Quarantine a Windows XP VM: RDP access only

The goal is to have a Windows XP virtual machine isolated from the rest of the network, with RDP from the LAN as the only way in.

So far I have created an interface called QUARANTINE on a separate physical port (eth1) and a firewall zone called Quarantine.

The local network is on 10.1.1.x and the quarantine network is on 10.10.1.x

From the Windows XP VM (10.10.1.2) I can ping the router (10.10.1.1).

I created a port-forward rule for port 3389 to 10.10.1.2, but I cannot connect from the LAN to the XP virtual machine with RDP.

When running nmap from the LAN I get the following result (`filtered` means the probe was dropped or rejected before it reached the XP box — typically by the router's firewall — rather than answered by the host):

PORT     STATE    SERVICE
3389/tcp filtered ms-wbt-server
root@OpenWrt:~# uci export network
package network

# Loopback — stock OpenWrt, unchanged.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# ULA prefix that an interface's 'ip6assign' draws from (only 'lan' below has one).
config globals 'globals'
	option ula_prefix 'fd17:5726:3a19::/48'

# LAN side: eth0 bridged as br-lan, router address 10.1.1.1/24.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# NOTE(review): 'ip6assign 60' and 'ipv6 off' on the same interface pull in opposite
# directions — confirm which is intended (not relevant to the RDP problem).
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.1.1.1'
	option ipv6 'off'

# WAN: PPPoE on eth2. Username/password are empty in the paste — presumably redacted
# for the post. IPv6 is off on the PPPoE interface, but a separate 'wan6' DHCPv6
# interface still runs on the same device.
config interface 'wan'
	option proto 'pppoe'
	option username ''
	option password ''
	option device 'eth2'
	option ipv6 'off'

config interface 'wan6'
	option device 'eth2'
	option proto 'dhcpv6'

config device
	option name 'eth2'

# Quarantine segment: a dedicated physical port (eth1), not bridged with the LAN,
# router address 10.10.1.1/24. The XP VM is 10.10.1.2; its hypervisor must attach the
# VM's NIC to whatever host link is plugged into eth1 (not shown here).
# NOTE(review): the UCI section name is 'QUARANTINE' (upper case). UCI section names
# are case-sensitive, so a firewall zone must reference exactly this spelling.
# No 'ip6assign' here, so this segment is not handed a ULA prefix.
config interface 'QUARANTINE'
	option proto 'static'
	option device 'eth1'
	option ipaddr '10.10.1.1'
	option netmask '255.255.255.0'

root@OpenWrt:~# uci export firewall
package firewall

# Fallback policies for traffic not covered by a zone; each zone below sets its own.
# Forwarding between zones is rejected unless an explicit 'forwarding' section or a
# traffic rule allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# LAN zone: fully open towards the router and forwards freely within the zone.
# 'log 1' is OpenWrt's per-zone switch for logging rejected/dropped packets — useful
# while debugging this problem (watch 'logread' from a LAN host attempting RDP).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option log '1'

# WAN zone — stock OpenWrt. 'masq 1' is the NAT that DNAT port-forwards are designed
# to pair with; there is no masquerading between lan and the quarantine segment.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# The only inter-zone forwarding defined: lan -> wan. Nothing is forwarded into or
# out of the quarantine zone by this section.
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt default traffic rules (DHCP, ICMP, IGMP, IPv6 housekeeping, IPsec on
# the wan side) — unchanged and unrelated to the lan <-> quarantine problem.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'


# Quarantine zone.
# NOTE(review): 'input ACCEPT' lets the (unpatched) XP VM talk to every service the
# router itself listens on from this segment — SSH, LuCI, DNS, DHCP, whatever is bound
# there. For a real quarantine set 'option input REJECT' and add explicit rules from
# this zone for only what the VM needs (DHCP udp/67, and DNS tcp+udp/53 if it must
# resolve names).
# 'forward REJECT' plus the absence of any 'forwarding' with src 'Quarantine' means
# the VM cannot open connections towards the LAN or the Internet — that half of the
# isolation is already in place.
# 'list network Quarantine' points at an interface that does not exist (the network
# section is named 'QUARANTINE'); only the second entry binds this zone to the segment.
config zone
	option name 'Quarantine'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Quarantine'
	list network 'QUARANTINE'


# NOTE(review): a DNAT port-forward is the construct for a masqueraded zone pair
# (wan -> lan). The LAN and the quarantine segment are both directly attached to this
# router, so a LAN host can reach 10.10.1.2:3389 by plain routing; what is missing is a
# 'forwarding' (or traffic rule) allowing lan -> Quarantine, not a NAT entry.
# There is no 'src_dip', so this rule is not pinned to a particular destination address
# — presumably it rewrites any LAN traffic to tcp/udp 3389 regardless of where it was
# headed; confirm before keeping it. The 'udp' entry is unused by XP's RDP (TCP only;
# the UDP transport arrived in much later RDP versions).
config redirect
	option dest 'Quarantine'
	option target 'DNAT'
	option name 'Xp RDP'
	option src 'lan'
	option src_dport '3389'
	option dest_ip '10.10.1.2'
	list proto 'tcp'
	list proto 'udp'

You need `dest_port`.

Added `dest_port`; RDP still not working:

# Same port-forward with 'dest_port' added. The objection is unchanged: there is no NAT
# between lan and Quarantine, so a DNAT redirect is the wrong construct here — the DNAT
# target is already the host's real address. A plain 'forwarding' lan -> Quarantine (or a
# traffic rule limited to tcp/3389 -> 10.10.1.2) is what actually opens the path.
config redirect
	option target 'DNAT'
	option name 'Allow RDP XP'
	option src 'lan'
	option dest_ip '10.10.1.2'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '3389'
	option dest 'Quarantine'
	option dest_port '3389'

No — only the destination port; allow any source port, like…

LuCI does not let me create a port-forward rule without specifying the source port.

Forget what I suggested — I should go to bed; I misread it as a traffic rule rather than a port forward.

you need 3 parts:

  • two interfaces, each in its own zone, with a different subnet on each interface — that is what lets you define access restrictions between them. Those are the two zones/interfaces "lan" and "QUARANTINE"; you already have them.
  • routing between the 2 subnets
  • firewall rules between the two zones
    Routing and the firewall rules are the parts still missing.

Port-forward (DNAT) rules are meant for the case where masquerading/NAT is active between two zones (like between WAN and LAN). Between two subnets that are both attached to the same router I would use routing, not NAT; then no port forward is needed at all.

Static routes in both directions would look like this (written from memory — please check for typos):

# NOTE(review): these are not needed — both /24s are directly attached to this router,
# so the kernel already has a connected route for each. As written they would not even
# install: the gateway given for the 'lan' route (10.10.1.1) is not an address on the
# lan subnet (10.1.1.0/24), and likewise for the 'QUARANTINE' route.
config route
     option interface 'lan'
     option target '10.10.1.0'
     option netmask '255.255.255.0'
     option gateway '10.10.1.1'

config route
     option interface 'QUARANTINE'
     option target '10.1.1.0'
     option netmask '255.255.255.0'
     option gateway '10.1.1.1'

Once routing works, then take care of the traffic rules.

Since both of these networks are directly attached to the router, static routes are not necessary — the kernel already has a connected route for each /24. In fact, those routes would not even install as written: the gateway given for the 'lan' route (10.10.1.1) is not an address on the lan subnet, and the same applies in reverse to the QUARANTINE route.

I'd recommend starting with a very simple forwarding allowance:

# Stateful allow: LAN hosts may initiate connections to anything on the quarantine
# segment; the VM may only answer them. Nothing here lets the VM initiate towards the LAN.
# NOTE(review): once RDP works, replace this blanket forwarding with a single traffic rule
# so the LAN gets only the one port the goal calls for:
#   config rule
#       option src 'lan'
#       option dest 'Quarantine'
#       option dest_ip '10.10.1.2'
#       option proto 'tcp'
#       option dest_port '3389'
#       option target 'ACCEPT'
# This governs only lan <-> quarantine forwarding; the zone's own 'input' policy still
# decides what the VM may do to the router itself.
config forwarding
	option src 'lan'
	option dest 'Quarantine'

This allows the LAN to initiate a connection to any host (and any port) on the quarantine network and — because the firewall is stateful — lets the quarantine host answer those connections. It does not allow the reverse: the VM still cannot initiate anything towards the LAN, so the LAN stays protected. Once RDP works you can tighten this to exactly what the title asks for by replacing the forwarding with a single traffic rule (`src 'lan'`, `dest 'Quarantine'`, `dest_ip '10.10.1.2'`, `proto 'tcp'`, `dest_port '3389'`, `target 'ACCEPT'`). Note that this only governs LAN ↔ quarantine forwarding: the Quarantine zone's `input 'ACCEPT'` separately lets the VM reach services running on the router itself, which a real quarantine should cut down to DHCP (and DNS if needed) with `input 'REJECT'` plus explicit rules.

This has the best chance of success. If it still doesn't work, something outside the router's firewall is in the way — check that Remote Desktop is enabled on the XP machine and allowed through its own firewall, and that the hypervisor actually attaches the VM's NIC to the link on eth1. Either way, getting this baseline working first tells you whether the remaining problem is on the router or on the VM side.
