Restrict access to router VPN client to a single IP address - shell

I have setup openvpn client on a asus router, it is running padavan firmware, which is similar to tomato and other.
The VPN client works, but I would like to limits it's use to one or 2 ips on my LAN (i.e. AppleTV) and all other clients bypass the VPN connection.
The padavan vpn client has a custom script that is executed with the interface goes up and down on tun0 which is the interface.
I have attempted to route the IP address of the client that I want to use, but it does not prevent access via all of the other clients:
#!/bin/sh
### Custom user script
### Called after internal VPN client connected/disconnected to remote VPN server
### $1 - action (up/down)
### $IFNAME - tunnel interface name (e.g. ppp5 or tun0)
### $IPLOCAL - tunnel local IP address
### $IPREMOTE - tunnel remote IP address
### $DNS1 - peer DNS1
### $DNS2 - peer DNS2
# private LAN subnet behind a remote server (example)
peer_lan="192.168.0.130"
peer_msk="255.255.255.253"
### example: add static route to private LAN subnet behind a remote server
func_ipup()
{
# route add -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
# route add -net $peer_lan gw $IPREMOTE dev $IFNAME
route add default dev tun0 table 200
rule add from 192.168.0.130 table 200
return 0
}
func_ipdown()
{
# route del -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
return 0
}
logger -t vpnc-script "$IFNAME $1"
case "$1" in
up)
func_ipup
;;
down)
func_ipdown
;;
esac
I realise that this is very specific to the padavan firmware, but I think that the commands that are executed when it goes up should be universal, and my routing skills are very limited !
Maybe I need to block / allow using ip tables instead?
Any suggestions or help gratefully appreciated !

Related

No IPV6 internet connectivity on client side of OpenVPN AWS EC2 server

I have an OpenVPN server I've set up on an AWS EC2 instance that is pulling an IPV6 address, and can traceroute6 and ping6 ipv6.google.com. The client can do neither and does not return an address when using online tests like ipleak, or testipv6. The server and client can ping6 and traceroute6 each other.
The client appears to pull the correct address locally, and via ip -6 route. IPV4 has always worked fine without issue. Everything appears good on the AWS side per their instructions here so the instance does have ipv6 enabled with the proper routing on the aws/vpc side. Security groups are pretty wide open for ipv6 as well.
I am assuming it's my routing, but I'm not really sure at this point as I'm no ipv6 or routing expert. Please help!
Relevant config info:
ipv6 addr of AWS instance:
aaaa:bbbb:cccc:dddd::/64
server.conf
local 172.31.44.1
port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
server-ipv6 aaaa:bbbb:cccc:dddd:80::/112
push "redirect-gateway-ipv6 def1 bypass-dhcp-ipv6"
push "route-ipv6 aaaa:bbbb:cccc:dddd::/64"
push "route-ipv6 2000::/3"
push "route 172.31.44.1 255.255.255.255 net_gateway"
push "dhcp-option DNS6 2001:4860:4860::8888"
push "dhcp-option DNS6 2001:4860:4860::8844"
/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
ip6tables:
-A INPUT -p udp --dport 443 -j ACCEPT
-A FORWARD -m state --state NEW -i tun0 -o eth0 -s aaaa:bbbb:cccc:dddd::/64 -j ACCEPT
-A FORWARD -m state --state NEW -i eth0 -o tun0 -d aaaa:bbbb:cccc:dddd::/64 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Don't use proxy NDP. It's a mess.
What you need is to delegate (=route) a prefix to the EC2 instance, then configure this prefix in the OpenVPN config (server-ipv6 keyword with the assigned prefix and mask, e.g. 2001:db8:dead:beef:1::/80), then assign connected users addresses from the prefix.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/work-with-prefixes.html
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

Select value from 11th column as variable

Objective is to extract the ip address from the 11th column and feed it to whois.
The sourcefile it's first line are the headers so they should be ignored.
then I try to select with awk the 11th column.
Since skipping first line seems to be too hard (for me) right now I left it out for now. Any good suggestion is welcome.
The code so far:
while IFS= read -r p
do
DESTIP=$(awk 'BEGIN{FS=OFS=";"} {print $11}' $p)
echo "$DESTIP; $p"
ORGNAME=$(whois $DESTIP|grep 'OrgName')
COUNTRY=$(whois $DESTIP|grep 'Country')
echo "$p;$ORGNAME;$COUNTRY" >>whois-results.txt
done < working-sorted.csv
The first lines of the sourcefile:
timestamp (UTC);ID;Threat Level;Category;Exporter IP address;Observation domain ID (ODID);Source MAC;Manufacturer;Source IP;Source Port;Destination IP;Destination Port;Protocol;Description
2020-03-14 13:54:10;20810;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;118.25.123.42;49420;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short fo
r Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 118.25.123.42 has made a TCP connection towards the dest
ination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we suggest
to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monitore
d network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist
2020-03-14 13:53:45;20809;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;144.217.92.167;55134;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short f
or Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 144.217.92.167 has made a TCP connection towards the de
stination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we sugges
t to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monito
red network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist
Result for now:
awk: cmd. line:1: fatal: cannot open file `2020-01-19' for reading (No such file or directory)
DESTINATION IP=
Variable P= 2020-01-19 20:42:56;43;3;Remote Administration Tool;::ffff:ac8:c8d0/128;101;00:0c:29:4c:20:37;Vmware;172.16.16.100;54552;52.174.64.84;443;TCP;Connection to blacklisted destination
After adjusting the awk to:
DESTIP=$(awk -v TEST='$p' 'BEGIN{FS=OFS=";"} {print $9;}')
I do get the ip addresses from the correct column, but the are in one list and not line by line, nor passed to the whois commands
Desired output:
timestamp (UTC);ID;Threat Level;Category;Exporter IP address;Observation domain ID (ODID);Source MAC;Manufacturer;Source IP;Source Port;Destination IP;Destination Port;Protocol;Description;OrgName;Country;
2020-03-14 13:54:10;20810;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;118.25.123.42;49420;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short fo
r Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 118.25.123.42 has made a TCP connection towards the dest
ination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we suggest
to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monitore
d network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist;SomeName;SomeCountry
For now I'm a bit stuck.
Help would be appriciated.
Consider this approach instead of your shell loop:
$ cat tst.awk
BEGIN {
numFlds = split("OrgName Country",nr2name)
FS=OFS=";"
}
{ delete name2val }
NR == 1 {
for (fldNr=1; fldNr<=numFlds; fldNr++) {
fldName = fldVal = nr2name[fldNr]
name2val[fldName] = fldVal
}
}
NR > 1 {
cmd = "whois \047" $9 "\047"
while ( (cmd | getline line) > 0 ) {
fldName = fldVal = line
sub(/[[:space:]]*:.*/,"",fldName)
sub(/[^:]+:[[:space:]]*/,"",fldVal)
name2val[fldName] = fldVal
}
close(cmd)
}
{
printf "%s%s", $0, OFS
for (fldNr=1; fldNr<=numFlds; fldNr++) {
fldName = nr2name[fldNr]
fldVal = name2val[fldName]
printf "%s%s", fldVal, (fldNr<numFlds ? OFS : ORS)
}
}
.
$ awk -f tst.awk file
timestamp (UTC);ID;Threat Level;Category;Exporter IP address;Observation domain ID (ODID);Source MAC;Manufacturer;Source IP;Source Port;Destination IP;Destination Port;Protocol;Description;OrgName;Country
2020-03-14 13:54:10;20810;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;118.25.123.42;49420;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short for Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 118.25.123.42 has made a TCP connection towards the dest ination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we suggest to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monitore d network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist;;
2020-03-14 13:53:45;20809;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;144.217.92.167;55134;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short for Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 144.217.92.167 has made a TCP connection towards the de stination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we sugges t to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monito red network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist;OVH Hosting, Inc.;CA
since it gives you exactly the output you wanted, it won't fail when Country, for example, appears in one of the values (your current shell script will fail due to a false match given a company name of "Big Country", for example), and with that you can access any of the values output from whois by just referring to their name. So if you wanted to additionally print the "OrgAbuseEmail" all you have to do is change this:
numFlds = split("OrgName Country",nr2name)
to this:
numFlds = split("OrgName Country OrgAbuseEmail",nr2name)
Alternatively, this avoids spawning a shell once per IP address and so MAY be a bit more efficient than the above:
$ cat tst.sh
#!/bin/env bash
file="$1"
awk 'BEGIN{FS=OFS=";"} {print $9, $0}' "$file" |
while IFS=';' read -r ip all; do
whois "$ip"
printf '%s\n---\n' "$all"
done |
awk '
BEGIN {
numFlds = split("OrgName Country",nr2name)
for (fldNr=1; fldNr<=numFlds; fldNr++) {
fldName = nr2name[fldNr]
name2val[fldName] = fldName
}
FS = OFS = ";"
}
/^[[:alpha:]]+:/ {
fldName = fldVal = $0
sub(/[[:space:]]*:.*/,"",fldName)
sub(/[^:]+:[[:space:]]*/,"",fldVal)
name2val[fldName] = fldVal
}
/^---$/ {
printf "%s%s", prev, OFS
for (fldNr=1; fldNr<=numFlds; fldNr++) {
fldName = nr2name[fldNr]
fldVal = name2val[fldName]
printf "%s%s", fldVal, (fldNr<numFlds ? OFS : ORS)
}
delete name2val
}
{ prev = $0 }
'
.
$ ./tst.sh file
timestamp (UTC);ID;Threat Level;Category;Exporter IP address;Observation domain ID (ODID);Source MAC;Manufacturer;Source IP;Source Port;Destination IP;Destination Port;Protocol;Description;OrgName;Country
2020-03-14 13:54:10;20810;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;118.25.123.42;49420;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short fo r Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 118.25.123.42 has made a TCP connection towards the dest ination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we suggest to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monitore d network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist;;
2020-03-14 13:53:45;20809;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;144.217.92.167;55134;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short f or Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 144.217.92.167 has made a TCP connection towards the de stination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we sugges t to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monito red network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist;OVH Hosting, Inc.;CA
I found a workaround. maybe not so nice, but at least working:
(edit: the workaround is now a bit nicer and less "workaround" :)
The code below is adjusted on advice of Cyrus.)
while IFS= read -r p
do
DESTIP=$(echo "$p" | awk 'BEGIN{FS=OFS=";"} {print $9;}')
echo "DESTINATION IP= $DESTIP"
echo "Variable P= $p"
ORGNAME=$(whois $DESTIP|grep 'OrgName')
COUNTRY=$(whois $DESTIP|grep 'Country')
echo "$p;$domain;$ORGNAME;$COUNTRY" >>working-whois.csv
done < working-sorted.csv
Thanks to Cyrus in this by making clear it needs an inputfile.

How can I monitor a router with a intern ssl certificate in Nagios?

This ist my current setup:
Host config:
define host{
use generic-host ; Inherit default values from a template
host_name A+A ; The name we're giving to this host
alias A+A Objektausstattung Router ; A longer name associated with the host
address https://87.139.203.190:444 ; IP address of the host
hostgroups Router ; Host groups this host is associated with
}
Service config:
define service{
use generic-service ; Inherit default values from a template
host_name A+A
service_description HTTP
check_command check_http
}
I´ll get this error from Nagios:
check_icmp: Failed to resolve https://87.139.203.190:444
What am I doing wrong here ?
Nagios tries to resolve to ip-address and port. Try ip-address only.
address https://87.139.203.190 ; IP address of the host
Your host definition should only specify an IP address for the 'address'. The URL is not an attribute of the host, but of the HTTP check your want to perform.
The Service definition specifies the check_command, which is in turn defined in the checkcommands.cfg file. This will specify exactly what command is to be run, possibly using additional parameters passed.
You will probably want to pass the port number as a parameter, and that you are to use HTTPS. How to do this will depend on your settings. For example, you could use this in your checkcommands.cfg:
define command{
command_name check_https
command_line $USER1$/check_http -t 12 -H $HOSTADDRESS$ -f ok --ssl=1 -u "$ARG1$" -p "$ARG2$" -w $ARG3$ -c $ARG4$
}
Then you could configure your service with a checkcommand thus:
check_command check_https!/!444!1!5
This would check for the url http://87.139.203.190:444/, giving a warning if it takes over 1s and a critical if it takes over 5s to complete. TLSv1 would be used (else you might get a false positive on web servers with Poodle protection).

amazon ec2, cannot ping internal host

In amazon ec2, I have 2 instances in a placement group. First node is 172.31.12.76/20, second, 172.31.12.77/20 I can ssh both nodes from my pc. They share the same security group that has got these 2 rules:
Inbound rules:
Type Protocol Port Range Source
SSH TCP 22 0.0.0.0/0
All IMCP All N/A 0.0.0.0/0
(no outbound rules)
Both nodes see to each other in L2:
root#ip-172-31-12-76:~# arp
[...]
ip-172-31-12-77.eu-west ether 0a:ad:5e:e4:12:de C eth0
[...]
root#ip-172-31-12-77:~# arp
[...]
ip-172-31-12-76.eu-west ether 0a:34:a1:17:57:28 C eth0
[...]
iptables are empty on both nodes.
But ping does not work between each other
I have already checked a previous post:
EC2 instances not responding to internal ping
but it does not address the issue. It looks like there are no other similar posts.
Any idea? Thank you very much!
I got the answer; I need to also allow outbound icmp on each host in order to be able to ping both external and internal IPs.

How do I know the internal DNS name of an Amazon AWS instance?

I have a system that has N servers on the Amazon AWS cloud. They are all in the same zone. Instance A wants to talk to instance B, but it obviously doesn't go through the internet. As far as I understand, the internal IP changes every time I reboot the instance. Is there an internal, constant DNS name to all my instances, through which they can interact between themselves without worrying about restarts?
http://alestic.com/2009/06/ec2-elastic-ip-internal
No, there is no way to make use of 'fixed' IP addresses or DNS names using the out-of-the-box AWS instances. Even if you assign an EIP (Elastic IP) to the instance, this only affects the public-facing IP/DNS reference, not the internal one.
We use a pair of DNS servers in our EC2 estate (it's Windows, so they're Primary/Secondary AD Domain Controllers). By having all other instances use this pair as their DNS servers, we can assign unique machine names to each instance as they spin-up, and reference any/all other instances by these names.
So for example our EC2-based Subversion server has an EIP which means it's always at the same place when we talk to it from outside EC2, but the EC2-based CruiseControl server refers to it as [ourec2domain].SVNHOST because it registers that name with the DCs at startup.
I had the same issues when I first started using the cloud. I too use a setup of 2 DNS servers and add a tag to the two servers using the command ec2-create-tags <instance> --tag Purpose=DNS
Using the http://cloudinitnet.codeplex.com service I created the server runs a powershell script on startup. This powershell script checks amazon for the two dns servers and add them to the network interface. Assuming you have a list of dns servers at this point you can use the code below to add the entries to the dns server. To get a list of servers just query your account with the AWSSDKnet with powershell.
$connection = "Local Area Connection 2"
$registered = $false;
# Clean up the DNS entries incase there are any settings already
Write-Output "Clearing DNS Entries"
$X = netsh interface ip set dns $connection static none
$index = 1;
foreach ( $server in $servers)
{
# Set this server's
Write-Output "Adding server $server to DNS"
$X = netsh interface ip add dnsserver $connection $server index=$index
# Register the server's hostname with the dns server
if(-not ($registered))
{
$computer = hostname
$address = (netsh interface ip show address $connection | select-string "IP Address") -replace '^[^\d]+'
$rec = [WmiClass]"\\dns01\root\MicrosoftDNS:MicrosoftDNS_ResourceRecord"
$rec.CreateInstanceFromTextRepresentation("dns01", "network.cloud", "$($computer).network.cloud IN A $address")
$registered = $true;
}
$index++;
}
If your servers are not windows then you can use Ubuntu or Amazon Linux "Cloud-Init" to perform the same task.
From the instance:
curl http://169.254.169.254/latest/meta-data/local-hostname

Resources