Firewall not working at all

It seems the firewall is allowing everything, no matter what I try. I want to block web admin access (HTTP, HTTPS, and SSH — if dropbear is set to listen on WAN) from the internet: allow only 8.8.8.8 and deny everything else (yes, that should be the implicit default, I added explicit DROP rules just to be sure). I can still connect over HTTP and SSH from the internet. The firewall service itself seems to be running fine.

root@OpenWrt:~# /etc/init.d/firewall status
active with no instances

I have tried reloading, restarting, etc. The rules are in place (the allowed source address is redacted, see below):

# Admin-access rules for the wan zone, one ACCEPT/DROP pair per port.
# Each ACCEPT is limited to a single source address (8.8.8.8 is a placeholder
# for the real remote address, per the thread) and is followed by an
# unconditional DROP for the same port, so only that one address can reach
# the service.
#
# NOTE(review): none of these rules sets 'option proto', so fw4 generates both
# a tcp and a udp variant of every rule (see the "udp dport 80/443/22" lines in
# the nft ruleset pasted later in this thread). HTTP, HTTPS and SSH as served
# here are TCP; 'option proto tcp' would make the rules match only what is
# intended.
#
# NOTE(review): src='wan' rules live in chain input_wan, which is only reached
# for packets that are NOT first claimed by another zone containing the same
# device. In the uci output below the lan zone's network list also contains
# 'wan', so traffic from the wan device is accepted by the lan zone before
# these rules are ever consulted (all input_wan counters are 0).
config rule
        option name 'mAdministrace'
        option src 'wan'
        option dest_port '80'
        option target 'ACCEPT'
        list src_ip '8.8.8.8'

# Unconditional DROP for port 80 from wan. With the wan zone's input policy
# set to REJECT this is only needed if a silent drop is preferred over a reject.
config rule
        option name 'mAdministraceDeny'
        option src 'wan'
        option dest_port '80'
        option target 'DROP'

config rule
        option name 'mAdminHTTPS'
        option src 'wan'
        option dest_port '443'
        option target 'ACCEPT'
        list src_ip '8.8.8.8'

# Port 443 (HTTPS) deny; the name says "HTTP" but the rule is for 443.
config rule
        option name 'mAdminHTTPdeny'
        option src 'wan'
        option dest_port '443'
        option target 'DROP'

config rule
        option name 'mSSHallow'
        option src 'wan'
        option dest_port '22'
        option target 'ACCEPT'
        list src_ip '8.8.8.8'

config rule
        option name 'mSSHdeny'
        option src 'wan'
        option dest_port '22'
        option target 'DROP'

What else can I try?

I assume you tested access from another host on the internet? When you try to reach the WAN IP from inside the LAN, the LAN zone's policies (allow all) apply, not the WAN zone's.


Yes, I am not on the LAN; I am sitting in my office trying to figure out how to stop attackers from reaching my home router.

Please provide the complete output of `nft list ruleset` and `uci show firewall`. The excerpts you posted look fine (apart from the fact that `src_ip 8.8.8.8` is never going to match unless you are connecting from Google's nameserver).

Thanks. Yes, I redacted the external IP I want to allow and replaced it with Google's nameserver address.

nft list ruleset
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname { "eth0", "br-lan" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname { "eth0", "br-lan" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname { "eth0", "br-lan" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "eth0" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname { "eth0", "br-lan" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname { "eth0", "br-lan" } counter packets 3795 bytes 235256 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname { "eth0", "br-lan" } counter packets 4743 bytes 872445 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                ip saddr 8.8.8.8 tcp dport 80 counter packets 0 bytes 0 accept comment "!fw4: mAdministrace"
                ip saddr 8.8.8.8 udp dport 80 counter packets 0 bytes 0 accept comment "!fw4: mAdministrace"
                tcp dport 80 counter packets 0 bytes 0 drop comment "!fw4: mAdministraceDeny"
                udp dport 80 counter packets 0 bytes 0 drop comment "!fw4: mAdministraceDeny"
                ip saddr 8.8.8.8 tcp dport 443 counter packets 0 bytes 0 accept comment "!fw4: mAdminHTTPS"
                ip saddr 8.8.8.8 udp dport 443 counter packets 0 bytes 0 accept comment "!fw4: mAdminHTTPS"
                tcp dport 443 counter packets 0 bytes 0 drop comment "!fw4: mAdminHTTPdeny"
                udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: mAdminHTTPdeny"
                ip saddr 8.8.8.8 tcp dport 22 counter packets 0 bytes 0 accept comment "!fw4: mSSHallow"
                ip saddr 8.8.8.8 udp dport 22 counter packets 0 bytes 0 accept comment "!fw4: mSSHallow"
                tcp dport 22 counter packets 0 bytes 0 drop comment "!fw4: mSSHdeny"
                udp dport 22 counter packets 0 bytes 0 drop comment "!fw4: mSSHdeny"
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump reject_to_wan
        }

        chain accept_to_wan {
                oifname "eth0" counter packets 0 bytes 0 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "eth0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "eth0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                iifname { "eth0", "br-lan" } jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
                iifname "eth0" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname { "eth0", "br-lan" } jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
                oifname "eth0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        }

        chain dstnat_lan {
                meta nfproto ipv4 tcp dport 53 counter packets 26 bytes 1352 dnat ip to 192.168.1.1:53 comment "!fw4: family-dns redirect for lan zone"
                meta nfproto ipv4 udp dport 53 counter packets 615 bytes 44341 dnat ip to 192.168.1.1:53 comment "!fw4: family-dns redirect for lan zone"
                ip saddr { 109.109.109.109/24, 192.168.1.0/24 } ip daddr 109.239.67.58 tcp dport 4500 dnat ip to 192.168.1.145:4500 comment "!fw4: mVPN (reflection)"
                ip saddr { 109.109.109.109/24, 192.168.1.0/24 } ip daddr 109.239.67.58 udp dport 4500 dnat ip to 192.168.1.145:4500 comment "!fw4: mVPN (reflection)"
                ip saddr { 109.109.109.109/24, 192.168.1.0/24 } ip daddr 109.239.67.58 tcp dport 500 dnat ip to 192.168.1.145:500 comment "!fw4: mVPN2 (reflection)"
                ip saddr { 109.109.109.109/24, 192.168.1.0/24 } ip daddr 109.239.67.58 udp dport 500 dnat ip to 192.168.1.145:500 comment "!fw4: mVPN2 (reflection)"
        }

        chain srcnat_lan {
                ip saddr { 109.109.109.109/24, 192.168.1.0/24 } ip daddr 192.168.1.145 tcp dport 4500 snat ip to 192.168.1.1 comment "!fw4: mVPN (reflection)"
                ip saddr { 109.109.109.109/24, 192.168.1.0/24 } ip daddr 192.168.1.145 udp dport 4500 snat ip to 192.168.1.1 comment "!fw4: mVPN (reflection)"
                ip saddr { 109.109.109.109/24, 192.168.1.0/24 } ip daddr 192.168.1.145 tcp dport 500 snat ip to 192.168.1.1 comment "!fw4: mVPN2 (reflection)"
                ip saddr { 109.109.109.109/24, 192.168.1.0/24 } ip daddr 192.168.1.145 udp dport 500 snat ip to 192.168.1.1 comment "!fw4: mVPN2 (reflection)"
        }

        chain dstnat_wan {
                meta nfproto ipv4 tcp dport 4500 counter packets 0 bytes 0 dnat ip to 192.168.1.145:4500 comment "!fw4: mVPN"
                meta nfproto ipv4 udp dport 4500 counter packets 0 bytes 0 dnat ip to 192.168.1.145:4500 comment "!fw4: mVPN"
                meta nfproto ipv4 tcp dport 500 counter packets 0 bytes 0 dnat ip to 192.168.1.145:500 comment "!fw4: mVPN2"
                meta nfproto ipv4 udp dport 500 counter packets 0 bytes 0 dnat ip to 192.168.1.145:500 comment "!fw4: mVPN2"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }
}

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan' 'wan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.family_dns_lan=redirect
firewall.family_dns_lan.proto='tcp' 'udp'
firewall.family_dns_lan.src_dport='53'
firewall.family_dns_lan.dest_ip='192.168.1.1'
firewall.family_dns_lan.target='DNAT'
firewall.family_dns_lan.src='lan'
firewall.family_dns_lan.dest='lan'
firewall.family_dns_lan.name='family-dns redirect for lan zone'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='mVPN'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='4500'
firewall.@redirect[1].dest_ip='192.168.1.145'
firewall.@redirect[1].dest_port='4500'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='mVPN2'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='500'
firewall.@redirect[2].dest_ip='192.168.1.145'
firewall.@redirect[2].dest_port='500'
firewall.@rule[7]=rule
firewall.@rule[7].name='mAdministrace'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest_port='80'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].src_ip='8.8.8.8'
firewall.@rule[8]=rule
firewall.@rule[8].name='mAdministraceDeny'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest_port='80'
firewall.@rule[8].target='DROP'
firewall.@rule[9]=rule
firewall.@rule[9].name='mAdminHTTPS'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='443'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].src_ip='8.8.8.8'
firewall.@rule[10]=rule
firewall.@rule[10].name='mAdminHTTPdeny'
firewall.@rule[10].src='wan'
firewall.@rule[10].dest_port='443'
firewall.@rule[10].target='DROP'
firewall.@rule[11]=rule
firewall.@rule[11].name='mSSHallow'
firewall.@rule[11].src='wan'
firewall.@rule[11].dest_port='22'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src_ip='8.8.8.8'
firewall.@rule[12]=rule
firewall.@rule[12].name='mSSHdeny'
firewall.@rule[12].src='wan'
firewall.@rule[12].dest_port='22'
firewall.@rule[12].target='DROP'

You have also attached the wan interface to the lan zone (`firewall.@zone[0].network='lan' 'wan'`), which allows all traffic from wan. You can see the effect in the ruleset: the lan zone's interface set is `{ "eth0", "br-lan" }`, the `input` chain jumps to `input_lan` before `input_wan`, and `accept_from_lan` accepts everything arriving on eth0 — so `input_wan` and your port 80/443/22 rules are never reached (every counter in `input_wan` is 0 while `accept_from_lan` shows traffic). Remove wan from the lan zone and rebuild the ruleset:

```
uci del_list firewall.@zone[0].network='wan'
uci commit firewall
/etc/init.d/firewall restart
```

Afterwards `nft list chain inet fw4 input` should show the lan jump matching only `br-lan`, and your wan rules will start to count packets. Note that once the zone is fixed, the wan zone's input policy is already REJECT, so the extra DROP rules are only useful if you prefer a silent drop; also, since the rules set no `proto`, they currently match both TCP and UDP. Re-test from an outside host that 80, 443 and 22 no longer answer — the port forwards for 500/4500 to 192.168.1.145 remain exposed by design.


That was it! Thanks a lot! <3
