Nastaveni firewallu pro pristup pouze ze site Tmobile CZ

Treba to nekomu pomuze / usetri cas…

Jak nastavit Firewall aby poustel provoz jen ze site Tmobil CZ, pro OpenVPN ale i jakoukoliv jinou sluzbu bezici doma - NAS, SMTP, atd:

Metodou zjistovani IP adres jsem dosel k nasledujicimu nastaveni firewallu pro pristup z mobilni site Tmobilu, kdyz clovek potrebuje pristupovat domu z mobilu, a aby zaroven neotviral uplne zbytecne svuj OpenVPN server celemu siremu svetu bez omezeni (bohuzel to vetsina lidi bezstarostne udela a dava prostor utokum neomezene z celeho sveta)

Pooly IP adres Tmobiliho CGNATu jsem zjistoval ukladanim IP adres meho a nekolika dalsich mobilu bezici na Tmobilu [vetsinou tarif Twist internet na rok za 499] jednoduse prisupem na mou web stranku ktera jen uklada IP adresu navstevnika, parkrat za tyden behem cca posledniho roku.
Predpokladam ze by seznam jejich NAT IP adres mozna slo i vytahnout z Tmobilu, ale nemam tam kontakt a s infolinkou neni rozumna rec.

Na zaklade posbiranych IP adres

list IP Adres
IP IP block end address part of end address
37.48.0.35 37.48.0.0/20 Broadcast: 37.48.15.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.2.170 37.48.0.0/20 Broadcast: 37.48.15.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.4.81 37.48.0.0/20 Broadcast: 37.48.15.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.8.114 37.48.0.0/20 Broadcast: 37.48.15.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.9.47 37.48.0.0/20 Broadcast: 37.48.15.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.12.196 37.48.0.0/20 Broadcast: 37.48.15.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.12.210 37.48.0.0/20 Broadcast: 37.48.15.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.12.43 37.48.0.0/20 Broadcast: 37.48.15.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.16.129 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.16.129 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.17.82 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.18.243 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.19.156 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.19.240 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.19.248 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.19.255 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.20.32 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.21.71 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.24.115 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.26.103 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.26.105 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.26.148 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.27.101 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.29.67 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.29.68 37.48.16.0/20 Broadcast: 37.48.31.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.36.200 37.48.32.0/20 Broadcast: 37.48.47.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.36.200 37.48.32.0/20 Broadcast: 37.48.47.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.36.229 37.48.32.0/20 Broadcast: 37.48.47.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.37.201 37.48.32.0/20 Broadcast: 37.48.47.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.37.84 37.48.32.0/20 Broadcast: 37.48.47.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.40.151 37.48.32.0/20 Broadcast: 37.48.47.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.42.81 37.48.32.0/20 Broadcast: 37.48.47.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.45.11 37.48.32.0/20 Broadcast: 37.48.47.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.45.245 37.48.32.0/20 Broadcast: 37.48.47.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.48.135 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.48.143 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.48.177 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.48.20 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.49.28 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.50.96 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.52.206 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.55.172 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.59.207 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.60.167 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.61.124 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
37.48.61.242 37.48.48.0/20 Broadcast: 37.48.63.255 37.48.0.0/18 Broadcast: 37.48.63.255
78.80.18.95 78.80.16.0/20 Broadcast: 78.80.31.255
78.80.20.149 78.80.16.0/20 Broadcast: 78.80.31.255
78.80.21.158 78.80.16.0/20 Broadcast: 78.80.31.255
78.80.25.2 78.80.16.0/20 Broadcast: 78.80.31.255
78.80.26.194 78.80.16.0/20 Broadcast: 78.80.31.255
89.24.33.127 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.34.197 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.34.209 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.34.209 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.37.10 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.40.119 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.40.237 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.41.11 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.43.40 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.44.69 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.44.69 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.45.147 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.45.239 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.46.113 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.46.171 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.46.216 89.24.32.0/19 Broadcast: 89.24.63.255
89.24.46.231 89.24.32.0/19 Broadcast: 89.24.63.255

jsem se podival do RIPE a ke kazde nasel subnet ktery Tmobil oznamuje, a na stesti to maji pekne popsane, na rozdil od vetsiny operatoru:

inetnum 37.48.0.0/20
netname T-Mobile_Czech_Mobile_pool_1
descr CGNAT pool for mobile customers

inetnum 37.48.16.0/20
netname T-Mobile_Czech_Mobile_pool_2
descr CGNAT pool for mobile customers

atd…

Tak jsem nasel vsechny pooly ktery byly realne pouzity u me a v mem okoli:

37.48.0.0/18
78.80.16.0/20
89.24.32.0/19

Takze dokud se u T neco nezmeni, tak tato limitace staci na povoleni pristupu z mobilu a zakazani pristupu ze sveta a ostatnich siti.

Vysledek pro vlozeni do /etc/config/firewall

config redirect
	option name 'vpn1'
	option target 'DNAT'
	list proto 'udp'
	option src 'wan'
	option src_ip '37.48.0.0/18'
	option src_dport '12345'
	option dest 'lan'
	option dest_ip '192.168.1.11'
	option dest_port '12345'

config redirect
	option name 'vpn2'
	option target 'DNAT'
	list proto 'udp'
	option src 'wan'
	option src_ip '78.80.16.0/20'
	option src_dport '12345'
	option dest 'lan'
	option dest_ip '192.168.1.11'
	option dest_port '12345'

config redirect
	option name 'vpn3'
	option target 'DNAT'
	list proto 'udp'
	option src 'wan'
	option src_ip '89.24.32.0/19'
	option src_dport '12345'
	option dest 'lan'
	option dest_ip '192.168.1.11'
	option dest_port '12345'

kde 192.168.1.11 je adresa vercajku kde bezi OVPN server, 12345 je port na kterym bezi OVPN server

Jestli vite o dalsim CGNAT poolu Tmobilu tak dejte prosim vedet. Zatim me a par dalsim to takle bezi uz pres 2 mesice bez chyby.

1 Like