Custom iptables configuration in /etc/firewall.user

lloowen · March 17, 2021, 10:42pm

I'm trying to enable a custom iptables rule in the /etc/firewall.user configuration file, without any success.

My iptables rule is:

iptables -I FORWARD -s 192.168.1.213 -d 0.0.0.0 -j DROP

I've tried various combinations, INPUT, OUTPUT with the corresponding interface(e.g. br-lan and or eth0:2), but with no success. Do I have to incorporate 'WAN' and 'LAN' in the iptable rule?

Grateful for any help. Thanks..

vgaetera · March 17, 2021, 10:50pm

Do you want to block access to the router or the Internet?
Have you properly attached interfaces to the firewall zones?
Is the firewall service enabled and running?

lloowen · March 17, 2021, 11:03pm

"Do you want to block access to the router or the Internet?"
I want to block access to the internet.

"Have you properly attached interfaces to the firewall zones"
Yes.

"Is the firewall service enabled and running"
Yes. I've used the web interface to configure port forwarding and traffic rules which work.

vgaetera · March 17, 2021, 11:16pm

The custom rules don't fit well the firewall service configuration.
That's the last resort workaround that you shouldn't normally use.
Better utilize native syntax:

uci -q delete firewall.filter_fwd
uci set firewall.filter_fwd="rule"
uci set firewall.filter_fwd.name="Filter-Forward"
uci set firewall.filter_fwd.src="lan"
uci set firewall.filter_fwd.src_mac="00:11:22:33:44:55"
uci set firewall.filter_fwd.dest="wan"
uci set firewall.filter_fwd.proto="all"
uci set firewall.filter_fwd.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

It helps avoid race conditions and works for both IPv4 and IPv6.

lloowen · March 19, 2021, 6:20pm

Thank you for the code snippet. I tried it but it didn't work. Seems like the only method that works is if I create the rules for the device by using the web gui at network/firewall/traffic-rules page.

What I was trying to achieve was to get the rules for my device in the /etc/firewall.user file, were I could then alter it via a simple sed command that would be run via cron, in effect a timer based on off internet kill switch for one device. I didn't want to risk using the main /etc/config/firewall file, but had no choice in the end.

I succeeded in the end by adding the device information at the very bottom of the /etc/config/firewall file with the 'option enable '1' ' at the very bottom of the file. Then it was easy to change that one line from '1' to '0' plus a firewall restart after every edit, to be able to allow or block internet access based on time of day.

I'm sure there is a better and safer way than messing around with cron, sed on the main config file..

Thanks for your help though.

lleachii · March 19, 2021, 6:36pm

???

You didn't incorrectly use @reboot with cron in an embedded device - did you?

(I notice the Wiki mentions this; but it's not possible [on an embedded device]. Other forum posts mention it, and I recently had to try it - so I know it to be so.)

Such rules can go in /etc/rc.local - or the above mentioned firewall.user file (if a firewall rule respectively).

lloowen · March 19, 2021, 6:57pm

No I did this:

#Switch on
00 6 * * * /bin/sed -i '$s/1/0/' /etc/config/firewall && /etc/init.d/firewall restart

#Switch off
59 23 * * * /bin/sed -i '$s/0/1/' /etc/config/firewall && /etc/init.d/firewall restart

The very last line in the /etc/config/firewall file is:

option enable '1'

This current config works, but I'm sure there must be a better more elegant way to do this. I would prefer to use the /etc/firewall.user file, but whatever I do in that file does not work.

lleachii · March 19, 2021, 7:18pm

You can use the UCI command to enable/disable it...unfortunately, I donno the command-line method, though.

@vgaetera, can you help 'em out?

Also, did you try /etc/init.d/firewall reload

pavelgl · March 19, 2021, 7:25pm

Change that rule to

iptables -I FORWARD -s 192.168.1.213/32 -d 0.0.0.0/0 -j DROP

and it will work.

vgaetera · March 20, 2021, 12:00am

You are doing it wrong.

There's the proper way to apply time restrictions and filter established connections.

lloowen · March 20, 2021, 3:34pm

Thanks for the links to the proper way to do this I knew there was a better way to get this done. However when I look at the screen shot as seen from the time restrictions
page, I don't have those time based settings present in my webgui. Perhaps it has something to do with what router one has.
But I like this solution.
My hack is working for the time being, but I'd like to have these parental control options available on my firewall settings.

Thanks again.

vgaetera · March 20, 2021, 6:18pm

Ignore the screenshot, it's obsolete.
Time restrictions should be on the separate tab while editing the rule.
Or, simply run the command-line section below and it should create the rule that you can edit.
It's significantly more reliable than the cron-based hack.

lloowen · March 21, 2021, 9:35am

Is it possible to have different stop and start times, depending on what day of the week it is? I see from the command line option you can choose start and stop for various days of the week, but what if you wanted to have a later stop time on the weekends for example.
I want to have earlier stop times on schooldays, but on the weekend the stop time could be later. This would only apply for one device on the LAN

vgaetera · March 21, 2021, 9:59am

Limit the existing firewall rule to specific week days.
Then add another rule with different week days.
You can use the code snippet from the wiki as an example.