[Firewall] Block OUTGOING traffic from LAN hosts to specific public IP - does not work

czezz · December 23, 2025, 2:41pm

Hi everyone,
Im trying to sort out how to block OUTGOING traffic from my LAN (any LAN host) to specific host on internet.
For this test, Im using: 74.125.29.101 as the host that I want to block traffic to.

I have added this rule to default OpenWRT /etc/config/firewall (at the end of the file in case it matters):

config rule                                                                                   
        option name 'Drop_outgoing_test'
        option family 'ipv4'
        option proto 'all'
        option src '*'
        option dest '*'
        option dest_ip '74.125.29.101'
        option target 'REJECT'

Restarted firewall:

root@OpenWrt:~# /etc/init.d/firewall restart

Test - it looks that the rule did NOT block outgoing traffic from LAN to 74.125.29.101. However, it blocked incoming traffic from 74.125.29.101.

Terminal 1:

root@lanhost1:~# curl 74.125.29.101
curl: (7) Failed to connect to 74.125.29.101 port 80: Connection refused

Terminal 2:

root@lanhost1:~# tcpdump -n host 74.125.29.101
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:21:04.491950 IP 192.168.1.194.44114 > 74.125.29.101.80: Flags [S], seq 1733053839, win 29200, options [mss 1460,sackOK,TS val 848699177 ecr 0,nop,wscale 6], length 0
15:21:04.492739 IP 74.125.29.101.80 > 192.168.1.194.44114: Flags [R.], seq 0, ack 1733053840, win 0, length 0

Questions:

What am I doing wrong here?
How to block OUTGOING traffic to 74.125.29.101 ?

frollic · December 23, 2025, 2:44pm

source lan, destination wan ?

all connections initiated from the wan side are rejected by default, you don't have to create a rule for them.

brada4 · December 23, 2025, 3:22pm

Connection is rejected. All according to your rule...

czezz · December 23, 2025, 4:06pm

The following tcpdump tells me that traffic to 74.125.29.101 (SYN) have escaped.
Then, 74.125.29.101 did respond and only this response is rejected by the FW.

15:21:04.491950 IP 192.168.1.194.44114 > 74.125.29.101.80: Flags [S], seq 1733053839, win 29200, options [mss 1460,sackOK,TS val 848699177 ecr 0,nop,wscale 6], length 0
15:21:04.492739 IP 74.125.29.101.80 > 192.168.1.194.44114: Flags [R.], seq 0, ack 1733053840, win 0, length 0

This is NOT what I want to achieve.
What I want is that (outgoing) traffic to the destination is REJECTED already by my router: 192.168.1.194.44114 > 74.125.29.101.80

psherman · December 23, 2025, 4:12pm

As @frollic stated, it is best to use the source and destination zones.

After that, new connections will be rejected. But existing ones will not be blocked unless you flush the firewall / connection tracking.

czezz · December 23, 2025, 4:23pm

If I get it right, u want me guys to replace my rule with this?
If so, I have already tried that and it worked the same as having ‘*‘. (so didnt really blocked outgoing traffic to 74.125.29.101).

I will give it a go anyway and capture tcpdump (later today)

config rule                                                                                   
        option name 'Drop_outgoing_test'
        option family 'ipv4'
        option proto 'all'
        option src 'lan'
        option dest 'wan'
        option dest_ip '74.125.29.101'
        option target 'REJECT'

psherman · December 23, 2025, 4:34pm

That looks better. Once you've done that, reboot the router to ensure that the entire firewall is loaded fresh with no existing connections.

mk24 · December 23, 2025, 5:39pm

The reject actually came from inside your router. It builds a fake reject packet that appears to be from the remote site. The endpoint PC is expecting to see a response from the remote public IP. It would ignore a packet with a source of the router's IP.

If you were to tcpdump on the router wan, you will see that nothing is actually sent or received from the router to the Internet.

You can also see from the timestamps that the connection was rejected in less than 1 ms. It did not go to the Internet.

brada4 · December 23, 2025, 6:23pm

fw4 by default sends TCP reset for "reject tcp" rules.
REF: https://github.com/openwrt/firewall4/blob/b6e5157527d361f99ad52eaa6da273cb0f2dfd59/root/usr/share/firewall4/templates/ruleset.uc#L197

_bernd · December 23, 2025, 7:00pm

We should point out that this is not Everytime the case.
Like if a router sends you network or host unreachable, that icmp packet comes of course from a router and not with an address of the original target.

mk24 · December 23, 2025, 7:40pm

And the ICMP standard defines a message for "Host administratively prohibited" (i.e. your attempt to reach that host was blocked by this router's firewall) but it is not used in practice.

brada4 · December 23, 2025, 8:23pm

From nftables manual

ICMPVX CODE TYPE

Name Keyword Size Base type

ICMPvX Code icmpv6_type 8 bit integer

The ICMPvX Code type abstraction is a set of values which overlap between ICMP and ICMPv6 Code types to be used from the inet family.

Table 23. keywords may be used when specifying the ICMPvX code

Keyword Value

no-route 0

port-unreachable 1

host-unreachable 2

admin-prohibited 3

not 100% certain but I think ubuntu ufw goes for option 2 in all cases...

wilsonyan · December 23, 2025, 11:36pm

nvm was for another thread

czezz · December 24, 2025, 11:59am

Yes, indeed! Thank you very much @mk24
I applied the rule from my previous post (where option src 'lan' and option dest 'wan' are explicitly defined).

Then by generating traffic, indeed i see no traffic going to 74.125.29.101 via WAN interface.
Instead it is reverted back to 192.168.1.194 host.

root@OpenWrt:~# tcpdump -i any -n host 74.125.29.101
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:46:51.800994 lan4  In  IP 192.168.1.194.44128 > 74.125.29.101.80: Flags [S], seq 1549112665, win 29200, options [mss 1460,sackOK,TS val 856413908 ecr 0,nop,wscale 6], length 0
11:46:51.801015 br-lan In  IP 192.168.1.194.44128 > 74.125.29.101.80: Flags [S], seq 1549112665, win 29200, options [mss 1460,sackOK,TS val 856413908 ecr 0,nop,wscale 6], length 0
11:46:51.801239 br-lan Out IP 74.125.29.101.80 > 192.168.1.194.44128: Flags [R.], seq 0, ack 1549112666, win 0, length 0
11:46:51.801258 lan4  Out IP 74.125.29.101.80 > 192.168.1.194.44128: Flags [R.], seq 0, ack 1, win 0, length 0
11:46:51.801272 eth0  Out IP 74.125.29.101.80 > 192.168.1.194.44128: Flags [R.], seq 0, ack 1, win 0, length 0

Thanks again @mk24
I guess this is built-in functionality in nftables and it is triggered whenever it hits outgoing traffic REJECT rule?

system · January 3, 2026, 12:00pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.

Keyword	Value
no-route	0
port-unreachable	1
host-unreachable	2
admin-prohibited	3