ddwrt-ovpn-pbr-block-wan-288852.sh

1. #!/bin/sh
2. ################################################################################
3. # IMPORTANT: This script is officially deprecated as of April 4, 2021,
4. #            and has been replaced by: https://pastebin.com/TKdKUmY1
5. #            Please discontinue further use.
6. ################################################################################
7.  
8. #         name: ddwrt-ovpn-pbr-block-wan.sh
9. #      version: 2.0.2, 12-Feb-2016, by eibgrad
10. #      purpose: block access LAN->WAN for IPs in OpenVPN client policy based routing
11. #  script type: firewall
12. #   dd-wrt ref: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=288852
13. # installation:
14. #   1. set VPN_ENABLED_ONLY to your preference
15. #   2. set FW_STATE to your preference
16. #   3. install this script in the router's firewall script
17. #   4. reboot
18.  
19. VPN_ENABLED_ONLY="1" # (0 = apply rules 24/7, 1 = apply rules only if VPN enabled)
20.  
21. # state checking: "state NEW" vs. no state
22. #   state NEW (default):
23. #     * any pre-existing LAN->WAN connections persist until/unless they timeout/close
24. #     * remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
25. #     * more efficient (only LAN->WAN packets used to establish NEW connections are inspected)
26. #   no state:
27. #     * any pre-existing LAN->WAN connections are stopped/blocked
28. #     * remote access (WAN->LAN) is denied (even if port forwarding is enabled)
29. #     * less efficient (every LAN->WAN packet is inspected)
30.  
31. FW_STATE="-m state --state NEW"
32. #FW_STATE="" # uncomment/comment to disable/enable state checking
33.  
34. WAN_IF="$(ip route | awk '/^default/{print $NF}')"
35. FW_CHAIN="blocked-ips"
36.  
37. # cleanup from possible prior execution
38. (
39. iptables -D FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN
40. iptables -F $FW_CHAIN
41. iptables -X $FW_CHAIN
42. ) >/dev/null 2>&1
43.  
44. # quit if no IPs in policy based routing
45. [ -z "$(nvram get openvpncl_route)" ] && exit
46.  
47. # quit if vpn disabled (unless firewall rules still need to be enforced)
48. [[ "$(nvram get openvpncl_enable)" == "0" && "$VPN_ENABLED_ONLY" != "0" ]] && exit
49.  
50. # create firewall chain for blocked IPs
51. iptables -N $FW_CHAIN
52.  
53. # read IP addresses from OpenVPN client policy based routing
54. echo -e "$(nvram get openvpncl_route)" | \
55.     while read ip; do
56.         ip=${ip//$'\r'} # remove carriage returns
57.  
58.         [ -z "$ip" ] && continue # skip blank lines
59.  
60.         # block access LAN->WAN for this IP address
61.         iptables -A $FW_CHAIN -p tcp -s $ip -j REJECT --reject-with tcp-reset
62.         iptables -A $FW_CHAIN -s $ip -j REJECT --reject-with icmp-host-prohibited
63.     done
64.  
65. # begin blocking: force LAN->WAN traffic thru firewall chain for inspection
66. iptables -I FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN