Zone X is based on device tun0, which is a PtP OpenVPN link: 10.8.0.2 (local) and 10.8.0.1 (remote).
Zone Y is the classical default br-lan with address 192.168.0.199.
My firewall is configured with:
X => Y, ACCEPT, ACCEPT, REJECT, No Masquerade
Y, ACCEPT, ACCEPT, ACCEPT, No Masquerade
a specific SNAT to 192.168.0.199 for everything getting to Y but not belonging to Y.
I don't want my router to be reached through 10.8.0.2 but through 192.168.0.199. So I want to set X input to REJECT. But then I can't connect from X to the router at the 10.8.0.2 address, and I can't connect from X to the router at the 192.168.0.199 address either, although I have the forward right and Y zone input is set to ACCEPT. By the way, in this case I can ping from X any host on Y, but not the router.
I know it's in fact a netfilter question, but I'm really interested in the answer.
The access to the router through any of its available interfaces is controlled only by the input chain.
The forward chain is responsible for packets that neither originate from nor are destined for the router, but they traverse the device (they are routed).
That's why when you set the default input policy for zone X to reject, you cannot access the router through either 10.8.0.2 or 192.168.0.199, but you can still ping devices on Y.
To achieve what you want, you can set the default input policy for zone X to drop/reject and create an allow rule, or set it to accept and create a deny rule:
config rule
	option src 'X'
	option name 'Allow-from-VPN'
	option dest_port '22 80 443'
	option dest_ip '192.168.0.199'
	list proto 'tcp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option src 'X'
	option name 'Deny-from-VPN'
	option dest_ip '10.8.0.2'
	option proto 'all'
	option target 'REJECT'
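To make the input-versus-forward point concrete, here is an added example (not from the original thread or from OpenWrt itself): a small POSIX sh simulation of the routing decision netfilter makes before it picks a chain, with the zone policies from the question applied on top, plus the Allow-from-VPN rule rendered as a `uci batch` script. The router addresses are the ones from the question; the LAN host 192.168.0.50 and the zone name 'X' are constructed/assumed. Destination ports are not modelled.

```sh
#!/bin/sh
# Added example: simulate the netfilter routing decision from the answer and
# emit the Allow-from-VPN rule as a uci batch. Router addresses come from the
# question; the sample LAN host 192.168.0.50 is constructed.

# Addresses the router itself owns (tun0 local end, br-lan address).
ROUTER_ADDRS="10.8.0.2 192.168.0.199"

# chain_for DST: print INPUT when DST is one of the router's own addresses,
# FORWARD otherwise. This is decided before the input/forward chains run and
# does not depend on which interface the packet arrived on.
chain_for() {
    dst=$1
    for a in $ROUTER_ADDRS; do
        [ "$dst" = "$a" ] && { echo INPUT; return 0; }
    done
    echo FORWARD
}

# verdict SRC_ZONE DST: apply the zone policies from the question
# (X input = REJECT, X => Y forward = ACCEPT, Y input = ACCEPT) plus the
# Allow-from-VPN exception to a packet from SRC_ZONE with destination DST.
verdict() {
    src_zone=$1; dst=$2
    case "$(chain_for "$dst")" in
        INPUT)
            if [ "$src_zone" = X ] && [ "$dst" = 192.168.0.199 ]; then
                echo ACCEPT    # Allow-from-VPN rule matches
            elif [ "$src_zone" = X ]; then
                echo REJECT    # zone X default input policy
            else
                echo ACCEPT    # zone Y input policy
            fi ;;
        FORWARD)
            echo ACCEPT ;;     # X => Y forward policy
    esac
}

# uci_batch: the Allow-from-VPN rule as commands for `uci batch` on the
# router (assumes the zone is really named 'X', as in the question).
uci_batch() {
    cat <<'EOF'
add firewall rule
set firewall.@rule[-1].name='Allow-from-VPN'
set firewall.@rule[-1].src='X'
set firewall.@rule[-1].dest_ip='192.168.0.199'
set firewall.@rule[-1].dest_port='22 80 443'
add_list firewall.@rule[-1].proto='tcp'
set firewall.@rule[-1].family='ipv4'
set firewall.@rule[-1].target='ACCEPT'
commit firewall
EOF
}

# Constructed sample packets arriving from the VPN peer (zone X).
for dst in 10.8.0.2 192.168.0.199 192.168.0.50; do
    printf '%-15s %-8s %s\n' "$dst" "$(chain_for "$dst")" "$(verdict X "$dst")"
done
```

Running it shows both router addresses classified as INPUT (so the zone X input policy, not the X => Y forward policy, decides), while the LAN host goes through FORWARD and is accepted; `uci_batch | uci batch` on the router would install the allow rule, after which `/etc/init.d/firewall reload` applies it.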
It makes sense. I thought there was something like a loopback interface, the packet leaving the router on the 192.168.0.0 network/interface and re-entering at 192.168.0.199. But is there even a way to implement such a thing? Like a PREROUTING rule that would DNAT traffic for 10.8.0.2 to 192.168.0.199?
I have to try, out of curiosity. It depends on how OpenWRT implements firewall rules. netfilter will see a packet coming from tun0 but going to IP 192.168.0.199. The routing decision will be INPUT, but depending on the rules it may ACCEPT/REJECT.