Conditional redirect

My question is of general nature, port 123 (NTP) is just an example.

Let's consider the following firewall rule:

config redirect
        option name 'Redir-NTP-SMART'
        option proto 'udp'
        option family 'ipv4'
        option src 'smart'
        option src_dport '123'
        option dest 'lan'
        option dest_port '123'
        option dest_ip '192.168.1.1'
        option target 'DNAT'

This rule intercepts all traffic with destination port 123 (NTP), even traffic that already goes to 192.168.1.1.

What I want: just intercept those NTP requests, which have as destination the wan interface. In other words: redirect NTP traffic (zone smart -> zone wan) to (zone smart -> zone lan).

My question: is this possible with an OpenWrt's firewall rule? If yes, what is the exact specification of such a rule?

Sounds like a dns hijack type config that you are aiming for. See this:


In the general case, intercepting only transit traffic and accepting/rejecting inbound traffic is not so simple, as the complete solution requires analyzing the destination address by utilizing specific nftables options or IP sets, but for trivial cases like DNS and NTP there's effectively no difference, so it can be safely ignored; only specific cases like a Tor client make it matter.

The DNS hijacking in the OpenWrt Wiki intercepts all DNS traffic from one source zone, regardless of the destination.

What I want: intercept only those requests from a given source zone going to a specific destination zone (in my example: the wan zone). This is not covered by the above link.

I feared such an answer. :frowning_face:

The problem with the NTP use case is: you can't nail down the destinations to a few IP addresses. For example: if you request the IP address of de.pool.ntp.org, you get a set of 4 IPv4 addresses. An hour later the same request can deliver a totally different set of 4 IPv4 addresses. Or in other words: the destination is a permanently moving target.


This seems

Is there any specific reason you need a selective redirect for NTP?
Typically there's no visible difference whether the redirect is selective or not.
So, you can keep the config simple as long as the destination port is the same.

As I stated in my initial post:

I think that src_dip (Source packet's Destination IP) is an option which could match the IPs headed to the Internet (i.e. routed to the wan port). Or use the !192.168.1.0/24 notation to not match the packets that are going to a private lan already so you don't want to redirect them.


Keep in mind that specifying any IPv4 address makes the redirect IPv4-only and creates a loophole for IPv6 traffic leaks, which requires an extra redirect with IPv6 sets for LLA, ULA, and GUA.
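The rule with a negated src_dip, as suggested in the two replies above, written out in full as an added example that is not from the original thread. It keeps the values of the rule in the question (zone 'smart', router address 192.168.1.1, dest zone 'lan') and assumes the LAN prefix is 192.168.1.0/24; that prefix is the only thing excluded from the redirect, so traffic to any other private range would still be rewritten unless it is added to the exclusion as well.

```uci
# Added example (not from the thread): redirect NTP from zone 'smart' to the
# router only when the client was NOT already sending to the LAN subnet.
# Assumption: the LAN prefix is 192.168.1.0/24. Packets from 'smart' that are
# addressed to that prefix keep their original destination; every other UDP/123
# packet from 'smart' is DNATed to 192.168.1.1:123.
config redirect
	option name 'Redir-NTP-SMART'
	option proto 'udp'
	option family 'ipv4'
	option src 'smart'
	option src_dport '123'
	option src_dip '!192.168.1.0/24'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '123'
	option target 'DNAT'
```

After `/etc/init.d/firewall reload`, `nft list ruleset | grep 'Redir-NTP-SMART'` should show the generated rule in the fw4 dstnat chain for the 'smart' zone, with the `ip daddr != 192.168.1.0/24` match in front of the `udp dport 123` match and the `dnat` action. Because of `option family 'ipv4'` the rule matches IPv4 only, so, as noted in the reply above, NTP over IPv6 from the 'smart' zone is not intercepted at all by this rule.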

That's exactly what I'm looking for.

No problem! My home network is IPv4-only.
