Ethernet administration configuration

I'm looking to have only my Ethernet ports able to configure the router via SSH and LuCI.

Merely guessing due to your lack of details:

Other options include placing the WiFi clients in another Interface/firewall zone.

OK, the wording from "wrtechnopat" is better than mine (THX to him).
In AP mode I want to have only my Ethernet port able to configure the AP via SSH or LuCI.
What is the suggestion?

Huh?

You were given 2 suggestions and a firewall rule in the other thread, that's why I linked it.

Those same 2 suggestions offered to you - I offer to this OP. Lastly, I tested the rule, WiFi still needs to be on its own Interface.

```
iptables -t filter -I INPUT -i wlan0 -p tcp --dport 80 -j DROP
```

[Screenshot from 2019-12-13 14-43-19]

[Screenshot from 2019-12-13 14-43-53]

OK, most probably I'm still doing something wrong.
I realized, looking at your screen capture, that you left the bridge wlan0/lan active => this resolves my IP allocation issue when setting up a new interface for wlan0.

Now I have a new interface for wlan0, named wifitest, protocol static IP.
The lan (eth0.1) is still bridged to wlan0.
See the network config below:

```
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcb:6afe:cb13::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.66.56'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '20:28:18:a1:5f:da'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '20:28:18:a1:5f:db'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'wifitest'
	option proto 'static'
	option ipaddr '192.168.66.253'
	option netmask '255.255.255.0'
```

I have added your custom firewall rule; see the /etc/firewall.user listing:

```
root@OpenWrt:~# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

iptables -t filter -I INPUT -i wlan0 -p tcp --dport 80 -j DROP
```

Restarting the firewall or rebooting does not change the behaviour => still able to connect to the router using WiFi.

I have listed the iptables rules without being able to identify the custom rule (inserted or not?); see below:

```
root@OpenWrt:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (3 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (2 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (2 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (2 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */
```

Any idea about why it doesn't work as expected?

  • You should properly use codeboxes to post output

[Screenshot from 2019-12-14 00-50-50]

  • You should consider using your own thread, and not hijacking another's

Not accurate.

Yes, I did leave LAN as is. I left the default WiFi disabled and set up a second one (you could also separate the default, etc. - if you want to confuse yourself further). I named that Interface wifi_test, and assigned it to the LAN firewall zone. It only consists of wlan0; and the rule works.
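As an added example (not from the thread or from OpenWrt's own tooling), a POSIX sh audit of the two conditions these posts turn on: whether the custom DROP rule actually sits at the top of INPUT, and whether wlan0 is still a member of br-lan, in which case `-i wlan0` never matches because the kernel reports the bridge as the ingress interface. It also checks port 22 alongside port 80, since the question covers SSH as well as LuCI; the `iptables -S` and bridge-port samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Offline audit of the two conditions the
# discussion turns on: (1) the wlan0 DROP rule sits in INPUT before any ACCEPT or
# zone jump; (2) wlan0 is not a br-lan port, because bridged traffic reaches INPUT
# with '-i br-lan', so '-i wlan0' never matches. On the router, feed it
# "$(iptables -S INPUT)" and "$(ls /sys/class/net/br-lan/brif)" instead.
# Constructed sample: fw3's INPUT after the thread's rule, wlan0 still bridged.
SAMPLE_INPUT_RULES='-P INPUT ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input'
SAMPLE_BRIDGE_PORTS='eth0.1
wlan0'
# drop_rule_precedes_accept RULES PORT: succeeds if "-i wlan0 ... --dport PORT -j
# DROP" appears in INPUT before the first ACCEPT or zone_* jump.
drop_rule_precedes_accept() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-A INPUT/ && /-i wlan0/ && $0 ~ ("--dport " port " ") && /-j DROP$/ { found = 1; exit }
        /^-A INPUT/ && (/-j ACCEPT$/ || /-j zone_/) { exit }
        END { exit found ? 0 : 1 }'
}
# wlan0_is_bridged BRIDGE_PORTS: succeeds if wlan0 is listed as a br-lan port.
wlan0_is_bridged() {
    printf '%s\n' "$1" | grep -qx 'wlan0'
}
# audit_wifi_mgmt_block RULES BRIDGE_PORTS: prints findings; succeeds only when
# SSH (22) and LuCI (80) are both dropped early and wlan0 is unbridged.
audit_wifi_mgmt_block() {
    rc=0
    for port in 22 80; do
        if drop_rule_precedes_accept "$1" "$port"; then
            echo "ok: INPUT drops wlan0 -> tcp/$port before any ACCEPT"
        else
            echo "missing: no early wlan0 DROP for tcp/$port in INPUT"; rc=1
        fi
    done
    if wlan0_is_bridged "$2"; then
        echo "problem: wlan0 is a br-lan port, '-i wlan0' will not match its traffic"; rc=1
    else
        echo "ok: wlan0 is not bridged into br-lan"
    fi
    return $rc
}
# Sample run (prints FAIL: port 22 is not covered and wlan0 is still bridged).
if audit_wifi_mgmt_block "$SAMPLE_INPUT_RULES" "$SAMPLE_BRIDGE_PORTS"; then
    echo "PASS"
else
    echo "FAIL"
fi
```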

:man_facepalming:

Yep.