Firewall4 / NFtables Tips and Tricks

Hi,
I am using latest Openwrt build using imagebuilder.
Question:

  • ping is not working for me from wan (I verified it using a web ping tool to ping my public IP address)

Very likely, I have error in my configuration:

root@np1:~# less /etc/config/firewall
...
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option syn_flood '1'
        option synflood_protect '1'
        option synflood_rate '25/s'
        option synflood_burst '50'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option disable_ipv6 '0'
        option tcp_ecn '1'
        option tcp_syncookies '1'
        option tcp_window_scaling '1'
...
config rule
        option name 'Allow-ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        # option src_ip '192.168.0.0/16 10.0.0.0/8'
        option target 'ACCEPT'
...

I tried the following, but with no luck:

root@np1:~# less /etc/nftables.d/20-custom.nft
chain user_input_2a {
    ip protocol icmp icmp type echo-request counter accept
    ip protocol icmp icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
}

chain user_input_2b {
    type filter hook input priority -900; policy accept;
    iifname @wan_interfaces jump user_input_2a
}

With the nft list ruleset command I can see:

root@np1:~# nft list ruleset
...
        chain user_input_2a {
                ip protocol icmp icmp type echo-request counter packets 0 bytes 0 accept
                ip protocol icmp icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
        }

        chain user_input_2b {
                type filter hook input priority -900; policy accept;
                iifname @wan_interfaces jump user_input_2a
        }
...

Many thanks for your comments!

Forgot to say 2 weeks ago, thanks for the hint on the counter on my custom chain.

Here's another counter question: is there some way to turn on counters for each of the auto-generated rules/chains created to implement what's configured in /etc/config/firewall? Many, but not all, of the rules have counters on them in 22.03.0-rc1.
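To put the counter hint to work, here is an added example (not from this thread or from fw4) that parses saved `nft list ruleset` output and reports two things: counted rules whose packet count is still zero (traffic never reaches them) and rules that carry no counter at all (the ones you cannot troubleshoot by hit count). The ruleset text is constructed to mirror the custom chains quoted above, with made-up counter values.

```python
import re

# Constructed sample in the format `nft list ruleset` prints; the two user_*
# chains mirror those quoted in this thread, the counter values are made up.
SAMPLE_RULESET = """
table inet fw4 {
        chain user_input_2a {
                ip protocol icmp icmp type echo-request counter packets 0 bytes 0 accept
                ip protocol icmp icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
        }

        chain user_input_2b {
                type filter hook input priority -900; policy accept;
                iifname @wan_interfaces counter packets 42 bytes 3528 jump user_input_2a
        }
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
COUNTER_RE = re.compile(r"\bcounter packets (\d+) bytes (\d+)\b")


def parse_rules(ruleset_text):
    """Return one dict per rule: chain, rule text, packets/bytes (None if no counter)."""
    rules, chain = [], None
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(raw)
        if m:
            chain = m.group(1)
            continue
        if line == "}":            # closes the current chain (or the table)
            chain = None
            continue
        if chain is None or not line or line.startswith("type "):
            continue               # outside a chain, blank, or the hook declaration
        c = COUNTER_RE.search(line)
        rules.append({"chain": chain, "rule": line,
                      "packets": int(c.group(1)) if c else None,
                      "bytes": int(c.group(2)) if c else None})
    return rules


def never_hit(ruleset_text):
    """Counted rules still at zero packets: the traffic is not reaching them."""
    return [(r["chain"], r["rule"]) for r in parse_rules(ruleset_text) if r["packets"] == 0]


def uncounted_rules(ruleset_text):
    """Rules without any counter, i.e. rules whose hit count cannot be checked."""
    return [(r["chain"], r["rule"]) for r in parse_rules(ruleset_text) if r["packets"] is None]


if __name__ == "__main__":
    for chain, rule in never_hit(SAMPLE_RULESET):
        print(f"never hit   [{chain}] {rule}")
    for chain, rule in uncounted_rules(SAMPLE_RULESET):
        print(f"no counter  [{chain}] {rule}")
```

On a router, feed it real output with `nft list ruleset > ruleset.txt` and pass the file contents to `never_hit()`; a zero counter on the jump rule in user_input_2b (rather than on the rule in user_input_2a) tells you the packets are not arriving on a @wan_interfaces interface at all.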

I used to have a bunch of the following rules in my config:

iptables -t nat -I PREROUTING -i br-lan -p udp --dport 123 -j DNAT --to 192.168.1.1

How can I translate that to fw4 /etc/config/firewall?
So far my attempt looked like the one below; however, tcpdump shows a lot of connections to different addresses.

config redirect
       option name 'IoT NTP redirect to router'
       list proto 'udp'
       option src 'IoT'
       option src_dport '123'
       option dest_port '123'
       option src_dip '!192.168.1.1'
       option dest_ip '192.168.1.1'
       option target 'DNAT'
       option dest 'IoT' # that is actually router interface 192.168.1.1

config redirect
        option name 'lan NTP redirect to router'
        list proto 'udp'
        option src 'lan'
        option src_dport '123'
        option dest_port '123'
        option src_dip '!10.0.0.1'
        option dest_ip '10.0.0.1'
        option target 'DNAT'
        option dest 'lan' # that is actually router interface 10.0.0.1

This would be awesome and can probably solve:

Could you suggest the nft analogues of the rules?

iptables -A POSTROUTING -o eth2 -t mangle -j TTL --ttl-set 64
iptables -A PREROUTING -i eth2 -t mangle -m ttl --ttl 1 -j TTL --ttl-inc 4
# /etc/nftables.d/90-mangle-ttl.nft

chain mangle_ttl_out {
    type filter hook postrouting priority mangle;
    meta nfproto ipv4 oifname eth2 ip ttl set 64
}

chain mangle_ttl_in {
    type filter hook prerouting priority mangle;
    meta nfproto ipv4 iifname eth2 ip ttl 1 ip ttl set 5
}

Notes:

  1. If you want to treat IPv6 as well, remove the meta nfproto ipv4 part.
  2. nftables does not support an equivalent to iptables' --ttl-inc yet, but since "match ttl 1, increment by 4" is basically just a static rewrite from TTL 1 to TTL 5, a fixed nftables set expression will do the job as well.

Is UPnP broken with firewall4?


Is there any fw4 rule to masquerade and forward all internet DNS requests to a local DNS server? I'm using the port forward/redirect rule below for IPv4 traffic, but I'm not able to get IPv6 working other than just blocking it.

I know we can't masquerade IPv6 traffic since there is no NAT. Not sure if there is any option other than blocking outright; please suggest.

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_ip '!192.168.1.250'
	option src_dport '53'
	option name 'redirect-DNS'

This is what I did in the past, now I just block it.

# Redirect all DNS Queries to Router (IPv6)
ip6tables -t nat -A zone_lan_prerouting -p udp -m set ! --match-set ipset-lan-pihole src --dport 53 -j DNAT --to-destination [fd57:11da:b11c::153]:53 -m comment --comment "DNS, ports 53"
ip6tables -t nat -A zone_lan_prerouting -p tcp -m set ! --match-set ipset-lan-pihole src --dport 53 -j DNAT --to-destination [fd57:11da:b11c::153]:53 -m comment --comment "DNS, ports 53"

# MASQUERADE to avoid reply from unexpected source
ip6tables -t nat -A zone_wan_postrouting -d fd57:11da:b11c::1 -p tcp --dport 53 -m comment --comment "MASQUERADE" -j MASQUERADE
ip6tables -t nat -A zone_wan_postrouting -d fd57:11da:b11c::1 -p udp --dport 53 -m comment --comment "MASQUERADE" -j MASQUERADE