config forwarding
    option src 'lan'
    option dest 'wan'
Which will allow forwarding of all traffic from lan to wan.
Maybe put that server on a separate zone and allow forwarding between this zone and the lan zone, but not to the wan zone. Then you can use your accept rules.
//edit
Whoops, I should have read your entire first post that used a block-all rule :x
To get the actual rule that was generated you can use iptables-save:
I've tried this with two simple rules and it works exactly as expected. I'm truly perplexed about why these same rules aren't working for the OP (unless I'm missing something when reading their rules).
Scenario:
I have an OpenWrt 21.02.2 router (my dev/experimental device)
The WAN is connected to my normal LAN (10.0.1.0/24)
The OpenWrt LAN is 192.168.1.0/24
My Mac is connected to the OpenWrt LAN @ 192.168.1.219.
The single upstream device allowed is 10.0.1.2 (my Unifi Cloudkey)
The two rules of interest are here:
config rule
    option name 'allow-ck'
    list proto 'all'
    option src 'lan'
    list src_ip '192.168.1.219'
    option dest 'wan'
    list dest_ip '10.0.1.2'
    option target 'ACCEPT'
config rule
    option name 'block-all-else'
    list proto 'all'
    option src 'lan'
    list src_ip '192.168.1.219'
    option dest 'wan'
    option target 'REJECT'
With the second rule enabled, I can access only 10.0.1.2 and nothing else upstream. With that rule disabled, I can access all upstream devices and the internet.
iptables-save | grep shows rules pretty identical to the ones you all posted. I've experimented with what this output is with and without macs and protos specified and it all looks exactly as expected.
So
iptables rules ARE being generated (as they should be) and can be viewed with iptables-save.
According to "route" and "traceroute" the host IS routing through the OpenWRT box (as it should).
The host has no OTHER ways to route to the internet. Hardware limitations on the box known to me aside, an "ifconfig" on the box shows only enp1s0 and lo.
IN SPITE of all of this, a "wget forum.openwrt.org" from the host in question succeeds.
CONCLUSION: Configs are correct, but the firewall is not filtering.
So the question now is: WHY might firewall rules be present on an OpenWRT box and yet those rules not be enforced? Assuming that OpenWRT is like other Linux I'm familiar with and iptables filtering happens at the kernel level, how would I begin to troubleshoot this?
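One way to start troubleshooting "rules present but not enforced" is to stop reading the rule text and look at the per-rule packet counters instead: `iptables-save -c` prints each rule with a `[packets:bytes]` prefix, so two dumps taken before and after a test transfer from the host show which rules the packets actually traversed. The script below is an added example for this thread (not code from OpenWrt or from any poster). It parses two such dumps and reports, for every rule that names the host as source, how many packets it counted in between. Both dumps are constructed here so the script runs offline, and the chain and comment names in them (`zone_lan_forward`, `!fw3: allow-ck`, ...) are assumptions in the style of fw3 output, not values copied from a real router.

```python
"""Check whether fw3-generated iptables rules for a host are actually hit.

Added example for this thread, not code from OpenWrt or from any poster.
It compares two ``iptables-save -c`` dumps (taken before and after a test
transfer from the host) and reports how many packets each rule that names
the host as source counted in between.  Chain and comment names in the
sample dumps are assumptions in the style of fw3 output; both dumps are
constructed here so the script runs offline.
"""
import re
from typing import Dict, List, Tuple

# iptables-save -c prints "[packets:bytes] -A <chain> <match/target text>".
_RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
# fw3 tags each rule it generates with "!fw3: <rule name>" in a comment.
_COMMENT_RE = re.compile(r'--comment "!fw3: ([^"]*)"')

# Constructed dump, as if taken before the test transfer.
SNAPSHOT_BEFORE = """\
*filter
:FORWARD DROP [0:0]
:zone_lan_forward - [0:0]
[12:1400] -A zone_lan_forward -s 192.168.1.219/32 -d 10.0.1.2/32 -m comment --comment "!fw3: allow-ck" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -s 192.168.1.219/32 -m comment --comment "!fw3: block-all-else" -j zone_wan_dest_REJECT
[340:51200] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
COMMIT
"""

# Constructed dump, as if taken after "wget forum.openwrt.org" from the host.
SNAPSHOT_AFTER = """\
*filter
:FORWARD DROP [0:0]
:zone_lan_forward - [0:0]
[20:2350] -A zone_lan_forward -s 192.168.1.219/32 -d 10.0.1.2/32 -m comment --comment "!fw3: allow-ck" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -s 192.168.1.219/32 -m comment --comment "!fw3: block-all-else" -j zone_wan_dest_REJECT
[400:60100] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
COMMIT
"""

# (chain, rule text) -> (packets, bytes)
Counters = Dict[Tuple[str, str], Tuple[int, int]]


def parse_counters(dump: str) -> Counters:
    """Collect the packet/byte counters of every rule line in a dump."""
    counters: Counters = {}
    for line in dump.splitlines():
        m = _RULE_RE.match(line.strip())
        if m:
            pkts, byts, chain, rule = m.groups()
            counters[(chain, rule)] = (int(pkts), int(byts))
    return counters


def rule_name(chain: str, rule: str) -> str:
    """Use the fw3 comment as the rule's name; fall back to the chain name."""
    m = _COMMENT_RE.search(rule)
    return m.group(1) if m else chain


def hit_delta(before: Counters, after: Counters, host_ip: str) -> Dict[str, int]:
    """Packets counted between the dumps, per rule that has host_ip as -s."""
    src = re.compile(r"-s\s+" + re.escape(host_ip) + r"(?:/32)?(?=\s|$)")
    deltas: Dict[str, int] = {}
    for (chain, rule), (pkts_after, _) in after.items():
        if not src.search(rule):
            continue
        pkts_before = before.get((chain, rule), (0, 0))[0]
        deltas[rule_name(chain, rule)] = pkts_after - pkts_before
    return deltas


def unhit_rules(before: Counters, after: Counters, host_ip: str) -> List[str]:
    """Rules for the host whose counter did not move: present, but not matching."""
    return [name for name, delta in hit_delta(before, after, host_ip).items()
            if delta == 0]


if __name__ == "__main__":
    b, a = parse_counters(SNAPSHOT_BEFORE), parse_counters(SNAPSHOT_AFTER)
    for name, delta in hit_delta(b, a, "192.168.1.219").items():
        print(f"{name}: +{delta} packets")
    print("never hit:", unhit_rules(b, a, "192.168.1.219"))
```

On a real router the two dumps come from `iptables-save -c` run before and after the `wget` (zero the counters first with `iptables -Z` if the history is noisy). A rule whose counter stays at zero while the transfer succeeds is a rule the packets never reach: either an earlier rule in the chain accepted them first, or they entered through a different zone or interface, or with a different source address, than the rule expects, and that is the mismatch to chase next.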
How complex is your setup? Is it unreasonable to reset the router to defaults and rebuild your configuration (in fact, I'd recommend re-flashing 21.02.2 and not preserving settings)? You could try reflashing and then restoring a backup, but there is a chance the backup may contain whatever is causing the issues in the first place, which is why I'd suggest rebuilding manually. If your configuration isn't complex, you could probably have this done in ~10 minutes.
Not to trivialize this part, but if this is the hardest aspect, I think resetting is the best option!
Use the sysupgrade image and flash your router -- do not keep settings. When the flashing is complete, make your subnet change and create your firewall rules... hopefully it will work.