OpenWrt - iptable rules

Hello,

The rules below have been tested and work perfectly with bridges /br1, br2, br3.../, but in OpenWrt this cannot happen. I offer three options. Would any of them work on OpenWrt?


First option - iptables with devices

Restrict eth0.2 from accessing eth0.3 and vice versa:

iptables -I FORWARD -i eth0.2 -o eth0.3 -m state --state NEW -j DROP
iptables -I FORWARD -i eth0.3 -o eth0.2 -m state --state NEW -j DROP

Restrict eth0.2 and eth0.3 from accessing the management interface of the router:

iptables -I INPUT -i eth0.2 -m state --state NEW -j DROP
iptables -I INPUT -i eth0.2 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i eth0.2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth0.2 -p tcp --dport 53 -j ACCEPT

iptables -I INPUT -i eth0.3 -m state --state NEW -j DROP
iptables -I INPUT -i eth0.3 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i eth0.3 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth0.3 -p tcp --dport 53 -j ACCEPT

Devices:

eth0.1 - lan interface/admin/ - IP: 192.168.1.1/DHCP/ with a static lease at a specific MAC address.
eth0.2 - Staff interface - IP: 10.0.5.1/DHCP/ with a static lease at a specific MAC address.
eth0.3 - HR interface - IP: 10.0.4.1/DHCP/ with a static lease at a specific MAC address.

eth1 - wan and wan6 interfaces
eth0 - processor

WiFi - bridge with eth0.1

Interfaces:

wan/wan6
lan
Staff
HR

Second option - iptables with interfaces

Restrict Staff from accessing HR and vice versa:

iptables -I FORWARD -i Staff -o HR -m state --state NEW -j DROP
iptables -I FORWARD -i HR -o Staff -m state --state NEW -j DROP

Restrict Staff and HR from accessing the management interface of the router:

iptables -I INPUT -i Staff -m state --state NEW -j DROP
iptables -I INPUT -i Staff -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i Staff -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i Staff -p tcp --dport 53 -j ACCEPT

iptables -I INPUT -i HR -m state --state NEW -j DROP
iptables -I INPUT -i HR -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i HR -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i HR -p tcp --dport 53 -j ACCEPT

Devices:

eth0.1 - lan interface/admin/ - IP: 192.168.1.1/DHCP/ with a static lease at a specific MAC address.
eth0.2 - Staff interface - IP: 10.0.5.1/DHCP/ with a static lease at a specific MAC address.
eth0.3 - HR interface - IP: 10.0.4.1/DHCP/ with a static lease at a specific MAC address.

eth1 - wan and wan6 interfaces
eth0 - processor

WiFi - bridge with eth0.1

Interfaces:

wan/wan6
lan
Staff
HR

Third option - iptables with IP addresses of interfaces

Restrict 10.0.5.1/Staff/ from accessing 10.0.4.1/HR/ and vice versa:

iptables -I FORWARD -i 10.0.5.1 -o 10.0.4.1 -m state --state NEW -j DROP
iptables -I FORWARD -i 10.0.4.1 -o 10.0.5.1 -m state --state NEW -j DROP

Restrict 10.0.5.1/Staff/ and 10.0.4.1/HR/ from accessing the management interface of the router:

iptables -I INPUT -i 10.0.5.1 -m state --state NEW -j DROP
iptables -I INPUT -i 10.0.5.1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i 10.0.5.1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i 10.0.5.1 -p tcp --dport 53 -j ACCEPT

iptables -I INPUT -i 10.0.4.1 -m state --state NEW -j DROP
iptables -I INPUT -i 10.0.4.1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i 10.0.4.1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i 10.0.4.1 -p tcp --dport 53 -j ACCEPT

Devices:

eth0.1 - lan interface/admin/ - IP: 192.168.1.1/DHCP/ with a static lease at a specific MAC address.
eth0.2 - Staff interface - IP: 10.0.5.1/DHCP/ with a static lease at a specific MAC address.
eth0.3 - HR interface - IP: 10.0.4.1/DHCP/ with a static lease at a specific MAC address.

eth1 - wan and wan6 interfaces
eth0

WiFi - bridge with eth0.1

Interfaces:

wan/wan6
lan
Staff
HR

The OpenWrt firewall uses zone-based configuration.
So what you want to do can be done like this:
zone Staff doesn't have forwarding to zone HR, and vice versa.
Zones Staff and HR have INPUT drop. They also accept 67 and 53.
Look, for example, at the wiki page for the guest interface.

1 Like

Is that right?

Restrict Staff from accessing HR and vice versa:

config	rule
	option	src		'Staff'
	option	dest		'HR'
	option	proto		'tcp'
	option	family		'ipv4'
	option	dest_port	'80 443'
	option	target		'REJECT'
	option	name		'REJECT-Staff-ZONE to HR-ZONE-HTTP'
	option	enabled		'1'
config	rule
	option	src		'HR'
	option	dest		'Staff'
	option	proto		'tcp'
	option	family		'ipv4'
	option	dest_port	'80 443'
	option	target		'REJECT'
	option	name		'REJECT-HR-ZONE to Staff-ZONE-HTTP'
	option	enabled		'1'

No, this is not correct. If you don't allow forwardings from one zone to another, the default action is to drop. Have you enabled forwardings between HR and Staff zones?

No, I have not enabled forwardings between zones

Then there is no need to add those rules.

I just want the lan zone to communicate with the other two zones / staff and hr /.

Can you send a screenshot of the LuCI Firewall page, please?

Put 'Staff' and 'HR' into separate firewall zones. Use the examples on the page @trendy linked to earlier (Guest Wi-Fi basics) to configure the zone and required firewall rules.

2 Likes
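The zone layout trendy outlined above (no forwarding between Staff and HR, INPUT dropped, DHCP and DNS still accepted) plus the later request that the lan zone be able to reach both zones, written out as an /etc/config/firewall fragment. This is an added example, not configuration posted by anyone in the thread; it assumes a stock OpenWrt config where the default lan and wan zones already exist, that the logical interfaces are named Staff and HR as in the first post, and an iptables/fw3-based release. It also explains why options two and three above cannot work as written: iptables -i/-o only match kernel device names such as eth0.2, so a UCI interface name or an IP address in that position matches no traffic at all. The zone config below is the layer where OpenWrt expects this policy.

```uci
# Added example for /etc/config/firewall (not from the thread).
# Assumes the stock 'lan' and 'wan' zones exist and that the logical
# interfaces are named 'Staff' and 'HR' as in the first post.

# One zone per VLAN. Zone defaults: clients cannot reach router services
# (input DROP) and nothing is forwarded unless a 'forwarding' section
# or a 'rule' below allows it.
config zone
	option name 'staff'
	option network 'Staff'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'

config zone
	option name 'hr'
	option network 'HR'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'

# Clients get internet access. There is deliberately NO forwarding
# between staff and hr, so that traffic hits the zone default (DROP);
# no REJECT rules are needed for it.
config forwarding
	option src 'staff'
	option dest 'wan'

config forwarding
	option src 'hr'
	option dest 'wan'

# The admin lan may initiate connections into both zones. Replies are
# matched by conntrack, so no reverse forwarding is required, and the
# clients still cannot start connections towards lan.
config forwarding
	option src 'lan'
	option dest 'staff'

config forwarding
	option src 'lan'
	option dest 'hr'

# The only router services the clients need: DHCP (udp/67) and DNS
# (tcp and udp/53). Everything else on the router stays unreachable.
config rule
	option name 'Allow-DHCP-staff'
	option src 'staff'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-staff'
	option src 'staff'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-hr'
	option src 'hr'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-hr'
	option src 'hr'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After editing the file, run `/etc/init.d/firewall restart` and check the result with `fw3 print`, which lists the iptables rules generated from the zones; you should see the Staff and HR zone input chains accepting only udp/67 and 53 before falling through to DROP, and no forwarding between the two zones. Keeping the zone defaults restrictive and adding only explicit allow entries is also what makes a later mistake fail closed rather than open.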