Granting access to ISP modem from LAN zone only and rules ordering

Hi,
I want to grant access to my ISP modem's admin panel from the LAN zone only, and not from other zones (which may also have access to WAN). What is the best way to do it?

For now I set up one rule that allows access to the modem from LAN only, and a second rule which blocks every other access to the modem, in this order.

config rule
        option src 'lan'
        option name 'allow_modem_lan'
        option target 'ACCEPT'
        option dest 'wan'
        list dest_ip '192.168.10.1'
        list proto 'all'

config rule
        option dest 'wan'
        option target 'REJECT'
        list dest_ip '192.168.10.1'
        option src '*'
        option name 'reject_modem_fwd'
        list proto 'all'

But now every access to the modem is blocked, even from LAN. Looking up how these rules translate into iptables, I see (in the following order):

Chain FORWARD (policy DROP)
...
zone_wan_dest_REJECT  all  --  0.0.0.0/0            192.168.10.1         /* !fw3: reject_modem_fwd */
zone_lan_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
...

Chain zone_lan_forward (1 references)
...
zone_wan_dest_ACCEPT  all  --  0.0.0.0/0            192.168.10.1         /* !fw3: allow_modem_lan */
...

So I would say traffic is not going through now just because the zone_wan_dest_REJECT (reject_modem_fwd, i.e. the one that blocks all forwards to the modem) is reached before everything else and zone_wan_dest_ACCEPT (allow_modem_lan) never hits. I can tell this from the counters too...

At this point, is the ordering of these generated rules even consistent? Isn't it supposed to generate rules according to the order in the config (and in LuCI)? Do you suggest a different approach to achieve this setup?

Thanks.

uci set firewall.@rule[-2].src="*"
uci set firewall.@rule[-2].src_ip="lan"
uci commit firewall
/etc/init.d/firewall restart

Note that wildcard source zone rules always override non-wildcard ones.


Hi @vgaetera, thanks,

So if I get it right, this now matches by source subnet rather than source zone, right? In my case this is working well, but what about the latter (which I tried to implement before)?

This one is good to know, thanks.

Yep, that should fix the order of your permissive and restrictive rules.

What exactly?

I mean, just out of curiosity, what if I really wanted to do source zone matching and not source subnet matching? The rules were failing as per the first post... is it a wrong approach in general?

That's also possible, but you must avoid using wildcard source rules.
Just create zone-specific prohibitive rules for each zone whose access you want to restrict.

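As an added illustration of the zone-specific approach from the last reply (not configuration posted in the thread), the following /etc/config/firewall fragment keeps the LAN allow rule and replaces the wildcard REJECT with one REJECT per restricted zone; the zone names 'guest' and 'iot' are assumptions, the modem address is the one from the first post.

```uci
# Added example, not from the thread. Rules with src '*' are emitted by
# fw3 directly into the FORWARD chain, ahead of every zone_<src>_forward
# chain (see the iptables listing in the first post), so a wildcard
# REJECT always beats a zone-specific ACCEPT regardless of config order.
# Avoid the wildcard and reject per zone instead.

# Permissive rule: only the lan zone may reach the modem.
config rule
        option name 'allow_modem_lan'
        option src 'lan'
        option dest 'wan'
        list dest_ip '192.168.10.1'
        list proto 'all'
        option target 'ACCEPT'

# One prohibitive rule per zone that can forward to wan but must not
# reach the modem. Each lands in its own zone_<src>_forward chain, so
# it cannot shadow the lan rule above. Zone names are assumptions.
config rule
        option name 'reject_modem_guest'
        option src 'guest'
        option dest 'wan'
        list dest_ip '192.168.10.1'
        list proto 'all'
        option target 'REJECT'

config rule
        option name 'reject_modem_iot'
        option src 'iot'
        option dest 'wan'
        list dest_ip '192.168.10.1'
        list proto 'all'
        option target 'REJECT'
```

After `/etc/init.d/firewall restart`, `iptables -L FORWARD -nv` should no longer show a `zone_wan_dest_REJECT` entry for 192.168.10.1 at the top level, and `iptables -L zone_guest_forward -nv` should show the per-zone reject with its counters.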
