Block all IP LAN to WAN/Internet traffic except private network RFC1918 IPv4 / RFC4193 IPv6

Examples please for LAN 192.168.0.0/32. All I have been looking for are examples...

In the Cisco world a simple access-list applied to the WAN interface would take care of all of this....

ip access-list standard 101
 permit 192.168.0.0 0.0.0.255
 deny any

How do you do this on an OpenWrt router? What does it look like?

Did you see:

At the end of the firewall configs, you make a rule to drop forwarding from LAN to WAN. Or the rule/example already given to you above.

OpenWrt uses fw3, a wrapper for iptables.

Thank you so very much. This looks like what I have been looking for. Now that I have the text, where does it go?

# in /etc/config/firewall

You then save and run:

/etc/init.d/firewall reload

Hope this helps.


Thanks for the example!!!!

First tests look to block web surfing. My private network is 192.168.1.0/24, so when I used your example I could no longer surf the Internet; however, my ping to 1.1.1.1 was still working. That could be a configuration in another part of the firewall file; I will have to look at that later. I changed to the configuration listed below with " option src_ip '!192.168.0.0/16' " and am now able to surf the Internet.

So now I would like to look at other options if you could please help guide me again.

Is there a way to change the example listed below to block access for just one IP address like 192.168.1.200/32?

Also, can you add more IP ranges like " option src_ip '!10.0.0.0/8' " to the same section (another line), or how is this done?

config rule
	option family 'ipv4'
	option proto 'all'
	option src 'lan'
	option target 'DROP'
	option name 'Drop-OUT_InvalidSRC'
	option src_ip '!192.168.0.0/16'
	option dest 'wan'

I understand permit and deny in the Cisco world; for the most part, routers were the only thing I used and knew when the Internet first opened up to the public. Security and attacks were not a big thing at the start; we were just trying to get it to work. So Cisco IOS is another world from OpenWrt Linux and I need all the help I can get.

Yes, as far as I can tell '0.0.0.0/8' will only deal with packets claiming to come from 0.0.0.0 to 0.256.256.256 or so; note 205.x.x.x is not in that range. As far as I can tell 0.0.0.0/0 should cover all, and then you will need to add your local IP range as acceptable.

config bcp38
	option interface 'eth1'
	option detect_upstream '1'
	list match '0.0.0.0/0'
	list nomatch '192.168.0.0/24'
	option enabled '1'

As far as I can see that should do what you want.

For me the default set:

config bcp38
	option interface 'eth1'
	option detect_upstream '1'
	list match '10.0.0.0/8'
	list match '127.0.0.0/8'
	list match '169.254.0.0/16'
	list match '172.16.0.0/12'
	list match '192.0.2.0/24'
	list match '192.168.0.0/16'
	list match '198.51.100.0/24'
	list match '203.0.113.0/24'
	list nomatch '192.168.42.0/24'
	option enabled '1'

results in the following iptables-save output:

-A BCP38 -p udp -m udp --sport 67:68 --dport 67:68 -j RETURN
-A BCP38 -o eth1 -m set --match-set bcp38-ipv4 dst -j REJECT --reject-with icmp-net-unreachable
-A BCP38 -i eth1 -m set --match-set bcp38-ipv4 src -j DROP
-A forwarding_rule -m conntrack --ctstate NEW -j BCP38
-A input_rule -m conntrack --ctstate NEW -j BCP38
-A output_rule -m conntrack --ctstate NEW -j BCP38

/etc/config/firewall contains:

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

and /usr/lib/bcp38/run.sh looks like:

#!/bin/sh
# BCP38 filtering implementation for CeroWrt.
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 3 of the License, or (at your option) any later
# version.
#
# Author: Toke Høiland-Jørgensen <toke@toke.dk>

STOP=$1
IPSET_NAME=bcp38-ipv4
IPTABLES_CHAIN=BCP38

. /lib/functions.sh

config_load bcp38

add_bcp38_rule()
{
	local subnet="$1"
	local action="$2"

	if [ "$action" = "nomatch" ]; then   # POSIX "=" rather than the bash-only "=="
		ipset add "$IPSET_NAME" "$subnet" nomatch
	else
		ipset add "$IPSET_NAME" "$subnet"
	fi
}

detect_upstream()
{
	local interface="$1"

	subnets=$(ip route show dev "$interface"  | grep 'scope link' | awk '{print $1}')
	for subnet in $subnets; do
		# ipset test doesn't work for subnets, so strip out the subnet part
		# and test for that; add as exception if there's a match
		addr=$(echo $subnet | sed 's|/[0-9]\+$||')
		ipset test "$IPSET_NAME" $addr 2>/dev/null && add_bcp38_rule $subnet nomatch
	done
}

run() {
	local section="$1"
	local enabled
	local interface
	local detect_upstream
	config_get_bool enabled "$section" enabled 0
	config_get interface "$section" interface
	config_get detect_upstream "$section" detect_upstream

	if [ "$enabled" -eq "1" -a -n "$interface" -a -z "$STOP" ] ; then
		setup_ipset
		setup_iptables "$interface"
		config_list_foreach "$section" match add_bcp38_rule match
		config_list_foreach "$section" nomatch add_bcp38_rule nomatch
		[ "$detect_upstream" -eq "1" ] && detect_upstream "$interface"
	fi
	exit 0
}

setup_ipset()
{
	ipset create "$IPSET_NAME" hash:net family ipv4
	ipset flush "$IPSET_NAME"
}

setup_iptables()
{
	local interface="$1"
	iptables -N "$IPTABLES_CHAIN" 2>/dev/null
	iptables -F "$IPTABLES_CHAIN" 2>/dev/null

	iptables -I output_rule -m conntrack --ctstate NEW -j "$IPTABLES_CHAIN"
	iptables -I input_rule -m conntrack --ctstate NEW -j "$IPTABLES_CHAIN"
	iptables -I forwarding_rule -m conntrack --ctstate NEW -j "$IPTABLES_CHAIN"

	# always accept DHCP traffic
	iptables -A "$IPTABLES_CHAIN" -p udp --dport 67:68 --sport 67:68 -j RETURN
	iptables -A "$IPTABLES_CHAIN" -o "$interface" -m set --match-set "$IPSET_NAME" dst -j REJECT --reject-with icmp-net-unreachable
	iptables -A "$IPTABLES_CHAIN" -i "$interface" -m set --match-set "$IPSET_NAME" src -j DROP
}

destroy_ipset()
{
	ipset flush "$IPSET_NAME" 2>/dev/null
	ipset destroy "$IPSET_NAME" 2>/dev/null
}

destroy_iptables()
{
	iptables -D output_rule -m conntrack --ctstate NEW -j "$IPTABLES_CHAIN" 2>/dev/null
	iptables -D input_rule -m conntrack --ctstate NEW -j "$IPTABLES_CHAIN" 2>/dev/null
	iptables -D forwarding_rule -m conntrack --ctstate NEW -j "$IPTABLES_CHAIN" 2>/dev/null
	iptables -F "$IPTABLES_CHAIN" 2>/dev/null
	iptables -X "$IPTABLES_CHAIN" 2>/dev/null
}

destroy_iptables
destroy_ipset
config_foreach run bcp38

exit 0
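
To check what such a match/nomatch set actually blocks before loading it, here is an added Python example (not from the forum post or the bcp38 package) that emulates the ipset hash:net longest-prefix lookup and walks the BCP38 chain in the order shown in the iptables-save output above. The WAN interface name eth1 and the sample addresses are assumptions.

```python
import ipaddress

# Constructed entries mirroring the two configs quoted above, in the order
# run.sh's config_list_foreach adds them (all "match" first, then "nomatch").
ANSWER_SET = [("0.0.0.0/0", "match"), ("192.168.0.0/24", "nomatch")]
DEFAULT_SET = [(cidr, "match") for cidr in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.51.100.0/24", "203.0.113.0/24",
)] + [("192.168.42.0/24", "nomatch")]


def in_bcp38_set(addr, entries):
    """Emulate an ipset hash:net test: the most specific entry containing
    addr decides, and an entry added with 'nomatch' makes the test fail."""
    ip = ipaddress.ip_address(addr)
    best = None
    for cidr, flag in entries:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flag)
    return best is not None and best[1] == "match"


def bcp38_verdict(entries, src, dst, in_if=None, out_if=None, wan="eth1", dhcp=False):
    """Walk the BCP38 chain for one NEW flow and return the target it hits
    (RETURN means 'let the rest of the firewall decide')."""
    if dhcp:
        return "RETURN"   # udp 67:68 <-> 67:68 is always let through
    if out_if == wan and in_bcp38_set(dst, entries):
        return "REJECT"   # icmp-net-unreachable: never send to a listed range
    if in_if == wan and in_bcp38_set(src, entries):
        return "DROP"     # packet from the WAN claiming a listed source range
    return "RETURN"


if __name__ == "__main__":
    # The poster's doubt: 205.x.x.x is not covered by 0.0.0.0/8 ...
    print(in_bcp38_set("205.1.2.3", [("0.0.0.0/8", "match")]))   # False
    # ... but 0.0.0.0/0 with the LAN as a nomatch exception covers it.
    print(in_bcp38_set("205.1.2.3", ANSWER_SET))                  # True
    print(in_bcp38_set("192.168.0.5", ANSWER_SET))                # False
    # With that set, a LAN host reaching any Internet address via eth1 is rejected.
    print(bcp38_verdict(ANSWER_SET, "192.168.0.5", "1.1.1.1", out_if="eth1"))  # REJECT
    # With the default set, 192.168.42.0/24 is carved out of 192.168.0.0/16.
    print(in_bcp38_set("192.168.42.9", DEFAULT_SET))              # False
    print(in_bcp38_set("192.168.1.9", DEFAULT_SET))               # True
```

Note that with the 0.0.0.0/0 match set, the `-o eth1 ... dst` REJECT rule fires for every non-LAN destination, which is what makes the whole LAN unable to reach the Internet.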

I think you're making this difficult.

Might want to stop traffic if you're trying to block it.

Try /etc/init.d/firewall restart instead then.

Given your network is 192.168.0.0/24, I'm not sure how the Internet worked, or even why you made this change.

  • Perhaps you didn't save/apply it.
  • Perhaps you didn't make the final-absolute DROP rule at the bottom, as I noted above:

Sure, just change it to 192.168.1.200/32 - like you did when you changed it to /16. That's quite simple and straightforward. You do understand that you can edit your own rules, correct?

Just add another rule, not difficult. I've never tested a second line for this kind of rule. Just remember, you can always add another rule.

Not too hard. Just remember, it's not Cisco. Perhaps you should look at the manual/wiki - instead of asking for a rule each time you need one:

Also, while you're still learning, maybe you should employ the web GUI for firewall rule creation.

