Block IP but allow ping zone output only allowed

Is it possible to block an IP (for all zones) but allow ping to this blocked IP (for a specific zone) only, if the firewall zone is configured output only? Or better, how could I achieve that without allowing input/forwarding by default?

I have an IoT device which needs to ping an IP periodically. I want to block the traffic to this IP but allow ping only. I would also like to block this IP for all zones.

I haven't tried this, but I would think you could achieve the goal by creating 2 firewall rules.
The first rule with a protocol of ICMP and the destination address of the specified IP needed, action = accept.
The second rule would use protocol TCP + UDP to the same specified IP address (destination) and action = drop.


Just tested this and it works:

config rule
	option name 'Allow_Ping_To_IP'
	list proto 'icmp'
	option src 'lan'
	option dest 'wan'
	list dest_ip 'ip.address.to.allow'
	option target 'ACCEPT'

config rule
	option name 'Drop_All_To_IP'
	list proto 'all'
	option src 'lan'
	option dest 'wan'
	list dest_ip 'ip.address.to.block'
	option target 'DROP'

It is not strictly necessary to put in the src and dest zones for these rules, but I would recommend limiting the src zone for the allow ping. And the ping rule doesn't actually need to have the dest IP address.


O.K. My error was that I tried to use "any zone", which was not working. Thanks for helping me out.

If you have only the default lan and wan zones, then "any zone" doesn't make too much sense. The IP you are trying to block belongs to an already known zone, let's say lan, and you want to block it from accessing the other zone, e.g. wan.
If you had another zone, i.e. iot, guest, dmz, vpn, and you wanted to deny access to all other zones, then it would make sense to use it like this.


I have multiple zones. E.g. if I set:

firewall.@rule[49]=rule
firewall.@rule[49].src='zguest1'
firewall.@rule[49].dest='wan'
firewall.@rule[49].dest_ip='1.1.1.1'
firewall.@rule[49].proto='icmp'
firewall.@rule[49].target='ACCEPT'
firewall.@rule[50]=rule
firewall.@rule[50].dest='wan'
firewall.@rule[50].dest_ip='1.1.1.1'
firewall.@rule[50].target='REJECT'
firewall.@rule[50].proto='all'
firewall.@rule[50].src='zguest1'

Then it is working as intended. Ping is getting through, and e.g. telnet (just testing with this) is failing.

If I set:

firewall.@rule[49]=rule
firewall.@rule[49].src='zguest1'
firewall.@rule[49].dest='wan'
firewall.@rule[49].dest_ip='1.1.1.1'
firewall.@rule[49].proto='icmp'
firewall.@rule[49].target='ACCEPT'
firewall.@rule[50]=rule
firewall.@rule[50].dest='wan'
firewall.@rule[50].dest_ip='1.1.1.1'
firewall.@rule[50].target='REJECT'
firewall.@rule[50].proto='all'
firewall.@rule[50].src='*'

Ping is not working anymore. The whole IP is blocked. I don't know why exactly; I can only guess.

If I am not mistaken, it has to do with the priority in iptables.
iptables-save -c -t filter
In the second case the reject rule will be higher than the accept rule.


O.K. I've deactivated most of my rules to shorten things (still the same behaviour). There's still a lot left. For testing, the IP is 8.8.8.8.

With src=*:

# Generated by iptables-save v1.8.4 on Fri Oct 16 16:53:08 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BCP38 - [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wireguard0_rule - [0:0]
:forwarding_wireguard1_rule - [0:0]
:forwarding_zguest0_rule - [0:0]
:forwarding_zguest1_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wireguard0_rule - [0:0]
:input_wireguard1_rule - [0:0]
:input_zguest0_rule - [0:0]
:input_zguest1_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wireguard0_rule - [0:0]
:output_wireguard1_rule - [0:0]
:output_zguest0_rule - [0:0]
:output_zguest1_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wireguard0_dest_ACCEPT - [0:0]
:zone_wireguard0_dest_REJECT - [0:0]
:zone_wireguard0_forward - [0:0]
:zone_wireguard0_input - [0:0]
:zone_wireguard0_output - [0:0]
:zone_wireguard0_src_REJECT - [0:0]
:zone_wireguard1_dest_ACCEPT - [0:0]
:zone_wireguard1_dest_REJECT - [0:0]
:zone_wireguard1_forward - [0:0]
:zone_wireguard1_input - [0:0]
:zone_wireguard1_output - [0:0]
:zone_wireguard1_src_REJECT - [0:0]
:zone_zguest0_dest_ACCEPT - [0:0]
:zone_zguest0_forward - [0:0]
:zone_zguest0_input - [0:0]
:zone_zguest0_output - [0:0]
:zone_zguest0_src_REJECT - [0:0]
:zone_zguest1_dest_ACCEPT - [0:0]
:zone_zguest1_dest_REJECT - [0:0]
:zone_zguest1_forward - [0:0]
:zone_zguest1_input - [0:0]
:zone_zguest1_output - [0:0]
:zone_zguest1_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[140:7496] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[140:7496] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wireguard0_input
[0:0] -A INPUT -i wg1 -m comment --comment "!fw3" -j zone_wireguard1_input
[0:0] -A INPUT -i br-zguest0 -m comment --comment "!fw3" -j zone_zguest0_input
[0:0] -A INPUT -i br-zguest1 -m comment --comment "!fw3" -j zone_zguest1_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wireguard0_forward
[0:0] -A FORWARD -i wg1 -m comment --comment "!fw3" -j zone_wireguard1_forward
[0:0] -A FORWARD -i br-zguest0 -m comment --comment "!fw3" -j zone_zguest0_forward
[0:0] -A FORWARD -i br-zguest1 -m comment --comment "!fw3" -j zone_zguest1_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[134:16432] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[133:16312] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:120] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wireguard0_output
[0:0] -A OUTPUT -o wg1 -m comment --comment "!fw3" -j zone_wireguard1_output
[0:0] -A OUTPUT -o br-zguest0 -m comment --comment "!fw3" -j zone_zguest0_output
[0:0] -A OUTPUT -o br-zguest1 -m comment --comment "!fw3" -j zone_zguest1_output
[0:0] -A BCP38 -p udp -m udp --sport 67:68 --dport 67:68 -j RETURN
[0:0] -A BCP38 -o eth0.2 -m set --match-set bcp38-ipv4 dst -j REJECT --reject-with icmp-net-unreachable
[0:0] -A BCP38 -i eth0.2 -m set --match-set bcp38-ipv4 src -j DROP
[0:0] -A forwarding_rule -m conntrack --ctstate NEW -j BCP38
[0:0] -A input_rule -m conntrack --ctstate NEW -j BCP38
[0:0] -A output_rule -m conntrack --ctstate NEW -j BCP38
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:120] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wireguard0 forwarding policy" -j zone_wireguard0_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -s 169.254.0.0/16 -m comment --comment "!fw3: Block-APIPA-v4-lan" -j DROP
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:120] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:120] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wireguard0_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wireguard0_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wireguard0_forward -m comment --comment "!fw3: Custom wireguard0 forwarding rule chain" -j forwarding_wireguard0_rule
[0:0] -A zone_wireguard0_forward -m comment --comment "!fw3: Zone wireguard0 to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wireguard0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wireguard0_forward -m comment --comment "!fw3" -j zone_wireguard0_dest_REJECT
[0:0] -A zone_wireguard0_input -m comment --comment "!fw3: Custom wireguard0 input rule chain" -j input_wireguard0_rule
[0:0] -A zone_wireguard0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wireguard0_input -m comment --comment "!fw3" -j zone_wireguard0_src_REJECT
[0:0] -A zone_wireguard0_output -m comment --comment "!fw3: Custom wireguard0 output rule chain" -j output_wireguard0_rule
[0:0] -A zone_wireguard0_output -m comment --comment "!fw3" -j zone_wireguard0_dest_ACCEPT
[0:0] -A zone_wireguard0_src_REJECT -i wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wireguard1_dest_ACCEPT -o wg1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wireguard1_dest_REJECT -o wg1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wireguard1_forward -m comment --comment "!fw3: Custom wireguard1 forwarding rule chain" -j forwarding_wireguard1_rule
[0:0] -A zone_wireguard1_forward -m comment --comment "!fw3: Zone wireguard1 to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wireguard1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wireguard1_forward -m comment --comment "!fw3" -j zone_wireguard1_dest_REJECT
[0:0] -A zone_wireguard1_input -m comment --comment "!fw3: Custom wireguard1 input rule chain" -j input_wireguard1_rule
[0:0] -A zone_wireguard1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wireguard1_input -m comment --comment "!fw3" -j zone_wireguard1_src_REJECT
[0:0] -A zone_wireguard1_output -m comment --comment "!fw3: Custom wireguard1 output rule chain" -j output_wireguard1_rule
[0:0] -A zone_wireguard1_output -m comment --comment "!fw3" -j zone_wireguard1_dest_ACCEPT
[0:0] -A zone_wireguard1_src_REJECT -i wg1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_zguest0_dest_ACCEPT -o br-zguest0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_zguest0_forward -m comment --comment "!fw3: Custom zguest0 forwarding rule chain" -j forwarding_zguest0_rule
[0:0] -A zone_zguest0_forward -m comment --comment "!fw3: Zone zguest0 to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_zguest0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_zguest0_forward -m comment --comment "!fw3" -j zone_zguest0_dest_ACCEPT
[0:0] -A zone_zguest0_input -m comment --comment "!fw3: Custom zguest0 input rule chain" -j input_zguest0_rule
[0:0] -A zone_zguest0_input -s 169.254.0.0/16 -m comment --comment "!fw3: Block-APIPA-v4-zguest0" -j DROP
[0:0] -A zone_zguest0_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: Allow-WLAN208G-DHCP-v4" -j ACCEPT
[0:0] -A zone_zguest0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_zguest0_input -m comment --comment "!fw3" -j zone_zguest0_src_REJECT
[0:0] -A zone_zguest0_output -m comment --comment "!fw3: Custom zguest0 output rule chain" -j output_zguest0_rule
[0:0] -A zone_zguest0_output -m comment --comment "!fw3" -j zone_zguest0_dest_ACCEPT
[0:0] -A zone_zguest0_src_REJECT -i br-zguest0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_zguest1_dest_ACCEPT -o br-zguest1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_zguest1_dest_REJECT -o br-zguest1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_zguest1_forward -m comment --comment "!fw3: Custom zguest1 forwarding rule chain" -j forwarding_zguest1_rule
[0:0] -A zone_zguest1_forward -d 8.8.8.8/32 -p icmp -m comment --comment "!fw3: @rule[22]" -j zone_wan_dest_ACCEPT
[0:0] -A zone_zguest1_forward -d 8.8.8.8/32 -m comment --comment "!fw3: @rule[23]" -j zone_wan_dest_REJECT
[0:0] -A zone_zguest1_forward -m comment --comment "!fw3: Zone zguest1 to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_zguest1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_zguest1_forward -m comment --comment "!fw3" -j zone_zguest1_dest_REJECT
[0:0] -A zone_zguest1_forward -d 8.8.8.8/32 -p icmp -m icmp --icmp-type 8 -j zone_wan_dest_ACCEPT
[0:0] -A zone_zguest1_forward -d 8.8.8.8/32 -j zone_wan_dest_REJECT
[0:0] -A zone_zguest1_input -m comment --comment "!fw3: Custom zguest1 input rule chain" -j input_zguest1_rule
[0:0] -A zone_zguest1_input -s 169.254.0.0/16 -m comment --comment "!fw3: Block-APIPA-v4-zguest1" -j DROP
[0:0] -A zone_zguest1_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: Allow-WLAN309G-DHCP-v4" -j ACCEPT
[0:0] -A zone_zguest1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_zguest1_input -m comment --comment "!fw3" -j zone_zguest1_src_REJECT
[0:0] -A zone_zguest1_output -m comment --comment "!fw3: Custom zguest1 output rule chain" -j output_zguest1_rule
[0:0] -A zone_zguest1_output -m comment --comment "!fw3" -j zone_zguest1_dest_ACCEPT
[0:0] -A zone_zguest1_src_REJECT -i br-zguest1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Oct 16 16:53:08 2020

With src=zguest1:

# Generated by iptables-save v1.8.4 on Fri Oct 16 16:53:54 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BCP38 - [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wireguard0_rule - [0:0]
:forwarding_wireguard1_rule - [0:0]
:forwarding_zguest0_rule - [0:0]
:forwarding_zguest1_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wireguard0_rule - [0:0]
:input_wireguard1_rule - [0:0]
:input_zguest0_rule - [0:0]
:input_zguest1_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wireguard0_rule - [0:0]
:output_wireguard1_rule - [0:0]
:output_zguest0_rule - [0:0]
:output_zguest1_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wireguard0_dest_ACCEPT - [0:0]
:zone_wireguard0_dest_REJECT - [0:0]
:zone_wireguard0_forward - [0:0]
:zone_wireguard0_input - [0:0]
:zone_wireguard0_output - [0:0]
:zone_wireguard0_src_REJECT - [0:0]
:zone_wireguard1_dest_ACCEPT - [0:0]
:zone_wireguard1_dest_REJECT - [0:0]
:zone_wireguard1_forward - [0:0]
:zone_wireguard1_input - [0:0]
:zone_wireguard1_output - [0:0]
:zone_wireguard1_src_REJECT - [0:0]
:zone_zguest0_dest_ACCEPT - [0:0]
:zone_zguest0_forward - [0:0]
:zone_zguest0_input - [0:0]
:zone_zguest0_output - [0:0]
:zone_zguest0_src_REJECT - [0:0]
:zone_zguest1_dest_ACCEPT - [0:0]
:zone_zguest1_dest_REJECT - [0:0]
:zone_zguest1_forward - [0:0]
:zone_zguest1_input - [0:0]
:zone_zguest1_output - [0:0]
:zone_zguest1_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[209:17828] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[208:17768] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:60] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1:60] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wireguard0_input
[0:0] -A INPUT -i wg1 -m comment --comment "!fw3" -j zone_wireguard1_input
[0:0] -A INPUT -i br-zguest0 -m comment --comment "!fw3" -j zone_zguest0_input
[0:0] -A INPUT -i br-zguest1 -m comment --comment "!fw3" -j zone_zguest1_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -d 8.8.8.8/32 -p icmp -m comment --comment "!fw3: @rule[22]" -j zone_wan_dest_ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wireguard0_forward
[0:0] -A FORWARD -i wg1 -m comment --comment "!fw3" -j zone_wireguard1_forward
[0:0] -A FORWARD -i br-zguest0 -m comment --comment "!fw3" -j zone_zguest0_forward
[0:0] -A FORWARD -i br-zguest1 -m comment --comment "!fw3" -j zone_zguest1_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[193:288560] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[193:288560] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wireguard0_output
[0:0] -A OUTPUT -o wg1 -m comment --comment "!fw3" -j zone_wireguard1_output
[0:0] -A OUTPUT -o br-zguest0 -m comment --comment "!fw3" -j zone_zguest0_output
[0:0] -A OUTPUT -o br-zguest1 -m comment --comment "!fw3" -j zone_zguest1_output
[0:0] -A BCP38 -p udp -m udp --sport 67:68 --dport 67:68 -j RETURN
[0:0] -A BCP38 -o eth0.2 -m set --match-set bcp38-ipv4 dst -j REJECT --reject-with icmp-net-unreachable
[0:0] -A BCP38 -i eth0.2 -m set --match-set bcp38-ipv4 src -j DROP
[0:0] -A forwarding_rule -m conntrack --ctstate NEW -j BCP38
[1:60] -A input_rule -m conntrack --ctstate NEW -j BCP38
[0:0] -A output_rule -m conntrack --ctstate NEW -j BCP38
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1:60] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wireguard0 forwarding policy" -j zone_wireguard0_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1:60] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -s 169.254.0.0/16 -m comment --comment "!fw3: Block-APIPA-v4-lan" -j DROP
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1:60] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1:60] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wireguard0_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wireguard0_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wireguard0_forward -m comment --comment "!fw3: Custom wireguard0 forwarding rule chain" -j forwarding_wireguard0_rule
[0:0] -A zone_wireguard0_forward -m comment --comment "!fw3: Zone wireguard0 to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wireguard0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wireguard0_forward -m comment --comment "!fw3" -j zone_wireguard0_dest_REJECT
[0:0] -A zone_wireguard0_input -m comment --comment "!fw3: Custom wireguard0 input rule chain" -j input_wireguard0_rule
[0:0] -A zone_wireguard0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wireguard0_input -m comment --comment "!fw3" -j zone_wireguard0_src_REJECT
[0:0] -A zone_wireguard0_output -m comment --comment "!fw3: Custom wireguard0 output rule chain" -j output_wireguard0_rule
[0:0] -A zone_wireguard0_output -m comment --comment "!fw3" -j zone_wireguard0_dest_ACCEPT
[0:0] -A zone_wireguard0_src_REJECT -i wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wireguard1_dest_ACCEPT -o wg1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wireguard1_dest_REJECT -o wg1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wireguard1_forward -m comment --comment "!fw3: Custom wireguard1 forwarding rule chain" -j forwarding_wireguard1_rule
[0:0] -A zone_wireguard1_forward -m comment --comment "!fw3: Zone wireguard1 to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wireguard1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wireguard1_forward -m comment --comment "!fw3" -j zone_wireguard1_dest_REJECT
[0:0] -A zone_wireguard1_input -m comment --comment "!fw3: Custom wireguard1 input rule chain" -j input_wireguard1_rule
[0:0] -A zone_wireguard1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wireguard1_input -m comment --comment "!fw3" -j zone_wireguard1_src_REJECT
[0:0] -A zone_wireguard1_output -m comment --comment "!fw3: Custom wireguard1 output rule chain" -j output_wireguard1_rule
[0:0] -A zone_wireguard1_output -m comment --comment "!fw3" -j zone_wireguard1_dest_ACCEPT
[0:0] -A zone_wireguard1_src_REJECT -i wg1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_zguest0_dest_ACCEPT -o br-zguest0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_zguest0_forward -m comment --comment "!fw3: Custom zguest0 forwarding rule chain" -j forwarding_zguest0_rule
[0:0] -A zone_zguest0_forward -m comment --comment "!fw3: Zone zguest0 to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_zguest0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_zguest0_forward -m comment --comment "!fw3" -j zone_zguest0_dest_ACCEPT
[0:0] -A zone_zguest0_input -m comment --comment "!fw3: Custom zguest0 input rule chain" -j input_zguest0_rule
[0:0] -A zone_zguest0_input -s 169.254.0.0/16 -m comment --comment "!fw3: Block-APIPA-v4-zguest0" -j DROP
[0:0] -A zone_zguest0_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: Allow-WLAN208G-DHCP-v4" -j ACCEPT
[0:0] -A zone_zguest0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_zguest0_input -m comment --comment "!fw3" -j zone_zguest0_src_REJECT
[0:0] -A zone_zguest0_output -m comment --comment "!fw3: Custom zguest0 output rule chain" -j output_zguest0_rule
[0:0] -A zone_zguest0_output -m comment --comment "!fw3" -j zone_zguest0_dest_ACCEPT
[0:0] -A zone_zguest0_src_REJECT -i br-zguest0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_zguest1_dest_ACCEPT -o br-zguest1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_zguest1_dest_REJECT -o br-zguest1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_zguest1_forward -m comment --comment "!fw3: Custom zguest1 forwarding rule chain" -j forwarding_zguest1_rule
[0:0] -A zone_zguest1_forward -d 8.8.8.8/32 -m comment --comment "!fw3: @rule[23]" -j zone_wan_dest_REJECT
[0:0] -A zone_zguest1_forward -m comment --comment "!fw3: Zone zguest1 to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_zguest1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_zguest1_forward -m comment --comment "!fw3" -j zone_zguest1_dest_REJECT
[0:0] -A zone_zguest1_input -m comment --comment "!fw3: Custom zguest1 input rule chain" -j input_zguest1_rule
[0:0] -A zone_zguest1_input -s 169.254.0.0/16 -m comment --comment "!fw3: Block-APIPA-v4-zguest1" -j DROP
[0:0] -A zone_zguest1_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: Allow-WLAN309G-DHCP-v4" -j ACCEPT
[0:0] -A zone_zguest1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_zguest1_input -m comment --comment "!fw3" -j zone_zguest1_src_REJECT
[0:0] -A zone_zguest1_output -m comment --comment "!fw3: Custom zguest1 output rule chain" -j output_zguest1_rule
[0:0] -A zone_zguest1_output -m comment --comment "!fw3" -j zone_zguest1_dest_ACCEPT
[0:0] -A zone_zguest1_src_REJECT -i br-zguest1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Oct 16 16:53:54 2020

I can't even see any difference in the output for the rules in question.

The rules have not been properly applied in the second case. Only zguest1 is.

OK, I just confirmed it.
When you are using src * the rule is added in the main FORWARD chain.
However, a more specific rule, like src lan, will be added to zone_lan_forward, which is found later in the queue.
So one solution is to use only specific source zones for both rules, or use the any zone again for both rules:

config rule
        list icmp_type 'echo-request'
        option src '*'
        option name 'test'
        option dest 'wan'
        list dest_ip '100.65.1.1'
        option target 'ACCEPT'
        list proto 'icmp'

config rule
        option src '*'
        option name 'test2'
        option dest 'wan'
        list dest_ip '100.65.1.1'
        option target 'REJECT'
        list proto 'all'

[0:0] -A FORWARD -d 100.65.1.1/32 -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: test" -j zone_wan_dest_ACCEPT
[0:0] -A FORWARD -d 100.65.1.1/32 -m comment --comment "!fw3: test2" -j zone_wan_dest_REJECT
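To make the ordering effect described in the last two replies checkable rather than guessed at, here is an added example; it is not from this thread and not OpenWrt/fw3 code. It is a small Python tracer that parses `iptables-save -c -t filter` style output, follows the chain jumps the way the kernel does (first match wins, a user-defined chain returns to its caller when it runs off the end, a built-in chain falls back to its policy) and reports which rule terminated the packet. The `fw3_dump` helper builds a constructed, trimmed dump that places psherman's two rules where fw3 placed them in the dumps above (a `src='*'` rule goes into FORWARD right after the RELATED,ESTABLISHED accept and before the per-zone jumps; a zone-specific rule goes into `zone_<zone>_forward` before that zone's forwarding policy). The interface names, the client address 192.168.9.20 and the reduced chain skeleton are assumptions.

```python
"""Trace a forwarded packet through an iptables-save '*filter' dump and report which
rule decides it. Added example modelled on the fw3 chain layout in the thread's dumps,
not OpenWrt/fw3 code; interface names, client address and chain skeleton are assumed."""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}
TARGET_IP = "8.8.8.8"  # destination under test in the thread
PARSERS = {"-i": str, "-o": str, "-p": str, "--icmp-type": int,  # the dumps use numeric types
           "-s": ipaddress.ip_network, "-d": ipaddress.ip_network,
           "--ctstate": lambda a: set(a.split(","))}


def fw3_chain(src_zone):
    # Where fw3 appends a forwarding rule: FORWARD for src='*', else the zone's own chain.
    return "FORWARD" if src_zone == "*" else f"zone_{src_zone}_forward"


def fw3_dump(accept_src, reject_src):
    """Constructed minimal dump placing the two user rules as fw3 does in the dumps above:
    src='*' into FORWARD before the per-zone jumps, a zone into zone_<src>_forward."""
    ping = (f'-d {TARGET_IP}/32 -p icmp -m icmp --icmp-type 8 '
            '-m comment --comment "!fw3: Allow_Ping_To_IP" -j zone_wan_dest_ACCEPT')
    drop = f'-d {TARGET_IP}/32 -m comment --comment "!fw3: Drop_All_To_IP" -j zone_wan_dest_REJECT'
    rules = [("FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"),
             (fw3_chain(accept_src), ping), (fw3_chain(reject_src), drop),
             ("FORWARD", "-i br-zguest1 -j zone_zguest1_forward"), ("FORWARD", "-j reject"),
             ("zone_zguest1_forward", "-j zone_wan_dest_ACCEPT"),  # zguest1 -> wan policy
             ("zone_wan_dest_ACCEPT", "-o eth0.2 -j ACCEPT"), ("zone_wan_dest_REJECT", "-o eth0.2 -j reject"),
             ("reject", "-p tcp -j REJECT --reject-with tcp-reset"),
             ("reject", "-j REJECT --reject-with icmp-port-unreachable")]
    body = "\n".join(f"[0:0] -A {chain} {rule}" for chain, rule in rules)
    return f"*filter\n:FORWARD DROP [0:0]\n{body}\nCOMMIT\n"


def parse_rule(tokens, text):
    # Collect the matches this tracer models; any other option marks the rule unmodelled.
    rule = {"text": text, "target": None, "match": {}, "unmodelled": []}
    i = 0
    while i < len(tokens):
        opt, args, i = tokens[i], [], i + 1
        while i < len(tokens) and not tokens[i].startswith("-"):
            args.append(tokens[i])
            i += 1
        if opt == "-j":
            rule["target"] = args[0]
        elif opt in PARSERS:
            rule["match"][opt] = PARSERS[opt](args[0])
        elif opt not in ("-m", "--comment", "--reject-with"):  # parsed past, no effect
            rule["unmodelled"].append(opt)  # e.g. --match-set, --tcp-flags, a '!' negation
    return rule


def parse_dump(text):
    """Return ({chain: [rule, ...]}, {chain: policy}) for one table's iptables-save output."""
    chains, policies = {}, {}
    for raw in text.splitlines():
        line = (raw.split("]", 1)[1] if raw.startswith("[") else raw).strip()  # drop counters
        if line.startswith(":"):  # ':FORWARD DROP [0:0]' or ':reject - [0:0]'
            name, policy = line[1:].split()[:2]
            policies[name] = policy  # '-' marks a user-defined chain
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(parse_rule(tokens[2:], line))
    return chains, policies


def matches(rule, pkt):
    m = rule["match"]  # an unmodelled match is conservatively treated as no match
    return not rule["unmodelled"] and all((
        *(m.get(opt, pkt[key]) == pkt[key] for opt, key in
          (("-i", "in"), ("-o", "out"), ("-p", "proto"), ("--icmp-type", "icmp_type"))),
        "-s" not in m or ipaddress.ip_address(pkt["src"]) in m["-s"],
        "-d" not in m or ipaddress.ip_address(pkt["dst"]) in m["-d"],
        "--ctstate" not in m or pkt["ctstate"] in m["--ctstate"]))


def walk(chains, policies, chain, pkt, trace):
    # First match wins; jumps recurse, RETURN resumes in the caller, built-in chains end in policy.
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        trace.append((chain, rule["text"]))
        target = rule["target"]
        verdict = target if target in TERMINAL else walk(chains, policies, target, pkt, trace)
        if verdict != "RETURN":
            return verdict
    policy = policies.get(chain, "-")
    return "RETURN" if policy == "-" else policy


def trace_packet(dump, pkt):
    """Return (verdict, [(chain, rule text), ...]) for a packet entering FORWARD."""
    trace = []
    return walk(*parse_dump(dump), "FORWARD", pkt, trace), trace


def packet(proto, icmp_type=None):
    # Constructed NEW packet from a zguest1 client towards TARGET_IP via the WAN.
    return {"in": "br-zguest1", "out": "eth0.2", "src": "192.168.9.20", "dst": TARGET_IP,
            "proto": proto, "icmp_type": icmp_type, "ctstate": "NEW"}


if __name__ == "__main__":
    for srcs in (("zguest1", "zguest1"), ("zguest1", "*"), ("*", "*")):
        for name, pkt in (("ping", packet("icmp", 8)), ("tcp", packet("tcp"))):
            verdict, trace = trace_packet(fw3_dump(*srcs), pkt)
            print(f"allow src={srcs[0]!r} drop src={srcs[1]!r} {name}: {verdict}, first hit in {trace[0][0]}")
```

With both rules on `zguest1` the ping is accepted and TCP rejected; with only the reject rule on `*` the ping's first hit is the `Drop_All_To_IP` rule in FORWARD, so the accept in `zone_zguest1_forward` is never reached; with both on `*` the accept sits first in FORWARD and wins again. The real output of `iptables-save -c -t filter` can be fed to `trace_packet` as well, as long as the rules on the packet's path use only the matches the tracer models; a rule with anything else (ipset, tcp-flags, negation) is skipped and shows up in its `unmodelled` list.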

How could I influence the order in the OpenWrt firewall besides moving them up and down?

How would the rules look if I tried to write it with iptables directly? Would this be correct to get it at the beginning?

iptables -t filter -A zone_zguest1_forward -p icmp --icmp-type 8 -d 8.8.8.8/255.255.255.255 -j ACCEPT
iptables -t filter -A zone_zguest1_forward -d 8.8.8.8/255.255.255.255 -j REJECT

Yes, my fault ... I will edit the post above.

No worries. As you can see from my post above, the src * rules will have precedence over the more specific zone rules. So you need to keep that in mind when you mix rules for a specific zone and for all zones, if they match the same thing.


Thanks for the help @psherman @trendy.

