Block connection to all devices except listed ones

Hello friends!

From my LAN:

VMRouterWRT is in router mode. Say I wanna use it to block LixVM from connecting to Internet and also to any device on my main LAN. Except for Urubu4, I want it to connect there because it has a Subversion server I need to connect to. Other VMnet VMs should connect normally.

What's the best practice to set up a firewall rule to block it from connecting to anything outside VMnet, except Urubu4 on port 443?

And what if I want it to connect to the Internet, but drop packets destined for 192.168.0.0/16 or fdfa::/8?

Simply create an ALLOW rule for the source IP (211.101), dest IP and port, and follow it with a DENY rule for all traffic from that source IP. You can omit that second rule if VMrouterWRT's default policy is not to forward from that subnet at all.

It seems it didn't work; I'm still able to ping the Internet and LAN :confused:

config rule
	option src '*'
	option name 'Deny LixuxVM'
	list src_ip '192.168.211.101'
	option dest '*'
	option target 'DROP'

Shouldn't it block any traffic at all?

Hm. Try naming the zone that 211.101 is in under option src, instead of *. ISTR if you leave both src and dest zones wildcarded, it doesn't know which chain to apply the filter rule to.

Oh, and you'll need similar rules for the IPv6 address. (I sometimes cheat and use the mac instead, which covers both protocols.)

lol, I was blocking TCP+UDP and testing with ping! Now it works:

config rule
	option dest_port '443'
	list proto 'tcp'
	option name 'Allow LixuxVM to Urubu4'
	list src_ip '192.168.211.101'
	option dest 'wan'
	list dest_ip '192.168.49.4'
	option target 'ACCEPT'
	option src 'lan'

config rule
	option name 'Deny LixuxVM'
	option target 'DROP'
	option src 'lan'
	option dest 'wan'
	list src_mac '00:0C:29:0E:4C:28'
	list proto 'all'

You can simplify the config by removing the denial rule and LAN to WAN forwarding.

Why remove the denial rule? The main objective is to block everything else.

As you see, at first I didn't set zones, but it wasn't working then.

Firewall zones are supposed to be configured by default.
You don't need the denial rule if you remove the forwarding.

Sorry I didn't understand.

LAN zone is configured to accept everything from WAN zone. It's only this device I wanna block.

This is the forwarding allowed by default:

If you remove it, then the denial rule becomes redundant.

That's on my firewall file:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

So I need to create a rule to block a device from reaching WAN, and above it rules for the destination addresses and ports I wanna allow it, right?

I don't wanna block everything and set rules for what to allow; I wanna block a couple of VMs and restrict what they can access.
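To make the rule semantics the thread arrived at checkable offline, here is an added Python model of how fw3/fw4 decide forwarded traffic (first matching `config rule` wins, then a `config forwarding` entry accepts, then the `config defaults` forward policy). It is illustration written for this page, not OpenWrt's code and not the poster's; only the options used in the thread are modelled, and the zone's own intra-zone `forward` policy is left out. The rule text is taken from the posts above; the other VM's address and MAC, the IPv6 source `fd12:3456::101`, and the documentation addresses `203.0.113.10` / `2001:db8::10` are constructed, and `deny_to` is my suggested answer to the second question in the opening post (allow Internet, drop the two private ranges), not something the thread confirmed.

```python
"""Simplified model of OpenWrt fw3/fw4 forward decisions: first matching
'config rule' wins; else a matching 'config forwarding' accepts; else the
'config defaults' forward policy. Constructed for illustration, not OpenWrt code."""
import ipaddress

def parse_uci(text):
    """Parse a UCI fragment into [(section_type, {key: str_or_list})]."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] == "option":
            sections[-1][1][parts[1]] = parts[2].strip("'\"")
        elif parts and parts[0] == "list":
            sections[-1][1].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections

def _in_any(addr, nets):
    """True if addr lies in any 'ip[/cidr]' of the same family in nets."""
    a = ipaddress.ip_address(addr)
    parsed = [ipaddress.ip_network(n, strict=False) for n in nets]
    return any(a in n for n in parsed if n.version == a.version)

def rule_matches(rule, pkt):
    """Match one 'config rule' section against a forwarded packet (a dict)."""
    for key, zone in (("src", pkt["src_zone"]), ("dest", pkt["dest_zone"])):
        if rule.get(key, "*") not in ("*", zone):   # '*' or absent = any zone
            return False
    for key in ("src_ip", "dest_ip"):               # an IPv4 list never matches IPv6
        if key in rule and not _in_any(pkt[key], rule[key]):
            return False
    macs = [m.lower() for m in rule.get("src_mac", [])]
    if macs and pkt["src_mac"].lower() not in macs:  # MAC match is family-agnostic
        return False
    # No proto given means "tcp udp", so ICMP ping slips past; 'all' covers it.
    protos = rule.get("proto", ["tcp", "udp"])
    protos = protos.split() if isinstance(protos, str) else protos
    if "all" not in protos and pkt["proto"] not in protos:
        return False
    return "dest_port" not in rule or str(pkt.get("dport")) == rule["dest_port"]

def forward_verdict(config, pkt):
    """ACCEPT/DROP/REJECT for a packet forwarded from pkt's src zone to its dest zone."""
    for kind, sec in config:                        # rules first, in file order
        if kind == "rule" and rule_matches(sec, pkt):
            return sec["target"]
    fwd = any(k == "forwarding" and (s["src"], s["dest"]) == (pkt["src_zone"], pkt["dest_zone"])
              for k, s in config)
    defaults = next((s for t, s in config if t == "defaults"), {})
    return "ACCEPT" if fwd else defaults.get("forward", "REJECT")

# Defaults and forwarding as in the thread's firewall file (zone sections omitted).
BASE = """
config defaults
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'wan'
"""

# The thread's final pair: allow TCP/443 to Urubu4 first, then drop everything else.
FINAL_RULES = """
config rule
    option src 'lan'
    option dest 'wan'
    list src_ip '192.168.211.101'
    list dest_ip '192.168.49.4'
    list proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'
config rule
    option src 'lan'
    option dest 'wan'
    list src_mac '00:0C:29:0E:4C:28'
    list proto 'all'
    option target 'DROP'
"""

def deny_to(prefix):
    """Added variant for the second question: drop LixVM traffic to one prefix."""
    return f"""
config rule
    option src 'lan'
    option dest 'wan'
    list src_mac '00:0C:29:0E:4C:28'
    list dest_ip '{prefix}'
    list proto 'all'
    option target 'DROP'
"""

def lixvm_packet(dest_ip, proto, dport=None, src_ip="192.168.211.101",
                 src_mac="00:0C:29:0E:4C:28"):
    """Constructed packet from LixVM, forwarded from the lan zone to the wan zone."""
    return {"src_zone": "lan", "dest_zone": "wan", "src_ip": src_ip,
            "src_mac": src_mac, "dest_ip": dest_ip, "proto": proto, "dport": dport}

if __name__ == "__main__":
    final = parse_uci(BASE + FINAL_RULES)
    print(forward_verdict(final, lixvm_packet("203.0.113.10", "icmp")))  # DROP
```

Removing the `list proto 'all'` line from the deny rule reproduces the ping-gets-through behaviour from earlier in the thread, because a rule with no proto only covers tcp and udp. The `src_mac` match also catches LixVM's IPv6 traffic, which a `src_ip` rule with only the IPv4 address does not. Two things to check against the real router rather than this model: `fdfa::/8` is normalised to `fd00::/8`, so such a rule covers the whole locally-assigned ULA range, and `BASE + deny_to("192.168.0.0/16") + deny_to("fdfa::/8")` blocks Urubu4 too, so the TCP/443 allow rule would have to be placed before those denies if both behaviours are wanted.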
