nat:

Quote:

ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
ebtables -A INPUT --in-interface tap11--protocol ipv4 --ip-protocol udp --ip-source-port 1900 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 1900 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 1900 -j DROP

ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 5351 -j DROP
ebtables -A INPUT --in-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 5351 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-destination-port 5351 -j DROP
ebtables -A FORWARD --out-interface tap11 --protocol ipv4 --ip-protocol udp --ip-source-port 5351 -j DROP

mrgenie · #14 11-26-2012, 04:43 AM

To get the DHCP-madness run properly (multiple DHCP over TAP bridged openVPN networks) you have to do only the following:

create the jffs directory (enable the option in the webGUI)
verify there's a "scripts" directory inside the jffs! If it's not you simply must reboot a few times. Sometimes the jffs is initialized properly the 2nd time you reboot, sometimes it takes you 10 reboots. You also might want to switch off/on the jffs option in the webGUI several times. No panic, it will be initialized after several attempts!
inside the "/jffs/scripts" you create the "services-start" file
inside this file you put the following code

Quote:

#!/bin/sh
sh /jffs/scripts/filt.sh&

also create a file named "filt.sh" and put inside it following code

Quote:

#!/bin/sh
ebtables -I FORWARD -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I INPUT -i tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT -o tap21 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

both files must be set executable. I used 755 for both files
to test if it works, reboot the router and login with putty or whatever you want to use. type "ebtables -L" and you should see the proper filters listed in the ebtables

NOTE: Check if your openVPN also uses tap21. If it uses something else, of course you must adept the ebtables to your different tap number.
Note 2: see my previous post if you want to block upnp or pmp