ddwrt-ovpn-pbr-block-wan-288852.sh

eibgrad Nov 30th, 2015 (edited) 2,392 Never
#!/bin/sh
#         name: ddwrt-ovpn-pbr-block-wan.sh
#      version: 2.0.2, 12-Feb-2016, by eibgrad
#      purpose: block access LAN->WAN for IPs in OpenVPN client policy based routing
#  script type: firewall
#   dd-wrt ref: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=288852
# installation:
#   1. set VPN_ENABLED_ONLY to your preference
#   2. set FW_STATE to your preference
#   3. install this script in the router's firewall script
#   4. reboot

VPN_ENABLED_ONLY="1" # (0 = apply rules 24/7, 1 = apply rules only if VPN enabled)

# state checking: "state NEW" vs. no state
#   state NEW (default):
#     * any pre-existing LAN->WAN connections persist until/unless they timeout/close
#     * remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
#     * more efficient (only LAN->WAN packets used to establish NEW connections are inspected)
#   no state:
#     * any pre-existing LAN->WAN connections are stopped/blocked
#     * remote access (WAN->LAN) is denied (even if port forwarding is enabled)
#     * less efficient (every LAN->WAN packet is inspected)

FW_STATE="-m state --state NEW"
#FW_STATE="" # uncomment/comment to disable/enable state checking

# WAN interface = device of the default route (DD-WRT's busybox ash is assumed)
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
FW_CHAIN="blocked-ips"

# cleanup from possible prior execution
(
iptables -D FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN
iptables -F $FW_CHAIN
iptables -X $FW_CHAIN
) > /dev/null 2>&1

# quit if no default route was found (nothing to attach the -o match to)
[ -z "$WAN_IF" ] && exit

# quit if no IPs in policy based routing
[ -z "$(nvram get openvpncl_route)" ] && exit

# quit if vpn disabled (unless firewall rules still need to be enforced)
[[ "$(nvram get openvpncl_enable)" == "0" && "$VPN_ENABLED_ONLY" != "0" ]] && exit

# create firewall chain for blocked IPs
iptables -N $FW_CHAIN

# read IP addresses from OpenVPN client policy based routing
echo -e "$(nvram get openvpncl_route)" | \
    while read ip; do
        ip=${ip//$'\r'} # remove carriage returns

        [ -z "$ip" ] && continue # skip blank lines

        # block access LAN->WAN for this IP address
        # (tcp gets a RST so clients fail fast; everything else gets an ICMP reject)
        iptables -A $FW_CHAIN -p tcp -s "$ip" -j REJECT --reject-with tcp-reset
        iptables -A $FW_CHAIN -s "$ip" -j REJECT --reject-with icmp-host-prohibited
    done

# begin blocking: force LAN->WAN traffic thru firewall chain for inspection
iptables -I FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN
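A script like the one above is only a kill switch if every policy-routed address really ends up with both REJECT rules. The audit below is an added example, not part of eibgrad's script: it compares the route list against an `iptables -S` dump of the `blocked-ips` chain and reports any entry that is missing a rule. ROUTE_LIST and RULE_DUMP are constructed samples standing in for `nvram get openvpncl_route` and `iptables -S blocked-ips` on a real router.

```shell
#!/bin/sh
# Added audit helper, not part of eibgrad's script: checks that every entry in the
# policy-based-routing list has BOTH REJECT rules in the blocked-ips chain.
# ROUTE_LIST and RULE_DUMP are constructed samples standing in for
# "$(nvram get openvpncl_route)" and "$(iptables -S blocked-ips)" on a real router.
FW_CHAIN="blocked-ips"

# Constructed: CRLF endings and a blank line, as a GUI-edited nvram value may contain.
ROUTE_LIST="$(printf '192.168.1.10\r\n\r\n192.168.1.20\r\n10.0.0.0/24\n')"

# Constructed: 192.168.1.20 has only the tcp rule; 10.0.0.0/24 has none at all.
RULE_DUMP='-N blocked-ips
-A blocked-ips -s 192.168.1.10/32 -p tcp -j REJECT --reject-with tcp-reset
-A blocked-ips -s 192.168.1.10/32 -j REJECT --reject-with icmp-host-prohibited
-A blocked-ips -s 192.168.1.20/32 -p tcp -j REJECT --reject-with tcp-reset'

# iptables -S prints a bare host as a.b.c.d/32; normalize the nvram entry the same way
normalize_ip() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# covered IP: 0 only if the tcp-reset rule AND the catch-all REJECT rule both exist
covered() {
    want="$(normalize_ip "$1")"
    printf '%s\n' "$RULE_DUMP" | awk -v chain="$FW_CHAIN" -v ip="$want" '
        $1 == "-A" && $2 == chain && $3 == "-s" && $4 == ip {
            if ($5 == "-p" && $6 == "tcp" && $7 == "-j" && $8 == "REJECT") tcp = 1
            else if ($5 == "-j" && $6 == "REJECT") all = 1
        }
        END { exit !(tcp && all) }'
}

# unblocked_ips: prints each policy-routed entry that is not fully covered
unblocked_ips() {
    printf '%s\n' "$ROUTE_LIST" | tr -d '\r' | while read -r entry; do
        if [ -n "$entry" ] && ! covered "$entry"; then
            printf '%s\n' "$entry"
        fi
    done
}

# audit_unblocked: 0 if the chain covers every entry, 1 otherwise (and lists the gaps)
audit_unblocked() {
    missing="$(unblocked_ips)"
    [ -z "$missing" ] && return 0
    printf 'NOT fully blocked: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
    return 1
}

audit_unblocked || echo "WARNING: do not rely on the VPN as a kill switch until fixed"
```

On the router, replace the two constructed variables with the real `nvram get` and `iptables -S` output and run the audit after the firewall script has executed.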