I am using LEDE 17.01.4 on a Raspberry Pi 3 with LAN into the Pi acting as WAN, and then using the WAN to forward and generate a wifi network using the Pi's built-in 802.11n wifi. I am trying to implement blocking specific IPs using firewall rules. As per the LEDE and OpenWrt wikis I created the following rule in /etc/config/firewall to block all access to the IP 198.90.5.100 (just an IP for the website pinkbike.com):
config rule
option name Block-IP
option src lan
option dest wan
option dest_ip 198.90.5.100
option target REJECT
After refreshing all networking and firewall the rule shows up in LuCI properly (see attached picture); however, I can still ping 198.90.5.100 on any device connected to the network produced by the Raspberry Pi. According to the LEDE wiki this should block all communication with 198.90.5.100, but after messing around with the rule for quite a while I can't figure out how to make it work. Anyone know what I'm doing wrong? Thanks!
Hi! Thank you for the response, I tried moving the rule to above the forwarding rule so in /etc/config/firewall they are now listed as:
config rule
option name Block-IP
option src lan
option dest wan
option dest_ip 198.90.5.100
option target REJECT
option family ipv4
config forwarding
option src lan
option des wan
I added the family so that I stopped getting the "Skipping due to different family of ip address" error when I refreshed the firewall. Currently in /etc/config/firewall the only rules above the Block-IP rule are config defaults, and configs for the lan and wan zones. However after moving the Block-IP rule to that position I can still ping the address from any device connected to the network, do you have any other ideas as to why this is not working?
Thanks!
Hi hnyman, thanks for the reply, that was a typo in my message, here is my /etc/config/firewall file https://hastebin.com/tijiyaraki.php
Also the output of fw3 print contains the lines:
Hello, after doing a bunch of research and getting some help from a friend who has more iptables experience than myself I have found something very odd with UCI firewall. When I load the firewall with this /etc/config/firewall https://hastebin.com/qugojipuri.php and then run iptables-save I receive the following file https://hastebin.com/itirehoden.rb . This shows that the rule I specified
specifies that any traffic from 198.90.5.100 should be directed to be handled by a rule defined by zone_wan_dest_REJECT. However, for some reason (I'm not sure if this is an actual bug in LEDE or not) there is no default rule written for zone_wan_dest_REJECT, so since this traffic was not being rejected as it should be, the traffic was being accepted by another one of the zone_lan_forward rules. I fixed this problem by adding the line
-A zone_wan_dest_REJECT -j DROP
and thereby defining a rule for zone_wan_dest_REJECT that drops all traffic directed to this chain. I am not sure why I had to do this, as there should be a default rule for zone_wan_dest_REJECT, but this is how I resolved the problem.
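A small diagnostic, added here and not from the thread, that finds exactly the situation described above: a user-defined chain that other rules jump to but that contains no rules of its own, so matched traffic falls through to the next rule in the calling chain. The iptables-save excerpt is constructed to mirror the fw3 chain names on LEDE 17.01 and is not the poster's real dump.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not the poster's dump): the Block-IP rule
# jumps to zone_wan_dest_REJECT, which has been declared but holds no rules.
SAMPLE='*filter
:FORWARD DROP [0:0]
:zone_lan_forward - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:reject - [0:0]
-A FORWARD -i br-lan -j zone_lan_forward
-A zone_lan_forward -d 198.90.5.100/32 -m comment --comment "!fw3: Block-IP" -j zone_wan_dest_REJECT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Read iptables-save output (stdin or files) and print every declared chain
# that is the target of a -j jump but has no -A rules appended to it.
empty_jump_targets() {
    awk '
        /^:/             { sub(/^:/, "", $1); declared[$1] = 1 }   # ":chain policy [pkts:bytes]"
        /^-A /           { rules[$2]++ }                           # "-A chain ..." adds a rule to chain
        /^-A / && / -j / { for (i = 1; i <= NF; i++) if ($i == "-j") target[$(i+1)] = 1 }
        END {
            # Built-in targets (ACCEPT, DROP, REJECT) are never declared, so they are skipped.
            for (c in target)
                if ((c in declared) && !(c in rules)) print c
        }' "$@"
}

# On the router: iptables-save | empty_jump_targets
# Expected here: zone_wan_dest_REJECT
printf '%s\n' "$SAMPLE" | empty_jump_targets
```

An empty result means every jump target has at least one rule; a listed chain is one where matched packets silently return to the caller, which is the fall-through the final post describes.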