Help needed to create fw4 rule

Please help me create a firewall rule that

  • Matches traffic originating in "lan" zone destined for 10.192.0.0/10 or [FC00::]/7
  • Sends that traffic to a service running on the router listening on 0.0.0.0:9040 and [::]:9040

I'm running OpenWrt 22.03.2. I would prefer to do this via Luci, but I am also fine with just editing /etc/config/firewall.

You may guess that this is for Tor, which is correct. I have visited the wiki pages "Tor Client" and "Tor Extra", but they just led to more confusion. This is because the setup there is more complicated than I want. I've got the DNS redirection working fine, just need help with this rule. This setup is only for occasional visits to a .onion website, and not for strict privacy preservation. When in need of privacy, I use Tor Browser.

While trying various things, I also created an interface called 'Tor', gave it static IP 10.192.0.0/10 and [FC00::]/7, and put it in a firewall zone called 'Tor'. This was probably pointless, but just mentioning it in case it can be used for the rule I need.

Port forward.

Whoa, wouldn't have guessed that...

Have you seen this? https://openwrt.org/docs/guide-user/services/tor/extras#selective_routing

Yes, I saw that before asking the question here and it left me more confused. It is more complicated than what I need/want. Not sure if ipset is still available in nftables (fw4). I also want to, preferably, just stick with the usual lan->wan forwarding and not have to create the "Allow-NonTor-Forward" rule; I just want to create a rule to only intercept the Tor-destined traffic, as I asked for.

Also, at least from the GUI, the port forward only seems to work for IPv4 and not IPv6.

Yes, it is.

OK, from what I see in the Wiki, it does that. How does the Wiki not provide that?

(FYI, I also have a hard time reading UCI CLI, I personally use the file method.)

OK, so a more specific question: if I create the following rule, will that work?

config redirect
	option target 'DNAT'
	option name 'Tor-fwd-ipv6'
	option src 'lan'
	option src_dport '0-65535'
	option dest_ip '2a02:8010:6807:10::1'
	option dest_port '9040'
	option src_dip 'FC00::/7'
	option reflection '0'

Similar rule for ipv4 is working fine.

Probably not without setting up NAT for IPv6.

Correct.

I went with this for the ipv6 redirect and it seems to be working:

# Set of IPv6 destinations to intercept (fw4 builds this as an nftables set)
config ipset 'torv6'
	option name 'torv6'
	option family 'ipv6'
	option match 'net'
	list entry 'fc00::/8'

# DNAT LAN traffic whose destination is in the set to the router's own port 9040;
# no dest_ip, so fw4 redirects to the router itself
config redirect
	option target 'DNAT'
	option name 'Tor-fwd-ipv6'
	option src 'lan'
	option src_dport '0-65535'
	option family 'ipv6'
	option dest_port '9040'
	option ipset 'torv6 dest'
	option reflection '0'
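For reference, here is the same approach carried through for both address families, as an added example (not a config posted in the thread and not from the OpenWrt wiki). It assumes Tor is configured with VirtualAddrNetworkIPv4 10.192.0.0/10, VirtualAddrNetworkIPv6 [FC00::]/7 and TransPort on 0.0.0.0:9040 / [::]:9040, as described in the opening post, and that the client-facing zone is named 'lan'. The IPv6 set entry is fc00::/7 to match the original question rather than the /8 used in the post above; whichever prefix Tor is actually told to hand out is the one the set must contain. Everything else follows the fw4 options already used in the thread (ipset with match 'net', redirect with family and 'ipset <name> dest'), plus proto 'tcp', since a TransPort listener only accepts TCP.

```uci
# Added example: /etc/config/firewall fragment (not from the thread).
# Assumptions: Tor VirtualAddrNetworkIPv4 10.192.0.0/10, VirtualAddrNetworkIPv6
# [FC00::]/7, TransPort 0.0.0.0:9040 and [::]:9040, LAN zone named 'lan'.

# Destination sets; fw4 turns each into an nftables set. The direction
# ("dest") is given on the redirect rule, not on the set.
config ipset 'torv4'
	option name 'torv4'
	option family 'ipv4'
	option match 'net'
	list entry '10.192.0.0/10'

config ipset 'torv6'
	option name 'torv6'
	option family 'ipv6'
	option match 'net'
	list entry 'fc00::/7'

# IPv4: DNAT matching LAN traffic to the router's own port 9040.
# dest_ip is deliberately omitted, so fw4 emits a 'redirect to' rule that
# targets the router's address on the ingress interface (no hard-coded LAN IP).
config redirect
	option name 'Tor-fwd-ipv4'
	option target 'DNAT'
	option family 'ipv4'
	option src 'lan'
	option proto 'tcp'
	option ipset 'torv4 dest'
	option dest_port '9040'
	option reflection '0'

# IPv6: identical shape; 'family ipv6' is what makes fw4 generate the rule
# for IPv6 instead of only IPv4.
config redirect
	option name 'Tor-fwd-ipv6'
	option target 'DNAT'
	option family 'ipv6'
	option src 'lan'
	option proto 'tcp'
	option ipset 'torv6 dest'
	option dest_port '9040'
	option reflection '0'
```

After `fw4 reload`, `fw4 print` (or `nft list ruleset`) should show both redirect rules referencing the torv4 and torv6 sets in the DNAT chain for the lan zone; a quick functional check from a LAN host is `curl -6 --socks5-hostname` not being needed at all, i.e. plain `curl http://<name>.onion/` with DNS resolved through Tor's DNSPort, as the opening post already has working, lands on the TransPort. Traffic to any other destination keeps using the ordinary lan->wan forwarding, which is why no "Allow-NonTor-Forward" rule is required here.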
