Harden your OpenWRT

Privacix · April 2, 2024, 8:11pm

Small guide how to harden your OpenWRT. I am using drop instead of reject to reduce CPU load.

via UCI

Allow critical ports:

config rule
    option src 'lan'
    option dest_port '80,443,22'
    option proto 'tcp'
    option target 'ACCEPT'

Limit SSH Access:

config rule
    option src 'lan'
    option src_ip '192.168.1.0/24'
    option dest_port '22'
    option proto 'tcp'
    option target 'ACCEPT'

config rule
    option src 'lan'
    option dest_port '22'
    option proto 'tcp'
    option target 'DROP'

Deny anything else:

config default_policy
    option input 'DROP'

Block Port Scans:

config rule
    option src 'lan'
    option dest_port '!22,80,443'
    option proto 'tcp'
    option target 'DROP'

Block SYN Flood Attacks:

config rule
    option src 'lan'
    option proto 'tcp'
    option tcpflags 'SYN'
    option limit '1/s'
    option limit_burst '3'
    option target 'ACCEPT'

config rule
    option src 'lan'
    option proto 'tcp'
    option tcpflags 'SYN'
    option target 'DROP'

Block ICMP (Ping) Requests:

config rule
    option src 'lan'
    option proto 'icmp'
    option icmp_type 'echo-request,timestamp-request,address-mask-request'
    option target 'DROP'

Block portmapper:

config rule
    option src 'lan'
    option dest_port '111'
    option proto 'tcp'
    option target 'DROP'

config rule
    option src 'lan'
    option dest_port '111'
    option proto 'udp'
    option target 'DROP'

Allow legitimate to reduce errors:

config rule
    option src 'lan'
    option proto 'tcp'
    option ctstate 'ESTABLISHED,RELATED'
    option target 'ACCEPT'

Block NetBIOS:

config rule
    option src 'lan'
    option dest_port '137-139'
    option proto 'tcp'
    option target 'DROP'

config rule
    option src 'lan'
    option dest_port '137-139'
    option proto 'udp'
    option target 'DROP'

Block SMB (Server Message Block):

config rule
    option src 'lan'
    option dest_port '445'
    option proto 'tcp'
    option target 'DROP'

Block Telnet:

config rule
    option src 'lan'
    option dest_port '23'
    option proto 'tcp'
    option target 'DROP'

Block DNS Tunneling:

config rule
    option src 'lan'
    option sport '53'
    option proto 'udp'
    option target 'DROP'

Block ICMP Redirects:

config rule
    option src 'lan'
    option proto 'icmp'
    option icmp_type 'redirect'
    option target 'DROP'

Block useless IP connections:

config rule
    option src 'lan'
    option src_ip '192.168.1.0/24'
    option dest_ip '192.168.1.0/24'
    option target 'ACCEPT'

config default_policy
    option input 'DROP'

Block Large Packets:

config rule
    option src 'lan'
    option proto 'tcp'
    option tcpflags 'SYN'
    option tcpmss '1:1024'
    option target 'DROP'

Block New Connections Without SYN:

config rule
    option src 'lan'
    option proto 'tcp'
    option tcpflags '!SYN'
    option ctstate 'NEW'
    option target 'DROP'

Block New Connections Without ACK:

config rule
    option src 'lan'
    option proto 'tcp'
    option tcpflags '!SYN'
    option ctstate 'NEW'
    option target 'DROP'

After adding these rules to /etc/config/firewall, you can apply the changes by restarting the firewall service or rebooting your OpenWrt device.

via IPtables

Easy way:

Allow critical ports:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Limit SSH Access

iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Deny anything else

iptables -A INPUT -j DROP

Expert way

Block Port Scans
Port scans are used by bad actors to find open ports and services on your network. This rules can mitigate risk.

iptables -A INPUT -p tcp --match multiport ! --dports 22,80,443 -j DROP

This rule drops all incoming TCP traffic that does not match the ports you've specified (in example: SSH, HTTP, HTTPS).

Limit SSH Access
Consider limiting it to specific IP addresses or ranges to prevent brute force attacks.

iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Replace 192.168.1.0/24 with the IP range you wish to allow.

Block SYN Flood Attacks
SYN flood attacks aim to consume server resources by sending a large number of SYN requests.

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

This rule allows a maximum of 3 SYN packets per second, dropping any additional packets. This should be enough for regular usage.

Block ICMP (Ping) Requests
ICMP requests can be used for reconnaissance or to map your network. Also they can be used for DDOS. Blocking them can help reduce this risks.

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp --icmp-type address-mask-request -j DROP

Block portmapper
It is not typically needed for most home networks.

iptables -A INPUT -p tcp --dport 111 -j DROP
iptables -A INPUT -p udp --dport 111 -j DROP

Allow legitimate to reduce errors

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Save and Apply Rules

iptables-save > /etc/iptables.up.rules

Block NetBIOS
NetBIOS used in Windows environments for file sharing and printer sharing. Most of you never used it.

iptables -A INPUT -p tcp --dport 137:139 -j DROP
iptables -A INPUT -p udp --dport 137:139 -j DROP

Block SMB (Server Message Block)
SMB is used for file sharing and printer sharing. Blocking it can prevent unauthorized access to shared resources. Can cause problems with LAN printers.

iptables -A INPUT -p tcp --dport 445 -j DROP

Block Telnet
Telnet is just insecure protocol. Hardly recommend to block.

iptables -A INPUT -p tcp --dport 23 -j DROP

Block DNS Tunneling
DNS tunneling can be used to bypass firewalls

iptables -A INPUT -p udp --sport 53 -j DROP

Block ICMP Redirects
ICMP redirects can be used to redirect traffic to malicious servers. This prevents MITM attacks.

iptables -A INPUT -p icmp --icmp-type redirect -j DROP

Block useless IP connections

iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -j DROP

Block Large Packets
Against DOS and DDOS

iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1:1024 -j DROP

Block New Connections Without SYN
This will help to reduce attack vector

iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

Block New Connections Without ACK
Blocking new connections that do not start with an ACK packet can help prevent certain types of attacks.

iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

Save them:

iptables-save > /etc/iptables.up.rules

And apply them on boot by adding the following to /etc/rc.local:

/sbin/iptables-restore < /etc/iptables.up.rules

flygarn12 · April 2, 2024, 8:23pm

Some or all of this is probably a lot easier to do in uci code.

But the big issue is more towards the fact that we left iptables to history in like 2021 (or 2022 whenever fw4 was introduced)?

krazeh · April 2, 2024, 8:34pm

I suspect a good chunk of it is entirely unnecessary. For the remainder (if there is any) I agree it's probably a lot easier just using UCI code (or even easier in Luci).

Pico · April 2, 2024, 8:44pm

this hardening tip is debated every once in a while in threads here in the forum and also many small blogs.

Just because the tip is repeated a lot does not make it a more safe choice and does not make the default reject wrong. „How many“ practical CPU savings are you expecting?

Also make sure you understand, what it means, to bypass Luci or UCI on firewall changes: the next Luci/uci triggered config change might overwrite iptables changes

Privacix · April 2, 2024, 8:44pm

Added to post! Thank you!
This post was in my draft, so I didn’t wrote that

krazeh · April 2, 2024, 8:49pm

Now I've seen the UCI version I'm even more convinced the rules are entirely unnecessary.

Privacix · April 2, 2024, 8:51pm

Can I hear arguments? Most of them to prevent DDOS. Unfortunately, it is regular practice if you share connection with many unknown individuals

krazeh · April 2, 2024, 8:54pm

Perhaps don't do that then. Or create a guest interface in it's own firewall zone, reject/drop (as desired) access to the router, then specifically allow only desired traffic. Put the unknown individuals on that interface.

hecatae · April 2, 2024, 9:05pm

Is it nftables these days?

flygarn12 · April 2, 2024, 9:09pm

Yea, it is. I don’t really know what to say about the fact that you all have missed all available information for about 2-3 years that has been released about firewall 4.

Privacix · April 2, 2024, 9:22pm

Yes. It is for such interfaces. But some rules I implemented in main interface. Consider me paranoid

krazeh · April 2, 2024, 9:25pm

It frankly smacks of a list of 'rules' created by someone who has read too much and doesn't really understand what it is they're doing.

flygarn12 · April 2, 2024, 9:42pm

Now with the uci rules section at the top.

Rule number 5…
Have you actually used OpenWrt or read the manual for the firewall because we have a checkbox in luci for syn flood protection, and it has been around for ages.
Or as uci option synflood_protect .

But still (3’rd attempt to break the news to you), the only supported firewall in OpenWrt is firewall 4 and that only have support for nftables so what are we supposed to do with a list of iptables rules?

efahl · April 2, 2024, 9:43pm

My take on drop vs reject is that every case is different. If I'm writing a rule on the WAN, for say a public SSH server, I'm going to drop as I don't even want to acknowledge to the potential bad actor that I even exist. For my LAN-facing, DoH block rules, I send reject as I want to tell local hosts "Yeah, I hear you, but stop trying that."

psherman · April 2, 2024, 10:47pm

While this is often seen as desirable, it has potential collateral impacts. While the reply from a REJECT rule can be used to indicate presence and thus be used by a bad actor to brute-force your device, setting it to DROP can (in specific situations) cause increased traffic or even inadvertant DoS situations. Specifically, TCP relies on the ack packets, even if it is a reject. Without an ack, the sender may keep resending on the premise that the packets got lost. The result is that non-malicious traffic may increase when otherwise it would have simply understood and honored the REJECT response. This is why the default configuration has the wan zone input rule set to REJECT and not DROP.

flygarn12 · April 3, 2024, 4:19am

When looking at the drop/reject log for wan zone the bad actors are to 99,999% probing the specific registered communication ports like 22, 80, 443 etc to find servers to mess around with.
To search around on the internet for icmp answers in general doesn’t seem to be of anyones interest. Usually that is the ISP doing that when you report connection problem…

But what I have found when talking about ICMPv6 is that if you want a lot of kernel errors and undefined droped packages in system log, then block ICMPv6. This has especially high effect factor for internal network traffic if you only have ipv4 from ISP.

moeller0 · April 3, 2024, 5:44am

How so? The classic approach to DOS someone is simply to 'flood the ingress with bogus packets, crowding out legitimate traffic'. I fail to see how your rules help?

Regarding reject versus drop, my ISP generates differential responses whether an IP is in use or not, so drop does not make my router magically invisible... (drops are harder to use to fingerprint the OS I grant you that).
Disallowing ICMP echo requests means no more delay/availability checking via smokeping or similar services (thinkbroadband's free quality monitor comes to mind) this is a trade off (like most security decisions) that should at least be mentioned somewhere if you propose your set of rules for general consumption.

lleachii · April 3, 2024, 6:28am

In a kinda reflected DDoS, the SRC and DST IP could both be victims.

The malicious actor (or botnet, etc.) is on an ISP able to spoof SRC IPs
The packet arriving at the DST WAN is rejected
These reject/etc. replies are transmitted to the victim's [spoofed] SRC IP

But if the malicious actor already knows the IP to be that of the victim (i.e. the victim is a specific and intended target), not even DROP rules will stop an overwhelming flood of bogus packets consuming your inbound bandwidth.

flygarn12 · April 3, 2024, 8:31am

True, that is nothing the endpoint of the water hose can do if the water hose is full and pressurized…

That is pretty much the business idea of Cloudflare. “We take the incoming water on this hose and you go play with another hose we have prepared with less water in it”

papdee · April 4, 2024, 5:56am

I am just not important enough to be worth DDOSing. If someone were to DDOS me I would be quite awestruck that I was worth being selected for a DDOS attack and what possible notoriety the attacker would hope to gain by DDOSing me.