How to make `fw3 flush` persistent?

My two questions:

  1. How to make fw3 flush persistent?
  2. How can I edit / remove the rules shown by fw3 print?

The higher goal:
I want to switch to nftables and therefore I want to flush all iptable rules persistently.

What I already tried:

  • Flush all uci firewall rules. I flushed the content of `/etc/config/firewall`, i.e. `uci show firewall` prints nothing.
  • `iptables -L`, `iptables -X` and `iptables-save` (does exactly what I want, but is not persistent).
  • `fw3 flush`. Gets me to the goal too, but isn't persistent either. At every reboot all rules shown by `fw3 print` are applied again.
  • Install ipset to get rid of one error message when doing `fw3 flush`.

Output of `fw3 print`:

```
iptables -t filter -P INPUT filter
iptables -t filter -P OUTPUT filter
iptables -t filter -P FORWARD filter
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
```

Thanks in advance :)

`/etc/init.d/firewall` -> {start, etc. etc.} + `/etc/hotplug.d/iface/20-firewall`


So here's how I solved it (not all steps may be necessary to achieve my goal):

  1. Remove all uci firewall rules: `echo "" > /etc/config/firewall`
  2. `fw3 flush`
  3. `service firewall disable` (that was the step that was missing; can't believe I did not think of that myself)
  4. `opkg remove luci-app-firewall --force-depends`, to remove the firewall tab from LuCI, as we cannot configure nftables yet.
  5. `reboot`
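The five steps above as one script, plus the two checks you want after the reboot. This is an added example, not code from the thread or from OpenWrt; it assumes a busybox ash shell, `fw3`, `/etc/init.d/firewall` with its start link named `S<NN>firewall` under `/etc/rc.d`, and that every rule fw3 installs carries a `"!fw3"` comment (as the `fw3 print` output above shows). The `SAMPLE_SAVE` ruleset is constructed for trying the counting function offline.

```shell
#!/bin/sh
# Added example (not from the forum thread): the steps from the post as a
# script, with a backup of the old config and a post-reboot check that fw3
# is really gone. Assumes busybox ash, fw3, /etc/init.d/firewall and an
# rc.d start link named S<NN>firewall (assumptions, not taken from the post).

RC_D=/etc/rc.d                 # enabled init scripts are symlinked here
FW_CONFIG=/etc/config/firewall

# Count the rules fw3 installed: each one carries a "!fw3" comment.
# Reads iptables-save text from stdin; prints 0 (not an error) when none.
count_fw3_rules() {
    grep -c -- '--comment "!fw3' || :
}

# Return 0 if the firewall init script is still enabled, i.e. an S<NN>firewall
# start link exists in the given rc.d directory (defaults to /etc/rc.d).
firewall_enabled() {
    dir=${1:-$RC_D}
    for link in "$dir"/S[0-9][0-9]firewall; do
        [ -e "$link" ] && return 0
    done
    return 1
}

# Steps 1-3 from the post (step 4 on request); step 5 is left to the admin.
disable_fw3() {
    cp "$FW_CONFIG" "$FW_CONFIG.bak.$(date +%s)"   # keep a copy before wiping
    : > "$FW_CONFIG"                               # 1. empty uci firewall config
    fw3 flush                                      # 2. drop the running ruleset
    /etc/init.d/firewall disable                   # 3. remove the rc.d start link
    if [ "${1:-}" = "--remove-luci" ]; then
        opkg remove --force-depends luci-app-firewall   # 4. drop the LuCI tab
    fi
    echo "done; reboot to confirm nothing re-applies the rules"   # 5.
}

# Post-reboot check: no "!fw3" rules in the live ruleset and no start link.
verify_fw3_gone() {
    left=$(iptables-save | count_fw3_rules)
    if [ "$left" -ne 0 ]; then
        echo "still $left fw3 rules loaded" >&2; return 1
    fi
    if firewall_enabled; then
        echo "/etc/init.d/firewall is still enabled" >&2; return 1
    fi
    echo "fw3 is gone; safe to start with nftables"
}

# Constructed sample of iptables-save output: three fw3 rules and one
# hand-added rule without the tag, for trying count_fw3_rules offline.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -p tcp --dport 22 -m comment --comment "admin ssh" -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
COMMIT'

sample_fw3_rule_count() {
    printf '%s\n' "$SAMPLE_SAVE" | count_fw3_rules
}

case "${1:-}" in
    --apply)  disable_fw3 "${2:-}" ;;      # run on the router, as root
    --verify) verify_fw3_gone ;;           # run after the reboot
    *)        echo "sample ruleset has $(sample_fw3_rule_count) fw3 rules" ;;
esac
```

Run it as `sh disable-fw3.sh --apply` (add `--remove-luci` for step 4), reboot, then `sh disable-fw3.sh --verify`. The verify step is the part the post does not show: `fw3 flush` leaving an empty table proves nothing about the next boot, so check both the live ruleset and the absence of the start link after the reboot. Without arguments the script only counts the tagged rules in the constructed sample.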
