Hello,
I made this firewall script to DROP everything by default and allow few ports and few domains to communicate for my specific device :
#Change Default policy to ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#Flush the INPUT / OUTPUT / FORWARD tables
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
#Allow SSH
iptables -I INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "inSSH dport"
iptables -I INPUT -p tcp --sport 22 -j ACCEPT -m comment --comment "inSSH sport"
iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT -m comment --comment "outSSH sport"
iptables -I OUTPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "outSSH dport"
#Change Default policy to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#Accept everything that go throught the lo interface
iptables -A INPUT -i lo -j ACCEPT -m comment --comment "lo INPUT"
iptables -A OUTPUT -o lo -j ACCEPT -m comment --comment "lo OUTPUT"
#Accept everything on the local network
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
#DNS accept
iptables -A INPUT -i "$(uci get network.wan.ifname)" -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o "$(uci get network.wan.ifname)" -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i "$(uci get network.wan.ifname)" -p tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -o "$(uci get network.wan.ifname)" -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
#Open PORTS
iptables -A INPUT -j ACCEPT -p udp --sport 123
iptables -A OUTPUT -j ACCEPT -p udp --dport 123
iptables -A FORWARD -j ACCEPT -p udp --sport 123
iptables -A FORWARD -j ACCEPT -p udp --dport 123
iptables -A INPUT -j ACCEPT -p tcp --dport 443
iptables -A OUTPUT -j ACCEPT -p tcp --sport 443
iptables -A FORWARD -j ACCEPT -p tcp --sport 443
iptables -A FORWARD -j ACCEPT -p tcp --dport 443
#Authorise domains
iptables -A FORWARD -s github.com -j ACCEPT -m comment --comment "github"
iptables -A FORWARD -d github.com -j ACCEPT -m comment --comment "github"
iptables -A FORWARD -s balena-cloud.com -j ACCEPT -m comment --comment "balena-cloud.com"
iptables -A FORWARD -d balena-cloud.com -j ACCEPT -m comment --comment "balena-cloud.com"
iptables -A FORWARD -s docker.com -j ACCEPT -m comment --comment "docker.com"
iptables -A FORWARD -d docker.com -j ACCEPT -m comment --comment "docker.com"
iptables -A FORWARD -s docker.io -j ACCEPT -m comment --comment "docker.io"
iptables -A FORWARD -d docker.io -j ACCEPT -m comment --comment "docker.io"
iptables -t nat -I POSTROUTING -o "$(uci get network.wan.ifname)" -j MASQUERADE
iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
I put these rules inside firewall.user. At the moment my device has a IPv4. Then I have a look inside iptables and I can see that only few of the rules applied in INPUT, OUTPUT and FORWARD chains :
root@OpenWrt:~# iptables -vnL
Chain INPUT (policy ACCEPT 5 packets, 302 bytes)
pkts bytes target prot opt in out source destination
267 28559 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 /* inSSH sport */
2 176 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* inSSH dport */
16 1088 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* lo INPUT */
25 1794 ACCEPT all -- * * 192.168.1.0/24 0.0.0.0/0
0 0 ACCEPT udp -- eth1.2 * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- eth1.2 * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
243 34211 input_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
0 0 syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 /* !fw3 */
2 646 zone_lan_input all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
241 33565 zone_wan_input all -- eth1.2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1806 475K ACCEPT all -- * * 0.0.0.0/0 192.168.1.0/24
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:123
22 1672 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443
1409 403K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
26 2615 forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom forwarding rule chain */
11 1508 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
15 1107 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_forward all -- eth1.2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* outSSH dport */
47 6874 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 /* outSSH sport */
36 3514 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* lo OUTPUT */
30 4321 ACCEPT all -- * * 0.0.0.0/0 192.168.1.0/24
53 3764 ACCEPT udp -- * eth1.2 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * eth1.2 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
120 9120 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
50 8500 output_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom output rule chain */
48 8420 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
0 0 zone_lan_output all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
2 80 zone_wan_output all -- * eth1.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (2 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_dest_ACCEPT (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
15 1107 forwarding_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan forwarding rule chain */
15 1107 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to wan forwarding policy */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
2 646 input_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
2 646 zone_lan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_output (1 references)
pkts bytes target prot opt in out source destination
0 0 output_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan output rule chain */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
2 646 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_wan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
2 80 DROP all -- * eth1.2 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
15 1107 ACCEPT all -- * eth1.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * eth1.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan forwarding rule chain */
0 0 zone_lan_dest_ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IPSec-ESP */
0 0 zone_lan_dest_ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 /* !fw3: Allow-ISAKMP */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_wan_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_input (1 references)
pkts bytes target prot opt in out source destination
241 33565 input_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan input rule chain */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 /* !fw3: Allow-DHCP-Renew */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* !fw3: Allow-Ping */
5 180 ACCEPT 2 -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IGMP */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
236 33385 zone_wan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_output (1 references)
pkts bytes target prot opt in out source destination
2 80 output_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan output rule chain */
2 80 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
231 33083 ACCEPT all -- eth1.2 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
So I restarted the firewall to apply my firewall.user rules using service firewall restart and they look applied :
root@OpenWrt:~# service firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
And the rules :
root@OpenWrt:~# iptables -vnL
Chain INPUT (policy DROP 24 packets, 4514 bytes)
pkts bytes target prot opt in out source destination
33 2732 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 /* inSSH sport */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* inSSH dport */
16 1396 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* lo INPUT */
0 0 ACCEPT all -- * * 192.168.1.0/24 0.0.0.0/0
4 469 ACCEPT udp -- eth1.2 * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- eth1.2 * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 896 ACCEPT all -- * * 0.0.0.0/0 192.168.1.0/24
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:123
3 228 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443
10 735 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT all -- * * 140.82.118.4 0.0.0.0/0 /* github */
0 0 ACCEPT all -- * * 0.0.0.0/0 140.82.118.4 /* github */
0 0 ACCEPT all -- * * 35.172.177.65 0.0.0.0/0 /* balena-cloud.com */
0 0 ACCEPT all -- * * 35.173.3.255 0.0.0.0/0 /* balena-cloud.com */
0 0 ACCEPT all -- * * 34.232.40.183 0.0.0.0/0 /* balena-cloud.com */
0 0 ACCEPT all -- * * 3.214.163.243 0.0.0.0/0 /* balena-cloud.com */
0 0 ACCEPT all -- * * 52.4.95.48 0.0.0.0/0 /* balena-cloud.com */
0 0 ACCEPT all -- * * 34.195.49.195 0.0.0.0/0 /* balena-cloud.com */
0 0 ACCEPT all -- * * 54.152.127.232 0.0.0.0/0 /* balena-cloud.com */
0 0 ACCEPT all -- * * 52.71.139.107 0.0.0.0/0 /* balena-cloud.com */
0 0 ACCEPT all -- * * 0.0.0.0/0 52.71.139.107 /* balena-cloud.com */
0 0 ACCEPT all -- * * 0.0.0.0/0 54.152.127.232 /* balena-cloud.com */
0 0 ACCEPT all -- * * 0.0.0.0/0 34.195.49.195 /* balena-cloud.com */
0 0 ACCEPT all -- * * 0.0.0.0/0 52.4.95.48 /* balena-cloud.com */
0 0 ACCEPT all -- * * 0.0.0.0/0 3.214.163.243 /* balena-cloud.com */
0 0 ACCEPT all -- * * 0.0.0.0/0 34.232.40.183 /* balena-cloud.com */
0 0 ACCEPT all -- * * 0.0.0.0/0 35.173.3.255 /* balena-cloud.com */
0 0 ACCEPT all -- * * 0.0.0.0/0 35.172.177.65 /* balena-cloud.com */
0 0 ACCEPT all -- * * 3.217.62.246 0.0.0.0/0 /* docker.com */
0 0 ACCEPT all -- * * 52.86.8.163 0.0.0.0/0 /* docker.com */
0 0 ACCEPT all -- * * 52.205.36.130 0.0.0.0/0 /* docker.com */
0 0 ACCEPT all -- * * 0.0.0.0/0 52.205.36.130 /* docker.com */
0 0 ACCEPT all -- * * 0.0.0.0/0 52.86.8.163 /* docker.com */
0 0 ACCEPT all -- * * 0.0.0.0/0 3.217.62.246 /* docker.com */
0 0 ACCEPT all -- * * 52.54.178.62 0.0.0.0/0 /* docker.io */
0 0 ACCEPT all -- * * 3.91.211.1 0.0.0.0/0 /* docker.io */
0 0 ACCEPT all -- * * 52.207.42.240 0.0.0.0/0 /* docker.io */
0 0 ACCEPT all -- * * 0.0.0.0/0 52.207.42.240 /* docker.io */
0 0 ACCEPT all -- * * 0.0.0.0/0 3.91.211.1 /* docker.io */
0 0 ACCEPT all -- * * 0.0.0.0/0 52.54.178.62 /* docker.io */
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* outSSH dport */
15 1772 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 /* outSSH sport */
16 1396 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* lo OUTPUT */
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.1.0/24
4 229 ACCEPT udp -- * eth1.2 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * eth1.2 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
5 380 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (0 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (0 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (0 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with icmp-port-unreachable
Chain syn_flood (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_dest_ACCEPT (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_forward (0 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan forwarding rule chain */
0 0 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to wan forwarding policy */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_input (0 references)
pkts bytes target prot opt in out source destination
0 0 input_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
0 0 zone_lan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_output (0 references)
pkts bytes target prot opt in out source destination
0 0 output_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan output rule chain */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_wan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * eth1.2 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
3 380 ACCEPT all -- * eth1.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * eth1.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_forward (0 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan forwarding rule chain */
0 0 zone_lan_dest_ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IPSec-ESP */
0 0 zone_lan_dest_ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 /* !fw3: Allow-ISAKMP */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_wan_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_input (0 references)
pkts bytes target prot opt in out source destination
0 0 input_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan input rule chain */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 /* !fw3: Allow-DHCP-Renew */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* !fw3: Allow-Ping */
0 0 ACCEPT 2 -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IGMP */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
0 0 zone_wan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_output (0 references)
pkts bytes target prot opt in out source destination
3 380 output_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan output rule chain */
3 380 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1.2 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
Then I restart my device, and with wireshark which looks at the connections on the br-lan interface, I now have an IPv6 attributed to my device :
I can imagine my firewall script is not working at all, but I don't understand why I have an IPV6 now, so I have a lot of questions :
1 - Why not all my rules are applied at restart ?
2 - Why the FW3 rules are applied even the INPUT, OUTPUT and FORWARD chain are flushed ?
3 - Why I have an IPV6 when I restart my device ?
4 - What is wrong in the script ?
Router : Linksys WRT3200ACM (OpenWRT)
Thank you everybody,
Alex