Hello community,
Should I set up the firewall rules on the WAN zone, which gets the eth1.2 interface, or on the LAN zone, which gets the br-lan interface?
AFAIK OpenWrt does the abstraction of the interfaces, but I want to work with IPTABLES.
I am confused about the difference between setting the rules on the WAN zone and on the LAN zone.
"Zones" are a good abstraction for firewall rules that allow people to think about "traffic from (or to) what's plugged into my WAN" (or "LAN", or ...). The base rules that implement this abstraction are pretty tightly woven in, so sticking with that abstraction is a good idea for even expert users (unless they're going to completely rewrite all the rules and not use UCI/LuCI to manage their firewall).
You can use iptables rules within the framework established by the default OpenWrt install.
Yes, the script will be under /etc/firewall.user in IPTABLES format.
Do I have to add the shebang in the firewall.user file: #!/bin/sh ?
If I use the fw3 rules by default, I imagine I won't have to specify the interfaces like "eth1.2" or "br-lan" if there is already "input_wan_rule" or "input_lan_rule"?
I want to set up a drop policy by default and open a few ports.
Okay, thank you.
I used the firewall.user and the rules were added to the present rules. Is it okay to flush everything at the beginning of the firewall.user script?
And so if I use the UCI, should I REJECT on the WAN zone or on the LAN zone to block everything by default ?
What rules should I add to not be locked out (I use a computer to connect to the router through SSH) ?
No, you'll wipe most of the other firewall setup by fw3.
We don't know what your intentions are, so no clue how you should block. FYI, OpenWrt sets up WAN INPUT to block by default anyways. I'm truly confused why you want to block everything on LAN.
Input to LAN is permitted by default, so you shouldn't need rules (unless you change or remove them). Then you would have to allow things like DNS, DHCP, etc.
I really think you should try to understand the UCI firewall, instead of piecemeal iptables rules.
I think you should use the Firewall page on the LuCI web GUI if you're having difficulty
I tried with the UCI firewall but I don't know on which zone I have to reject everything : WAN or LAN ?
I tried to use the LuCI web GUI also but still don't understand about WAN and LAN.
I want to block everything and ACCEPT only few ports and domains (I will use IPSET for this I think)
In IPTABLES I see the input_rule, is it a chain I have to create because I can't see it anywhere in the default rules ?
LOL...I've told you twice, we don't know what you're trying to block, so no clue what it means to "reject everything." Perhaps you don't clearly understand what "reject everything" means on a Linux device.
WARNING, THIS WILL REJECT EVERYTHING - once applied you will lose connection to your OpenWrt device:
```
# in /etc/config/firewall
config rule
	option name 'Block-Everything'
	option src '*'
	option proto 'all'
	option family 'any'
	option target 'REJECT'
```
The domains may be difficult...I also don't know why you want access to other DNS servers if you're blocking so much...
In this case, it seems you want to REJECT FORWARDING from LAN to WAN, except for the above. This will be separate from blocking clients' access to the LAN side of the router and blocking from WAN to the router (probably where your zone confusion is coming from).
Remove rule allowing forward from LAN to WAN
Add rules allowing forward to the listed ports
Simply edit the rule I posted above - so it blocks from SRC LAN to DST WAN
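The three steps above, written out as an added example (this is not the poster's or the OpenWrt project's own code): a small POSIX shell script that emits a `uci batch` that deletes the default lan->wan forwarding section and adds rules allowing forwarding only to listed destination ports. The port lists are constructed sample values, the zone names `lan`/`wan` are the stock OpenWrt names, and the assumption that the lan->wan forwarding is `firewall.@forwarding[0]` only holds for an unmodified `/etc/config/firewall`. The WAN INPUT (REJECT) and LAN INPUT (ACCEPT) zone policies are deliberately left alone, which is why an SSH session from the LAN side survives the change.

```shell
#!/bin/sh
# Added example, not from the thread: generate a `uci batch` that rejects
# LAN->WAN forwarding by default and allows only explicit destination ports.
# Run without arguments to print the batch; run with "apply" on the router
# (from an SSH session on the LAN side) to feed it to uci and reload fw3.

# Constructed sample allow-lists. fw3 accepts a space-separated list of
# ports (or ranges) in dest_port, so one rule per protocol is enough.
ALLOWED_TCP_PORTS="53 80 443"
ALLOWED_UDP_PORTS="53 123"

# Assumption: in a stock config the only forwarding section is lan->wan,
# so it is firewall.@forwarding[0]. On a modified config, verify with
# `uci show firewall | grep forwarding` before applying.
LAN_TO_WAN_FORWARDING="firewall.@forwarding[0]"

# emit_allow_rule NAME PROTO "PORTS": print one rule section that allows
# lan->wan forwarding to the given destination ports.
emit_allow_rule() {
    name=$1; proto=$2; ports=$3
    echo "add firewall rule"
    echo "set firewall.@rule[-1].name='$name'"
    echo "set firewall.@rule[-1].src='lan'"
    echo "set firewall.@rule[-1].dest='wan'"
    echo "set firewall.@rule[-1].proto='$proto'"
    echo "set firewall.@rule[-1].dest_port='$ports'"
    echo "set firewall.@rule[-1].target='ACCEPT'"
}

# gen_uci_batch: print the whole batch. Once the lan->wan forwarding section
# is gone, LAN->WAN traffic that matches none of the explicit rules falls
# through to the global forward policy (REJECT in the stock defaults section).
gen_uci_batch() {
    echo "delete $LAN_TO_WAN_FORWARDING"
    emit_allow_rule "Allow-LAN-to-WAN-tcp" tcp "$ALLOWED_TCP_PORTS"
    emit_allow_rule "Allow-LAN-to-WAN-udp" udp "$ALLOWED_UDP_PORTS"
}

# apply_policy: feed the batch to uci, commit, and reload the firewall.
# Zone INPUT policies are untouched, so an SSH session from the LAN stays up.
apply_policy() {
    gen_uci_batch | uci batch \
        && uci commit firewall \
        && /etc/init.d/firewall reload
}

case "${1:-show}" in
    apply) apply_policy ;;
    *)     gen_uci_batch ;;   # default: only print what would be applied
esac
```

Printing first and applying second is the safe order here: `uci show firewall` after the batch but before `uci commit firewall` lets you confirm that only the forwarding section was removed and that the new rules carry `src='lan'` and `dest='wan'`, rather than the catch-all `src='*'` of the lock-out rule posted above.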
It's probably a point I misunderstand, could you explain your idea in more detail? Is there a method to put the URL directly and then the firewall will reload it to see if the addresses have changed, or do I have to find every address for each URL and use an IPSET configuration?
If I reject the access from the WAN zone to the LAN zone, will I still have access to the router through SSH (in case I don't make a rule that accepts it)?