Need help customizing firewall rules - restrictive

Hello Guys,

I'm new to LEDE routers and I'm trying to do a basic configuration of my firewall, but more restrictive than the default configuration.
It's simple, I just need to allow:

  1. the "LAN zone" devices to communicate in HTTP/HTTPS to the internet on the "WAN zone"
  2. the "LAN zone" to access the router by SSH so that I can configure the router when needed with Putty
  3. the "LAN zone" to ping the "LAN zone" & "WAN zone". No ping from the WAN to the LAN.

I've tried to configure the router, but when I reboot after configuring it, the devices in the "LAN zone" don't have Internet and I can't access the router by SSH with PuTTY. So I need to reset the router to make it work again :frowning:
Can someone tell me what's wrong with what I want to do and how I've configured the firewall, please?

Moreover, the configuration below needs to be integrated in /etc/config/firewall and not in /etc/firewall.user, am I right?

Anything that can make the configuration better is welcomed and thanked! :slight_smile:


config defaults
# syn_flood obsoleted by synflood_protect setting
	option synflood_protect 1
	option input		REJECT
	option output		REJECT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		REJECT
	option output		REJECT
	option forward		REJECT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	list   network		'wan2'
	option input		REJECT
	option output		REJECT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Start of custom rules

# PING RULES IN&OUT
config rule
	option enabled '1'
	option target 'ACCEPT'
	option family 'ipv4'
	option name 'PING-OUT-REQUEST'
	option proto 'icmp'
	list icmp_type 'echo-request'
	option src 'lan'
	option dest 'wan'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option family 'ipv4'
	option name 'PING-IN-REPLY'
	option proto 'icmp'
	list icmp_type 'echo-reply'
	option src 'wan'
	option dest 'lan'


# SSH RULES IN&OUT
config rule
	option enabled '1'
	option family 'ipv4'
	option target 'ACCEPT'
	option name 'SSH-IN'
	option proto 'tcp'
	option src_ip	'192.168.1.1/24'
	option src_port '22'
	option dest 'lan'
	option dest_port '22'

config rule
	option enabled '1'
	option family 'ipv4'
	option target 'ACCEPT'
	option name 'SSH-OUT'
	option proto 'tcp'
	option src 'lan'
	option src_port '22'
	option dest_ip	'192.168.1.1/24'
	option dest_port '22'

# DNS RULES IN&OUT
config rule
	option enabled '1'
	option family 'ipv4'
	option target 'ACCEPT'
	option name 'DNS-IN'
	option proto 'udp'
	option src 'wan'
	option src_port '53'
	option dest 'lan'
	option dest_port '53'

config rule
	option enabled '1'
	option family 'ipv4'
	option target 'ACCEPT'
	option name 'DNS-OUT'
	option proto 'udp'
	option src 'lan'
	option src_port '53'
	option dest 'wan'
	option dest_port '53'

# HTTP RULES IN&OUT
config rule
	option enabled '1'
	option family 'ipv4'
	option target 'ACCEPT'
	option name 'HTTP-IN'
	option proto 'tcp'
	option src 'wan'
	option src_port '80'
	option dest 'lan'
	option dest_port '80'

config rule
	option enabled '1'
	option family 'ipv4'
	option target 'ACCEPT'
	option name 'HTTP-OUT'
	option proto 'tcp'
	option src 'lan'
	option src_port '80'
	option dest 'wan'
	option dest_port '80'

# HTTPS RULES IN&OUT
config rule
	option enabled '1'
	option family 'ipv4'
	option target 'ACCEPT'
	option name 'HTTPS-IN'
	option proto 'tcp'
	option src 'lan'
	option src_port '443'
	option dest 'wan'
	option dest_port '443'

config rule
	option enabled '1'
	option family 'ipv4'
	option target 'ACCEPT'
	option name 'HTTPS-OUT'
	option proto 'tcp'
	option src 'wan'
	option src_port '443'
	option dest 'lan'
	option dest_port '443'

# End of custom rules

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

This is allowed by default. Is your desire to restrict all except for these protocols, only allowing HTTP/HTTPS?

This is also enabled by default. Not sure why you are having difficulty accessing the router unless you turned off the ssh server (dropbear) or added additional firewall rules. Keep in mind that initially, there is no password (first step should be to add a password), but you can get to it with root@<openwrt_device_IP_address>.

EDIT: I wrote this before actually looking at your firewall rules -- you've actively locked yourself out by setting your LAN to reject/reject/reject and also adding the ssh rule that only allows connections from the host 192.168.1.1 (your router, I assume).

Pings should not be able to reach the actual LAN from the WAN by default. However, the WAN will respond to pings by default. You can disable or delete the default firewall rule called allow-ping.

Looking at your firewall rules, you are causing the default LAN behavior to be rejected entirely (input, output, forward), so it is not a surprise that you have to reset it. Why are you doing that? Same with your WAN. And then you added a rule that will only allow ssh incoming connections from the device itself (thus locking yourself out yet again).

It seems to me that you should start with the default firewall rules. Add or modify one rule at a time so you don't mess things up.

Please clarify your intentions, as it seems like you're trying to re-invent the wheel here (essentially everything you want is there by default).

And yes, /etc/config/firewall is the place you should be doing most of your edits. /etc/firewall.user is for special case type firewall rules.

Following up on point 1 earlier... if you want to block all but http and https (caveat later), just add these three rules (in this order) to your /etc/config/firewall file:

config rule
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'
	option dest_port '80'
	option name 'Allow-http'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'
	option name 'allow-https-to-wan'
	option dest_port '443'

config rule
	option src 'lan'
	option dest 'wan'
	option name 'drop-all-other-lan-to-wan'
	option target 'DROP'

This allows port 80 (http) and port 443 (https) to be forwarded from LAN > WAN, but then drops everything else. This will restrict clients on this LAN to only using the web.

Now for the caveat -- this really only restricts by port (i.e. allow 80 and 443, drop all else). It does not perform deep packet inspection, and therefore cannot actually block by protocol. So it will still be possible to connect to a proxy server or an OpenVPN server or the like over one of these two ports and still get access to other services (such as ssh, ftp, smtp, imap, and pretty much anything else), assuming it is 'tunneled' in some fashion via port 80 or port 443 (external server required, of course).

Hi,

Thank you Psherman for your long and informative answers.

Yes, I would like to block everything and give access to other ports if needed afterward.

I'm not sure I understand those rules below (config defaults and config zone).
If I refuse them, is there no more connection even if I put the rules (HTTP/HTTPS) like in your last answer?
What are the functions of the config defaults and the config zone?
I thought config defaults is the last rule to take action if the traffic doesn't find a matching rule, so that I don't need to block everything like you did in the rule 'drop-all-other-lan-to-wan'?
How am I supposed to configure the "config zone" and "config defaults" if I want to block everything except HTTP/HTTPS and authorize SSH from the LAN to the router, please?


config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	list   network		'wwan'
	list   network		'usb_wan'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

I tested another config, and this works too...

basically I removed the general forwarding from LAN > WAN. Then I added two rules -- one allowing forwarding from LAN > WAN with dest port 80, and the other with dest port 443.

The general settings are input = accept, output = accept, forward = reject.
LAN forwarding is accept for all (but no explicit forwarding to the WAN)
WAN is input=reject, output=accept, forward=reject

Here is the default firewall, modified in the ways I described:

Default /etc/config/firewall + remove LAN > WAN forwarding and add LAN > WAN for 80 and 443

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'
	option name 'allow-lan-80'
	option dest_port '80'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'
	option name 'allow-lan-443'
	option dest_port '443'
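Added example, not code from the thread or from OpenWrt/LEDE: a small Python model of the fw3 decision order that psherman's answers describe (explicit rules first, then config forwarding, then the zone's policy, then config defaults), run over trimmed transcriptions of the original poster's reject/reject/reject config and of psherman's final web-only config. It addresses the question of what config defaults and config zone do, and makes the lockout visible: a rule with no src is an OUTPUT rule for traffic the router itself originates, a rule with dest is a FORWARD rule, a rule with src but no dest is an INPUT rule, and a src_port of 22 never matches a client that connects from an ephemeral port, so the lan zone's input REJECT is what answers SSH, DHCP and DNS requests to the router. The function names (parse_uci, decide, pkt), the config constants and the packet addresses are this example's own; the model covers new IPv4 connections only (fw3's established/related handling is left out) and assumes iptables masks host bits in a prefix such as 192.168.1.1/24.

```python
# Added example, not OpenWrt/LEDE code: a simplified model of how fw3 decides a
# packet's fate, in the order of its generated chains: first matching 'config rule'
# (no 'dest' = INPUT to the router, 'dest' set = FORWARD, no 'src' = router OUTPUT),
# then 'config forwarding' pairs, then zone input/forward policy, then 'config defaults'.
import ipaddress

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value or [values]})]."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'config':
            sections.append((parts[1], {}))
        elif parts[0] in ('option', 'list'):
            key, value = parts[1], ' '.join(parts[2:]).strip('\'"')
            if parts[0] == 'option':
                sections[-1][1][key] = value
            else:
                sections[-1][1].setdefault(key, []).append(value)
    return sections

def rule_matches(rule, pkt):
    """IPv4-only subset of fw3 rule matching; an unset field matches anything."""
    if rule.get('enabled', '1') != '1' or rule.get('family', 'any') not in ('any', 'ipv4'):
        return False
    if rule.get('src', 'router') != pkt['src'] or rule.get('dest', 'router') != pkt['dst']:
        return False
    if pkt['proto'] not in rule.get('proto', 'tcpudp').replace('tcpudp', 'tcp udp').split():
        return False
    # Clients connect from ephemeral source ports, so 'src_port 22' almost never matches.
    if 'src_port' in rule and str(pkt['sport']) not in rule['src_port'].split():
        return False
    if 'dest_port' in rule and str(pkt['dport']) not in rule['dest_port'].split():
        return False
    # Assumes iptables masks host bits, so '192.168.1.1/24' is applied as 192.168.1.0/24.
    if 'src_ip' in rule and ipaddress.ip_address(pkt['src_ip']) not in \
            ipaddress.ip_network(rule['src_ip'], strict=False):
        return False
    return True

def decide(config_text, pkt):
    """Return (verdict, reason) for a new connection described by pkt()."""
    sections = parse_uci(config_text)
    defaults = [s for t, s in sections if t == 'defaults'][0]
    zones = {s['name']: s for t, s in sections if t == 'zone'}
    forwardings = {(s['src'], s['dest']) for t, s in sections if t == 'forwarding'}
    for t, s in sections:
        if t == 'rule' and rule_matches(s, pkt):
            return s['target'], 'rule ' + s.get('name', '(unnamed)')
    if pkt['dst'] == 'router':
        return zones[pkt['src']]['input'], 'zone %s input policy' % pkt['src']
    if (pkt['src'], pkt['dst']) in forwardings:
        return 'ACCEPT', 'forwarding %s -> %s' % (pkt['src'], pkt['dst'])
    if pkt['src'] == pkt['dst']:
        return zones[pkt['src']].get('forward', defaults['forward']), 'zone forward policy'
    return defaults['forward'], 'defaults forward policy'

def pkt(src, dst, proto, dport, sport=51234, src_ip='192.168.1.50'):
    # Constructed IPv4 packet; src/dst are zone names or 'router' (the device itself).
    return dict(src=src, dst=dst, proto=proto, dport=dport, sport=sport, src_ip=src_ip)

# Constructed, trimmed copy of the original poster's config (SSH-OUT's dest_ip left out).
LOCKOUT_CONFIG = """
config defaults
	option forward REJECT
config zone
	option name lan
	option input REJECT
config forwarding
	option src lan
	option dest wan
config rule
	option name 'SSH-IN'
	option src_ip '192.168.1.1/24'
	option src_port '22'
	option dest 'lan'
	option dest_port '22'
	option target 'ACCEPT'
config rule
	option name 'SSH-OUT'
	option src 'lan'
	option src_port '22'
	option dest_port '22'
	option target 'ACCEPT'
"""
# Constructed, trimmed copy of psherman's final config: no LAN -> WAN forwarding, 443 only.
WEB_ONLY_CONFIG = """
config defaults
	option forward 'REJECT'
config zone
	option name 'lan'
	option input 'ACCEPT'
config rule
	option name 'allow-lan-443'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option target 'ACCEPT'
"""
```

Running decide(LOCKOUT_CONFIG, pkt('lan', 'router', 'tcp', 22)) yields REJECT from the lan zone's input policy, and the same packet with sport=22 is the only form SSH-OUT accepts; decide(WEB_ONLY_CONFIG, pkt('lan', 'wan', 'tcp', 22)) falls through to the defaults forward policy and is rejected, which is the "drop everything else" effect of removing the forwarding section. The model also shows that the web-only config rejects a LAN to WAN ICMP echo, since its only rules are tcp/udp port accepts, so the third requirement in the opening post would need its own icmp rule from lan to wan.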