Blocking wireless GUI access to router in AP mode

Maybe use ebtables or enable net.bridge.bridge-nf-call-iptables (maybe don't use this one :sweat_smile:) or the iptables physdev module?

opkg update
opkg install iptables-mod-physdev

iptables -A INPUT -p tcp -m multiport --dports 80,443 -m physdev --physdev-in wlan0 -j DROP

Can this work?

2 Likes

Works for me with iptables-mod-physdev only, tried kmod-br-netfilter with net.bridge.bridge-nf-call-iptables=1 earlier without success.

Using net.bridge.bridge-nf-call-iptables=1 doesn't seem to be a good idea anyway.
For example, traffic between the bridge ports will be treated as forwarded traffic.
I think this doesn't go well with the firewall zone setup/logic/concept and can break some things...?
But I'm not sure :sweat_smile:
Better use ebtables or iptables physdev module.

Can you please detail your interface config before using iptables-mod-physdev?

Just the default configuration, where wlanX is part of br-lan.

1 Like

Unable to make it work.

The custom rule is correctly inserted in the firewall (iptables -L):

root@OpenWrt:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere multiport dports www,https PHYSDEV match --physdev-in wlan0

The lan bridge is as default (eth0.1 - wlan0); a new interface covers wlan0 (protocol = none).
The AP behaves as if wlan0 traffic were not seen by the firewall rule, while with tcpdump on wlan0, tcp port 80 is clearly captured.

@66enligne
Try
iptables -I ....
instead of
iptables -A ....

I think *-mod-physdev needs kmod-br-netfilter.

//edit
Indeed, physdev doesn't work. Does it also need net.bridge.bridge-nf-call-iptables to be enabled?

So Jeff's suggestions would be the best options here.
Remove the wireless interfaces from the bridge and assign them into their own firewall zone.
But this will break things, like multicast for example?
So, the only option left is ebtables?

1 Like

I already did iptables -I .... because I suspected that this rule was better located first rather than last, but with no more effect.

physdev does work, net.bridge.bridge-nf-call-iptables should be enabled - just re-tested on a clean installation (18.06.5).
Using iptables -A is absolutely OK.

I would think so. Just easier to separate the interfaces, and make wlan0 its own OpenWrt enumerated interface. Then the rule works.

FYI, I noted this, and showed the OP screenshot in another thread that was hijacked:

Yes it would, as wlan0 would be on its own PHY/LAN.

Really interesting, I didn't realize there was a hook to hit iptables on a bridge. Probably takes some extra CPU. Glad you got it working!

Any idea how to check this in a simple way?

Me as well, so thanks to @shm0

Sure, set it up like I did for the OP. I'm not sure why you need to test though - if you set up any WiFi interface and address it on any Interface, it wouldn't get multicast from another. That's the same thing on a router.

Are you sure that net.bridge.bridge-nf-call-iptables is needed?
With net.bridge.bridge-nf-call-iptables enabled, isn't it possible to use -i anyway?
So what is the purpose of physdev then?

1 Like

Sure. Sorry, I misinterpreted your earlier response.

Yes, I've performed my tests in sequence. Access was blocked only after I added a line to sysctl.conf and rebooted.

This is what I took from my search results; it pretty much explains things to me. I'd appreciate it if someone could provide a better explanation.

--physdev-in name
Name of a bridge port via which a packet is received 

Self-explanatory.

-i, --in-interface name
Name of an interface via which a packet was received

I guess that interface here is more like a standalone L3 interface.

And the final quote is

When the sysctl net.bridge.bridge-nf-call-iptables=1 is set, bridged packets will traverse iptables rules.

Ok THX to all of you, the config is working now.

However, for a newbie like me it wasn't that easy to capture all that you said.

I will recap the full process for others.

Tested using a fresh install of R18.06.2 with the default config (wlan bridged to lan, wlan in AP mode). Connected to the internet via Ethernet and configured via LuCI, with some checking via the console.

System\Software screen
Update list
Install ipsec (warned as missing when performing a console 'service firewall restart'; maybe not mandatory, but I don't like pending warnings)
Install iptables-mod-physdev

Wireless screen
Edit the interface and set it up as AP with the usual info (country, channel, etc.)
Enable the wireless (saves the config and creates the wireless interface)

Network\Interface screen
Add new interface
Name ‘WhatYouWant’
Protocol ‘unmanaged’
Cover the following interface ‘wlan0’ (to be checked via console ‘ifconfig’)
Submit
Go to the firewall sheet and assign the firewall zone to ‘lan’

Network\Firewall\Custom Rules screen
Copy and paste the following line (assuming you want to block http and https)
iptables -I INPUT -p tcp -m multiport --dports 80,443 -m physdev --physdev-in wlan0 -j REJECT

The last operation is done using the console. It consists of modifying the 'net.bridge.bridge-nf-call-iptables' flag.
The current status of the flag can be checked using:
cat /proc/sys/net/bridge/bridge-nf-call-iptables
A permanent modification is obtained by editing the file /etc/sysctl.conf
and adding the line: net.bridge.bridge-nf-call-iptables=1

then reboot
It should work.

Is there any firewall rule configuration that would generate a 403 or 401 error screen on the remote wireless client?

Firewalls mainly work on a packet-by-packet basis -- generating a 401 or 403 is something that a web server does.

(Also, please upgrade to at least 18.06.5, as there have been security vulnerabilities patched since 18.06.2)

1 Like

OK THX, don't know how DD-WRT does it.

Referring to my setup recap, there was a typo regarding the packages I suggested installing.
You must read 'ipset' instead of 'ipsec'.
Sorry for the confusion.
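The recap above, scripted. This is an added example and not code from the thread or from the OpenWrt project: it applies the same steps with uci instead of LuCI, and it checks the one prerequisite that caused the "rule is listed but never matches" symptom earlier in the thread, net.bridge.bridge-nf-call-iptables. Everything here is an assumption to adjust for your own box: OpenWrt 18.06 with the iptables-based firewall, the AP port is wlan0 and sits in br-lan, the 'lan' zone is firewall.@zone[0] as in the default config, and the new unmanaged interface is named 'apport'. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project.
# Assumptions (hypothetical, adjust): OpenWrt 18.06 with fw3, AP port wlan0
# bridged in br-lan, 'lan' zone is firewall.@zone[0], new interface 'apport'.
# DRY_RUN=1 prints the commands instead of executing them.

WLAN_IF="${WLAN_IF:-wlan0}"
IFACE_NAME="${IFACE_NAME:-apport}"
SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/net/bridge/bridge-nf-call-iptables}"

# Build the custom rule from the recap: -I so it sits at the head of INPUT,
# --physdev-in because -i only ever sees br-lan, never the bridge port itself.
build_rule() {
    ports="$1"; port_if="$2"
    printf 'iptables -I INPUT -p tcp -m multiport --dports %s -m physdev --physdev-in %s -j REJECT\n' \
        "$ports" "$port_if"
}

# Returns 0 when bridged packets traverse iptables, 1 otherwise. Takes the file
# path as an argument so it can be checked against a constructed file, not only
# /proc. A missing file (kmod-br-netfilter not loaded) also counts as disabled.
bridge_nf_enabled() {
    if [ -r "$1" ] && [ "$(cat "$1")" = "1" ]; then
        return 0
    fi
    return 1
}

# One-line verdict for the symptom seen in the thread: rule visible in
# `iptables -L` but wireless clients still reach the GUI.
diagnose() {
    if bridge_nf_enabled "$1"; then
        echo "ok: bridge-nf-call-iptables=1, physdev rules on $WLAN_IF can match"
        return 0
    fi
    echo "problem: bridge-nf-call-iptables is 0 or missing; bridged traffic skips INPUT, so the rule lists but never matches"
    return 1
}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_config() {
    run opkg update
    run opkg install iptables-mod-physdev kmod-br-netfilter
    # Unmanaged interface covering the AP port, attached to the lan zone.
    run uci set "network.$IFACE_NAME=interface"
    run uci set "network.$IFACE_NAME.proto=none"
    run uci set "network.$IFACE_NAME.ifname=$WLAN_IF"
    run uci add_list "firewall.@zone[0].network=$IFACE_NAME"
    run uci commit
    # Custom rule, same file LuCI's Custom Rules tab writes to.
    rule="$(build_rule 80,443 "$WLAN_IF")"
    run sh -c "printf '%s\n' \"$rule\" >> /etc/firewall.user"
    # Make bridged packets traverse iptables, now and after reboot. Note from
    # the thread: with this on, traffic between bridge ports also hits FORWARD.
    run sh -c "printf '%s\n' net.bridge.bridge-nf-call-iptables=1 >> /etc/sysctl.conf"
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run /etc/init.d/firewall restart
}

if [ "${1:-}" = "apply" ]; then
    apply_config && diagnose "$SYSCTL_FILE"
fi
```

Run it as `sh block.sh apply` on the router, or `DRY_RUN=1 sh block.sh apply` first to review what it would do; `diagnose` alone is enough to tell whether a non-matching physdev rule is the sysctl problem discussed above rather than a rule-ordering problem.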

I've read this thread and still don't fully understand it. I have a rather difficult configuration on top of that. I'm using a WRT3200ACM with two main networks and two guest networks divided across two separate radios. My goal is to prevent LuCI/GUI access for all but the Ethernet. I believe that I need a separate VLAN and firewall zone but I'm not sure about the coding/configuration. My current VLAN configuration is the default for 18.06.5, and the switch part is the most confusing. I've read the manual for OpenWrt but I can't understand the difference between tagged/untagged/off and how it relates to internet traffic, including how to use the two CPU (ethX) ports effectively, because the guest nets will rarely be on. Please, any guidance?

This is an entirely different inquiry from the OP's. I advise making a new thread to get assistance with your particular configuration.