Really struggling with basic firewall rules

Well, when you do it without list proto 'all', it actually prints some message like "Rule Block All - no protocol detected, assuming 'all'."

But I tried it with the list proto 'all' directive and no dice. :frowning:

And not just pings, I'm testing with "wget forum.openwrt.org"

Re: Packages. . . not really. I had to install luci manually.

Really? LuCI is included by default in all official stable release builds.

Because there is:

config forwarding
	option src 'lan'
	option dest 'wan'

Which will allow forwarding all traffic from lan to wan.

Maybe put that server on a separate zone and allow forwarding between this zone and the lan zone but not to the wan zone. Then you can use your accept rules.

//edit
Whoops, I should have read your entire first post that used a block all rule :x

To get the actual rule that was generated you can use iptables-save:

iptables-save | grep 'Block All'
-A zone_lan_forward -s 192.168.24.200/32 -p tcp -m mac --mac-source 28:f6:c9:a6:13:3e -m comment --comment "!fw3: Block All" -j zone_wan_dest_REJECT
-A zone_lan_forward -s 192.168.24.200/32 -p udp -m mac --mac-source 28:f6:c9:a6:13:3e -m comment --comment "!fw3: Block All" -j zone_wan_dest_REJECT

That is with no proto option specified.

With proto all:

iptables-save | grep 'Block All'
-A zone_lan_forward -s 192.168.24.200/32 -m mac --mac-source 28:f6:c9:a6:13:3e -m comment --comment "!fw3: Block All" -j zone_wan_dest_REJECT

To make this work with both IPv4 and IPv6 you may want to remove the source IPv4 address and only use the MAC.

iptables-save | grep 'Block All'
-A zone_lan_forward -m mac --mac-source 24:4b:fe:5b:be:9b -m comment --comment "!fw3: Block All" -j zone_wan_dest_REJECT
ip6tables-save | grep 'Block All'
-A zone_lan_forward -m mac --mac-source 24:4b:fe:5b:be:9b -m comment --comment "!fw3: Block All" -j zone_wan_dest_REJECT

I've tried this with two simple rules and it works exactly as expected. I'm truly perplexed about why these same rules aren't working for the OP (unless I'm missing something when reading their rules).

Scenario:

  • I have an OpenWrt 21.02.2 router (my dev/experimental device)
  • The WAN is connected to my normal LAN (10.0.1.0/24)
  • The OpenWrt LAN is 192.168.1.0/24
  • My Mac is connected to the OpenWrt LAN @ 192.168.1.219.
  • The single upstream device allowed is 10.0.1.2 (my Unifi Cloudkey)

The two rules of interest are here:

config rule
	option name 'allow-ck'
	list proto 'all'
	option src 'lan'
	list src_ip '192.168.1.219'
	option dest 'wan'
	list dest_ip '10.0.1.2'
	option target 'ACCEPT'

config rule
	option name 'block-all-else'
	list proto 'all'
	option src 'lan'
	list src_ip '192.168.1.219'
	option dest 'wan'
	option target 'REJECT'

With the second rule enabled, I can access only 10.0.1.2 and nothing else upstream. With that rule disabled, I can access all upstream devices and the internet.

Here are the iptables rules:

root@OpenWrt:~# iptables-save | grep allow-ck
-A zone_lan_forward -s 192.168.1.219/32 -d 10.0.1.2/32 -m comment --comment "!fw3: allow-ck" -j zone_wan_dest_ACCEPT

root@OpenWrt:~# iptables-save | grep block-all-else
-A zone_lan_forward -s 192.168.1.219/32 -m comment --comment "!fw3: block-all-else" -j zone_wan_dest_REJECT

For completeness' sake, here is my complete firewall file:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'allow-ck'
	list proto 'all'
	option src 'lan'
	list src_ip '192.168.1.219'
	option dest 'wan'
	list dest_ip '10.0.1.2'
	option target 'ACCEPT'

config rule
	option name 'block-all-else'
	list proto 'all'
	option src 'lan'
	list src_ip '192.168.1.219'
	option dest 'wan'
	option target 'REJECT'

It's better to use iptables-save -c so you can see the hit counters, not just the rules.
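As an added example (not code from anyone in this thread), a small Python parser for `iptables-save -c` output that maps each `!fw3: <name>` comment to its packet counter, so a rule that is present but never matched shows up as zero hits. The sample output is constructed from the rules posted above; the `[packets:bytes]` counters are made-up values.

```python
import re

# Constructed sample of `iptables-save -c` output, modelled on the fw3 rules
# shown in this thread. The [packets:bytes] counters are invented.
SAMPLE = """\
*filter
[1523:98210] -A zone_lan_forward -s 192.168.1.219/32 -d 10.0.1.2/32 -m comment --comment "!fw3: allow-ck" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -s 192.168.1.219/32 -m comment --comment "!fw3: block-all-else" -j zone_wan_dest_REJECT
[40:2400] -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
COMMIT
"""

# With -c every rule line starts with "[pkts:bytes] -A <chain> ..."; table headers,
# chain declarations and COMMIT have no counters and are skipped.
RULE_RE = re.compile(r'^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$')


def parse_counters(text):
    """Return one dict per rule: chain, packets, bytes, fw3 comment and jump target."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, byts, chain, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        comment = re.search(r'--comment\s+"([^"]*)"', rest)
        target = re.search(r'-j\s+(\S+)', rest)
        rules.append({"chain": chain, "packets": pkts, "bytes": byts,
                      "comment": comment.group(1) if comment else "",
                      "target": target.group(1) if target else ""})
    return rules


def fw3_rule_hits(text):
    """Map each fw3 rule name (taken from its '!fw3: <name>' comment) to its packet count."""
    return {r["comment"][len("!fw3: "):]: r["packets"]
            for r in parse_counters(text) if r["comment"].startswith("!fw3: ")}


def unhit_rules(text, chain="zone_lan_forward"):
    """Comments of rules in `chain` with a zero packet counter: rules that exist
    but have never matched, which is the symptom the OP describes."""
    return [r["comment"] for r in parse_counters(text)
            if r["chain"] == chain and r["packets"] == 0]


if __name__ == "__main__":
    for name, pkts in fw3_rule_hits(SAMPLE).items():
        print(f"{name:30s} {pkts:>8d} packets")
    print("never matched:", unhit_rules(SAMPLE))
```

On the router itself, feed it real output with `iptables-save -c | python3 thisfile.py` after replacing `SAMPLE` with `sys.stdin.read()`; a REJECT rule that keeps a zero counter while the client still reaches the internet means the traffic is not traversing that chain at all.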

Hey guys. Thanks for all your help here.

iptables-save | grep shows rules pretty identical to the ones you all posted. I've experimented with what this output is with and without macs and protos specified and it all looks exactly as expected.

So

  • iptables rules ARE being generated (as they should be) and can be viewed with iptables-save.
  • According to "route" and "traceroute" the host IS routing through the OpenWRT box (as it should).
  • The host has no OTHER ways to route to the internet. Hardware limitations on the box known to me aside, an "ifconfig" on the box shows only enp1s0 and lo.
  • IN SPITE of all of this, a "wget forum.openwrt.org" from the host in question succeeds.

CONCLUSION: Configs are correct, but the firewall is not filtering.

So the question now is: WHY might firewall rules be present on an OpenWRT box and yet those rules not be enforced? Assuming that OpenWRT is like other Linux systems I'm familiar with and iptables filtering happens at the kernel level, how would I begin to troubleshoot this?

How complex is your setup? Is it unreasonable to reset the router to defaults and rebuild your configuration? (In fact, I'd recommend re-flashing 21.02.2 and not preserving settings.) You could try reflashing and then restoring a backup, but there is a chance the backup may contain whatever is causing the issues in the first place, which is why I'd suggest rebuilding manually. If your configuration isn't complex, you could probably have this done in ~10 minutes.


Not complex at all. This and changing the IP range from 192.168.1.* to 192.168.24.* are the only changes we've made from stock OpenWRT.

The PITA is that now I have to drive over there. :sweat_smile:

Not to trivialize this part, but if this is the hardest aspect, I think resetting is the best option!
Use the sysupgrade image and flash your router -- do not keep settings. When the flashing is complete, make your subnet change and create your firewall rules... hopefully it will work.

Can you post the iptables-save -c ? It might save you the trip over there.

Hey everyone!

I reflashed openWRT as psherman suggested and it is now working as expected. Very weird, but. . . great! I really appreciate all your help.

For future googlers: Firewall whitelist by ip howto. :smiley:
