Posted: Mon Jun 08, 2009 16:30 Post subject: [Solved] Block OpenVPN DHCP in NVRAM v24 and later..
Hello,
I have been trying to use the following startup script to block DHCP over my router-to-router VPN, but it is failing to run at boot. Oddly, I can telnet in and paste the code and it works perfectly. All commands execute and an 'ebtables -L' lists the exceptions. However, when I go to put the code in the startup commands section (nvram), at some point it fails. I think it is creating the /tmp/ebt_ip.o.gz.u64 just fine, but failing on the insmod commands.
I have tried to add lengthy sleep commands, save the insmod in the firewall section, create a custom script...but nothing works. Maybe it is a permission issue?
Does anyone have any insight on why this is failing?
I would not try to troubleshoot with SP1 on the router. See the top two announcements at the top of the forum. _________________ SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advice in them then the level of help available for you will drop substantially, also known as Murrkf's law."
At what point during the boot is startup run? Is there a way to delay it to the end?
I bet there are other insmod commands running after my startup script runs which is negating my efforts and giving me "The kernel doesn't support the ebtables 'filter' table.".
It's likely that tap1 doesn't exist yet when the startup script is run. Also, afaik ebtables can get cleared by link state changes too, so the firewall script is where it belongs anyway. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
It's likely that tap1 doesn't exist yet when the startup script is run. Also, afaik ebtables can get cleared by link state changes too, so the firewall script is where it belongs anyway.
The ebtables modules now reliably load (a step in the right direction). However, my filter "ebtables -I INPUT -i tap1 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP" is still not working because when I do an ebtables -L it is 0 for all three areas.
I added a sleep 120 to allow tap1 to connect. Also, my OpenVPN for tap1 is placed chronologically before the ebtables section in the startup script.
I know the tap1 is working and in use because my VPN works.
Any suggestions on how I can debug this? Also, could I set a timer of some sort to re-initiate my "ebtables -I INPUT -i tap1 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP" statement every x amount of time?
I'm curious why you're going through the trouble of using ebtables instead of iptables, because this rule would work the same with either. If you were blocking DHCP forwarding then ebtables would be needed, but for input either will do.
It can be tricky getting some things to run when needed; the last resort is always cron.
I'm curious why you're going through the trouble of using ebtables instead of iptables, because this rule would work the same with either. If you were blocking DHCP forwarding then ebtables would be needed, but for input either will do.
It can be tricky getting some things to run when needed; the last resort is always cron.
I was trying to block DHCP from traveling across the VPN. From what I have read and what's posted in this forum, you must use ebtables because DHCP cannot be blocked with iptables on the VPN bridge.
Yeah, I've seen that tutorial before, but it's never made sense why they have an INPUT rule, which is only for traffic destined to the MAC address of the router itself. I would expect it to use the FORWARD chain to block bridged traffic, but maybe the tunnel has an odd effect with the bridging.
The ebtables modules now reliably load (a step in the right direction). However, my filter "ebtables -I INPUT -i tap1 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP" is still not working because when I do an ebtables -L it is 0 for all three areas.
I added a sleep 120 to allow tap1 to connect. Also, my OpenVPN for tap1 is placed chronologically before the ebtables section in the startup script.
I know the tap1 is working and in use because my VPN works.
Any suggestions on how I can debug this?
I had a similar timing problem with a simple iptables DELETE here:
It turned out in my case that every delay I inserted into my script only delayed initialization of the firewall sequence I was waiting for!
I finally figured out that I had to start a new shell and wait there for the rest of the initialization sequence to finish. In your case it would look something like this I think (trailing ampersand to push the new shell into the background):
Posted: Tue Jun 09, 2009 15:18 Post subject: [Solved] OpenVPN DHCP block router-to-router VPN
Thanks to everyone who helped! This is a working script to block DHCP traffic over a router-to-router OpenVPN bridge. You might have to change the tap1 part to reflect your interface.
Edit: Moved everything to the startup because firewall was calling things more than once, causing 4 duplicate entries in ebtables.
Edit2: Changed timing and removed error check on sleep.
Last edited by AaronDrabeck on Tue Jun 09, 2009 21:39; edited 1 time in total
Oops, sorry, looks like using a semicolon instead of && following the sleep command doesn't work quite the same. Also, in my case I had to start a new shell to avoid blocking the init thread. So applying this to your code, here's what I should have written instead for the Firewall section:
Putting ... sleep 15 ; ebtables -I INPUT -i tap1 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP & ... in the firewall causes 4 entries to exist in ebtables. The firewall section must be called more than once during boot or something.
Using && with insmod does not seem to work. insmod must not return the correct variable for it to pass the error check to move on to the next statement, because when I do "insmod ebtables && insmod ebtable_filter && insmod /tmp/ebt_ip.o", "insmod ebtable_filter && insmod /tmp/ebt_ip.o" never get installed.
Sleep needs to be in front of both commands for it to work, and it needs to be run in the background. No idea why, but when I remove either or both it breaks. Maybe gunzip is taking a second to create /tmp/ebt_ip.o? OpenVPN needs time to establish a connection with the other router anyway before I block DHCP, so this is okay with me.
It might be instructive to watch what is happening with the late init process entirely apart from your extra commands, e.g. remove all the ebtables commands, then reboot the router and telnet in about 25 seconds afterwards, then run cat /proc/kmsg. When I did this I discovered that several modules were being unloaded and reloaded several times (details in the thread I linked to above). I could also see exactly which module seemed to be having load problems (IPPTP), which were proportionate to the amount of delay that I was adding with the sleep command.
After testing my initial hypothesis above (i.e. that the && following the sleep command could be replaced with a semicolon) I learned that these two commands behave quite differently in busybox:
Code:
sleep 5 && echo hello world &
vs.
Code:
sleep 5 ; echo hello world &
The first command returns a command prompt immediately, while the second one waits for 5 seconds. I can also add additional commands and as long as they are separated by && then the command prompt returns immediately. But as soon as I separate an item in the list with a semicolon then the shell waits for the entire process to complete before returning a prompt.
Did you try starting a separate entirely asynchronous process to execute a && delimited command list?
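An added example, not code from the thread or from DD-WRT, that can be run on any POSIX or busybox sh to check the two points raised above: the "sleep 5 && cmd &" versus "sleep 5 ; cmd &" difference from this post, and the 4 duplicate entries the firewall hook produced in the earlier post. The function names, the 2-second sleep and the sample ebtables listing are mine (the listing is constructed to approximate the layout ebtables -L prints, not captured from a router); tap1 and the DROP rule are the thread's own.

```shell
#!/bin/sh
# Added example, not from the thread: runs on plain POSIX/busybox sh.
# 1. Why  `sleep N && cmd &`  hands the prompt back at once while
#    `sleep N ; cmd &`  blocks for N seconds: `&` backgrounds the whole
#    preceding AND-list, but `;` ends a list, so only `cmd` is backgrounded.
# 2. A guard that inserts the DHCP-block rule only when it is absent, so a
#    firewall hook that fires several times during boot cannot stack copies.

# Wall-clock seconds a command takes to return (1 s resolution is enough).
# The command's own output goes to /dev/null so a backgrounded child cannot
# hold open the caller's stdout when this is used inside $(...).
seconds_taken() {
    start=$(date +%s)
    "$@" >/dev/null 2>&1
    echo $(( $(date +%s) - start ))
}

# The two command shapes from the post, with a 2 s sleep to keep the run short.
and_list_bg() {
    sleep 2 && true &            # whole AND-list backgrounded: returns at once
}
semicolon_bg() {
    sleep 2 ; true &             # sleep runs in the foreground: returns after 2 s
}

# Detach a delayed command list from the init path, the pattern the thread
# settled on: `$1` = seconds to wait, the rest = the command to run.
run_deferred() {
    delay=$1
    shift
    ( sleep "$delay" && "$@" ) &
}

# Count rules in an `ebtables -L INPUT` listing (read from stdin) that match
# the DHCP block on interface `$1`.  Matches the interface token and the
# 67:68 port range rather than the whole line, because ebtables prints the
# options in its own order, not the order they were typed.
dhcp_rule_count() {
    grep -E -- "-i $1( |\$)" | grep -c -- '67:68' || true
}

# Insert the thread's rule only if the listing shows no copy yet.
# Needs root and ebtables on the router; defined here, not called.
ensure_dhcp_block() {
    if [ "$(ebtables -L INPUT | dhcp_rule_count "$1")" -eq 0 ]; then
        ebtables -I INPUT -i "$1" -p IPv4 --ip-protocol udp \
            --ip-destination-port 67:68 -j DROP
    fi
}

# Constructed sample listing approximating what `ebtables -L INPUT` prints
# after the rule was inserted once (layout assumed, not captured from a router).
SAMPLE_LISTING='Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i tap1 --ip-proto udp --ip-dport 67:68 -j DROP'

demo() {
    echo "sleep && cmd &   returned after $(seconds_taken and_list_bg) s"
    echo "sleep ; cmd &    returned after $(seconds_taken semicolon_bg) s"
    echo "tap1 DHCP rules already listed: $(printf '%s\n' "$SAMPLE_LISTING" | dhcp_rule_count tap1)"
}

demo
```

On the router the startup or firewall section would call it as "run_deferred 120 ensure_dhcp_block tap1": the init path returns immediately, the rule is inserted once tap1 is up, and a second or fourth invocation of the hook finds the rule already listed and inserts nothing. The same guard works for the FORWARD chain suggested earlier in the thread by changing the chain name in both ebtables calls.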
THIS is the solution that finally seems to work with no problems for me. I have been fooling around with this for literally YEARS looking for the correct solution to this problem. Now I am sure I have found it. MUCH THANKS to the creator of the CRON job that fixes this frustrating problem!
EDIT: As he says, DO VERIFY THE FILE PATHS. I had to change .37 to .36 because I'm using a slightly older DD-WRT and I refuse to change because everything is working perfectly as-is.