Nastaveni firewallu pro pristup pouze ze site T-mobile CZ a O2 mobile CZ

xsys · June 25, 2021, 8:15am

Treba to nekomu pomuze / usetri cas…

Jak nastavit Firewall aby poustel provoz jen ze site Tmobil CZ, pro OpenVPN ale i jakoukoliv jinou sluzbu bezici doma - NAS, SMTP, atd:

Metodou zjistovani IP adres jsem dosel k nasledujicimu nastaveni firewallu pro pristup z mobilni site Tmobilu, kdyz clovek potrebuje pristupovat domu z mobilu, a aby zaroven neotviral uplne zbytecne svuj OpenVPN server celemu siremu svetu bez omezeni (bohuzel to vetsina lidi bezstarostne udela a dava prostor utokum neomezene z celeho sveta)

Pooly IP adres Tmobiliho CGNATu jsem zjistoval ukladanim IP adres meho a nekolika dalsich mobilu bezici na Tmobilu [vetsinou tarif Twist internet na rok za 499] jednoduse prisupem na mou web stranku ktera jen uklada IP adresu navstevnika, parkrat za tyden behem cca posledniho roku.
Predpokladam ze by seznam jejich NAT IP adres mozna slo i vytahnout z Tmobilu, ale nemam tam kontakt a s infolinkou neni rozumna rec.

Na zaklade posbiranych IP adres

list IP Adres

IP	IP block	end address	part of	end address
37.48.0.35	37.48.0.0/20	Broadcast: 37.48.15.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.2.170	37.48.0.0/20	Broadcast: 37.48.15.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.4.81	37.48.0.0/20	Broadcast: 37.48.15.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.8.114	37.48.0.0/20	Broadcast: 37.48.15.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.9.47	37.48.0.0/20	Broadcast: 37.48.15.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.12.196	37.48.0.0/20	Broadcast: 37.48.15.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.12.210	37.48.0.0/20	Broadcast: 37.48.15.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.12.43	37.48.0.0/20	Broadcast: 37.48.15.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.16.129	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.16.129	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.17.82	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.18.243	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.19.156	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.19.240	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.19.248	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.19.255	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.20.32	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.21.71	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.24.115	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.26.103	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.26.105	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.26.148	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.27.101	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.29.67	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.29.68	37.48.16.0/20	Broadcast: 37.48.31.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.36.200	37.48.32.0/20	Broadcast: 37.48.47.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.36.200	37.48.32.0/20	Broadcast: 37.48.47.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.36.229	37.48.32.0/20	Broadcast: 37.48.47.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.37.201	37.48.32.0/20	Broadcast: 37.48.47.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.37.84	37.48.32.0/20	Broadcast: 37.48.47.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.40.151	37.48.32.0/20	Broadcast: 37.48.47.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.42.81	37.48.32.0/20	Broadcast: 37.48.47.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.45.11	37.48.32.0/20	Broadcast: 37.48.47.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.45.245	37.48.32.0/20	Broadcast: 37.48.47.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.48.135	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.48.143	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.48.177	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.48.20	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.49.28	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.50.96	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.52.206	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.55.172	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.59.207	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.60.167	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.61.124	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
37.48.61.242	37.48.48.0/20	Broadcast: 37.48.63.255	37.48.0.0/18	Broadcast: 37.48.63.255
78.80.18.95	78.80.16.0/20	Broadcast: 78.80.31.255
78.80.20.149	78.80.16.0/20	Broadcast: 78.80.31.255
78.80.21.158	78.80.16.0/20	Broadcast: 78.80.31.255
78.80.25.2	78.80.16.0/20	Broadcast: 78.80.31.255
78.80.26.194	78.80.16.0/20	Broadcast: 78.80.31.255
89.24.33.127	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.34.197	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.34.209	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.34.209	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.37.10	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.40.119	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.40.237	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.41.11	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.43.40	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.44.69	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.44.69	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.45.147	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.45.239	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.46.113	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.46.171	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.46.216	89.24.32.0/19	Broadcast: 89.24.63.255
89.24.46.231	89.24.32.0/19	Broadcast: 89.24.63.255

jsem se podival do RIPE a ke kazde nasel subnet ktery Tmobil oznamuje, a na stesti to maji pekne popsane, na rozdil od vetsiny operatoru:

inetnum 37.48.0.0/20
netname T-Mobile_Czech_Mobile_pool_1
descr CGNAT pool for mobile customers

inetnum 37.48.16.0/20
netname T-Mobile_Czech_Mobile_pool_2
descr CGNAT pool for mobile customers

atd…

Tak jsem nasel vsechny pooly ktery byly realne pouzity u me a v mem okoli:

37.48.0.0/18
78.80.16.0/20
89.24.32.0/19

Takze dokud se u T neco nezmeni, tak tato limitace staci na povoleni pristupu z mobilu a zakazani pristupu ze sveta a ostatnich siti.

Vysledek pro vlozeni do /etc/config/firewall

config redirect
	option name 'vpn1'
	option target 'DNAT'
	list proto 'udp'
	option src 'wan'
	option src_ip '37.48.0.0/18'
	option src_dport '12345'
	option dest 'lan'
	option dest_ip '192.168.1.11'
	option dest_port '12345'

config redirect
	option name 'vpn2'
	option target 'DNAT'
	list proto 'udp'
	option src 'wan'
	option src_ip '78.80.16.0/20'
	option src_dport '12345'
	option dest 'lan'
	option dest_ip '192.168.1.11'
	option dest_port '12345'

config redirect
	option name 'vpn3'
	option target 'DNAT'
	list proto 'udp'
	option src 'wan'
	option src_ip '89.24.32.0/19'
	option src_dport '12345'
	option dest 'lan'
	option dest_ip '192.168.1.11'
	option dest_port '12345'

kde 192.168.1.11 je adresa vercajku kde bezi OVPN server, 12345 je port na kterym bezi OVPN server

Jestli vite o dalsim CGNAT poolu Tmobilu tak dejte prosim vedet. Zatim me a par dalsim to takle bezi uz pres 2 mesice bez chyby.

xsys · September 20, 2023, 12:29pm

IP blok pro O2 mobile:

85.160.0.0/18


config redirect
	option name 'vpn'
	option target 'DNAT'
	list proto 'udp'
	option src 'wan'
	option src_ip '85.160.0.0/18'
	option src_dport '12345'
	option dest 'lan'
	option dest_ip '192.168.1.11'