eibgrad

ddwrt-ovpn-pbr-block-wan-288852.sh

Nov 30th, 2015 (edited)
4,070
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 2.66 KB | None | 0 0
  1. #!/bin/sh
  2. ################################################################################
  3. # IMPORTANT: This script is officially deprecated as of April 4, 2021,
  4. #            and has been replaced by: https://pastebin.com/TKdKUmY1
  5. #            Please discontinue further use.
  6. ################################################################################
  7.  
  8. #         name: ddwrt-ovpn-pbr-block-wan.sh
  9. #      version: 2.0.2, 12-Feb-2016, by eibgrad
  10. #      purpose: block access LAN->WAN for IPs in OpenVPN client policy based routing
  11. #  script type: firewall
  12. #   dd-wrt ref: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=288852
  13. # installation:
  14. #   1. set VPN_ENABLED_ONLY to your preference
  15. #   2. set FW_STATE to your preference
  16. #   3. install this script in the router's firewall script
  17. #   4. reboot
  18.  
  19. VPN_ENABLED_ONLY="1" # (0 = apply rules 24/7, 1 = apply rules only if VPN enabled)
  20.  
  21. # state checking: "state NEW" vs. no state
  22. #   state NEW (default):
  23. #     * any pre-existing LAN->WAN connections persist until/unless they timeout/close
  24. #     * remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
  25. #     * more efficient (only LAN->WAN packets used to establish NEW connections are inspected)
  26. #   no state:
  27. #     * any pre-existing LAN->WAN connections are stopped/blocked
  28. #     * remote access (WAN->LAN) is denied (even if port forwarding is enabled)
  29. #     * less efficient (every LAN->WAN packet is inspected)
  30.  
  31. FW_STATE="-m state --state NEW"
  32. #FW_STATE="" # uncomment/comment to disable/enable state checking
  33.  
  34. WAN_IF="$(ip route | awk '/^default/{print $NF}')"
  35. FW_CHAIN="blocked-ips"
  36.  
  37. # cleanup from possible prior execution
  38. (
  39. iptables -D FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN
  40. iptables -F $FW_CHAIN
  41. iptables -X $FW_CHAIN
  42. ) >/dev/null 2>&1
  43.  
  44. # quit if no IPs in policy based routing
  45. [ -z "$(nvram get openvpncl_route)" ] && exit
  46.  
  47. # quit if vpn disabled (unless firewall rules still need to be enforced)
  48. [[ "$(nvram get openvpncl_enable)" == "0" && "$VPN_ENABLED_ONLY" != "0" ]] && exit
  49.  
  50. # create firewall chain for blocked IPs
  51. iptables -N $FW_CHAIN
  52.  
  53. # read IP addresses from OpenVPN client policy based routing
  54. echo -e "$(nvram get openvpncl_route)" | \
  55.     while read ip; do
  56.         ip=${ip//$'\r'} # remove carriage returns
  57.  
  58.         [ -z "$ip" ] && continue # skip blank lines
  59.  
  60.         # block access LAN->WAN for this IP address
  61.         iptables -A $FW_CHAIN -p tcp -s $ip -j REJECT --reject-with tcp-reset
  62.         iptables -A $FW_CHAIN -s $ip -j REJECT --reject-with icmp-host-prohibited
  63.     done
  64.  
  65. # begin blocking: force LAN->WAN traffic thru firewall chain for inspection
  66. iptables -I FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN
Add Comment
Please, Sign In to add comment