OpenWrt Firewall Zones are TRASH - How to only use iptables?

I am very familiar with iptables and would much prefer to have the standard OpenWrt firewall rules with "zones" converted into iptables while also adding my own.

Something like this, for example, just seems much more sensible and secure than what is being done by default with these stupid zones.

###Drop invalid packets ### 
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

###Drop TCP packets that are new and are not SYN ### 
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
 
###Drop SYN packets with suspicious MSS value ### 
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

###Drop TCP packets that are new and are not SYN (same check as the mangle rule above, repeated in filter/INPUT) ### 
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
##Added 11NOV2020
###Optional: rate-limit new TCP connections to the router itself instead of dropping all of them
##iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
##Added 11NOV2020
###Drop every remaining new TCP connection to the router itself (no rule above accepts any) ###
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

##Added 11NOV2020
###Drop non-first fragments ###
###-f matches the second and further fragments of a fragmented packet; the first fragment still goes through the rules above
iptables -A INPUT -f -j DROP

###Block packets with Bogus TCP flags ### 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  

###Drop ICMP (you usually don't need this protocol) (Prevents SMURF Attacks) ### 
###Note: the mangle rule also drops ICMP in transit, including the messages Path MTU Discovery relies on
iptables -t mangle -A PREROUTING -p icmp -j DROP 
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP

###Disable IGMP
iptables -t mangle -A PREROUTING -p igmp -j DROP
iptables -A INPUT -p igmp -j DROP
iptables -A OUTPUT -p igmp -j DROP

###Default policies: set with -P, not -A (the policy is the verdict for packets no rule matched)
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

That is simple: just /etc/init.d/firewall stop & /etc/init.d/firewall disable. If you also want to disable the corresponding UI pages (in case you use LuCI), you could do so by removing /etc/config/firewall. Finally, add your desired iptables rules to /etc/rc.local.

4 Likes
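The procedure in the reply above (stop and disable the fw3 service, then load rules from /etc/rc.local), carried through as an added shell example; this is not code from the thread or from the OpenWrt project. It first wipes whatever fw3 left in the filter, nat and mangle tables, then builds a small stateful ruleset. The interface names eth0 (LAN) and eth1 (WAN), the LAN subnet 192.168.1.0/24 and the services allowed on the router itself (DNS, DHCP and SSH from the LAN only) are assumptions to adjust for the device; the poster's own mangle and filter rules can be appended inside the same heredoc.

```shell
#!/bin/sh
# Added example (not from the thread): standalone iptables ruleset for
# /etc/rc.local once fw3 has been stopped and disabled. Interface names,
# LAN subnet and allowed router services below are assumptions.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset as one iptables command per line. Keeping it as text
# lets it be reviewed (the default) before it is executed (APPLY=1).
# Policies are set last, after the loopback and ESTABLISHED,RELATED accepts
# are in place, so a re-run does not cut the admin's own SSH session.
ruleset() {
  cat <<EOF
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Execute the ruleset line by line, stopping at the first failure so a typo
# does not leave the router half-configured. Needs root and iptables.
apply_ruleset() {
  ruleset | while IFS= read -r line; do
    [ -n "$line" ] || continue
    $line || { echo "rule failed: $line" >&2; exit 1; }
  done
}

# Review mode prints the rules; APPLY=1 (from /etc/rc.local) executes them.
if [ "${APPLY:-0}" = "1" ]; then
  apply_ruleset
else
  ruleset
fi
```

Run it as-is to print the rules for review; from /etc/rc.local invoke it with APPLY=1. The two ESTABLISHED,RELATED rules are what make the DROP policies livable: without the INPUT one, replies to the router's own DNS, NTP or opkg traffic are dropped, and without the FORWARD one no LAN-to-WAN flow gets its return packets.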

Thank you, that makes sense, but can both firewalls co-exist at the same time? I noticed that the docs mention the user's ability to use zones and log via iptables. Does this include full usage of iptables, or is it limited to just the log target?

I don't fully understand your question, but the zone-based firewall is just a kind of preprocessor generating iptables rules out of the abstract /etc/config/firewall settings. It can coexist with other manual iptables rules to some extent, with the usual caveats of having multiple processes managing iptables rules (they might flush/delete each other's chains, stage rules which are not reached because there's a prior final verdict rule elsewhere, etc.).

1 Like