[Firehol-support] Port forwarding and blocking custom DNS from clients help

Pedro Guizeline pedro at guizeline.com
Thu Mar 14 23:17:39 GMT 2019


Hi! First let me thank everyone for this amazing tool! You guys really
saved my life; I was going completely insane with plain iptables!

I'm running a Debian 9 router, with 3 VLANs, DHCP server and DNS cache
dnscrypt-proxy2. I was able to set up the whole firewall rules in under 5 min
and everything started working perfectly! But now I'm trying to achieve 2
last things for my setup:

1) Port forwarding my internet facing port 4242 to port 22 so I can access
my router via SSH remotely (I know this is dangerous but my server only
accepts SSH key auth)
2) Block all my users, everyone but the router, from using custom DNS
resolvers on their devices, using 8.8.8.8, 1.1.1.1 and so on. I want to
force the users to use my DNS server provided via DHCP.

Here's my current configuration:

version 6

WAN=ppp0
LAN=enp3s0
VLAN10=enp3s0.10
VLAN20=enp3s0.20
VLAN30=enp3s0.30

LAN_NET="192.168.1.0/24"
VLAN10_NET="192.168.10.0/24"
VLAN20_NET="192.168.20.0/24"
VLAN30_NET="192.168.30.0/24"

tcpmss auto "${WAN}"

#dnat4 to 192.168.1.1:22 inface ${WAN} proto tcp dport 4242

interface4 ${WAN} internet src not "${LAN_NET} ${UNROUTABLE_IPS}"
    protection strong 10/sec 10
    server icmp accept
    server ident reject with tcp-reset
    client all accept

interface4 ${LAN} home src "${LAN_NET}"
    policy reject
    server "icmp ssh dhcp dns" accept
    client icmp accept
    #client dns reject dst 0.0.0.0/0 log

interface4 ${VLAN10} private src "${VLAN10_NET}"
    policy reject
    server "icmp ssh dhcp dns" accept
    client icmp accept
    #client dns reject dst 0.0.0.0/0 log

interface4 ${VLAN20} guest src "${VLAN20_NET}"
    policy reject
    server "icmp ssh dhcp dns" accept
    client icmp accept
    #client dns reject dst 0.0.0.0/0 log

interface4 ${VLAN30} iot src "${VLAN30_NET}"
    policy reject
    server "icmp ssh dhcp dns" accept
    client icmp accept
    #client dns reject dst 0.0.0.0/0 log

router4 internet2home inface ${WAN} outface ${LAN}
    protection strong 10/sec 10
    masquerade reverse
    client all accept
    server ident reject with tcp-reset

router4 home2internet inface ${LAN} outface ${WAN}
    masquerade
    route all accept

router4 private2internet inface ${VLAN10} outface ${WAN}
    masquerade
    route all accept

router4 guest2internet inface ${VLAN20} outface ${WAN}
    masquerade
    route all accept

router4 iot2internet inface ${VLAN30} outface ${WAN}
    masquerade
    route all accept

////

All the lines that I've commented were my attempts at port forwarding and
blocking outgoing DNS, but none of them seem to work. Thanks for any help
in advance and again thanks for this awesome application!

-- 
Pedro Guizeline
pedro at guizeline.com
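The two things the post asks for can be done with FireHOL's own helpers. The fragment below is an added example written for this thread, not code from the original post or from the FireHOL project; it reuses the interface and network variable names from the post and assumes the router's LAN address is 192.168.1.1 and that dnscrypt-proxy2 listens on port 53 of the router:

```firehol
# Added example (not from the original post). Variables such as ${WAN},
# ${LAN_NET} and ${UNROUTABLE_IPS} are the ones used in the post's config.

# 1) Forward WAN port 4242 to the router's own SSH port (192.168.1.1:22).
#    The dnat4 line only rewrites the destination; the translated packet is
#    still filtered by the WAN interface, which must also accept "ssh".
dnat4 to 192.168.1.1:22 inface ${WAN} proto tcp dport 4242

interface4 ${WAN} internet src not "${LAN_NET} ${UNROUTABLE_IPS}"
    protection strong 10/sec 10
    server icmp accept
    server ssh accept          # matches the post-DNAT destination port 22
    server ident reject with tcp-reset
    client all accept

# 2) Client queries to 8.8.8.8, 1.1.1.1 etc. never hit the "client dns" lines
#    inside interface4 blocks, because those blocks only cover the router's
#    own traffic. Forwarded traffic is governed by router4 blocks, so that is
#    where it has to be handled. Two options are shown; use one per LAN.

# Option A: transparently redirect port 53 from every LAN to the resolver on
# this host. The redirected packets then match the existing
# 'server "icmp ssh dhcp dns" accept' lines of the interface4 blocks.
redirect4 to 53 inface "${LAN} ${VLAN10} ${VLAN20} ${VLAN30}" proto "tcp udp" dport 53

# Option B: reject (and log) forwarded DNS before the catch-all accept.
# FireHOL evaluates rules in order, so the reject must come first.
router4 home2internet inface ${LAN} outface ${WAN}
    masquerade
    route dns reject log "dns bypass"
    route all accept
```

Option A keeps devices with hard-coded resolvers working, since their queries are answered by dnscrypt-proxy2 anyway; Option B makes the bypass visible in the log but breaks those devices until they are reconfigured.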
