Creating procd init script with firewall rule inside

Hello, I am trying to create a new small package (proxy), and need to create a redirection firewall rule at startup and delete the redirection rule at shutdown. Is there any example of how to create a procd service with firewall rules inside?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/firewall

I am trying to create a universal, board- and OpenWrt-version-independent package. I have a few boards based on different Owrt versions, 17.01.07 and 23.05.04, both mips_24kc architecture, but what is the reason for the question? procd scripts should be architecture independent, so I am looking for a universal fw3/fw4 compatible solution. It seems uci could fit, but on the Owrt wiki there is a note NOT to use uci for writing/changing firewall rules, only for reading, so maybe there are some built-in functions in procd to create fw rules?

... connect to your OpenWrt device ...

... and your questions will be answered :tada: ...

Ok, thanks, I'll try. At my current location I have only a bricked Owrt device; I am waiting for spare parts tomorrow to repair it.

If I understand correctly, you are talking about the ubus IPC interface. I am looking into the documentation, thanks again.

You could take a look at my project - geoip-shell. It has 2 separate packages, one for fw3+iptables and the other for fw4+nftables. Both create a procd script and a firewall include. The project is much more complex than what you need, so this won't provide the exact solution for your case, but you could learn from it if you like. You would need to download both packages from here:

https://github.com/friendly-bits/geoip-shell/releases/tag/v0.5.6

and extract them. Then check out the owrt-fw-include, owrt-mk-fw-include, and owrt-init scripts.

1 Like

It seems you are using UCI inside the init script for adding fw rules (https://github.com/friendly-bits/geoip-shell/blob/v0.5.6/OpenWrt/geoip-shell-owrt-mk-fw-include.tpl), but according to the wiki:

UCI is useful to view the firewall configuration, but not to do any meaningful modifications for the following reasons:

  • Essential prior knowledge of where a firewall rule needs to go into the rule array in order to make it work.

  • uci does not recognize content within the /etc/firewall.user script.

  • uci commit is necessary to save the changes, but still needs /etc/init.d/firewall reload to reload new tables.

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#command-line_instructions

OWRT==OpenWRT just for less typing :))

I don't think this advice is universally applicable. IMO what they meant is that changing rules via fw3 or fw4 uci interface is not recommended. This is not what geoip-shell is doing. Rather it directly creates iptables or nftables chains and rules. Generally this code is tested and it works. The UCI-related commands simply create the UCI settings which enable the firewall include to work.

1 Like

In principle you can get away with leaving simple rules for both firewall auto-include places. If you need to play with interface names or dynamic ports, you need 2 separate scripts.

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

Hmm, what are you talking about? I am using OpenWRT built by myself from the official repo with the addition of my package (a C-based program for modifying http/https traffic in a special way; it works as a transparent proxy). And the question is about packaging and the init (procd) system of OpenWRT. I am creating my own package that consists of a binary program file and a procd-based init script to run at start and stop of the program (service unit). Unfortunately, to function correctly there is a need to create a firewall rule (to forward http/https traffic to my program) at start of my program and obligatorily delete this rule at stop of my program.

So, I need to create an init script to start and stop my program together with adding/deleting firewall rules.

So it should present no significant problem producing system info.

Once again, I don't have OpenWRT burned on a router currently; the one I have at my current location is not working due to PS age (tl-wr741nd v1, about 15 years old). Tomorrow I'll get a new one and could run the provided commands, but for development I don't even need any hardware. My question is about software development for modern v17+ OpenWRT (I previously developed for OWRT White Russian, v10 if I am not mistaken, but have lost the credentials of my forum account), and there was another init system, sysV, if I am not mistaken, and fw rules were written directly without uci.

If your rule can be expressed in config/firewall you can add it via UCI, or you leave a script and nft fragment in the filesystem for other kinds of rules. If you said what the rule is...

Excuse me for hijacking this thread, but I am curious. Having used and modified squid in the past, also as a transparent proxy, what's the special benefit of your program? BTW, anybody using such a tool will be able to introduce the required firewall rules himself.

2 Likes

I already have said, a usual redirect rule in iptables syntax, something like:

iptables -t nat -I PREROUTING -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 777
1 Like

I surely can write rules by myself, but I am asking for best practices in the case of different fw options (fw3/fw4).

The proxy's goal is to be minimal (it could run on 4MB ROM boards) and to bypass some DPI injection of a few third-world countries.
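One way to do what the earlier reply suggests (express the rule in config/firewall and let fw3 or fw4 apply it) for the REDIRECT rule quoted above, as an added example that is not code from this thread or from any project mentioned in it. It assumes a daemon at /usr/bin/myproxy listening on port 777 (constructed names), and that a `redirect` section with `target DNAT` and no `dest_ip` redirects to the router itself:

```shell
#!/bin/sh /etc/rc.common
# Added example (not from the thread): procd init script for a transparent proxy.
# start writes named "redirect" sections to /etc/config/firewall and reloads the
# firewall; stop deletes them and reloads again. fw3 and fw4 both read this config,
# so one script serves both. Constructed names: /usr/bin/myproxy, port 777, section
# prefix myproxy_redirect. Assumed: a DNAT redirect with no dest_ip targets the router.
USE_PROCD=1
START=95
STOP=10
PROG=/usr/bin/myproxy
PROXY_PORT=777
PORTS="80 443"            # one section per port: src_dport takes a single port/range
SECTION=myproxy_redirect

# Emit the "uci batch" text that adds or deletes the sections. Kept pure so the
# generated config can be inspected; apply_firewall() pipes it into uci.
uci_batch() {
    action=$1
    for p in $PORTS; do
        s="${SECTION}_$p"
        case "$action" in
        add) printf '%s\n' \
                "set firewall.$s=redirect" \
                "set firewall.$s.name=$s" \
                "set firewall.$s.src=lan" \
                "set firewall.$s.proto=tcp" \
                "set firewall.$s.src_dport=$p" \
                "set firewall.$s.dest_port=$PROXY_PORT" \
                "set firewall.$s.target=DNAT" ;;
        del) printf '%s\n' "delete firewall.$s" ;;
        *)   return 1 ;;
        esac
    done
    echo "commit firewall"
}
# Commit the change, then reload so the live fw3/fw4 ruleset matches the config.
apply_firewall() {
    uci_batch "$1" | uci batch && /etc/init.d/firewall reload
}
start_service() {
    apply_firewall add || return 1    # do not start the proxy without its redirect
    procd_open_instance
    procd_set_param command "$PROG"
    procd_set_param respawn
    procd_close_instance
}
stop_service() {
    apply_firewall del                # remove the redirect so traffic flows normally
}
```

Because the sections live in /etc/config/firewall, they are re-applied whenever the firewall itself is reloaded, which a rule inserted directly with iptables or nft from the init script is not guaranteed to be; the trade-off is a `uci commit` write on every start and stop.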

Hmm, adding fw rules to init scripts seems not to be a regular practice; the only one I have found is:

and

It is better than hardcoded rules, but I am not sure that it will work with both fw3 and fw4.