[22.03] Translate extra/raw firewall rules

Installing and Using OpenWrt Network and Wireless Configuration
1

If there's a reference to any of these, please provide a link - I will read/perform myself. I've been watching the forums for some time - these are a few examples of firewall rules that seem will not work in version 22?

(Also, if that's not accurate, just let me know which ones will work as-is.)

I probably have about 5-20 more various examples. I have devices that I cannot upgrade because a lot of these rules exist.

How would I translate?

config rule
	option proto 'tcp'
	option name 'Block_In_Not_SYN'
	option src '*'
	option target 'DROP'
	option extra '! --syn -m conntrack --ctstate NEW'

config rule
	option name 'Block_FWD_Not_SYN'
	option proto 'tcp'
	option src '*'
	option dest '*'
	option target 'DROP'
	option extra '! --syn -m conntrack --ctstate NEW'

No. 1 firewalls nearly 70% of my unsolicited and rogue traffic in networks I use this - it is major.

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option name 'xyz_www'
	option family 'ipv4'
	option dest_port '80'
	option src '*'
	option extra '-m limit --limit 25/minute --limit-burst 100 -j ACCEPT'
	option dest 'xyz'
	list dest_ip 'xx.xx.xx.xx

config rule
	option src 'wan'
	option name 'SSH_CheckDrop'
	option family 'ipv4'
	option proto 'tcp'
	option dest '*'
	option dest_port '22'
	option target 'DROP'
	option extra '--syn -m recent --name ssh --update --seconds 300 --hitcount 5'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp'
	option src 'wan'
	option dest_port '22'
	option extra '--syn -m recent --name ssh --set'
	option name 'SSH_CheckAccept'
	option dest '*'

How do I translate similar burst rules, e.g.:

option extra '-m limit --limit 25/minute --limit-burst 100'

Connection limimt rules, e.g.:

option extra '--syn -m connlimit --connlimit-above 3'

Do ipsets work in /etc/config/firewall as before?

Raw rules:

iptables -t raw -I PREROUTING -p <x_proto> -i tunl0 -j DROP

TTL/multicast rules:

iptables -t raw -A PREROUTING -i eth0.1 -m ttl --ttl-lt 7 -j ACCEPT
iptables -t raw -A PREROUTING -i eth1 -d 224.0.0.0/4 -p 2 -m ttl --ttl-lt 7 -j ACCEPT
iptables -t raw -A PREROUTING -i eth1 -d 224.0.0.0/4 -p udp -m ttl --ttl-lt 7 -j ACCEPT
iptables -t raw -A PREROUTING -i eth0.3 -s 192.168.1.2 -d 224.0.0.0/4 -m ttl --ttl-lt 7 -j ACCEPT
iptables -t raw -A PREROUTING -m ttl --ttl-lt 7 -j DROP
2

I have found this page and there is a conversion tool as well.

1 Like
3

Translating is cool - I've seen the program you enter an iptables rule and get a nft rule...but...that's OK for the few custom rules I have (e.g. Nos. 7 and 8 - the TTL/Multicast ones)...but what you suggested is kinda the issue/inquiry, as the others are in UCI.

Over the years I worked to translate all (possible) of my rules to UCI.

Am I to understand these rules cannot be reduced to UCI (and therefore must all be made as custom firewall rules in versions 22.03+)?

4

I am not sure if in 22.03 you can add custom parts of nftables rules like you did in previous versions.

1 Like
5

OK, cool...maybe I'll test. Thanks.

EDIT: The section doesn't exist in LuCI v 22.03.

Any experience with enumerating ipsets from the UCI as before?

6

why you use rule 1? default config fw4 includes

chain input {
                type filter hook input priority filter; policy accept;
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"

 chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        }

        chain output {
                type filter hook output priority filter; policy accept;
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
}

could you please elaborate where your rouge traffic is coming from which is not covered by these rules? I'm just curious.

7
  • Because I have inbound TCP traffic that's not Established/Related - at least in <= versions 21

All people who open a [common] TCP port have this issue - that's why we highly suggest people don't - especially to LuCI. :wink: That rule creates a Relation for any NEW packet that DOES_EQUAL SYN - SYN is the ESTABLISHMENT of a TCP connection.

I got multiple examples, but that suffices (port forwards, routed public subnets I'm forwarding onward to another firewall and therefore not "establishing/relating" any traffic, etc.).

I realize now that you mention - that all traffic might be tracked now anyway in 22+. BTW, I think your display is nearly the same as the old rule pre-22 rules, no difference.

Also rule 1 was based on SYN, see this regarding the built-in SNY-Flood button: Syn flood protection for FORWARD?

8

You can add custom nftables rules via includes inserted before or after default rules in fw4 chains.

Also see the local readme at /usr/share/nftables.d/README

1 Like
9

there is this topic https://forum.openwrt.org/t/firewall4-nftables-tips-and-tricks/
the very first comment is about how tcp flags are handled for example. but there are many other tips. check it if you have not done so.

1 Like
10

All:

screen181
screen181814×148 12.4 KB

This is version 22.03.

  • @trendy It seems I can translate Nos. 2 and 4 into UCI? it seems there was already a UCI syntax I never used - instead I made the argument calls thru extra
config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option name 'xyz_www'
	option family 'ipv4'
	option dest_port '80'
	option src '*'
	option limit '25/minute'
	option limit_burst '100'
	option dest 'xyz'
	list dest_ip 'xx.xx.xx.xx
  • I think No. 3 can be translated into a burst rule
  • No. 5 basically says "do not allow the same SRC IP to have more than 3 established connections" - I may omit this if there's no simple UCI translation (this rule is not open at port 22 and keys are used anyway, it takes packets from another redirect and then applies those rules seen)
  • Raw rules can be translated and appended as suggested
  • My concern regarding No. 7 is that it prevents nested routing by malicious or misconfigured peers on that tunnel, if the decapsulated datagram inside the tunnel is read by the Kernel again before the firewall applies it as a new packet to be forwarded - a raw rule in iptables prevented these resources from being used. I'll have to test this behavior with fw4
  • No. 8 was to mitigiate the TTL Expiry Attacks - I'll look into translating those - as a Raw rule was needed to stop the downstream Kernels and itself from transmitting the corresponding ICMP messages indicating the successful attack

But... @dave14305 - The wiki says

The iptables rules generated for this section rely on the state match which needs connection tracking to work.

It seems outdated. It also says "fw3" in certain sections I'm trying to reference. Also, "extra" and "burst" still exists in the documentation (which has to be iptables/fw3 because my rule does the same thing calling thru the extra arguments). It seems to need serious updating.

11 
root@OpenWrt:~# iptables-translate  -t raw -A PREROUTING -m ttl --ttl-lt 7 -j DROP
iptables-translate v1.8.7 (nf_tables): Couldn't load match `ttl':No such file or directory

Try `iptables-translate -h' or 'iptables-translate --help' for more information.

?

This worked:

root@OpenWrt:~# iptables-translate  -t raw -I PREROUTING -p <x_proto> -i tunl0 -j DROP
nft insert rule ip raw PREROUTING iifname "tunl0" ip protocol <proto_name> counter drop

Now, is the file still /etc/firewall.user?

Also...

The translations I'm seeing in that thread are not what iptables-translate gives me. This one for example:

I get for the same example:

root@OpenWrt:~# iptables-translate  -A POSTROUTING -o eth2 -t mangle -j TTL --ttl-set 64
iptables-translate v1.8.7 (nf_tables): unknown option "--ttl-set"
Try `iptables-translate -h' or 'iptables-translate --help' for more information.

So, this thread and the "main" thread for this says use the translation tool...?

Is this a UCI example, or is this the pre-stuff scripted into the fw4?

If it's UCI, can you show the syntax?

12

So I upgraded one of my major devices to 22.03.0 (the one with most of these rules).

This is a big no. This config:

config rule
        option name 'Drop-Bogons_In_WAN'
        option src 'wan'
        option family 'ipv4'
        option proto 'all'
        option ipset 'bogons'
        option target 'DROP'

config ipset                      
        option name 'bogons'      
        option storage 'hash'     
        option match 'src_net'    
        list entry '0.0.0.0/8'          
        list entry '10.0.0.0/8'   
        list entry '100.64.0.0/10'
        list entry '127.0.0.0/8'  
        list entry '169.254.0.0/16'
        list entry '172.16.0.0/12' 
        list entry '192.0.0.0/24'  
        list entry '192.0.2.0/24'  
        list entry '192.168.0.0/16'
        list entry '198.18.0.0/15' 
        list entry '198.51.100.0/24'
        list entry '203.0.113.0/24' 
        list entry '224.0.0.0/4'          
        list entry '240.0.0.0/4'

Results in:

Section @ipset[3] (bogons) option 'storage' is not supported by fw4

How do others create lists of IPs and filter against them in the version 22 firewall ?

(e.g. I have a malware ipset that's ~1M IPs/ranges big, another that is used to allow the IPs...meaning that traffic is not working at this time)

I'm guessing people use /etc/rc.local now (which was advised against in previous versions). But this also means that a firewall reload will erase it. Is this correct?

13

Just remove the storage option from the definition. It should then create just fine.

It's preferred to use include files to take advantage of nftables' atomic rule replacement, but if you instead want to add nft add rule inet fw4 ... commands to a script, you can still use firewall.user as long as you add the fw4_compatible flag in the uci config for the include (this is mentioned in the wiki).

1 Like
14

Oh duh - thanks...I tested on the bogon, it works.

But how do I list/add/flush it by CLI?

(I'll need to alter scripts for the other sets - they won't be pre-populated and are dynamic using cron or triggered by a daemon calling the script upon an action.)

nft insert rule ip raw PREROUTING iifname "tunl0" ip protocol <proto_name> counter drop

Error: Could not process rule: No such file or directory
insert rule ip raw PREROUTING iifname tunl0 ip protocol x counter drop
               ^^^
Include '/etc/firewall.user' failed with exit code 1

I'm not sure what I'm missing here - same on the CLI when I actually attempt to enter the translated rule.

Should it be a *.nft file?
Is there an nft raw module?
Is there some module too for TTL in the link from the FW4 Tips/Tricks thread?

15

nft insert rule inet fw4 raw_prerouting iifname…

See the new chain structure available by running nft list chains or nft list ruleset

You can add elements to a named set with nft add element inet fw4 bogons { 192.168.1.4 }

1 Like
16

Wow...

That's a whole new syntax...

OK...this syntax is not what's found online.

Using this reference: https://wiki.nftables.org/wiki-nftables/index.php/Sets

root@OpenWrt:~# nft list set ip filter bogons
Error: No such file or directory
list set ip filter bogons
            ^^^^^^
  • How does one list?
  • How does one flush?
  • How does one delete?
  • How does one query?

(A link to a working wiki will also be OK.)

17

nft list set inet fw4 bogons

ip is the table type and filter is the example table name from the wiki. With firewall4, you would always use inet fw4 instead of ip filter. filter has no special meaning in this context except as the chosen name for the table by the wiki author.

1 Like
18 
nft add rule inet fw4 raw_prerouting ip6 hoplimit \< 7 drop
nft add rule inet fw4 raw_prerouting ip ttl \< 7 drop

At the command line you need to escape the less-than character.

1 Like
19

:partying_face:

OK...

I got list and add...

nft list set inet fw4 bogons
nft add element inet fw4 bogons { 192.168.1.4 }

nft flush set inet fw4 bogons
nft delete element inet fw4 bogons { 192.168.1.4 }
nft get element inet fw4 bogons { 192.168.1.4 }

(for other's reference)

Thanks!

EDIT: :frowning_face: My router has booted, the scripts are translated...but they're taking longer than when I used iptables before switching to ipset. In fact, calculating, the one with 1 M + entries - could take 4 hours to 1.5 days to finish (compared to one that took about 70 seconds on ipset - it ran for 16 minutes). And it's taking multiple cores (GHz) to process. I've had to cancel it - it's taken so long, it's scheduled Cron began running too.

(I'm calculating how far in the CIDR range I see process adding the IPs - and by the script that finished.)

There's gotta be something I'm missing here.

20

If I understand you correctly, a similar stanza as in Post No. 1 (which I'm guessing is a custom script from a community member) you linked - can be used to add a rule for DROP New TCP packets in that do_not_equal SYN as I desire?

If such a handling is even needed now.

(Forgive my funky pseudocode.)

  • If so, where do you add it? (I assume thats when you place an *.nft file)
  • More importantly, where is a Wiki link to this syntax I'm seeing in that thread? (so I don't have to ask every time)