Firewall with Iptables

Hello,

I made this firewall script to DROP everything by default and allow a few ports and a few domains to communicate for my specific device:

#Change Default policy to ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#Flush the INPUT / OUTPUT / FORWARD tables
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

#Allow SSH
iptables -I INPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "inSSH dport"
iptables -I INPUT -p tcp --sport 22 -j ACCEPT -m comment --comment "inSSH sport"
iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT -m comment --comment "outSSH sport"
iptables -I OUTPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "outSSH dport"

#Change Default policy to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Accept everything that goes through the lo interface
iptables -A INPUT -i lo -j ACCEPT -m comment --comment "lo INPUT"
iptables -A OUTPUT -o lo -j ACCEPT -m comment --comment "lo OUTPUT"

#Accept everything on the local network
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
 
#DNS accept
iptables -A INPUT -i "$(uci get network.wan.ifname)" -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o "$(uci get network.wan.ifname)" -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i "$(uci get network.wan.ifname)" -p tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -o "$(uci get network.wan.ifname)" -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

#Open PORTS
iptables -A INPUT -j ACCEPT -p udp --sport 123
iptables -A OUTPUT -j ACCEPT -p udp --dport 123
iptables -A FORWARD -j ACCEPT -p udp --sport 123
iptables -A FORWARD -j ACCEPT -p udp --dport 123

iptables -A INPUT -j ACCEPT -p tcp --dport 443
iptables -A OUTPUT -j ACCEPT -p tcp --sport 443
iptables -A FORWARD -j ACCEPT -p tcp --sport 443
iptables -A FORWARD -j ACCEPT -p tcp --dport 443

#Authorise domains
iptables -A FORWARD -s github.com -j ACCEPT -m comment --comment "github"
iptables -A FORWARD -d github.com -j ACCEPT -m comment --comment "github"
iptables -A FORWARD -s balena-cloud.com -j ACCEPT -m comment --comment "balena-cloud.com"
iptables -A FORWARD -d balena-cloud.com -j ACCEPT -m comment --comment "balena-cloud.com"
iptables -A FORWARD -s docker.com -j ACCEPT -m comment --comment "docker.com"
iptables -A FORWARD -d docker.com -j ACCEPT -m comment --comment "docker.com"
iptables -A FORWARD -s docker.io -j ACCEPT -m comment --comment "docker.io"
iptables -A FORWARD -d docker.io -j ACCEPT -m comment --comment "docker.io"

iptables -t nat -I POSTROUTING -o "$(uci get network.wan.ifname)" -j MASQUERADE
iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

I put these rules inside firewall.user. At the moment my device has an IPv4 address. Then I have a look inside iptables and I can see that only a few of the rules are applied in the INPUT, OUTPUT and FORWARD chains:

root@OpenWrt:~# iptables -vnL
Chain INPUT (policy ACCEPT 5 packets, 302 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  267 28559 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 /* inSSH sport */
    2   176 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* inSSH dport */
   16  1088 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* lo INPUT */
   25  1794 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
    0     0 ACCEPT     udp  --  eth1.2 *       0.0.0.0/0            0.0.0.0/0            udp spt:53
    0     0 ACCEPT     tcp  --  eth1.2 *       0.0.0.0/0            0.0.0.0/0            tcp spt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  243 34211 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
    2   646 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  241 33565 zone_wan_input  all  --  eth1.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1806  475K ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.0/24      
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:123
   22  1672 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443
 1409  403K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
   26  2615 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
   11  1508 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
   15  1107 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  eth1.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* outSSH dport */
   47  6874 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 /* outSSH sport */
   36  3514 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* lo OUTPUT */
   30  4321 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.0/24      
   53  3764 ACCEPT     udp  --  *      eth1.2  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      eth1.2  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
  120  9120 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   50  8500 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
   48  8420 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    2    80 zone_wan_output  all  --  *      eth1.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   15  1107 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
   15  1107 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   646 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    2   646 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   646 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2    80 DROP       all  --  *      eth1.2  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
   15  1107 ACCEPT     all  --  *      eth1.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth1.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: Allow-ISAKMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  241 33565 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    5   180 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
  236 33385 zone_wan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2    80 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
    2    80 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  231 33083 ACCEPT     all  --  eth1.2 *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

So I restarted the firewall to apply my firewall.user rules using service firewall restart, and they look applied:

root@OpenWrt:~# service firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

And the rules:

root@OpenWrt:~# iptables -vnL
Chain INPUT (policy DROP 24 packets, 4514 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   33  2732 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 /* inSSH sport */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* inSSH dport */
   16  1396 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* lo INPUT */
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
    4   469 ACCEPT     udp  --  eth1.2 *       0.0.0.0/0            0.0.0.0/0            udp spt:53
    0     0 ACCEPT     tcp  --  eth1.2 *       0.0.0.0/0            0.0.0.0/0            tcp spt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   12   896 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.0/24      
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:123
    3   228 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443
   10   735 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     all  --  *      *       140.82.118.4         0.0.0.0/0            /* github */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            140.82.118.4         /* github */
    0     0 ACCEPT     all  --  *      *       35.172.177.65        0.0.0.0/0            /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       35.173.3.255         0.0.0.0/0            /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       34.232.40.183        0.0.0.0/0            /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       3.214.163.243        0.0.0.0/0            /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       52.4.95.48           0.0.0.0/0            /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       34.195.49.195        0.0.0.0/0            /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       54.152.127.232       0.0.0.0/0            /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       52.71.139.107        0.0.0.0/0            /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            52.71.139.107        /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            54.152.127.232       /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            34.195.49.195        /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            52.4.95.48           /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            3.214.163.243        /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            34.232.40.183        /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            35.173.3.255         /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            35.172.177.65        /* balena-cloud.com */
    0     0 ACCEPT     all  --  *      *       3.217.62.246         0.0.0.0/0            /* docker.com */
    0     0 ACCEPT     all  --  *      *       52.86.8.163          0.0.0.0/0            /* docker.com */
    0     0 ACCEPT     all  --  *      *       52.205.36.130        0.0.0.0/0            /* docker.com */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            52.205.36.130        /* docker.com */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            52.86.8.163          /* docker.com */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            3.217.62.246         /* docker.com */
    0     0 ACCEPT     all  --  *      *       52.54.178.62         0.0.0.0/0            /* docker.io */
    0     0 ACCEPT     all  --  *      *       3.91.211.1           0.0.0.0/0            /* docker.io */
    0     0 ACCEPT     all  --  *      *       52.207.42.240        0.0.0.0/0            /* docker.io */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            52.207.42.240        /* docker.io */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            3.91.211.1           /* docker.io */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            52.54.178.62         /* docker.io */

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* outSSH dport */
   15  1772 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 /* outSSH sport */
   16  1396 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* lo OUTPUT */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.0/24      
    4   229 ACCEPT     udp  --  *      eth1.2  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      eth1.2  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    5   380 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      eth1.2  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
    3   380 ACCEPT     all  --  *      eth1.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth1.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: Allow-ISAKMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_wan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   380 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
    3   380 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth1.2 *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Then I restart my device, and with Wireshark looking at the connections on the br-lan interface, I now have an IPv6 address attributed to my device:

I can imagine my firewall script is not working at all, but I don't understand why I have an IPv6 address now, so I have a lot of questions:
1 - Why are not all my rules applied at restart?
2 - Why are the fw3 rules applied even though the INPUT, OUTPUT and FORWARD chains are flushed?
3 - Why do I have an IPv6 address when I restart my device?
4 - What is wrong in the script?

Router: Linksys WRT3200ACM (OpenWrt)

Thank you everybody,
Alex

  • What rules weren't applied???
  • Why do you have hostnames in some of your iptables rules!?!?
  • I don't see this.
  • Are you referring to the General Rules?
  • This means you always had IPv6
  • Do you mean there's no IPv6 firewall now?
  • If so, that's because you flushed the IPv6 rules
  • You're not using the UCI firewall.
  • You're adding hostnames to an iptables rule

Also, per the community guidelines, please refrain from signing posts.

1 Like

You're applying simplified host-based iptables rules (and concepts) here. But OpenWrt and its fw3 (using UCI) use zone-based rules that explicitly control traffic flowing zone to zone.

Most of us will fully recommend that you get your rules configured correctly in UCI. If you really want to do something manual, use the specific chains marked as custom by fw3 (example: /* !fw3: Custom wan input rule chain */).

3 Likes

So I should use this method for configuring the rules?
https://oldwiki.archive.openwrt.org/doc/uci/firewall

No, refrain from using the archive pages if a current article exists.

https://openwrt.org/docs/guide-user/firewall/firewall_configuration

1 Like

So I should use this kind of formatting, for example? :)

config rule
    option  target      'REJECT'
    option  proto       'tcp'
    option  src         'lan'
    option  src_ip      '192.168.1.2'
    option  src_mac     '00:11:22:33:44:55'
    option  src_port    '80'
    option  dest        'wan'
    option  dest_ip     '194.25.2.129'
    option  dest_port   '120'

That is a good example.

  • Although, I don't know many clients that use tcp/80 as a source port.
  • Also, I don't think you need to match both MAC and IP - as this rule won't work if your client changes IP.

1 Like

No worries, it's only an example coming from the documentation page.
I will use this kind of writing to make my rules, but should I put my configuration inside /etc/firewall.user or modify the existing file /etc/config/firewall?

1 Like

@4lexO, that's a very good question.

  • Firewall rules in the UCI syntax are added to /etc/config/firewall
  • Rules in iptables syntax are added to /etc/firewall.user

3 Likes

So if I make rules with UCI I have to add them to /etc/config/firewall, right?
Just want to be sure...

To note again:

1 Like

With UCI, can I whitelist domains, or is it only IP based?

In order to be able to block/whitelist domains you should enable the ipset configuration; that will enable dnsmasq to add matching domains to an ipset list, and iptables will use that list to reload the configuration and block the related IPs...

2 Likes
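As an added example that is not part of the thread or of OpenWrt's own code, here is how the two replies above (fw3 zone rules instead of flushing the built-in chains, and ipset-backed domain matching via dnsmasq) fit together for the policy the original firewall.user script tried to express. The section names, the set name `egress_allow` and the assumption that `@forwarding[0]` is the stock lan->wan forwarding section are mine, as is the requirement for the `ipset` and `dnsmasq-full` packages.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: the policy of the
# firewall.user script written as fw3/UCI configuration. fw3's own
# INPUT/OUTPUT/FORWARD jump rules stay intact, and domains are matched through
# an ipset that dnsmasq fills with the addresses it resolves, instead of
# hostnames that iptables resolves once at rule-load time.
#
# Assumptions (hypothetical, mine): the section names (allow_ssh_lan, fwd_dns,
# fwd_ntp, fwd_https, egress_allow, fwd_allowlist) and the set name; the stock
# /etc/config/firewall ordering where @forwarding[0] is the lan->wan forwarding;
# the 'ipset' and 'dnsmasq-full' packages are installed (the stock dnsmasq is
# built without ipset support, and the thread's restart log shows ipset missing).

# Print the UCI batch. Lines starting with '#' are comments for the reader and
# are stripped by uci_commands before anything is fed to 'uci batch'.
firewall_uci_batch() {
cat <<'EOF'
# 1. Default-deny egress: without a lan->wan forwarding section, forwarded
#    traffic that matches no rule reaches fw3's final 'reject' in FORWARD.
delete firewall.@forwarding[0]
# 2. SSH to the router only from the lan zone (wan zone input stays REJECT).
set firewall.allow_ssh_lan=rule
set firewall.allow_ssh_lan.name='Allow-SSH-from-lan'
set firewall.allow_ssh_lan.src='lan'
set firewall.allow_ssh_lan.proto='tcp'
set firewall.allow_ssh_lan.dest_port='22'
set firewall.allow_ssh_lan.target='ACCEPT'
# 3. Explicitly allowed lan->wan services: DNS, NTP, HTTPS. Replies come back
#    through fw3's own RELATED,ESTABLISHED rule, so no source-port rules needed.
set firewall.fwd_dns=rule
set firewall.fwd_dns.name='Allow-DNS-lan-wan'
set firewall.fwd_dns.src='lan'
set firewall.fwd_dns.dest='wan'
set firewall.fwd_dns.proto='tcp udp'
set firewall.fwd_dns.dest_port='53'
set firewall.fwd_dns.target='ACCEPT'
set firewall.fwd_ntp=rule
set firewall.fwd_ntp.name='Allow-NTP-lan-wan'
set firewall.fwd_ntp.src='lan'
set firewall.fwd_ntp.dest='wan'
set firewall.fwd_ntp.proto='udp'
set firewall.fwd_ntp.dest_port='123'
set firewall.fwd_ntp.target='ACCEPT'
set firewall.fwd_https=rule
set firewall.fwd_https.name='Allow-HTTPS-lan-wan'
set firewall.fwd_https.src='lan'
set firewall.fwd_https.dest='wan'
set firewall.fwd_https.proto='tcp'
set firewall.fwd_https.dest_port='443'
set firewall.fwd_https.target='ACCEPT'
# 4. Domain whitelist: fw3 creates the set, dnsmasq adds every address it
#    resolves for the listed domains, and the rule matches on destination IP.
set firewall.egress_allow=ipset
set firewall.egress_allow.name='egress_allow'
set firewall.egress_allow.match='dest_ip'
set firewall.egress_allow.storage='hash'
set firewall.egress_allow.family='ipv4'
set firewall.fwd_allowlist=rule
set firewall.fwd_allowlist.name='Allow-whitelisted-domains'
set firewall.fwd_allowlist.src='lan'
set firewall.fwd_allowlist.dest='wan'
set firewall.fwd_allowlist.ipset='egress_allow'
set firewall.fwd_allowlist.target='ACCEPT'
add_list dhcp.@dnsmasq[0].ipset='/github.com/balena-cloud.com/docker.com/docker.io/egress_allow'
EOF
}

# The batch with comment lines removed: exactly what 'uci batch' will read.
uci_commands() {
    firewall_uci_batch | grep -v '^#'
}

# Refuse to apply when the tools fw3 needs for ipsets are absent. The
# "Unable to locate ipset utility" warning in the thread means the set would
# silently not be created and the whitelist rule would never match anything.
check_ipset_support() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found: not an OpenWrt host?" >&2; return 1; }
    command -v ipset >/dev/null 2>&1 || { echo "ipset missing: opkg install ipset" >&2; return 1; }
    # dnsmasq lists ' ipset' (not ' no-ipset') among its compile-time options.
    dnsmasq --version 2>/dev/null | grep -q ' ipset' || { echo "dnsmasq lacks ipset support: install dnsmasq-full" >&2; return 1; }
    return 0
}

apply_firewall_uci() {
    check_ipset_support || return 1
    uci_commands | uci batch || return 1
    uci commit firewall && uci commit dhcp || return 1
    /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart
}

case "${1:-}" in
    --apply) apply_firewall_uci ;;
    *)       uci_commands ;;   # dry run: print the commands that would be applied
esac
```

Run it without arguments to review the generated UCI commands; `--apply` commits them and restarts dnsmasq and fw3, after which `iptables -vnL zone_lan_forward` and `ipset list egress_allow` show the rule and the addresses dnsmasq has added.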