Block all IP LAN to WAN/Internet traffic except private network RFC1918 IPv4 / RFC4193 IPv6

It may be that this cannot be done on an OpenWRT router, as I have looked and just do not find an example to block all IP LAN to WAN/Internet traffic except Private network RFC1918 IPv4 / RFC4193 IPv6 IP addresses. To me this should be standard on all routers that are set up with devices that are using DHCP for the LAN side with private network RFC1918 IPv4 / RFC4193 IPv6 IP addresses.

The general form for something like this would be:

  • skip next for [set of permissible addresses]
  • drop all
  • (continue)

It could also be done with a somewhat more complex set of CIDR subnets that form the deleted set.

In many firewalls, this is often a "non-issue" as early rules drop packets that either are not from directly attached sources or do not have the reverse route out the interface on which they were received. I consider this kind of "anti-spoof" rule much more robust than trusting IP address ranges alone.


Still looking for an example for OpenWRT. Let's say 192.168.0.X/24 DHCP LAN. You stated "anti-spoof" rule, which is what I am trying to do by only allowing 192.168.0.X/24 traffic from the LAN to the Internet. If you have "anti-spoof" rule examples for OpenWRT, I would like to see them.

I think setting the proper entries in the routing table should be enough?
Or something like this?

config rule
	option name 'LAN-FORWARD-DROP-None-Private-Network'
	option family 'ipv4'
	option proto 'all'
	option src 'lan'
	option dest 'wan'
	option src_ip '!192.168.0.0/24'
	option target 'DROP'

But this shouldn't be necessary?


Depends on how paranoid you are. A “rogue” device can change its IP address. Adding a single rule, for me, is easy enough and provides peace of mind when crafting later rules, knowing that “If it came in eth0.100, it’s an address that belongs there.”

I like your idea of an "anti-spoof" rule, however I cannot find an example. I found an article that shows how to set up Anti-Spoofing in Cisco and Juniper routers: https://www.manrs.org/isps/guide/antispoofing/ . Do you have an example of what an "anti-spoof" rule would look like for a 192.168.0.x/24 LAN in OpenWRT?

By the way, here is why I am trying to set my OpenWRT router up so that only legitimate traffic is routed out my OpenWRT router to the Internet. I do not want "spoofed" traffic to exit my router. I want to be a good Internet citizen and stop things like this: "Hackers Use IoT Botnets to Launch Massive Attacks".

There is a BCP38 package for OpenWRT which does install IPv4 iptables rules to block bogus networks that normally should not be routed.
You can also use the BanIP package for this (bogon list, and it also blocks bogus IPv6 addresses).
There is also the rp_filter option (https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt),
but I'm not sure how well it works with OpenWRT's firewall implementation...
But those things should normally be deployed by your ISP?


At least as I think of it, anti-spoof comes early in the firewall. Unfortunately, as far as I know, Linux firewall tools like iptables and the newer nftables don't directly support one-line functions for (in order of increasing restrictiveness)

  • source reachable via any interface (there are routers without a default route, as well as things like blackhole routes)
  • source reachable via interface where packet was received (verify reverse path)
  • source is link-local to the interface where packet was received

As a result, you end up with something very similar to what shm0 suggested for each interface. Personally, based on the netfilter flow, I'd go with the ingress hook, if available, or prerouting, if not.

This is nice and everything however this is RFC 2827 Network Ingress Filtering. This looks to be incoming traffic. I am looking to block egress IP traffic going from the LAN side through to the WAN/Internet side of my OpenWRT router to only host systems that are using RFC1918 IPv4, and RFC4193 IPv6 IP addresses.

This is what I am looking to do to start with... Firewall Best Practices - Egress Traffic Filtering:

Block IP spoofing. Only allow source addresses from the IP network numbers you assign to internal networks to pass through your firewall (trusted, DMZ, guest). This includes primary and secondary network numbers, and subnets that are routed to the Internet through your firewall (including addresses reserved for VPN clients).

Ingress is when packets first enter your router from any interface, including your interior interfaces.

Edit: To be even clearer, you block the traffic the moment you know it’s undesirable. In the case of anti-spoof, that’s long before routing. With the firewall stack I use, it is on ingress, L3, right after fragment reassembly, right along with anything that is source routed.

Have a look at the BCP38 package (opkg update ; opkg install bcp38) it might be close to what you are looking for, after installation it can be found as an additional tab on the firewall page in the GUI. It does not fully do what you want by default, but it will allow you to block any network range, as well as allowing explicit exceptions.


Now looking for some help. This is what bcp38 shows...

config bcp38
option detect_upstream '1'
list match '127.0.0.0/8'
list match '0.0.0.0/8'
list match '240.0.0.0/4'
list match '192.0.2.0/24'
list match '198.51.100.0/24'
list match '203.0.113.0/24'
list match '192.168.0.0/16'
list match '10.0.0.0/8'
list match '172.16.0.0/12'
list match '169.254.0.0/16'
option enabled '1'
option interface 'eth0.2'

Now is this showing the IP addresses that it is going to allow from my LAN interface to the WAN interface on eth0.2? So if 0.0.0.0/8 is an allowed IP range to be routed to the Internet, would this allow a spoofed type attack from a host on my LAN which was compromised to be part of a botnet attack?

I forgot, opkg upgrade ; opkg install luci-app-bcp38 will give you another tab in the firewall GUI that allows you to configure bcp38 and that also has terse instructions. Not on my router ATM so I can not really help with the details....


Why don't you try to check iptables-save and verify the result?


I did do that. So my question is: does the entry " list match '0.0.0.0/8' " allow an address like 205.139.102.34 to egress from the LAN side, ingress into the eth0.2 WAN interface and go out to the Internet?

Part of firewall best practices is to be able to understand what the firewall is doing. The UCI you ask about produces some firewall rules. As vgaetera suggested, verify exactly what those rules are and how they work, not only by themselves, but in the context of the other rules on your device.

For understanding the rules, packet flow is usually discussed in terms of the router, so

  • Packets from the LAN are ingress
  • Packets are then potentially forwarded
  • Packets that head toward outside-world destinations via the WAN are egress

In this case option interface 'eth0.2' is the WAN interface. Egress or ingress depends on which end of the bullet coming out of the gun you are at. So this config file looks to be for the WAN interface, which would mean that traffic would be egress from the LAN interface side of the router to ingress on the WAN interface side of the router.

config bcp38
option detect_upstream '1'
list match '127.0.0.0/8'
list match '0.0.0.0/8'
list match '240.0.0.0/4'
list match '192.0.2.0/24'
list match '198.51.100.0/24'
list match '203.0.113.0/24'
list match '192.168.0.0/16'
list match '10.0.0.0/8'
list match '172.16.0.0/12'
list match '169.254.0.0/16'
option enabled '1'
option interface 'eth0.2'

That is not the question I last asked. Simple BIT type question and answer. Does the above configuration file allow an IP address of 205.139.102.30 on a LAN interface to reach the Internet? YES/NO

If YES then does the removal of the line " list match '0.0.0.0/8' " from the configuration file block access from 205.139.102.30 through " option interface 'eth0.2' "? YES/NO

I perform this simply by configuring the firewall to drop all IPs not assigned. You can do this on ingress to LAN or egress from WAN. Simple.

If you're using Private IPs, then masquerade must be used anyway. On IPv6, Private IPs aren't Global anyway.

  • So you're a BGP-connected customer on your ISP?
  • Otherwise how could you spoof IPs not issued to your interface?

config rule
	option family 'ipv4'
	option proto 'all'
	option src 'lan'
	option target 'DROP'
	option name 'Drop-OUT_InvalidSRC'
	option src_ip '!192.168.0.0/24'
	option dest 'wan'

This is a basic does-not-equal rule.
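The following is an added example, not code from the thread or from OpenWrt: a small model of how the 'config rule' stanza shown above (src lan, dest wan, src_ip '!192.168.0.0/24', target DROP) is evaluated for forwarded packets, including the 205.139.102.30 case asked about earlier. It assumes the lan-to-wan zone forwarding is otherwise allowed, and it adds an assumed IPv6 twin of the rule for RFC4193 ULA space (fc00::/7), since 'option family ipv4' leaves IPv6 traffic untouched.

```python
import ipaddress

# Added example (not from the thread): the thread's IPv4 rule plus an
# assumed IPv6 counterpart so RFC4193 ULA sources are the only IPv6
# addresses allowed out of the lan zone.
RULES = [
    {"name": "Drop-OUT_InvalidSRC", "family": "ipv4", "src": "lan",
     "dest": "wan", "src_ip": "!192.168.0.0/24", "target": "DROP"},
    # Assumed IPv6 twin: anything that is not ULA (fc00::/7) is dropped.
    {"name": "Drop-OUT_InvalidSRC6", "family": "ipv6", "src": "lan",
     "dest": "wan", "src_ip": "!fc00::/7", "target": "DROP"},
]


def src_ip_matches(spec, addr):
    """Apply a UCI src_ip value; a leading '!' negates the prefix match."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (addr in net) != negate


def forward_verdict(src_zone, dest_zone, src_ip, rules=RULES):
    """Return the target of the first rule matching a forwarded packet.

    'ACCEPT' is returned when nothing matches, modelling a zone forwarding
    from lan to wan that is allowed by default (an assumption here)."""
    addr = ipaddress.ip_address(src_ip)
    fam = "ipv4" if addr.version == 4 else "ipv6"
    for rule in rules:
        if rule["family"] != fam:
            continue  # family ipv4 never sees IPv6 packets, and vice versa
        if rule["src"] != src_zone or rule["dest"] != dest_zone:
            continue  # rule is bound to one zone pair
        if not src_ip_matches(rule["src_ip"], addr):
            continue
        return rule["target"]
    return "ACCEPT"


# Constructed sample packets (ingress zone, egress zone, source address).
SAMPLES = [
    ("lan", "wan", "192.168.0.10"),       # assigned LAN address
    ("lan", "wan", "205.139.102.30"),     # the address asked about above
    ("lan", "wan", "192.168.1.5"),        # private, but not this LAN's /24
    ("lan", "wan", "fd12:3456:789a::1"),  # RFC4193 ULA source
    ("lan", "wan", "2001:db8::1"),        # non-ULA IPv6 source
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(*sample, "->", forward_verdict(*sample))
```

Note that the negated src_ip also drops 192.168.1.5: the rule allows only the one /24 the LAN actually uses, not all of RFC1918, which is what the "does-not-equal" form gives you.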