Hi all. I have been using OpenWRT since about 2013, with a TP-Link WDR4300 back then, and now an Archer C2600. With LEDE, I started using more advanced firewall rules. My basic idea is to REJECT everything which is not explicitly allowed and log the denied connections.
I achieved this with the following config in /etc/config/firewall:
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log '1'
However, since upgrading to OpenWRT 18.06 (tried with 18.06.1 and 18.06.4), logging stopped working. (I just copied the /etc/config/firewall file from the LEDE installation)
Before, I could see denied outbound connections with logread; this is not possible anymore. If I enable logging for e.g. the WAN connection, I do see log entries.
iptables -L indicates that the necessary firewall rules seem to be present:
From a lan client device are you still seeing rejections when you try to connect to something not allowed through?
(I just copied the /etc/config/firewall file from the LEDE installation)
This could be the problem; the recommendation when upgrading major releases (e.g. 17.x to 18.x) is to export all your configs, upgrade with default settings, then manually apply your settings again, adjusting where things are different in the new version.
Firewall rules all seem to work as intended. For example, if I disable the "Allow Ping from LAN to WAN rule", a ping to the Internet would result in "Destination Port unreachable" - which means packets get denied instead of dropped (or even allowed).
I think the problem could be that the rulesets (I never used 17) fork into specific chains for "zone/interface/direction" very early on in the chainsets.
So the way you're used to doing it would need to be applied per zone/direction in order to be picked up. Manually dumping the rulesets with "iptables-save" is the clearest way to get a handle on where your rule is sitting (pay attention to the custom "lan_zone_xyz" fragmentations).
Perhaps the GUI would work too... I don't use it myself (for the firewall anyway). I do know that something just does not look right in the syntax you've posted in your original post.
This is the general raw format for intercepting prior to the directional/zone rules. It's not the most efficient way to do things, but it highlights why and where rules further down don't catch things:
#### NEW LOG CHAIN
iptables -N mylog
#### RULE/RULES TO CATCH AND LOG
# MATCHONLYTHESETHINGS is a placeholder for your own match options (e.g. a source address);
# $myloglevel must be set before this runs (the line below keeps an existing value, else uses 4 = warning)
myloglevel=${myloglevel:-4}
iptables -A mylog MATCHONLYTHESETHINGS -j LOG --log-prefix "thesethingsmatchedXYZ " --log-level $myloglevel
# (you may want a matching DROP rule here)
#### GO BACK TO THE OTHER RULES
iptables -A mylog -j RETURN
#### EARLY IN THESE CHAINS JUMP TO mylog FOR CHECKING
# (try putting them at different places in each zone/chain, probably lan_forward with a source IP;
#  once you're confident, you can have mylog drop everything)
iptables -I input_rule 1 -j mylog
iptables -I forwarding_rule 1 -j mylog
iptables -I output_rule 1 -j mylog
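To follow the advice above about dumping the ruleset with iptables-save and seeing where a rule sits relative to the early zone forks, here is an added example (not from the thread or from OpenWrt) that walks an iptables-save dump in packet order and lists the LOG rules it reaches. The dump is a constructed fw3-style fragment; the chain names (forwarding_rule, zone_lan_forward, zone_lan_dest_REJECT) follow fw3's naming, the mylog chain is the one from the post above, and the source address is made up.

```python
import re

# Constructed fw3-style iptables-save fragment (not a real router dump): FORWARD
# forks early into the hook chain forwarding_rule and the per-zone chain
# zone_lan_forward, with the mylog chain from the post hooked into forwarding_rule.
SAMPLE_DUMP = """\
*filter
:FORWARD DROP [0:0]
:forwarding_rule - [0:0]
:mylog - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_dest_REJECT - [0:0]
-A FORWARD -j forwarding_rule
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A forwarding_rule -j mylog
-A mylog -s 192.168.1.50/32 -j LOG --log-prefix "thesethingsmatchedXYZ " --log-level 4
-A mylog -j RETURN
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
-A zone_lan_dest_REJECT -o eth0 -m limit --limit 10/sec -j LOG --log-prefix "REJECT lan forward: "
-A zone_lan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_dump(dump):
    """Return {chain: [rule, ...]} in ruleset order (a single table is assumed)."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):                      # chain declaration
            chains.setdefault(line.split()[0][1:], [])
        elif line.startswith("-A "):                  # rule appended to a chain
            chain, _, rest = line[3:].partition(" ")
            chains.setdefault(chain, []).append(rest)
    return chains

def trace(chains, chain, depth=0):
    """Yield (depth, chain, rule) in the order a packet can reach them, following jumps."""
    for rule in chains.get(chain, []):
        yield depth, chain, rule
        m = re.search(r"-j (\S+)", rule)
        target = m.group(1) if m else ""
        if target in chains:                          # user chain: descend into it
            yield from trace(chains, target, depth + 1)
        elif target in {"ACCEPT", "DROP", "REJECT", "RETURN"}:
            # an unconditional terminating rule ends its chain (fw3's comment match is not a condition)
            if re.sub(r'-m comment --comment "[^"]*" ?', "", rule).startswith("-j"):
                return

def log_prefixes(chains, chain="FORWARD"):
    """Return the LOG prefixes in the order a packet would hit them starting from `chain`."""
    hits = [re.search(r'-j LOG .*--log-prefix "([^"]*)"', r) for _, _, r in trace(chains, chain)]
    return [m.group(1) for m in hits if m]
```

On the router, feed `parse_dump` the real output of `iptables-save -t filter` and print `trace(chains, "FORWARD")` indented by depth to see exactly which zone fork a packet takes before your logging rule is, or is not, reached.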