
Forum Discussion

andlid
Aspirant
Apr 16, 2021

Orbi IPTABLES and TUN interface

uname -a : Linux RBR50 3.14.77 #1 SMP PREEMPT Fri Jan 8 20:10:05 CST 2021 armv7l GNU/Linux

 

Aid needed.

 

Background:

I want to enable the VPN server and only allow a handful of ports once connected to the tunnel interface.

TUN Network: 192.168.2.0/24

LAN Network: 192.168.1.0/24

 

I have been playing around with iptables on the Orbi console interface but have not managed to actually affect the tunnel IP traffic. I'm lost as to which chain I'm supposed to put the statement in to block traffic. What I can see is that when enabling the VPN server a statement like the one below appears under the loc2net chain. If I try to add a statement above it, it has no effect.

5 ACCEPT all -- 192.168.2.0/24 anywhere

iptables -I loc2net 4 -s 192.168.2.0/24 -j DROP

 

And I've been trying statements in other places too, but not wanting to break things I thought I'd stop and ask here instead :)

 

I tried to look at the GUI to see if it had any way of blocking, but the section where you seem to be able to do so doesn't allow 192.168.2.0 statements. I enabled this for something else just to see what the iptables behaviour was and noticed it created a new chain called blk_svc. I also tried to add my drop statements there, but to no avail.

 

Also wondering if it's somehow possible to trace or log on the Orbi. The trace function doesn't seem to work, and when I try the below nothing shows up in /var/log/messages. Any ideas?

iptables -A INPUT -s 192.168.2.2 -j LOG --log-level 4

iptables -t raw -A OUTPUT -p icmp -j TRACE gives: iptables v1.4.21: Couldn't load target `TRACE':No such file or directory

 

Cheers and thank you!
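An added example, not from the original post or from NETGEAR's firmware, that does what the post is trying to do in a way that does not depend on where the firmware's own chains (loc2net, blk_svc) are consulted: it creates a separate chain and inserts the jump to it at position 1 of the built-in FORWARD chain, so tun-sourced traffic hits it before any of the firmware's rules. A DROP inside loc2net can only work if tun traffic is actually jumped into loc2net and is not accepted by an earlier rule; `iptables -L FORWARD -n -v --line-numbers` shows the jump rules and their interface/source matches. The tunnel interface pattern `tun+`, the chain name `vpn_restrict` and the dry-run/apply switch are assumptions of this example, not things the thread confirms. The script prints the commands by default and only applies them when told to.

```shell
#!/bin/sh
# Added example (not from the thread or the Orbi firmware): restrict OpenVPN
# clients in 192.168.2.0/24 to 192.168.1.150 on TCP/UDP 25000 and log/drop
# everything else they try to forward.
#
# Assumptions to verify on the box before using "apply":
#   - the OpenVPN server interface matches "tun+" (check `ifconfig` and the
#     interface the firmware's own FORWARD rules use)
#   - iptables 1.4.21 has the LOG target (the post shows TRACE is missing)
#   - run as root on the Orbi console; rules vanish on reboot or when the
#     firmware rebuilds its firewall, so re-run afterwards

TUN_IF="${TUN_IF:-tun+}"             # assumption: tunnel interface pattern
TUN_NET="${TUN_NET:-192.168.2.0/24}" # VPN client pool from the post
TARGET="${TARGET:-192.168.1.150}"    # the one LAN host clients may reach
PORT="${PORT:-25000}"
CHAIN="${CHAIN:-vpn_restrict}"       # our own chain, kept apart from the firmware's
MODE="${MODE:-print}"                # "print" shows commands, "apply" runs them

# ipt: execute iptables, or print a copy-pasteable command line (dry run).
ipt() {
    if [ "$MODE" = "apply" ]; then
        iptables "$@"
    else
        printf 'iptables'
        for arg in "$@"; do
            case "$arg" in
                *" "*) printf " '%s'" "$arg" ;;   # quote args containing spaces
                *)     printf ' %s' "$arg" ;;
            esac
        done
        printf '\n'
    fi
}

# rules: the policy. The jump is INSERTED at position 1 of FORWARD so it is
# evaluated before the firmware's jumps into loc2net and friends.
rules() {
    ipt -N "$CHAIN"
    # Only the allowed host and port, in both protocols.
    ipt -A "$CHAIN" -d "$TARGET" -p tcp --dport "$PORT" -j ACCEPT
    ipt -A "$CHAIN" -d "$TARGET" -p udp --dport "$PORT" -j ACCEPT
    # Anything else a VPN client tries to forward: log, then drop. LOG writes
    # to the kernel ring buffer, so read it with `dmesg`; /var/log/messages only
    # shows it if syslogd is set up to collect kernel messages.
    ipt -A "$CHAIN" -j LOG --log-prefix "${CHAIN}-DROP: " --log-level 4
    ipt -A "$CHAIN" -j DROP
    # Hook the chain in ahead of everything else for tun-sourced traffic.
    ipt -I FORWARD 1 -i "$TUN_IF" -s "$TUN_NET" -j "$CHAIN"
}

# remove: undo in reverse order (drop the jump, then flush and delete the chain).
remove() {
    ipt -D FORWARD -i "$TUN_IF" -s "$TUN_NET" -j "$CHAIN"
    ipt -F "$CHAIN"
    ipt -X "$CHAIN"
}

# rule_count: number of iptables commands the policy consists of (dry run).
rule_count() {
    ( MODE=print; rules ) | wc -l | tr -d ' '
}

case "${1:-}" in
    apply)  MODE=apply; rules ;;
    remove) MODE=apply; remove ;;
    *)      rules ;;   # default: dry run, print what would be applied
esac
```

Two checks that work even when nothing appears in the logs: `iptables -L vpn_restrict -n -v` shows packet counters per rule, so a non-zero count on the DROP line proves tun traffic is reaching the chain, and `iptables -L FORWARD -n -v --line-numbers` confirms the jump sits at position 1. Two caveats: this only filters forwarded traffic, so VPN clients can still reach services on the router itself (web UI, DNS) via the INPUT chain, and the replies from 192.168.1.150 back to the client travel LAN-to-tun and are governed by the firmware's existing rules, not by this chain. Run `remove` before `apply` when re-running, since `-N` fails if the chain already exists.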

 

8 Replies

  • CrimpOn
    Guru - Experienced User

    Could you please describe the intended result in more general terms?  Such as:

    When a remote device joins my Orbi LAN through OpenVPN, I want this device to be able to (a) only do certain things, or (b) not be able to do certain things, (1) on the local LAN or (2) when it accesses the internet.

    And, this restriction applies only to devices on the VPN and not "regular devices"?

    • andlid
      Aspirant

      Sure : 

       

      When this device joins my network through VPN and gets the IP 192.168.2.x, I want it to only be able to access the following IP: 192.168.1.150 on TCP/UDP port 25000.

       

      Cheers

       

      • CrimpOn
        Guru - Experienced User

        andlid wrote:

        When this device joins my network through VPN and get the IP 192.168.2.x I want it only to be able to access the following IP: 192.168.1.150 with tcp/udp port 25000


        That would be any (every) device that joins the network through VPN. Seems to me that this sort of defeats the general purpose of having a VPN. I am guessing that the remote device can be 'anywhere' and thus have a different IP address every time it connects.

         

        Does 192.168.1.150 have no firewall or password capability?

        This sounds like what port forwarding is intended to accomplish, i.e. a connection attempt to port 25000 goes only to one IP on the LAN, and that IP can decide to accept or decline the connection and then require whatever authentication it wants before granting access.

         

        Another consideration is that anything done to iptables will disappear if the Orbi reboots.

         

        Frankly, I am impressed that you know so much about iptables. I made a couple of attempts to figure out how Orbi was implementing things and got SO confused that I gave up.