Iptables "ACCEPT all -- anywhere anywhere" is at the beginning of chain x if "config defaults option x 'ACCEPT'" is set

I noticed that if I set the option ACCEPT as the default value for OUTPUT and INPUT in the firewall config file, it places the following line at the beginning of the INPUT and OUTPUT chains in iptables.

ACCEPT all -- anywhere anywhere /* !fw3 */

Should this line not be at the end of the INPUT / OUTPUT chain?
Otherwise it would not honour any drops which come later, or am I wrong?

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_input  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_output  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_output  all  --  anywhere             anywhere             /* !fw3 */

I have tried to block outgoing ICMP redirects, but it was not successful, probably for this reason.
https://forum.openwrt.org/t/openwrt-sends-icmp-redirect-with-wrong-ip-address-for-openvpn-tun-interface/21556/13

# opkg list firewall
firewall - 2018-07-26-aa8846bb-1 - This package provides a config-compatible C implementation of the UCI firewall.

# iptables-save -t filter | grep INPUT
:INPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input

r1:~# opkg list firewall
firewall - 2018-07-26-aa8846bb-1
r1:~# iptables-save -t filter | grep INPUT
:INPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i usb0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_VPN_input
-A INPUT -i tun1 -m comment --comment "!fw3" -j zone_VPN_input

r1:~# iptables-save -t filter | grep OUTPUT
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o usb0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_VPN_output
-A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_VPN_output

The iptables -L listing is incomplete and omits -i (incoming interface) and -o (outgoing interface).
This makes the "accept all from lo"-rule appear to be a rule that accepts all traffic from all IPs, which it isn't.

Hmm, why does the following rule in "/etc/config/firewall" not prevent OpenWRT from sending out ICMP redirects?

config rule
        option enabled '1'
        option name 'ICMP redirect disable'
        option family 'ipv4'
        option proto 'icmp'
        option icmp_type 'redirect'
        option src '*'
        option dest '*'
        option target 'REJECT'

This helps as also described there:

iptables -I FORWARD -p icmp --icmp-type redirect -j DROP

The rule above will not match traffic emitted by the kernel itself; for that you'll need an additional output rule (which you can achieve by only specifying option dest '*' without option src '*').

A more reliable way is to prevent the generation of redirects in the first place through sysctl:
sysctl -w net.ipv4.conf.all.send_redirects=0

You can persist that in /etc/sysctl.conf
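One detail to check when going the sysctl route: the kernel sends redirects on an interface if *either* conf/all/send_redirects *or* conf/&lt;iface&gt;/send_redirects is 1 (that is how ip-sysctl documents the knob, and every interface starts at 1), so clearing only the "all" entry can leave redirects enabled on interfaces whose own flag is still set. The following added example (not from this thread or from OpenWrt) reports which interfaces will still send redirects, clears the flag on all of them, and persists the setting in /etc/sysctl.conf. The sysctl tree path and the config file path are parameters so the functions can be exercised against a copy; the real defaults are assumed to be /proc/sys/net/ipv4/conf and /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example: audit and clear the per-interface ICMP-redirect sending switch.
# Paths are parameters so the functions can be run against a copy of the tree.

# Per the kernel docs, an interface sends redirects when conf/all/send_redirects
# OR conf/<iface>/send_redirects is 1. Print every interface still affected.
redirect_senders() {
    confdir="${1:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$confdir/all/send_redirects" 2>/dev/null || echo 0)
    for d in "$confdir"/*/; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        val=$(cat "${d}send_redirects" 2>/dev/null || echo 0)
        if [ "$all" = "1" ] || [ "$val" = "1" ]; then
            echo "$iface"
        fi
    done
}

# Clear the flag on 'all', on 'default' (inherited by interfaces created later,
# e.g. a tun device that OpenVPN brings up) and on every existing interface.
# Needs root when pointed at the real /proc tree.
disable_send_redirects() {
    confdir="${1:-/proc/sys/net/ipv4/conf}"
    for d in "$confdir"/*/; do
        [ -d "$d" ] || continue
        echo 0 > "${d}send_redirects"
    done
}

# Persist the two keys that cover current and future interfaces; idempotent,
# so it can run on every deploy without duplicating lines.
persist_send_redirects_off() {
    conf="${1:-/etc/sysctl.conf}"
    for key in net.ipv4.conf.all.send_redirects net.ipv4.conf.default.send_redirects; do
        grep -q "^${key}=" "$conf" 2>/dev/null || echo "${key}=0" >> "$conf"
    done
}
```

Run `redirect_senders` with no argument on the router to see which interfaces are still affected; an empty result means no interface will originate redirects. Note this only covers redirects generated by this host, not ones arriving from a peer over the tunnel.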

I already tried "net.ipv4.conf.all.send_redirects=0", but it did not work, because in my case it looks like the ICMP redirect comes from the VPN server to which this router is connected via an OpenVPN tun interface.

Shouldn't option src '*' be the right setting in this case?
I also put the drop rule which worked into the FORWARD rule.

I don't see why your uci rule wouldn't work (maybe change target REJECT to target DROP to exactly replicate your manual rule).

Also flush the conntrack table (echo f > /proc/net/nf_conntrack) after reloading the firewall to ensure that it's not lingering established/related streams that still allow the ICMP redirects.

If it still fails, provide the relevant parts of iptables-save here so that I can take a closer look at the rule layout.

I added DROP rules with and without the src option and performed a reboot of the device, but it is still sending ICMP redirects.

r1:~# tcpdump -nni br-lan icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
14:25:41.966768 IP 10.102.0.33 > 10.1.139.1: ICMP echo request, id 1, seq 2280, length 40
14:25:41.967726 IP 10.1.139.1 > 10.102.0.33: ICMP echo reply, id 1, seq 2280, length 40
14:25:41.984633 IP 10.102.0.1 > 10.1.139.1: ICMP redirect 10.102.0.33 to host 10.102.0.33, length 68
14:25:42.964640 IP 10.102.0.33 > 10.1.139.1: ICMP echo request, id 1, seq 2281, length 40
14:25:42.964882 IP 10.1.139.1 > 10.102.0.33: ICMP echo reply, id 1, seq 2281, length 40
14:25:42.977948 IP 10.102.0.1 > 10.1.139.1: ICMP redirect 10.102.0.33 to host 10.102.0.33, length 68

This is my relevant firewall configuration:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wan_rndis'
        list network 'wan_cdc'
        list network 'wan_3g'
        list network 'wan_pptp'
        list network 'wan_pppoe'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option enabled '1'
        option name 'ICMP redirect disable'
        option proto 'icmp'
        option target 'DROP'
        option icmp_type 'redirect'
        option src '*'
        option dest '*'

config rule
        option enabled '1'
        option name 'ICMP redirect disable'
        option proto 'icmp'
        option target 'DROP'
        option icmp_type 'redirect'
        option dest '*'

iptables:

r1:~# iptables-save
# Generated by iptables-save v1.6.2 on Thu Sep 20 14:33:07 2018
*nat
:PREROUTING ACCEPT [634:61071]
:INPUT ACCEPT [36:3114]
:OUTPUT ACCEPT [237:17347]
:POSTROUTING ACCEPT [13:847]
:postrouting_VPN_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_VPN_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_VPN_postrouting - [0:0]
:zone_VPN_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i usb0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_VPN_prerouting
-A PREROUTING -i tun1 -m comment --comment "!fw3" -j zone_VPN_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o usb0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_VPN_postrouting
-A POSTROUTING -o tun1 -m comment --comment "!fw3" -j zone_VPN_postrouting
-A zone_VPN_postrouting -m comment --comment "!fw3: Custom VPN postrouting rule chain" -j postrouting_VPN_rule
-A zone_VPN_prerouting -m comment --comment "!fw3: Custom VPN prerouting rule chain" -j prerouting_VPN_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Sep 20 14:33:07 2018
# Generated by iptables-save v1.6.2 on Thu Sep 20 14:33:07 2018
*mangle
:PREROUTING ACCEPT [81461:67054561]
:INPUT ACCEPT [1345:139528]
:FORWARD ACCEPT [79662:66868084]
:OUTPUT ACCEPT [1628:228494]
:POSTROUTING ACCEPT [81283:67096298]
-A FORWARD -o usb0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Sep 20 14:33:07 2018
# Generated by iptables-save v1.6.2 on Thu Sep 20 14:33:07 2018
*filter
:INPUT ACCEPT [1:68]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_VPN_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_VPN_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_VPN_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_VPN_dest_ACCEPT - [0:0]
:zone_VPN_dest_REJECT - [0:0]
:zone_VPN_forward - [0:0]
:zone_VPN_input - [0:0]
:zone_VPN_output - [0:0]
:zone_VPN_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i usb0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_VPN_input
-A INPUT -i tun1 -m comment --comment "!fw3" -j zone_VPN_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 5 -m comment --comment "!fw3: ICMP redirect disable" -j DROP
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i usb0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_VPN_forward
-A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_VPN_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 5 -m comment --comment "!fw3: ICMP redirect disable" -j DROP
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o usb0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_VPN_output
-A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_VPN_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_VPN_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_VPN_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
-A zone_VPN_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_VPN_dest_REJECT -o tun1 -m comment --comment "!fw3" -j reject
-A zone_VPN_forward -m comment --comment "!fw3: Custom VPN forwarding rule chain" -j forwarding_VPN_rule
-A zone_VPN_forward -m comment --comment "!fw3: Zone VPN to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_VPN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_VPN_forward -m comment --comment "!fw3" -j zone_VPN_dest_REJECT
-A zone_VPN_input -m comment --comment "!fw3: Custom VPN input rule chain" -j input_VPN_rule
-A zone_VPN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_VPN_input -m comment --comment "!fw3" -j zone_VPN_src_ACCEPT
-A zone_VPN_output -m comment --comment "!fw3: Custom VPN output rule chain" -j output_VPN_rule
-A zone_VPN_output -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
-A zone_VPN_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_VPN_src_ACCEPT -i tun1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to VPN forwarding policy" -j zone_VPN_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o usb0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o usb0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o usb0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: OpenVPN" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i usb0 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Sep 20 14:33:07 2018

Even if you see incoming traffic, it doesn't mean it will pass the firewall:

As a matter of fact, tcpdump is the first software found after the wire (and the NIC, if you will) on the way IN, and the last one on the way OUT.

Wire -> NIC -> tcpdump -> netfilter/iptables

iptables -> tcpdump -> NIC -> Wire

The rule setup looks okay, semantically. Is it possible that the ICMP traffic is regarded as established or related, maybe? In this case it likely wouldn't catch it.

I actually watch the outgoing traffic on br-lan with tcpdump -nni br-lan icmp, and I can also see that it stops if I manually add my DROP. So I think the monitoring is fine.

Good point, it looks like it is.
When I add another DROP before the RELATED,ESTABLISHED line, it prevents OpenWRT from sending out these ICMP redirects.

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
DROP       icmp --  anywhere             anywhere             icmp redirect
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
DROP       icmp --  anywhere             anywhere             icmp redirect /* !fw3: ICMP redirect disable */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Is it the way it should be that the "ICMP redirect" is related (I guess it's not established)?
I understand that it is required for some ICMP messages like errors or echo requests.

Is it the way it should be that the uci firewall rules get added after the RELATED,ESTABLISHED line and not before?
This way there is no chance to drop such a packet with uci rules.
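Two things in this thread are easy to get wrong when reading rule listings by eye: `iptables -L` hides the `-i`/`-o` columns, so the `-i lo` accept looks like an accept-everything rule, and a DROP placed behind the `RELATED,ESTABLISHED` accept never sees a packet that conntrack has tied to a tracked flow. The following added example (not code from the thread, from fw3 or from OpenWrt) parses an `iptables-save` dump in the format quoted above and reports both: ACCEPT rules that really are unconditional, and DROP/REJECT rules shadowed by the conntrack accept in their chain. `SAMPLE_DUMP` is constructed, modelled on the listings posted earlier; the parser assumes nothing beyond the `iptables-save` line format (`-A CHAIN options -j TARGET`, `!` for negation, quoted `--comment` values).

```python
# Added example (not code from the thread): audit the *filter table of an
# iptables-save dump for the two rule-ordering pitfalls discussed above.
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the iptables-save output quoted in the thread.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [1:68]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 5 -m comment --comment "!fw3: ICMP redirect disable" -j DROP
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 5 -m comment --comment "!fw3: ICMP redirect disable" -j DROP
-A forwarding_rule -p icmp -m icmp --icmp-type 5 -j DROP
COMMIT
"""

# Options whose value lands directly in a Rule attribute.
SIMPLE_OPTS = {"-A": "chain", "-i": "in_if", "-o": "out_if",
               "-p": "proto", "--comment": "comment", "-j": "target"}

@dataclass
class Rule:
    chain: str
    raw: str
    target: Optional[str] = None
    in_if: Optional[str] = None      # "-i" value, "!name" when negated
    out_if: Optional[str] = None     # "-o" value, "!name" when negated
    proto: Optional[str] = None
    comment: Optional[str] = None
    ctstate: Optional[List[str]] = None
    modules: List[str] = field(default_factory=list)

    def is_unconditional(self) -> bool:
        restricting = [m for m in self.modules if m != "comment"]  # comment is a label
        return not (self.in_if or self.out_if or self.proto or restricting)

def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ...' line; shlex keeps the quoted comment intact."""
    tokens = shlex.split(line)
    rule, negate, i = Rule(chain="", raw=line), "", 0
    while i < len(tokens):
        tok = tokens[i]
        val = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok == "!":                   # '!' negates the option that follows
            negate, i = "!", i + 1
            continue
        if tok in SIMPLE_OPTS:
            prefix = negate if tok in ("-i", "-o", "-p") else ""
            setattr(rule, SIMPLE_OPTS[tok], prefix + val)
        elif tok == "-m":
            rule.modules.append(val)
        elif tok == "--ctstate":
            rule.ctstate = val.split(",")
        else:                            # an option this audit does not need
            negate, i = "", i + 1
            continue
        negate, i = "", i + 2
    return rule

def parse_filter_table(dump: str) -> Dict[str, List[Rule]]:
    """Return {chain: [rules in order]} for the *filter table only."""
    chains: Dict[str, List[Rule]] = {}
    in_filter = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif in_filter and line.startswith("-A "):
            rule = parse_rule(line)
            chains.setdefault(rule.chain, []).append(rule)
    return chains

def unconditional_accepts(chains: Dict[str, List[Rule]]) -> list:
    """ACCEPT rules that really match every packet; the '-i lo' rule is not
    one, 'iptables -L' merely hides its interface column."""
    return [(chain, r.raw) for chain, rules in chains.items()
            for r in rules if r.target == "ACCEPT" and r.is_unconditional()]

def shadowed_by_conntrack(chains: Dict[str, List[Rule]]) -> list:
    """DROP/REJECT rules behind the chain's RELATED,ESTABLISHED accept without a
    --ctstate of their own: a RELATED packet is accepted before they are consulted."""
    findings = []
    for chain, rules in chains.items():
        behind_accept = False
        for rule in rules:
            if rule.target == "ACCEPT" and {"RELATED", "ESTABLISHED"} <= set(rule.ctstate or []):
                behind_accept = True
            elif behind_accept and rule.ctstate is None and rule.target in ("DROP", "REJECT", "reject"):
                findings.append((chain, rule.comment or rule.raw))
    return findings
```

Feed it the real dump with `parse_filter_table(open("dump").read())` after running `iptables-save > dump` on the router. On the sample, `unconditional_accepts` returns nothing (the `lo` accepts are interface-scoped) and `shadowed_by_conntrack` flags the two "ICMP redirect disable" rules in FORWARD and OUTPUT, while the same drop placed in `forwarding_rule` is not flagged because that chain is reached before the conntrack accept.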

Looks like rule-section has no priority-related options:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#rules
So use include-section:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#includes
And better use the special chain forwarding_rule for custom rules, which is processed before the RELATED,ESTABLISHED rule.

Connection tracking does track icmp packets, but there is no ESTABLISHED state, so the match will fail. I suspect something else in your rule set is causing a match/end-target so that your rule is not run.

I have this fw3 rule that successfully drops the icmp types to a server:

config rule
        option family 'ipv4'
        option proto 'icmp'
        option icmp_type 'echo-request echo-reply redirect'
        option src '*'
        option dest '*'
        option target 'DROP'
        option name 'DROP-ICMP-FORWARD'
        option enabled '1'

creating the following netfilter chain:

Chain FORWARD (policy DROP)
target     prot opt source               destination         
forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: DROP-ICMP-FORWARD */
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 0 /* !fw3: DROP-ICMP-FORWARD */
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 5 /* !fw3: DROP-ICMP-FORWARD */
zone_secure_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_dmz_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_guest_forward  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
reject     all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

@Michael.Uray
OK, I looked at the kernel code a little - not enough to fully understand "why", but enough to have an idea of what's going on. An icmp message can cause the connection to be in a RELATED state, which would match the ACCEPT end-chain rule.

I can't recreate your scenario, but I strongly suspect if you remove the RELATED flag from the ACCEPT rule then the icmp DROP after that rule will be matched. TCP uses the RELATED state for when the connection is pending to go in/out of the ESTABLISHED state so removing it from the ACCEPT rule is not a solution.

But you did the best fix, which is a rule before the ACCEPT....

@dturvene the original problem has already been solved:

Thanks! I wasn't aware of the other thread...

The echo response packet was sent from the D1 device, and I think the ICMP redirect was an answer to it, so this is the reason why it was considered related.

So I would say only this question is left:

Using special chains: input_rule, forwarding_rule, output_rule.
Network > Firewall > Custom Rules:

iptables -A input_rule ...
iptables -A forwarding_rule ...
iptables -A output_rule ...

I understand that I can use the mentioned iptables rule there. I am just wondering if the UCI firewall rules which get added to iptables are right, because they get added after the RELATED and ESTABLISHED line.
Would it be better if they were added before, or is it good as it is right now, because the other way has other disadvantages?