I want to block all devices by default and allow specific mac addresses to access internet, and for the blocked mac addresses, i want them to access specific ip addresses or sites by default without even knowing the mac addresses before hand. How do i achieve this using nftables?
- remove lan to wan default zone forwarding
- make a rule allowing forwarding to allowed DST IPs (i.e. without knowing MAC)
- create an allow rule listing those MACs
Thanks, can you please share the specific ssh commands i need to run?
- We would need to know you configuration for that
cat /etc/config/firewall
cat /etc/config/network
- I use the method of editing the relevant config file, so another user would need to provide the equivalent UCI commands for SSH
Here is my cat /etc/config/firewall:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
list network 'wwan'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option input 'DROP'
option masq '1'
option masq6 '1'
config forwarding
option src 'lan'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
config rule 'process_mark'
option name 'process_mark'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 65533'
option target 'MARK'
option set_xmark '0x8000/0xc000'
config rule 'process_mark_dns'
option name 'process_mark_dns'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 453'
option target 'MARK'
option set_xmark '0x8000/0xc000'
config rule 'process_mark_stubby'
option name 'process_mark_stubby'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 410'
option target 'MARK'
option set_xmark '0x8000/0xc000'
config rule 'process_explict_vpn'
option name 'process_explict_vpn'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 20000'
option target 'MARK'
option set_xmark '0x20000/0x20000'
config rule 'wan_in_conn_mark'
option name 'wan_in_conn_mark'
option src 'wan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
option enabled '0'
config rule 'lan_in_conn_mark_restore'
option name 'lan_in_conn_mark_restore'
option src 'lan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
option enabled '0'
config rule 'out_conn_mark_restore'
option name 'out_conn_mark_restore'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
option enabled '0'
config include 'swap_wan_in_conn_mark'
option type 'script'
option reload '1'
option path '/etc/firewall.swap_wan_in_conn_mark.sh'
option enabled '0'
config include 'vpn_client_deal_leak'
option type 'script'
option reload '1'
option path '/etc/firewall.vpn_client_deal_leak.sh'
option enabled '1'
config include 'glblock'
option type 'script'
option path '/usr/bin/gl_block.sh'
option reload '1'
config zone
option name 'guest'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
config forwarding
option src 'guest'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule
option name 'Allow-DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
config include 'vpn_server_policy'
option type 'script'
option path '/etc/firewall.vpn_server_policy.sh'
option reload '1'
option enabled '1'
config rule 'glipv6_guest_dhcp'
option name 'Allow-DHCP-IPV6'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '546:547'
option family 'ipv6'
config rule 'glipv6_guest_icmp'
option name 'Allow-ICMP-IPV6'
option src 'guest'
option target 'ACCEPT'
option proto 'icmp'
option dest_port '58'
option family 'ipv6'
config rule 'https_wan'
option src 'wan'
option proto 'tcp'
option dest_port '443'
option target 'ACCEPT'
config rule 'ssh_wan'
option src 'wan'
option proto 'tcp'
option dest_port '22'
option target 'ACCEPT'
And here is my cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fde3:52a6:baad::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
option macaddr '94:83:c4:46:6c:0e'
config device
option name 'eth1'
option macaddr '94:83:c4:46:6c:0e'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
option isolate '0'
option ip6assign '64'
option ip6hint '0000'
option ip6ifaceid '::1'
option ip6class 'local'
config device
option name 'eth0'
option macaddr '94:83:c4:46:6c:0d'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option force_link '0'
option classlessroute '0'
option metric '10'
option ipv6 '1'
config interface 'wan6'
option proto 'dhcpv6'
option device '@wan'
option disabled '0'
config interface 'tethering6'
option device '@tethering'
option proto 'dhcpv6'
option disabled '0'
config interface 'wwan6'
option device '@wwan'
option proto 'dhcpv6'
option disabled '0'
config interface 'guest'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option multicast_querier '1'
option igmp_snooping '0'
option isolate '0'
option bridge_empty '1'
option disabled '1'
option ip6prefix 'fde3:52a6:baad::/48'
option ip6assign '64'
option ip6hint '0001'
option ip6ifaceid '::1'
option ip6class 'guest'
config interface 'wwan'
option proto 'dhcp'
option classlessroute '0'
option metric '20'
config interface 'modem_1_1_2_6'
option ifname '@modem_1_1_2'
option proto 'dhcpv6'
option disabled '0'
config rule 'policy_direct_rt'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'
config rule 'policy_default_rt_vpn'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'
config rule6 'policy_direct_rt6'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'
config rule6 'policy_default_rt_vpn6'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'
config rule 'policy_default_rt_vpn_ts'
option lookup 'main'
option priority '1099'
option mark '0x80000/0xc0000'
option invert '0'
And here is the simple configuration I came up with after a few Google searches; everything works well except that the allowed MAC address still can't access the internet:
# Custom ruleset posted by the asker. It is loaded next to fw4's own "inet fw4"
# table; at the forward hook a packet has to pass every base chain, so an
# accept here does not override fw4, and a drop here is final.
table inet filter {
# Clients that may reach any destination.
set allowed_macs {
type ether_addr
elements = { 2a:7a:85:8b:79:9a }
}
# Destinations every client may reach, allowed MAC or not.
set allowed_destinations {
type ipv4_addr
elements = { 8.8.4.4, 8.8.8.8,
45.223.139.195, 192.168.8.180 }
}
# NOTE(review): there is no `ct state established,related accept` rule.
# Reply packets (WAN -> LAN) carry the upstream gateway's source MAC and a LAN
# destination, so they match neither accept rule and presumably fall to the
# drop policy -- a likely reason the allowed MAC still has no working
# internet access even though its outbound packets are counted as accepted.
chain forward {
type filter hook forward priority filter; policy drop;
ether saddr @allowed_macs counter packets 2179 bytes 333641 accept
ether saddr != @allowed_macs ip daddr @allowed_destinations counter packets 34 bytes 9795 accept
}
}
I appreciate any help thanks.
Your firewall configuration is full of options that won't work with fw4/nftables.
You don't need to create an additional custom table; just follow the advice given by @lleachii:
Assuming the rules should work for both zones (lan and guest), remove both forwardings:
config ipset
option name 'allowed_destinations'
option match 'dest_net'
list entry '8.8.4.4/32'
list entry '8.8.8.8/32'
list entry '45.223.139.195/32'
list entry '192.168.8.180/32'
config rule
option name 'Allowed_for_everyone'
option src '*'
option dest '*'
option ipset 'allowed_destinations'
list proto 'all'
option target 'ACCEPT'
config rule
option name 'MACs_unlimited'
option src '*'
option dest '*'
list src_mac '2a:7a:85:8b:79:9a'
list proto 'all'
option target 'ACCEPT'
If you don't feel comfortable editing the configuration files directly, let us know and we'll help you with the uci commands.
Awesome, I need help with the uci commands. Also, if possible, I would like to ssh into my router and add or remove MAC addresses on the fly; I'd appreciate the commands for that too.
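# Remove the two existing forwarding sections. In the posted config these are
# lan -> wan and guest -> wan, so afterwards nothing is forwarded to wan unless
# one of the rules below accepts it. @forwarding[-1] always means "the last
# forwarding section", so check `uci show firewall | grep forwarding` first if
# the config has changed since it was posted.
# The section paths are quoted: an unquoted [-1] is a shell bracket expression
# and would be glob-expanded if a matching file happened to exist in the cwd.
uci -q del 'firewall.@forwarding[-1]'
uci -q del 'firewall.@forwarding[-1]'

# Destinations every client may reach, whatever its MAC.
uci add firewall ipset
uci set 'firewall.@ipset[-1].name=allowed_destinations'
uci set 'firewall.@ipset[-1].match=dest_net'
uci add_list 'firewall.@ipset[-1].entry=8.8.4.4/32'
uci add_list 'firewall.@ipset[-1].entry=8.8.8.8/32'
uci add_list 'firewall.@ipset[-1].entry=45.223.139.195/32'
uci add_list 'firewall.@ipset[-1].entry=192.168.8.180/32'

# Forward rule for everyone: any zone -> any zone, but only to the ipset above.
uci add firewall rule
uci set 'firewall.@rule[-1].name=Allowed_for_everyone'
uci set 'firewall.@rule[-1].src=*'
uci set 'firewall.@rule[-1].dest=*'
uci set 'firewall.@rule[-1].ipset=allowed_destinations'
uci set 'firewall.@rule[-1].proto=all'
uci set 'firewall.@rule[-1].target=ACCEPT'

# Forward rule for the allow-listed clients: any zone -> any zone, any
# destination. The match is on the source MAC the client presents, so treat
# this as an access-control convenience rather than a strong identity check.
uci add firewall rule
uci set 'firewall.@rule[-1].name=MACs_unlimited'
uci set 'firewall.@rule[-1].src=*'
uci set 'firewall.@rule[-1].dest=*'
uci add_list 'firewall.@rule[-1].src_mac=2a:7a:85:8b:79:9a'
uci set 'firewall.@rule[-1].proto=all'
uci set 'firewall.@rule[-1].target=ACCEPT'

# Later, to edit the MAC list: look the rule's index up by its exact name. The
# fixed-string match on ".name='MACs_unlimited'" cannot be fooled by another
# section whose name merely contains "MACs_un", and the :? check aborts with a
# message if the rule is missing instead of silently editing firewall.@rule[].
n=$(uci show firewall | grep -F ".name='MACs_unlimited'" | cut -d '[' -f2 | cut -d ']' -f1)
: "${n:?MACs_unlimited rule not found}"
uci add_list "firewall.@rule[$n].src_mac=aa:bb:cc:cc:ee:ff" #<-- add (example MAC)
uci del_list "firewall.@rule[$n].src_mac=2a:7a:85:8b:79:9a" #<-- remove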
To save and apply the changes:
# Write the pending uci changes to /etc/config/firewall and rebuild the
# ruleset from it. Run both again after every edit of the MAC list.
uci commit firewall
/etc/init.d/firewall restart
Awesome. The config works well, but I get these warnings when I run
/etc/init.d/firewall restart
Don't know if it's of any concern
Warning: Option @zone[1].masq6 is unknown
Warning: Section @zone[1] (wan) cannot resolve device of network 'wwan'
Warning: Section @zone[2] (guest) cannot resolve device of network 'guest'
Warning: Option 'sambasharewan'.dest_proto is unknown
Warning: Section 'sambasharewan' does not specify a protocol, assuming TCP+UDP
Warning: Option 'sambasharelan'.dest_proto is unknown
Warning: Section 'sambasharelan' does not specify a protocol, assuming TCP+UDP
Warning: Option 'glnas_ser'.dest_proto is unknown
Warning: Section 'glnas_ser' does not specify a protocol, assuming TCP+UDP
Warning: Option 'webdav_wan'.dest_proto is unknown
Warning: Section 'webdav_wan' does not specify a protocol, assuming TCP+UDP
Warning: Section @zone[2] (guest) has no device, network, subnet or extra options
* Clearing IPv4 filter table
* Clearing IPv4 nat table
* Clearing IPv4 mangle table
* Clearing IPv4 raw table
* Deleting ipset allowed_destinations
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Allow-DHCP'
* Rule 'Allow-DNS'
* Rule #16
* Rule #17
* Rule #18
* Rule #19
* Rule #20
* Rule #21
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Populating IPv4 mangle table
* Rule 'process_mark'
* Rule 'process_mark_dns'
* Rule 'process_mark_stubby'
* Rule 'process_explict_vpn'
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Populating IPv4 raw table
* Zone 'lan'
- Using automatic conntrack helper attachment
* Zone 'wan'
* Zone 'guest'
- Using automatic conntrack helper attachment
* Clearing IPv6 filter table
* Clearing IPv6 nat table
* Clearing IPv6 mangle table
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Allow-DHCP'
* Rule 'Allow-DNS'
* Rule 'Allow-DHCP-IPV6'
* Rule 'Allow-ICMP-IPV6'
* Rule #16
* Rule #17
* Rule #18
* Rule #19
* Rule #20
* Rule #21
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Populating IPv6 nat table
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Populating IPv6 mangle table
* Rule 'process_mark'
* Rule 'process_mark_dns'
* Rule 'process_mark_stubby'
* Rule 'process_explict_vpn'
* Zone 'lan'
* Zone 'wan'
* Zone 'guest'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.nat6'
nat6: Firewall config="cfg02dc81" zone="lan" zone_masq6="0".
nat6: Firewall config="cfg03dc81" zone="wan" zone_masq6="1".
nat6: Found firewall zone_name="wan" with zone_masq6="1" zone_masq6_privacy="1".
nat6: Setting up masquerading nat6 for zone_name="wan" with zone_masq6_privacy="1"
nat6: Ensuring ip6tables chain="zone_wan_postrouting" contains our MASQUERADE.
nat6: Ensuring ip6tables chain="zone_wan_input" contains our permissive DNAT rule.
nat6: Ensuring ip6tables chain="zone_wan_forward" contains our permissive DNAT rule.
nat6: Found device="eth0" for network_name="wan".
nat6: Enabling IPv6 temporary addresses for device="eth0".
nat6: Accepting router advertisements on eth0 even if forwarding is enabled (required for temporary addresses)
nat6: Using temporary addresses for outgoing connections on interface eth0
nat6: Already configured device="eth0", so leaving as is.
nat6: Done setting up nat6 for zone="wan" on devices: eth0
nat6: Firewall config="cfg19dc81" zone="guest" zone_masq6="0".
* Running script '/etc/firewall.vpn_client_deal_leak.sh'
iptables v1.8.7 (legacy): Couldn't load target `deal_client_leak':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
! Failed with exit code 1
* Running script '/usr/bin/gl_block.sh'
* Running script '/etc/firewall.vpn_server_policy.sh'
Lastly, do I need to run:
uci commit firewall
/etc/init.d/firewall restart
every time I update the MAC address list?
Sorry but I can't comment on this for several (confusing) reasons:
This is a typical output of restarting fw3, not fw4.
AFAIK, dest_proto is not a valid option.
None of these rules are listed in the firewall config you posted.
Yes.