Firewall problem in LEDE

Hello,
I have a little problem with the LEDE 17.01.4 r3560 firewall.
I want to cut off internet access for some MAC addresses at specific times.
I created a file cronfw.sh containing:

#!/bin/sh
# Insert rule for forwarding established connection traffic, just before the final rule (reject).
# Take the whole first column, not just its first character, so rule numbers of 10 and above work.
new_rule_num=$(iptables -v -L FORWARD --line-numbers | grep reject | cut -d ' ' -f 1)
iptables -I FORWARD "$new_rule_num" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Delete the first (old) rule for forwarding established connection traffic
old_rule_num=$(iptables -v -L FORWARD --line-numbers | grep ESTABLISHED | cut -d ' ' -f 1 | sed -n 1p)
iptables -D FORWARD "$old_rule_num"

I installed the file cronfw.sh in /etc/ with scp.

I added to the scheduled tasks: */5 * * * * * * /etc/cronfw.sh

Then I created my rules.

It works, but not completely:
internet access is allowed at the right time and cut off at the right time, but current connections are not.
Let me explain: if a new request is made after the cut-off time it is blocked, but a connection already in progress (a download, streaming, a game session, etc.) is not cut.
I am forced to restart the firewall in LEDE under System / Startup.

My starting point is https://openwrt.org/docs/guide-user/firewall/parental-controls

Does anyone have a solution?

Translated with www.DeepL.com/Translator

You can use the conntrack program (in the package of the same name) if you want to delete an existing connection.

You can use cron to handle the blocking and unblocking timing, with something simple like:

To block:

iptables -I forwarding_rule -p all -m mac --mac-source <mac-address> -j REJECT
ip6tables -I forwarding_rule -p all -m mac --mac-source <mac-address> -j REJECT

To unblock:

iptables -D forwarding_rule -p all -m mac --mac-source <mac-address> -j REJECT
ip6tables -D forwarding_rule -p all -m mac --mac-source <mac-address> -j REJECT
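
Putting the two halves of that reply together, as an added example (my own script, not code from the thread or from the OpenWrt/LEDE project): block or unblock one client by MAC in forwarding_rule, and on block also delete that client's conntrack entries so flows that are already ESTABLISHED stop immediately. conntrack cannot filter by MAC, so the script assumes the client's current addresses can be read from the router's neighbour table (`ip neigh show`) and that the conntrack-tools binary is installed; all function names and the sample neighbour table are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt/LEDE.
# Usage: cronfw.sh block|unblock <mac-address>   (run as root)

# Print every address whose neighbour-table entry ($1 = `ip neigh show`
# output) carries lladdr $2. conntrack is keyed by IP, not MAC, so this is
# the bridge between the MAC in the firewall rule and the flows to kill.
ips_for_mac() {
    printf '%s\n' "$1" | awk -v mac="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            for (i = 2; i < NF; i++)
                if ($i == "lladdr" && tolower($(i + 1)) == mac) { print $1; break }
        }'
}

# Value for conntrack's -f (address family) option for an address.
conntrack_family() {
    case $1 in
        *:*) echo ipv6 ;;
        *)   echo ipv4 ;;
    esac
}

# Delete the tracked flows the client started and the ones addressed to it.
# conntrack exits non-zero when nothing matched; that is not an error here.
flush_client_flows() {
    fam=$(conntrack_family "$1")
    conntrack -D -f "$fam" --orig-src "$1" >/dev/null 2>&1 || true
    conntrack -D -f "$fam" --orig-dst "$1" >/dev/null 2>&1 || true
}

# Add or remove the REJECT for MAC $2 in both iptables and ip6tables.
# -C checks first, so a cron job that fires twice does not stack duplicates,
# and unblock removes every copy that may exist.
set_mac_rule() {
    for ipt in iptables ip6tables; do
        if [ "$1" = add ]; then
            "$ipt" -C forwarding_rule -m mac --mac-source "$2" -j REJECT 2>/dev/null \
                || "$ipt" -I forwarding_rule -m mac --mac-source "$2" -j REJECT
        else
            while "$ipt" -C forwarding_rule -m mac --mac-source "$2" -j REJECT 2>/dev/null; do
                "$ipt" -D forwarding_rule -m mac --mac-source "$2" -j REJECT
            done
        fi
    done
}

main() {
    case $1 in
        block)
            set_mac_rule add "$2"
            # The rule only stops new packets from being forwarded; the
            # conntrack flush is what ends downloads/streams already running.
            for ip in $(ips_for_mac "$(ip neigh show)" "$2"); do
                flush_client_flows "$ip"
            done
            ;;
        unblock)
            set_mac_rule del "$2"
            ;;
        *)
            echo "usage: $0 block|unblock <mac-address>" >&2
            return 2
            ;;
    esac
}

# Constructed sample neighbour table (not captured from a real router),
# kept only to show what ips_for_mac returns.
SAMPLE_NEIGH='192.168.1.23 dev br-lan lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.50 dev br-lan lladdr 11:22:33:44:55:66 STALE
fd00::1234 dev br-lan lladdr aa:bb:cc:dd:ee:ff router STALE
192.168.1.77 dev br-lan  FAILED'
# ips_for_mac "$SAMPLE_NEIGH" AA:BB:CC:DD:EE:FF  ->  192.168.1.23 and fd00::1234

case ${1:-} in
    block|unblock) main "$@" ;;
esac
```

With this in /etc/cronfw.sh, two crontab lines cover the schedule, for example `0 21 * * * /etc/cronfw.sh block aa:bb:cc:dd:ee:ff` and `0 7 * * * /etc/cronfw.sh unblock aa:bb:cc:dd:ee:ff`. A host that is idle long enough to drop out of the neighbour table has no flows worth flushing, so an empty lookup is harmless; check `conntrack -L --orig-src <ip>` afterwards if a session still survives.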

Hi, I realise there has been no traffic here for some time. I was following the instructions on https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls and couldn't get it to work. It turns out that this was because I had set drop_invalid to 1 in my /etc/config/firewall rules, which created an additional line that also needs to be moved.

I therefore added the following to the script. Can the page be updated, please?

# Only needed when fw3 added the "ctstate INVALID" drop (drop_invalid=1)
check=$(iptables -v -L FORWARD --line-numbers | grep INVALID | wc -l)
if [ "$check" -gt 0 ]; then
  # Insert a copy of the INVALID drop just before the final reject rule
  rule_del=$(iptables -v -L FORWARD --line-numbers | grep reject | cut -d ' ' -f 1)
  iptables -I FORWARD "$rule_del" -m conntrack --ctstate INVALID -j DROP
  # Then delete the original (first) INVALID rule
  rule_del=$(iptables -v -L FORWARD --line-numbers | grep INVALID | cut -d ' ' -f 1 | sed -n 1p)
  iptables -D FORWARD "$rule_del"
  # Get rid of any duplicate INVALID rules (these seem to be caused when restarting the firewall)
  count=$(iptables -v -L FORWARD --line-numbers | grep INVALID | wc -l)
  while [ "$count" -gt 1 ]; do
      rule_num=$(iptables -v -L FORWARD --line-numbers | grep INVALID | cut -d ' ' -f 1 | sed -n 1p)
      iptables -D FORWARD "$rule_num"
      count=$(iptables -v -L FORWARD --line-numbers | grep INVALID | wc -l)
  done
fi

Thank you.

Donald
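
The two fragments in this thread (the original cronfw.sh and the drop_invalid addition above) repeat the same "move this rule to just above the final reject" step by hand. As an added example, my own code rather than the wiki's or the poster's, here is that step as one reusable function that reads the whole first column of the listing (so rule numbers of 10 and above work), handles the optional "ctstate INVALID" drop, removes the duplicate copies a firewall restart leaves behind, and does nothing when the chain is already in the wanted shape, so running it from cron every five minutes no longer churns the chain. Function names and the two sample listings are this example's own assumptions; the listings imitate the layout of `iptables -v -L FORWARD --line-numbers` and are constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenWrt wiki.
# Usage: move_rules.sh apply   (run as root, e.g. from cron)

# Number of the first FORWARD rule whose line matches regex $2 in listing $1
# (the output of `iptables -v -L FORWARD --line-numbers`). Header lines are
# skipped because their first field is not a number.
rule_num() {
    printf '%s\n' "$1" | awk -v re="$2" '$1 ~ /^[0-9]+$/ && $0 ~ re { print $1; exit }'
}

# How many rules in listing $1 match regex $2.
rule_count() {
    printf '%s\n' "$1" | awk -v re="$2" '$1 ~ /^[0-9]+$/ && $0 ~ re { n++ } END { print n + 0 }'
}

# The full listing line of rule number $2.
rule_at() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print; exit }'
}

# True when exactly one rule matches $2 and it sits $3 positions above the
# final reject (offset 1 = directly above it).
in_place() {
    reject=$(rule_num "$1" ' reject ')
    if [ -z "$reject" ] || [ "$(rule_count "$1" "$2")" -ne 1 ]; then
        return 1
    fi
    rule_at "$1" $((reject - $3)) | grep -q -- "$2"
}

# Put rule "$@" (iptables match/target arguments), identified in listings by
# regex $1, at offset $2 above the reject, unless it is already there.
place_above_reject() {
    re=$1; off=$2; shift 2
    listing=$(iptables -v -L FORWARD --line-numbers)
    if in_place "$listing" "$re" "$off"; then
        return 0
    fi
    reject=$(rule_num "$listing" ' reject ')
    if [ -z "$reject" ]; then
        echo "FORWARD has no final reject rule; refusing to touch it" >&2
        return 1
    fi
    # Inserting at the reject's number puts the new copy directly above it;
    # every older copy is an earlier match, so delete first matches until
    # one remains.
    iptables -I FORWARD "$reject" "$@"
    listing=$(iptables -v -L FORWARD --line-numbers)
    while [ "$(rule_count "$listing" "$re")" -gt 1 ]; do
        iptables -D FORWARD "$(rule_num "$listing" "$re")"
        listing=$(iptables -v -L FORWARD --line-numbers)
    done
}

main() {
    listing=$(iptables -v -L FORWARD --line-numbers)
    if [ "$(rule_count "$listing" INVALID)" -gt 0 ]; then
        # Wanted tail of the chain: ESTABLISHED accept, INVALID drop, reject
        place_above_reject ESTABLISHED 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        place_above_reject INVALID 1 -m conntrack --ctstate INVALID -j DROP
    else
        place_above_reject ESTABLISHED 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fi
}

# Constructed listings (not captured from a real router). The first is the
# "before" state with drop_invalid=1 and a duplicate INVALID rule left by a
# restart; its two-digit reject number is what `cut -c1` used to truncate.
SAMPLE_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
2      812 1046K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
5       40  3200 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
6        0     0 zone_wan_forward  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
7        0     0 ACCEPT     tcp  --  br-lan eth0    192.168.1.10         0.0.0.0/0            tcp dpt:443
8        0     0 ACCEPT     udp  --  br-lan eth0    192.168.1.10         0.0.0.0/0            udp dpt:53
9        0     0 DROP       all  --  br-lan eth0    192.168.1.12         0.0.0.0/0
10       0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */'
# The second is the "after" state, where main has nothing left to do.
SAMPLE_DONE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
2       40  3200 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
3        0     0 zone_wan_forward  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
4      812 1046K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
6        0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */'

if [ "${1:-}" = apply ]; then
    main
fi
```

The order ESTABLISHED then INVALID matches what the wiki script plus the addition above produce; since a packet cannot be both INVALID and ESTABLISHED, swapping the two would not change what is forwarded. The same treatment is needed for ip6tables if the parental-control rules are meant to cover IPv6 as well.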

It's a wiki; everybody can edit.

I tried logging in and it doesn't let me; different credentials?

Yes, you would need to register there as well.