Custom rules from 21.02 to 22.03

My router in a virtual machine x86 is still on 21.02.

I want to move it to 22.03 and when I created another vm x86 with 22.03 to see the differences I noticed that the custom rules tab in the firewall section is gone.

In my 21.02 vm I have this custom rule:

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to x.x.x.253:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to x.x.x.253:53
iptables -t nat -I PREROUTING -i br-lan -p tcp -s x.x.x.253 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s x.x.x.253 --dport 53 -j ACCEPT

How do I translate this to fw4/22.03?

Thank you.

Change your iptables calls to iptables-translate on some machine that has that package installed (maybe already on your router) and see what it generates. You'll also need to look at the new rule structure and chain names to see where they go.

As far as I can tell, it should look something like this:

nft add rule inet fw4 srcnat counter masquerade

nft add rule inet fw4 dstnat iifname "br-lan" tcp dport 53 counter dnat to x.x.x.253:53
nft add rule inet fw4 dstnat iifname "br-lan" udp dport 53 counter dnat to x.x.x.253:53

# the iptables ACCEPT rules were in PREROUTING and inserted at the top (-I), so they go in dstnat ahead of the dnat rules: insert, not add
nft insert rule inet fw4 dstnat iifname "br-lan" ip saddr x.x.x.253 tcp dport 53 counter accept
nft insert rule inet fw4 dstnat iifname "br-lan" ip saddr x.x.x.253 udp dport 53 counter accept

You can use nft list ruleset to view the whole collection as it currently exists. You can view just a single chain using nft list chain inet fw4 dstnat, plus you could just execute any of the above commands and then immediately list its chain to see its effect.

Other stuff that might be handy:

  1. Adding -a, as in nft -a list blah blah, shows the "handle" of each rule
  2. nft delete rule inet fw4 dstnat handle NNN removes the rule from that chain
  3. Handles are dynamic, so every time you create one it's incremented and never reused until you restart the firewall from scratch (fw4 restart).

BTW, I see no reason for these custom rules. They could be reduced/converted to UCI format - then there'll be no need to translate. These rules seem fairly basic.


@lleachii
I'm sure these rules are basic. I am not the greatest firewall person. However, these are the only rules I have in my current custom rules tab, which force all clients to use my pihole for DNS.

I am just trying to figure out how to get the same results in 22.03.

Correct, I was suggesting placing the rules into the UCI-standard file /etc/config/firewall.

To do so - I suggested translating into UCI instead of raw nft.

This leads me to believe you have an interface unassigned to a Zone in the firewall. Zones that need masquerade can be set with a simple check on the web GUI. This is just one example. Seeing that file would be helpful.

config redirect
        option target 'DNAT'
        option src 'lan'
        # proto takes a space-separated list; a second "option proto" line would only override the first
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option name 'xxxxx'
        option dest_ip 'x.x.x.253'

📝 The 3 remaining rules: TCP, UDP then specifying the SRC - are all repetitious and redundant. Regarding the last 2 input from SRC rules - an input allow rule on the correct zone would allow this traffic.


So I managed to consolidate my iptables rules down to two. After translating to nftables they look like this now:

nft add rule ip nat PREROUTING iifname "wan" ip saddr != 192.168.1.253 ip daddr != 192.168.1.253 udp dport 53 counter dnat to 192.168.1.253
nft add rule ip nat PREROUTING iifname "wan" ip saddr != 192.168.1.253 ip daddr != 192.168.1.253 tcp dport 53 counter dnat to 192.168.1.253

When I try to enter one of those lines via the openwrt cli I get "Error: Could not process rule: No such file or directory".

I am unsure how to proceed from this.

The rules can't be reduced to UCI?

They probably could be reduced to uci but since I use linux in other areas it would benefit me more to learn nftables so that I can apply it to other systems.

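As an added example (not from the thread, and not OpenWrt's own default config), this is what the consolidated rules from the post above look like when written into /etc/config/firewall instead of raw nft, covering both the redirect suggested earlier and the src/dst exclusions in the translated lines. It assumes the Pi-hole is 192.168.1.253 in the 'lan' zone (the address used in those lines) and that the '!' negation on src_ip and src_dip behaves as it does in fw3.

```uci
# Added example, not from the thread. Assumptions: Pi-hole at 192.168.1.253,
# sitting in the 'lan' zone; clients are in the same zone.

# DNAT every DNS query from the lan zone to the Pi-hole, except
#   - queries the Pi-hole itself sends upstream (src_ip), and
#   - queries that are already addressed to the Pi-hole (src_dip).
config redirect
	option name 'Force LAN DNS to Pi-hole'
	option target 'DNAT'
	option src 'lan'
	option src_ip '!192.168.1.253'
	option src_dip '!192.168.1.253'
	option src_dport '53'
	option proto 'tcp udp'
	option dest 'lan'
	option dest_ip '192.168.1.253'
	option dest_port '53'

# Source NAT for the redirected traffic only. Without it the Pi-hole, being on
# the same segment as the client, answers the client directly with its own
# address as source, and the client discards a reply that did not come from
# the resolver it asked. This is what the blanket MASQUERADE rule in the first
# post was doing; here it is scoped to DNS traffic bound for the Pi-hole.
config nat
	option name 'SNAT redirected DNS'
	option target 'MASQUERADE'
	option src 'lan'
	option dest_ip '192.168.1.253'
	option dest_port '53'
	option proto 'tcp udp'
```

After `/etc/init.d/firewall restart`, `nft list chain inet fw4 dstnat_lan` and `nft list chain inet fw4 srcnat_lan` show the rules fw4 generated from these two sections, which is the quickest way to compare them with a hand-written nft rule. The price of the SNAT is that the Pi-hole sees every hijacked query as coming from the router's LAN address, so per-client statistics are lost for those queries; clients that already point at the Pi-hole are excluded by src_dip and keep their own address.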

I have since reverted my owrt 22.03 installation to iptables just to get a working router stood up and have the dns hijack rules work.

On the side I have also stood up a virtual network to further work on figuring out the nftables rules to make dns hijacking work.

For now the nftable rules in owrt for dns hijacking (at least the way I would like to have it work) is on the backburner.
