swmpgs

Network lock and custom firewall rules

Hello,

I have a question that maybe someone more knowledgeable can answer. I have a computer at home that runs the AirVPN client, and a remote computer. I want to be able to connect from either computer to the other one with ssh.

Without the AirVPN client, everything works (obviously). If I run AirVPN without Network Lock, I can ssh from home to remote (it goes via the AirVPN server) but not from remote to home. I tried to start AirVPN with the parameter "routes.custom=my.remote.ip.addr,255.255.255.255,out" but it didn't help: the required route was not added to the routing table. However, that problem was easily solved: I added the route separately with "route add -host my.remote.ip.address gw 192.168.1.1" and all was well: ssh works from home to remote and from remote to home, bypassing AirVPN as I want it to.

Now I enable Network Lock. This time I need to add the "allowed IP" parameter to be able to ssh from home to remote:

    ./airvpn -cli -connect -netlock -login=**** password=**** netlock.allowed_ips=my.remote.ip.addr

But ssh from remote to home is blocked by the firewall. I can't find any AirVPN parameter that can be used to create custom firewall rules, so I ended up adding the required rule myself.

 

Before:

# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      177 16717 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     all  --  any    any     255.255.255.255      anywhere
3       93  8963 ACCEPT     all  --  any    any     192.168.0.0/16       192.168.0.0/16
4       26  4651 ACCEPT     all  --  any    any     10.0.0.0/8           10.0.0.0/8
5        0     0 ACCEPT     all  --  any    any     172.16.0.0/12        172.16.0.0/12
6        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
7     1890  460K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
8        0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
9        6   502 DROP       all  --  any    any     anywhere             anywhere

Add the rule:

    iptables -t filter -I INPUT 9 -i eth0 -p tcp -s my.remote.ip.addr --dport 22 -j ACCEPT

After:

# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      182 17197 ACCEPT     all  --  lo     any     anywhere             anywhere
2        0     0 ACCEPT     all  --  any    any     255.255.255.255      anywhere
3      107 10296 ACCEPT     all  --  any    any     192.168.0.0/16       192.168.0.0/16
4       41  6945 ACCEPT     all  --  any    any     10.0.0.0/8           10.0.0.0/8
5        0     0 ACCEPT     all  --  any    any     172.16.0.0/12        172.16.0.0/12
6        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
7     1981  480K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
8        0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
9        0     0 ACCEPT     tcp  --  eth0   any     my.remote.ip.addr    anywhere             tcp dpt:22
10       6   502 DROP       all  --  any    any     anywhere             anywhere

 

Now everything works again, but the question remains: what is the best way to achieve that? In the worst-case scenario, I can just start AirVPN in the background, wait a minute or so and then run iptables with my additional rule. But that looks ugly.

Can anyone think of a better way? Maybe some "event.session..." or "event.vpn..." parameter will do the trick?

Thanks for any help.

 

Hello!

 

Please insert your script (with all necessary iptables commands) as the event at "VPN Pre" or "VPN Up". Similarly, set another script (if required) at "VPN Down", or at "App End".

Don't execute the script at "App Start", because Network Lock is activated after that event.
Kind regards

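Putting the rule from the first post into an event script as the reply suggests, as an added example that is neither from the thread nor from AirVPN: a POSIX sh hook that inserts the rule on "VPN Up" and removes it on "VPN Down", checking with `iptables -C` first so that a re-run of the event does not stack duplicate rules. The up/down argument convention, the `eth0`/`REMOTE_IP` defaults and the `IPTABLES` override variable are this example's own assumptions, and 203.0.113.10 is a placeholder for my.remote.ip.addr.

```shell
#!/bin/sh
# AirVPN event hook: keep inbound SSH from one trusted host open under Network Lock.
# Register it under "VPN Up" with argument "up" and "VPN Down" with "down" (my convention).
set -eu
REMOTE_IP="${REMOTE_IP:-203.0.113.10}"   # placeholder for my.remote.ip.addr
LAN_IF="${LAN_IF:-eth0}"                 # interface the remote host reaches us on
IPTABLES="${IPTABLES:-iptables}"         # overridable so the logic can be mocked/tested

# The same rule that was inserted by hand in the thread: one source host, TCP/22 only.
# Return traffic for the session is covered by the client's RELATED,ESTABLISHED rule.
ssh_rule() {
    printf '%s' "-i $LAN_IF -p tcp -s $REMOTE_IP --dport 22 -j ACCEPT"
}

# iptables -C exits 0 when an identical rule is already present in the chain.
ssh_rule_present() {
    "$IPTABLES" -C INPUT $(ssh_rule) 2>/dev/null
}

ensure_ssh_rule() {
    # Re-running the event must not stack duplicates, so check before inserting.
    if ssh_rule_present; then
        return 0
    fi
    # Insert at the head of INPUT: every rule above the manual "-I INPUT 9" slot in the
    # thread's chain is itself an ACCEPT, so position 1 is equivalent and position-proof.
    "$IPTABLES" -I INPUT $(ssh_rule)
}

remove_ssh_rule() {
    # Delete every copy, in case one was also added by hand.
    while ssh_rule_present; do
        "$IPTABLES" -D INPUT $(ssh_rule)
    done
}

handle_event() {
    case "$1" in
        up)   ensure_ssh_rule ;;
        down) remove_ssh_rule ;;
        *)    echo "usage: $0 up|down" >&2; return 2 ;;
    esac
}

# Act only when the client invokes us with an event argument.
if [ $# -gt 0 ]; then
    handle_event "$1"
fi
```

Hooking it at "VPN Up" rather than "App Start" matters for the reason the reply gives: the rule must be inserted after Network Lock has built its chain, and the "VPN Down" side takes the exception away again once the tunnel is gone.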