Hi,
I want to grant access to my ISP modem's admin panel from the LAN zone only, and not from other zones (which may also have access to WAN). What is the best way to do it?
For now I set up one rule that allows access to the modem from LAN only, and a second rule which blocks every other access to the modem, in this order.
config rule
	option src 'lan'
	option name 'allow_modem_lan'
	option target 'ACCEPT'
	option dest 'wan'
	list dest_ip '192.168.10.1'
	list proto 'all'

config rule
	option dest 'wan'
	option target 'REJECT'
	list dest_ip '192.168.10.1'
	option src '*'
	option name 'reject_modem_fwd'
	list proto 'all'
But now every access to the modem is blocked, even from LAN. Looking up how these rules translate into iptables, I see (in the following order):
Chain FORWARD (policy DROP)
...
zone_wan_dest_REJECT all -- 0.0.0.0/0 192.168.10.1 /* !fw3: reject_modem_fwd */
zone_lan_forward all -- 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
...
Chain zone_lan_forward (1 references)
...
zone_wan_dest_ACCEPT all -- 0.0.0.0/0 192.168.10.1 /* !fw3: allow_modem_lan */
...
So I would say traffic is not going through now just because the zone_wan_dest_REJECT (reject_modem_fwd, i.e. the one that blocks all forwards to the modem) is reached before everything else and zone_wan_dest_ACCEPT (allow_modem_lan) never hits. I can tell this from the counters too...
At this point, is the ordering of these generated rules even consistent? Isn't it supposed to generate rules according to the order in the config (and in LuCI)? Do you suggest a different approach to achieve this setup?
Thanks.
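As an added illustration (not part of the original post), the following Python model walks the FORWARD chain the way iptables does, using the chain layout visible in the listing above: a rule with src '*' lands in the top-level FORWARD chain ahead of the per-zone jumps, while a rule with a concrete src lands inside that zone's forward chain. The interface names (br-lan, br-guest, eth0.2) and the "guest" zone are assumed placeholders.

```python
MODEM = "192.168.10.1"

def fw3_layout(reject_src):
    """Model of the generated chains. reject_src='*' mirrors the poster's
    config (reject rule placed in FORWARD before the zone jumps); any other
    value puts the same reject rule inside zone_<src>_forward instead.
    Interface names and the 'guest' zone are constructed placeholders."""
    chains = {
        "FORWARD": [{"in": "br-lan", "jump": "zone_lan_forward"},
                    {"in": "br-guest", "jump": "zone_guest_forward"}],
        "zone_lan_forward": [{"dst": MODEM, "jump": "zone_wan_dest_ACCEPT"}],
        "zone_guest_forward": [],
        "zone_wan_dest_ACCEPT": [{"out": "eth0.2", "jump": "ACCEPT"}],
        "zone_wan_dest_REJECT": [{"out": "eth0.2", "jump": "REJECT"}],
    }
    reject = {"dst": MODEM, "jump": "zone_wan_dest_REJECT"}
    if reject_src == "*":
        chains["FORWARD"].insert(0, reject)
    else:
        chains[f"zone_{reject_src}_forward"].insert(0, reject)
    return chains

def trace(pkt, chains, chain="FORWARD", path=None):
    """First matching rule wins; user-defined targets are followed and
    falling off the end of a chain returns to the calling chain."""
    path = [] if path is None else path
    for rule in chains[chain]:
        if all(pkt.get(k) == v for k, v in rule.items() if k != "jump"):
            target = rule["jump"]
            path.append(f"{chain} -> {target}")
            if target in ("ACCEPT", "REJECT", "DROP"):
                return target, path
            verdict, path = trace(pkt, chains, target, path)
            if verdict is not None:
                return verdict, path
    return None, path  # no terminal verdict: chain policy applies

def verdict(pkt, chains, policy="DROP"):
    v, path = trace(pkt, chains)
    return (v or policy), path

if __name__ == "__main__":
    lan_pkt = {"in": "br-lan", "out": "eth0.2", "dst": MODEM}
    for src in ("*", "guest"):
        print(f"reject src={src!r}:", verdict(lan_pkt, fw3_layout(src)))
```

With the wildcard-src reject rule the LAN packet is rejected in FORWARD before zone_lan_forward is ever consulted, which is the counter pattern described in the post; with the reject scoped to a zone, the LAN path reaches allow_modem_lan.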