Rejected request from RFC1918 IP to public server address

Hello

I have an AX6S with OpenWrt and a machine on a VLAN at 192.168.60.100 which hosts a web server (grafana).

I have a domain that points to my public IP address.

Before configuring anything, I noticed that a request to this domain (port 80) does not return a connection failure but

Forbidden
Rejected request from RFC1918 IP to public server address

If I redirect from port 80 to my IP 192.168.60.100 with the correct port I get the same error.

When there is no redirection, which OpenWrt service returns this error to me and why?
The next question is: what is the best practice to redirect the domain to this IP:port?

Thanks in advance

2 Likes

THANKS

I should have mentioned that I searched and found this about uhttpd.

but I don't understand at all
-Why is uhttpd active on port 80 by default (for LuCI, if I understand correctly)? Why does the router respond on this port by default? Why doesn't it simply not respond?
-The concept of "RFC1918 to public" which is illustrated by

Reject requests from RFC1918 IP addresses
directed to the servers public IP(s).
This is a DNS rebinding countermeasure.

Here I have a request from public to private, not the other way around.

Can you reformulate DNS rebinding "for dummies"? I don't understand why my router needs to protect itself from a connection through a malicious domain when it is just supposed to not respond to requests?

Since I don't understand that, I don't understand:
-The consequence of removing rfc1918_filter
-How do I redirect to my local server? Is it enough to remove the filter, or do we have to act on uhttpd to make it a reverse proxy? What else?

Because improper access attempts are prevented by the firewall, instead of locking the port bindings/ service configurations to a specific interface/ subnet. Why? Because the number and order of interfaces are known at (before-) build time (varying between devices), because users tend to reconfigure their subnets/ IP ranges, etc. It would be a support nightmare having to change multiple configurations at once, rather than doing it once at the firewall level.

2 Likes
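An added illustration (not uhttpd's code and not from this thread) of the check that the quoted option description refers to: the listener rejects a request when the client's address is RFC1918 and the address the connection was accepted on is not. The addresses 203.0.113.10 and 198.51.100.7 are documentation-range placeholders standing in for the router's public WAN IP and an Internet client.

```python
import ipaddress

# The three RFC1918 private ranges named by the option description.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    # A dual-stack listener sees IPv4 peers as ::ffff:a.b.c.d; map them back before testing.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.version == 4 and any(ip in net for net in RFC1918)

def rfc1918_filter(client_ip, server_ip, enabled=True):
    """Mirror of the rule quoted above: a private client hitting a public server
    address is refused. Returns (HTTP status, reason)."""
    if enabled and is_rfc1918(client_ip) and not is_rfc1918(server_ip):
        return 403, "Rejected request from RFC1918 IP to public server address"
    return 200, "passed rfc1918_filter"

# Constructed sample connections: (client address, address the listener accepted on).
SAMPLES = [
    ("192.168.60.50", "203.0.113.10"),   # LAN host resolving the public domain name: the
                                         # "from RFC1918 IP to public server address" case
    ("192.168.60.50", "192.168.60.1"),   # LAN host -> router LAN address (LuCI): allowed
    ("198.51.100.7", "203.0.113.10"),    # Internet host -> public address: this filter does not
                                         # object; the wan zone 'input REJECT' is what blocks it
    ("::ffff:10.0.0.9", "203.0.113.10"), # the same private-client case seen via an IPv6 socket
]

def evaluate(samples=SAMPLES):
    """Return (client, server, status) for each sample connection."""
    return [(c, s, rfc1918_filter(c, s)[0]) for c, s in samples]

if __name__ == "__main__":
    for client, server, status in evaluate():
        print(f"{client:>18} -> {server:<14} {status}")
```

Note that a rebinding attack aims exactly at the first sample: a browser inside the LAN is steered to a name that now resolves to the router, so the router's own web server must refuse private-to-public requests rather than rely on where the name came from.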

Sorry but these are still difficult concepts for me.
Besides the fact that I don't understand why the router responds to a request that it doesn't want (I understand that you are answering this question), I don't see how I should redirect external requests on port 80 to my server placed on a VLAN.

I understand that the RFC1918 filter is important and should not be deleted.
Should the uhttpd web server serve as a reverse proxy? What else?

Thanks

You can edit /etc/config/uhttpd to listen on only internal addresses if you want. See the online documentation/guide for uhttpd, section Securing uHTTPd, for details.

[OpenWrt Wiki] uHTTPd Web Server Configuration

You can check what is listening on what using netstat -tunlp.

Nothing to do on uhttpd; just create a port forward on the firewall.

uci add firewall redirect
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='test'
uci add_list firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='80'
uci set firewall.@redirect[-1].dest_ip='192.168.60.100'
uci set firewall.@redirect[-1].dest_port='80'
uci set firewall.@redirect[-1].reflection='0'
uci commit firewall
service firewall restart

1 Like

Thanks
but this is what I tried from the beginning, and it gives me the same error whether the rule is active or not:

Rejected request from RFC1918 IP to public server address

my Firewall file


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config zone
	option name 'lan0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan0'

config forwarding
	option src 'lan0'
	option dest 'wan'

config zone
	option name 'lan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan6'
	option input 'REJECT'

config forwarding
	option src 'lan6'
	option dest 'wan'

config zone
	option name 'lan5'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan5'
	option input 'REJECT'

config forwarding
	option src 'lan5'
	option dest 'wan'

config zone
	option name 'lan9'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan9'
	option input 'REJECT'

config zone
	option name 'villaMaria'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VillaMaria'
	option input 'REJECT'

config forwarding
	option src 'villaMaria'
	option dest 'wan'

config zone
	option name 'lan8'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan8'
	option input 'REJECT'

config zone
	option name 'lan1'
	option output 'ACCEPT'
	list network 'lan1'
	option input 'REJECT'
	option forward 'REJECT'

config zone
	option name 'lan7'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan7'
	option input 'REJECT'

config zone
	option name 'lan2'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan2'
	option input 'REJECT'

config forwarding
	option src 'lan8'
	option dest 'wan'

config forwarding
	option src 'lan1'
	option dest 'wan'

config forwarding
	option src 'lan7'
	option dest 'wan'

config forwarding
	option src 'lan2'
	option dest 'wan'

config forwarding
	option src 'lan0'
	option dest 'lan9'

config forwarding
	option src 'lan5'
	option dest 'lan9'

config rule
	option name 'Allow-DHCP-DNS-cactus'
	option src 'lan6'
	option target 'ACCEPT'
	option dest_port '53 67'

config rule
	option name 'Allow-DHCP-DNS'
	option src 'lan9'
	option target 'ACCEPT'
	option dest_port '53 67'

config rule
	option name 'Allow-DHCP-DNS-Leaf'
	option src 'lan5'
	option target 'ACCEPT'
	option dest_port '53 67'

config rule
	option name 'Allow-DHCP-DNS-VillaMaria'
	option src 'villaMaria'
	option target 'ACCEPT'
	option dest_port '53 67'

config rule
	option name 'Allow-DNS-Serveur'
	option src 'lan8'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-DNS-Toi'
	option src 'lan1'
	option target 'ACCEPT'
	option dest_port '53 67'

config rule
	option name 'Allow-DHCP-DNS-Atelier'
	option src 'lan7'
	option target 'ACCEPT'
	option dest_port '53 67'

config rule
	option name 'Allow-DHCP-lan2'
	option src 'lan2'
	option target 'ACCEPT'
	option dest_port '53 67'

config forwarding
	option src 'lan0'
	option dest 'lan2'

config forwarding
	option src 'lan0'
	option dest 'lan7'

config forwarding
	option src 'lan0'
	option dest 'lan6'

config forwarding
	option src 'lan0'
	option dest 'villaMaria'

config forwarding
	option src 'lan0'
	option dest 'lan1'


config include 'estab'
	option path '/etc/nftables.d/estab.sh'

config redirect
	option dest 'lan1'
	option target 'DNAT'
	option name 'grafana'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.60.143'
	option dest_port '3000'
	option enabled '0'


Your rule for grafana is disabled and points to a different IP (.60.143).
If you enable it and point to the correct IP (.60.100), does it work? If not, you'll need to check the web server running grafana.

1 Like
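A small audit of the kind that would have caught the disabled rule above, written as an added example (not OpenWrt tooling and not from this thread): it parses the /etc/config/firewall text format as posted and reports each DNAT redirect that cannot be forwarding anything as written. The sample config is constructed from the grafana rule, with the unterminated quote on its last line repaired.

```python
def parse_uci(text):
    """Parse the /etc/config/firewall text format into (section_type, options)
    pairs; 'list' keys collect into Python lists, 'option' keys are scalars."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(" ")
        if kind == "config":
            sections.append((rest.split()[0], {}))
        elif kind in ("option", "list") and sections:
            key, _, val = rest.strip().partition(" ")
            val = val.strip().strip("'\"")
            opts = sections[-1][1]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def audit_redirects(text):
    """One finding per redirect that is switched off or lacks a field a DNAT needs."""
    findings = []
    for stype, o in parse_uci(text):
        if stype != "redirect":
            continue
        name = o.get("name", "<unnamed>")
        if o.get("enabled", "1") == "0":        # an absent 'enabled' means enabled
            findings.append(f"{name}: disabled (option enabled '0')")
        for req in ("src", "src_dport", "dest_ip", "dest_port"):
            if req not in o:
                findings.append(f"{name}: missing option '{req}'")
    return findings

# Constructed sample in the thread's own format: the grafana redirect as posted.
SAMPLE = """\
config redirect
	option dest 'lan1'
	option target 'DNAT'
	option name 'grafana'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.60.143'
	option dest_port '3000'
	option enabled '0'
"""

if __name__ == "__main__":
    print("\n".join(audit_redirects(SAMPLE)) or "no findings")
```

Run it against the output of `cat /etc/config/firewall` copied from the router to see every redirect that is present but not in effect.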

60.143 is the correct IP, and I unchecked enable after testing so as not to leave an invalid rule.

For the moment I can't find anything concerning RFC1918 in grafana ... I'm still looking.

Is there no problem with the INPUT OUTPUT and FORWARD of my zones?

I understood things with this wonderful video

but looking at my config I wonder if I don't know even less than before looking at it

The port forwarding is bypassing these settings. You can run tcpdump or Wireshark on the grafana host to verify that it receives the forwarded packets.

1 Like