tomato-ovpn-server-restrict.sh

#!/bin/sh
#DEBUG=; set -x # uncomment/comment to enable/disable debug mode

#          name: tomato-ovpn-server-restrict.sh
#       version: 1.0.1, 13-sep-2024, by eibgrad
#       purpose: restrict access to openvpn server(s) by ip/network/domain
#   script type: openvpn (route-up, route-pre-down)
#  installation:
#    1. enable jffs (administration->jffs)
#    2. enable syslog (status->logs->logging configuration->syslog)
#    3. use shell (telnet/ssh) to execute one of the following commands:
#         curl -kLs bit.ly/tomato-installer|tr -d '\r'|sh -s -- --dir /jffs RbdQNmay
#       or
#         wget -qO - bit.ly/tomato-installer|tr -d '\r'|sh -s -- --dir /jffs RbdQNmay
#    4. use vi editor to modify script w/ your preferred permissions:
#         vi /jffs/tomato-ovpn-server-restrict.sh
#    5. create symbolic links:
#         ln -sf /jffs/tomato-ovpn-server-restrict.sh /jffs/route-up
#         ln -sf /jffs/tomato-ovpn-server-restrict.sh /jffs/route-down
#    6. change firewall setting of openvpn server(s) from automatic to custom
#    7. add the following to openvpn server(s) custom configuration:
#         script-security 2
#         route-up /jffs/route-up
#         route-pre-down /jffs/route-down
#    8. reboot
{
# ----------------------------------- FYI ------------------------------------ #
# * one ip/network/domain per line
# * commented lines and anything after ip/network/domain are ignored
# * access is only permitted when source matches ip/network/domain
# * the order of permissions doesn't matter (there is no order of precedence)
# ---------------------------------------------------------------------------- #

PERMITTED='
# ----------------------------- BEGIN PERMITTED ------------------------------ #
#0.0.0.0/0 # discontinue further checking; permit ALL
192.168.63.103
111.111.111.111 this comment is ignored
112.112.112.112 # this comment is ignored
#113.113.113.113 this whole line is ignored
114.114.114.0/24
epdg.epc.mnc071.mcc505.pub.3gppnetwork.org
# ------------------------------ END PERMITTED ------------------------------- #
'
# ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

SID="${dev:4:1}"

CHAIN="ovpn_server${SID}_restrict"
PROTO="$(nvram get vpn_server${SID}_proto | cut -c1-3)"
PORT="$(nvram get vpn_server${SID}_port)"

# function up()
up() {
# create and initialize permissions chain
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN

# add user-defined permissions to chain
OIFS="$IFS"; IFS=$'\n'
for src in $PERMITTED; do
    # ignore comments and blank lines
    echo $src | grep -Eq '^\s*(#|$)' && continue

    # add the permission to the chain
    iptables -A $CHAIN -s $(echo $src | cut -f1) -j ACCEPT
done
IFS="$OIFS"

# finalize permissions chain
iptables -A $CHAIN -j DROP

# enable tunnel on input and forward chains
iptables -I INPUT -i $dev -j ACCEPT
iptables -I FORWARD -i $dev -j ACCEPT

# open server port w/ link to permissions chain
iptables -I INPUT -p $PROTO --dport $PORT -m state --state NEW -j $CHAIN

# enable access through the prerouting chain
iptables -t nat -I PREROUTING -p $PROTO --dport $PORT -j ACCEPT
}

# function down()
down() {
# disable access through the prerouting chain
iptables -t nat -D PREROUTING -p $PROTO --dport $PORT -j ACCEPT

# close server port and unlink from permissions chain
iptables -D INPUT -p $PROTO --dport $PORT -m state --state NEW -j $CHAIN

# disable tunnel on input and forward chains
iptables -D INPUT -i $dev -j ACCEPT
iptables -D FORWARD -i $dev -j ACCEPT

# flush and delete permissions chain
iptables -F $CHAIN
iptables -X $CHAIN
}

# trap event-driven callbacks by openvpn and take appropriate action(s)
case "$script_type" in
          'route-up') up;;
    'route-pre-down') down;;
                   *) echo "warning: unexpected invocation: $script_type";;
esac

exit 0
} 2>&1 | logger -t "$(basename $0 | grep -Eo '^.{0,23}')[$$]"