My firewall rules are a real mess!

Hi,

As you can see in this screenshot, it's very complex for me to manage and master the rules on my firewall... Is there a way to simplify firewall rules in OpenWRT? I have some questions to ask in order to decide which approach will suit me best.

1/ Can I flush all zones and work only with default tables / chains (no zones)?
2/ Will I lose all the benefits of the GUI in LuCI because it's working with zones?
3/ Do I have to clear rules in /etc/config/firewall too and only use iptables?
4/ Can I use nftables for firewalling AND keep iptables executable because some programs/scripts only work with iptables?

Thanks in advance for your help :wink:

What do you NEED to do?

2 Likes

My definitive goal is to manage my router perfectly, especially the firewall part (I work in networking but I'm a newbie in OpenWRT and firewalling with Linux).

At the moment, I'm trying to route traffic from one of my computers to one of the two OpenVPN tunnels that are up on my router. For testing, I've created two distinct zones with masquerading (interfaces tun0 and tun1), I've created a routing table named "devpn" and typed these commands:

    # mark every packet coming from the computer (IP_COMPUTER is a placeholder)
    iptables -t mangle -A PREROUTING -s IP_COMPUTER -j MARK --set-mark 1234
    # marked packets are routed with the "devpn" table instead of the main one
    ip rule add fwmark 1234 lookup devpn
    # the only route in "devpn" sends everything down tun0
    ip route add default via 10.8.0.1 dev tun0 table devpn

Because it's not working from the computer, the problem may be filtering... I tried to put accept rules in a few FORWARD tables but no success :frowning:

Maybe it will be simpler to manage the router with only iptables rules and the default tables/chains... no zones.

1 Like

Thanks Vgaetera, I was aware of this package but I don't want to use this, especially because my purpose can be achieved with 3 or 4 commands... and it serves my goal to understand and manage my router :wink:

Yes.

    /etc/init.d/firewall disable
    /etc/init.d/firewall stop

Yes.

No.

    uci show firewall.@include[0]
    iptables-save | grep -i -e custom

Yes, but they work independently, so your firewall management workload will double.

1 Like

Thanks for your answers vgaetera, it helps me a lot!

I've managed to make it work with simple iptables rules (see below) but I think I'll move to nftables someday. For the moment, I'll stick with the default zones and rules and test my custom rules with the iptables CLI and default tables / chains :slight_smile:

These rules allow a LAN computer to reach www.ip.me via the OpenVPN tunnel:

    # mark packets for www.ip.me (134.209.78.99) so the policy rule below picks them up
    iptables -t mangle -I PREROUTING -d 134.209.78.99 -j MARK --set-mark 12345
    # register routing table 111 under the name "devpn" (run once: it appends a line each time)
    echo '111   devpn' >> /etc/iproute2/rt_tables
    # marked packets are looked up in "devpn", whose only route is the default via tun0
    ip rule add fwmark 12345 lookup devpn
    ip route add default via 10.8.0.1 dev tun0 table devpn
    # NAT the LAN source to the tunnel address and let the filter table forward the flow
    iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
    iptables -I FORWARD -d 134.209.78.99 -i br-lan -o tun0 -j ACCEPT

2 Likes

In this case you should use the custom chains to add your rules:

    iptables-save | grep -i -e custom

Otherwise, the ruleset will be messed up due to dynamic configuration changes.
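The following script is an added example, not code from the thread or from OpenWrt: it takes the rule set posted above and moves the iptables part into the custom chains vgaetera points at, so that a firewall reload re-creates it instead of wiping it. It assumes the iptables-based fw3 firewall (the one that creates the `forwarding_rule` and `postrouting_rule` chains and executes `/etc/firewall.user` after rebuilding the zone rules), and it reuses the thread's values (134.209.78.99, br-lan, tun0, 10.8.0.1, mark 12345, table 111 "devpn") as assumptions. The mangle table has no custom chain in fw3, so the MARK rule is placed in PREROUTING directly; `ip rule` and `ip route` are not part of the firewall at all, so they are kept separate and written to be re-runnable from an OpenVPN up hook.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt). Policy routing of one
# destination through an OpenVPN tunnel, kept in fw3's custom chains.
# Every value below is an assumption taken from the thread.

TARGET_IP="134.209.78.99"   # destination that should leave via the tunnel
LAN_IF="br-lan"             # LAN bridge the client sits on
VPN_IF="tun0"               # OpenVPN interface
VPN_GW="10.8.0.1"           # next hop inside the tunnel
MARK="12345"                # fwmark tying iptables to the ip rule
RT_ID="111"                 # numeric id of the policy routing table
RT_NAME="devpn"             # symbolic name for that table

# The rt_tables line "111<tab>devpn".
rt_table_entry() {
    printf '%s\t%s\n' "$RT_ID" "$RT_NAME"
}

# Register the table name only once (the thread's "echo >>" appends a
# duplicate every time it is run). The file path is a parameter so the
# function can be exercised against a temporary file.
ensure_rt_table() {
    rt_tables="$1"
    if ! grep -q "^${RT_ID}[[:space:]][[:space:]]*${RT_NAME}\$" "$rt_tables" 2>/dev/null; then
        rt_table_entry >> "$rt_tables"
    fi
}

# Rules that belong in /etc/firewall.user. fw3 runs that file after it has
# rebuilt the zone rules, and jumps into forwarding_rule / postrouting_rule
# before the zone chains, so an ACCEPT here wins over a zone REJECT and
# survives "/etc/init.d/firewall reload". mangle has no custom chain, so
# the MARK rule is added to PREROUTING itself.
render_firewall_user() {
    cat <<EOF
# --- policy routing of $TARGET_IP via $VPN_IF (generated) ---
iptables -t mangle -A PREROUTING -i $LAN_IF -d $TARGET_IP -j MARK --set-mark $MARK
iptables -t nat -A postrouting_rule -o $VPN_IF -j MASQUERADE
iptables -A forwarding_rule -i $LAN_IF -o $VPN_IF -d $TARGET_IP -j ACCEPT
EOF
}

# Append the block to firewall.user once, guarded by its marker comment.
ensure_firewall_user() {
    fw_user="$1"
    if ! grep -q "policy routing of $TARGET_IP via $VPN_IF" "$fw_user" 2>/dev/null; then
        render_firewall_user >> "$fw_user"
    fi
}

# Policy rule and route. The firewall never touches these, but the route
# vanishes whenever tun0 goes down, so call this again from OpenVPN's
# "route-up" script. Delete-then-add keeps the rule from piling up.
ensure_policy_route() {
    ip rule del fwmark "$MARK" lookup "$RT_NAME" 2>/dev/null || true
    ip rule add fwmark "$MARK" lookup "$RT_NAME"
    ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$RT_NAME"
}

# Install everything on the router (needs root and fw3's chains present).
apply_all() {
    ensure_rt_table /etc/iproute2/rt_tables
    ensure_firewall_user /etc/firewall.user
    ensure_policy_route
    /etc/init.d/firewall restart      # re-executes /etc/firewall.user
}

if [ "${1:-}" = "apply" ]; then
    apply_all
else
    # Dry run: show what would be appended to /etc/firewall.user.
    render_firewall_user
fi
```

Run it without arguments to see the generated rules, and with `apply` on the router to install them. Afterwards `iptables-save | grep -e forwarding_rule -e postrouting_rule` should show the rules inside the custom chains, where a reload from LuCI leaves them alone. With fw4 (nftables-based OpenWrt 22.03 and later) `/etc/firewall.user` is no longer executed, so this layout only applies to the iptables firewall the thread is using.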