I'm looking for a way to reliably block internet access for computers on the LAN (other than the router itself) from the moment the router boots up until the moment when an openvpn connection is brought up. The reason is that without such a scheme, there is a time window (probably around 10 seconds) when programs running on a desktop can inadvertently leak the real IP of the router (as opposed to the VPN IP). I'm using EasyTomato + USB disk with Entware, but I believe that a solution using TomatoUSB would be very relevant. I'll start with some background first:
From what I understand about the system, I can inject scripts in 3 locations:
1. Init script. This is done from the web interface.
2. USB mount script. This is in /opt/mount.autorun at the root of the USB drive.
3. Firewall script. This is in /opt/etc/config/*.fire.
Currently, I implemented a kill switch in a firewall script (3) using iptables. The relevant bits are:
    -A FORWARD -o vlan2 -j wanout
    -A wanout -j REJECT
So, if the VPN connection dies and must be restarted, only the router itself is able to send packets out via vlan2 (those go through filter:OUTPUT, not filter:FORWARD). I think this works fine once the firewall script runs.
As explained above, the problem I have is that there is a window of time from the moment the router is up until the firewall script runs during which LAN packets escape out on vlan2. To confirm this, I added an iptables-save -c in all 3 locations above.
- In (1), the tables are completely empty, e.g. the wanout chain doesn't exist yet.
- In (2), I already see [5:337] -A FORWARD -o vlan2 -j wanout. So LAN packets went out on vlan2 already, but wanout is empty at that point, so the real IP leaked.
1. Is there some way to add the 2 iptables rules above independently of the moment /opt is mounted? It looks like the 1st line is added by the router sometime between (1) and (2). Is there a way to add the 2nd line as well at that point? Would it be reliable to add both rules from the init script (1)?
2. Is there some other simple way to prevent br0 packets going out on vlan2 before iptables is properly set up? Perhaps a switch in the web interface whose effect would be to prevent br0 routing, but which could then be easily flipped by a script?
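Added example (not from the original post or from the Tomato project): an idempotent kill-switch installer built from the two rules in the post, written so the same script can be pasted into all three hooks listed above (Init script, mount.autorun, *.fire) and run as early as possible without doing harm when it runs again later. Rule presence is checked through iptables-save, which the post already uses for probing, rather than through "iptables -C", because older iptables builds shipped with router firmware may not support -C. WAN_IF=vlan2 is taken from the post; the IPT and IPT_SAVE variables, the ks_* function names and the guard against an already-existing wanout chain are assumptions made for this example so the logic can be exercised with a stub instead of a live router.

```shell
#!/bin/sh
# Added example, not code from the original post: idempotent kill-switch
# installer for the "FORWARD -o vlan2 -j wanout" / "wanout -j REJECT" rules.
# Rule presence is checked via iptables-save (as the post does) instead of
# "iptables -C", which old iptables builds lack. IPT and IPT_SAVE are
# overridable so the logic can be exercised with stubs (assumption).
IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
WAN_IF="${WAN_IF:-vlan2}"

# True if the current ruleset contains a line starting with $1, given in
# iptables-save syntax, e.g. "-A FORWARD -o vlan2 -j wanout". Substring
# matching is deliberate: iptables-save renders REJECT with a trailing
# "--reject-with ..." argument.
ks_has_rule() {
    $IPT_SAVE 2>/dev/null | grep -qF -- "$1"
}

# True if chain $1 exists (iptables-save prints ":name - [pkts:bytes]").
ks_has_chain() {
    $IPT_SAVE 2>/dev/null | grep -q -- "^:$1 "
}

# Create wanout unless it is already there. The router's own firewall may
# create this chain itself (assumption), hence the guard.
ks_ensure_chain() {
    ks_has_chain wanout || $IPT -N wanout
}

# Install the two rules from the post. The FORWARD jump is inserted at
# position 1 so it precedes any ACCEPT rules the router adds for br0 -> WAN
# traffic; REJECT is appended to wanout, so anything that must bypass the
# kill switch has to be inserted ahead of it with "-I wanout 1 ...".
ks_install() {
    ks_ensure_chain
    ks_has_rule "-A FORWARD -o $WAN_IF -j wanout" ||
        $IPT -I FORWARD 1 -o "$WAN_IF" -j wanout
    ks_has_rule "-A wanout -j REJECT" ||
        $IPT -A wanout -j REJECT
}

# Returns 0 only when both rules are present; usable from a cron/watchdog job.
ks_status() {
    ks_has_rule "-A FORWARD -o $WAN_IF -j wanout" &&
        ks_has_rule "-A wanout -j REJECT"
}

# The probe from the post: append a timestamped "iptables-save -c" snapshot
# to log file $1, tagged with $2 (e.g. init, mount, fire), so the boot-time
# window can be measured from each hook.
ks_probe() {
    { echo "=== $(date) $2"; $IPT_SAVE -c; } >> "$1" 2>&1
}

case "${1:-}" in
    install) ks_install ;;
    status)  ks_status ;;
    probe)   ks_probe "${2:-/tmp/ks-probe.log}" "${3:-}" ;;
esac
```

Usage on the router: "sh kill-switch.sh install" from each hook, and "sh kill-switch.sh probe /tmp/ks-probe.log init" (or mount, fire) to reproduce the counter measurements from the post. Because the script only acts when a rule is missing, calling it from the Init script, from mount.autorun and again from the firewall script is safe; whichever hook runs first after the filter table exists installs the REJECT, and the later ones are no-ops.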