I'm new to OpenWRT and I need to create a firewall rule in order to route all TCP packets to some port, but excluding local addresses!
I tried the following with no success. It seems the target is different from iptables!
```sh
# Exclude local and LAN addresses
uci add firewall rule
uci set firewall.@rule[-1].name='Exclude local and LAN addresses'
uci set firewall.@rule[-1].src='*'
uci set firewall.@rule[-1].dest='*'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].dest_ip='0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4'
uci set firewall.@rule[-1].target='RETURN'
uci commit firewall

# Route all traffic to 12345
uci add firewall rule
uci set firewall.@rule[-1].name='Route all traffic'
uci set firewall.@rule[-1].src='*'
uci set firewall.@rule[-1].dest='*'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].target='REDIRECT'
uci set firewall.@rule[-1].dest_port='12345'
uci commit firewall
```
I also used this for the second part, with no success:
```sh
uci add firewall redirect
uci set firewall.@redirect[-1].src=lan
uci set firewall.@redirect[-1].name='Route all traffic'
uci set firewall.@redirect[-1].proto=tcp
uci set firewall.@redirect[-1].target=DNAT
uci set firewall.@redirect[-1].dest_ip=127.0.0.1
uci set firewall.@redirect[-1].dest_port=12345
uci commit firewall
```
The traffic has to go somewhere... without an address, it has nowhere to go. You can redirect it to the router itself if the router is supposed to process that traffic (aside from routing/redirecting)... but the traffic has to go somewhere.
Answering your question from the title -- all the firewall UCI arguments can be found here:
Yeah, I've seen it, but I didn't find the list of all possible values for firewall.@rule[-1].target=???
What exactly are you trying to achieve?
In fact I have socks5 running on 127.0.0.1:12345 and I want to route wan traffic through it, so I should bypass the local addresses and avoid routing them, but the RETURN value for target is not a valid option like the one in iptables. I just want to leave local addresses unchanged and route all other traffic to port 12345.
This is a bit tricky and I am not sure it can be accomplished in luci.
The firewall rules are applied in the filter table. The redirects are applied in the nat table. You need to exclude (or ACCEPT) the packets with destination in the private networks in the nat table as well.
By default the kernel refuses to route packets with the loopback as source or destination.
You'll need to play with the sysctl route_localnet values, so better make socks5 listen on all interfaces.
Create a set containing the IP addresses to be excluded.
```
#/etc/config/firewall
config ipset
	option name 'localnets'
	option match 'dest_net'
	option enabled '1'
	list entry '10.0.0.0/8'
	list entry '172.16.0.0/12'
	list entry '192.168.0.0/16'

config redirect
	option name 'Redirect-all-but-localnets'
	option target 'DNAT'
	option src 'lan'
	list proto 'tcp'
	option src_dport '0-65535'
	option ipset '!localnets'
	option dest_port '12345'
```
Note that a DNAT rule cannot have '*' as source.
If you have multiple zones, create as many rules as needed.
Check the rule for hits by running nft list chain inet fw4 dstnat_lan
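As an added example (not from any poster in this thread), the following POSIX shell script turns the config fragment above into the equivalent `uci` commands, since the original question used `uci` rather than editing `/etc/config/firewall` directly. It generalizes the answer slightly: the exclusion set is a single variable, and one redirect is generated per source zone passed on the command line, which is what "create as many rules as needed" amounts to. It also includes a small CIDR check (`would_redirect`) so you can predict, before committing, which destination addresses the `!localnets` match will leave alone and which will be DNATed to the socks5 port. The set contents, the port 12345 and the zone names are taken from the thread; the function names and the `-$zone` suffix on the rule name are this example's own choices.

```sh
#!/bin/sh
# Added example: generates uci commands equivalent to the ipset + redirect
# config from the answer above, one redirect per source zone, and offers a
# pure-shell CIDR check so the exclusion set can be sanity-tested offline.

LOCALNETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"   # same set as the answer
SOCKS_PORT=12345                                     # port socks5 listens on

# ip4_to_int A.B.C.D -> unsigned 32-bit integer (assumes a valid dotted quad)
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1            # split on '.' into $1..$4
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_localnets IP -> exit status 0 if IP lies inside one of $LOCALNETS
in_localnets() {
    addr=$(ip4_to_int "$1")
    for net in $LOCALNETS; do
        base=${net%/*}; plen=${net#*/}
        mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
        if [ $(( addr & mask )) -eq $(( $(ip4_to_int "$base") & mask )) ]; then
            return 0
        fi
    done
    return 1
}

# would_redirect IP -> prints "bypass" (matches the set, left alone by
# '!localnets') or "redirect" (DNATed to $SOCKS_PORT on the router)
would_redirect() {
    if in_localnets "$1"; then echo bypass; else echo redirect; fi
}

# gen_uci ZONE... -> prints the uci commands for the ipset and one DNAT
# redirect per zone; pipe into sh on the router to apply them
gen_uci() {
    echo "uci add firewall ipset"
    echo "uci set firewall.@ipset[-1].name='localnets'"
    echo "uci set firewall.@ipset[-1].match='dest_net'"
    echo "uci set firewall.@ipset[-1].enabled='1'"
    for net in $LOCALNETS; do
        echo "uci add_list firewall.@ipset[-1].entry='$net'"
    done
    for zone in "$@"; do
        echo "uci add firewall redirect"
        echo "uci set firewall.@redirect[-1].name='Redirect-all-but-localnets-$zone'"
        echo "uci set firewall.@redirect[-1].target='DNAT'"
        echo "uci set firewall.@redirect[-1].src='$zone'"
        echo "uci add_list firewall.@redirect[-1].proto='tcp'"
        echo "uci set firewall.@redirect[-1].src_dport='0-65535'"
        echo "uci set firewall.@redirect[-1].ipset='!localnets'"
        echo "uci set firewall.@redirect[-1].dest_port='$SOCKS_PORT'"
    done
    echo "uci commit firewall"
}

# Example use: preview the decision for a few destinations, then print the
# commands for the lan zone (add more zone names as needed).
for dst in 192.168.1.5 172.31.255.1 172.32.0.1 8.8.8.8; do
    echo "$dst -> $(would_redirect "$dst")"
done
gen_uci lan
```

Because the redirect has no `dest_ip`, fw4 DNATs the matched connections to the router's own address on the receiving interface, so, as the earlier answer says, socks5 must listen on that address (or on all interfaces) rather than only on 127.0.0.1. After applying, `nft list chain inet fw4 dstnat_<zone>` shows the counters for each zone's rule.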