
Best firewall configuration for Cryptostorm+ASUSWRT-Merlin



Postby Arch » Fri Oct 06, 2017 1:51 pm

Greetings, fellow network experts, newbies, freaks, geeks and other noble society members. My question is simple. I'm running Cryptostorm from an ASUS RT-AC5300 with Merlin installed on it. It has some handy features like "start with WAN" which are working fine for me. But, since I'm a bit of a paranoid person, I'd like to prevent my VPN connection from exposing my real IP. The thing is: my ISP IPs are dynamic, which means that there's a small timeframe when my real IP is visible while the router gets a new lease, even with "start with WAN" enabled. I know about iptables, but I need an exact config, because I don't want to fuck something up. Thanks in advance, guys.

parityboy
Site Admin
Posts: 1096
Joined: Wed Feb 05, 2014 3:47 am

Re: Best firewall configuration for Cryptostorm+ASUSWRT-Merlin

Postby parityboy » Tue Oct 10, 2017 9:35 pm

@OP

I can't give you an exact config because I don't run a Merlin-based router. However, here's a snippet of what I do with my Linux-based VMs.

Code:

*filter
# DROP all traffic as a default policy
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]

#  Accept traffic from localhost
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

#  Accept LAN traffic
-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -i eth0 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -o eth0 -j ACCEPT

# Accept traffic from Cryptostorm Rome Exit Node
-A INPUT -p udp -m udp -s 185.94.193.235/32 -i eth0 --sport 443 -j ACCEPT
-A OUTPUT -p udp -m udp -d 185.94.193.235/32 -o eth0 --dport 443 -j ACCEPT

#  Only accept other traffic if it's coming & going via the VPN tunnel.
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT


Obviously you must edit the values according to your router's exact setup. I'm guessing you should also allow traffic to the gateway upstream from your router - I assume this is where DHCP requests will go from your router when it gets its IP address renewed.
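One way to sanity-check a ruleset like this before loading it, as an added example that is not from the post or from cryptostorm: a small Python checker that parses the iptables-restore text and reports any ACCEPT in OUTPUT or FORWARD that could send traffic out of the WAN interface to anything other than the VPN endpoint or an explicitly allowed network (LAN, loopback, the upstream gateway mentioned above). It assumes eth0 is the WAN interface and tun0 the tunnel, as in the snippet, and checks FORWARD as well because that is the chain that matters on a router.

```python
import ipaddress
import re
# Ruleset from the post above, embedded so the check runs offline (eth0 = WAN, tun0 = VPN).
POSTED_RULESET = """*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -i eth0 -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A INPUT -p udp -m udp -s 185.94.193.235/32 -i eth0 --sport 443 -j ACCEPT
-A OUTPUT -p udp -m udp -d 185.94.193.235/32 -o eth0 --dport 443 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT"""
OPTS = {"-i", "-o", "-s", "-d", "-p", "-j", "--sport", "--dport"}

def parse_ruleset(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-restore text."""
    policies, rules = {}, []
    for line in text.splitlines():
        m = re.match(r"^:(\w+)\s+(\w+)", line.strip())
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.strip().startswith("-A "):
            toks = line.split()
            rule = {"chain": toks[1]}
            for i, t in enumerate(toks[:-1]):
                if t in OPTS:
                    rule[t] = toks[i + 1]
            rules.append(rule)
    return policies, rules

def find_leaks(text, wan_if, vpn_endpoint, allowed_nets):
    """Ways non-tunnel traffic could leave via wan_if; empty list = kill switch holds."""
    policies, rules = parse_ruleset(text)
    ok_nets = [ipaddress.ip_network(n) for n in (vpn_endpoint, *allowed_nets)]
    findings = [f"{c} policy is {policies.get(c)}, not DROP"
                for c in ("INPUT", "OUTPUT", "FORWARD") if policies.get(c) != "DROP"]
    for r in rules:  # FORWARD matters on a router, OUTPUT on the box itself
        if r["chain"] not in ("OUTPUT", "FORWARD") or r.get("-j") != "ACCEPT":
            continue
        out_if, dst = r.get("-o"), r.get("-d")
        if out_if not in (None, wan_if):
            continue  # leaves via tun0 or another non-WAN interface: fine
        if dst is None or not any(ipaddress.ip_network(dst).subnet_of(n) for n in ok_nets):
            findings.append(f"{r['chain']} ACCEPT via {out_if or 'any iface'} "
                            f"to {dst or 'anywhere'}: cleartext leak path")
    return findings
```

Run `find_leaks(POSTED_RULESET, "eth0", "185.94.193.235/32", ["192.168.1.0/24", "127.0.0.0/8"])` and add the upstream gateway's address to the allowed list once you have the DHCP rule in place; anything it prints is a path your real IP can take.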

