[SOLVED] Reorder Firewall Rules in what way? For parental controls

OK I feel like an idiot because I'm definitely missing something obvious.
I'm trying to set up an SSID for my kids to use that disables the internet at bedtime.
I keep seeing over and over again "make sure you reorder the firewall rules" and a link to this stub of instructions that I can't make heads or tails of. https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset#established_connections

How do I determine what order my firewall rules should be in?
What comes first?
What needs to come after the time restriction?

Am I supposed to take the text in that little amputated instruction and put it in the command line? (Which I can only infer from the "cat" command.)
The first line is creating a file named "/etc/nftables.d/estab.sh" and then does all of it end up in the file?

I've been bashing my head into one roadblock or another for hours trying to set up a simple "hey, it's after 8 pm, no internet on the SSID 'Kids'".

Feel free to call me an idiot for missing something very basic, I sure as "crap" feel like an idiot.

The ESTABLISHED and RELATED rule should not have precedence over the time blocking rule. That is the idea behind the script to reorder the rules.


Okay, you obviously think I'm smarter than I actually am, and I appreciate the compliment; however, what are Established and Related rules?


In a nutshell, the firewall by default allows responses to already allowed packets, or keeps allowing all packets which belong to an established connection.
That means that if a kid connects to youtube at 21:59, keeps the connection open at all times, and the parental rule starts at 22:00, then the firewall would allow it by default.
But if we re-order the rules, then the parental rule will be evaluated first, then the RELATED/ESTABLISHED.


Thank you for your responses. I think I get it now, but I'm at work away from my router. Should I just move the time rule to be the first rule in the firewall stack? Or will that break other things?
I tried running that script and it still wasn't blocking new connections so I assumed I did something wrong. How can I tell if it reordered anything? What should I make sure it is above?

Thank you again.

MattBatt

It won't make any difference. The rule to allow RELATED/ESTABLISHED is automatically added.

You can verify the running firewall configuration:

iptables-save -c; ip6tables-save -c; nft list ruleset
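The ordering point made earlier in the thread (the time rule inside the zone chain must be evaluated before the forwarded established/related accept, or a connection opened before curfew keeps flowing) can be checked mechanically against the output of the `nft list ruleset` command suggested above. This is an added example, not code from the thread or from OpenWrt's fw4; the function name and the two embedded rulesets are constructed, the second one mimicking fw4's default layout where the accept comes first.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): report whether, in the
# "forward" chain of an nft ruleset, the "ct state established,related accept"
# rule is evaluated AFTER the per-zone "jump forward_*" rules. Only then can
# a time-based reject inside a zone chain (e.g. Ma_timeSchool) cut off flows
# that were already established before the curfew started.
#
# On the router:  nft list ruleset | sh check_forward_order.sh
# Reads the ruleset from the file(s) given as arguments, or from stdin.

# Prints "ok" (accept after every zone jump), "bad" (accept before at least
# one zone jump, i.e. the fw4 default) or "missing" (chain or rule not found).
check_forward_order() {
    awk '
        /^[[:space:]]*chain forward [{]/ { inchain = 1; n = 0; next }
        inchain && /^[[:space:]]*}/      { inchain = 0; next }
        inchain {
            n++                                      # rule position in chain
            if ($0 ~ /jump forward_/)                        last_jump = n
            if ($0 ~ /ct state established,related accept/)  ct = n
        }
        END {
            if (!ct || !last_jump)   print "missing"
            else if (ct > last_jump) print "ok"
            else                     print "bad"
        }
    ' "$@"
}

# Constructed sample 1: the layout seen in the posted ruleset (already reordered).
GOOD_RULESET='table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
                iifname "br-VLAN.99" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "br-VLAN.3" jump forward_3_zone comment "!fw4: Handle 3_zone IPv4/IPv6 forward traffic"
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                jump handle_reject
        }
}'

# Constructed sample 2: established flows accepted before the zone chains run,
# so a curfew rule in forward_3_zone never sees an already-open connection.
BAD_RULESET='table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-VLAN.99" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "br-VLAN.3" jump forward_3_zone comment "!fw4: Handle 3_zone IPv4/IPv6 forward traffic"
                jump handle_reject
        }
}'

printf '%s\n' "$GOOD_RULESET" | check_forward_order   # prints "ok"
printf '%s\n' "$BAD_RULESET"  | check_forward_order   # prints "bad"
```

The check only covers the forward chain; the established/related accept in the input chain is irrelevant here because traffic from the kids' SSID to the internet is forwarded, not delivered to the router itself.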

My fault for not specifying that I'm running 22.03, so there is no iptables.

Model: Linksys EA7300 v1
Architecture: MediaTek MT7621 ver:1 eco:3
Target Platform: ramips/mt7621
Firmware Version: OpenWrt 22.03.3 r20028-43d71ad93e / LuCI openwrt-22.03 branch git-23.093.57104-ce20b4a
Kernel Version: 5.10.161
 iptables-save -c; ip6tables-save -c; nft list ruleset
-ash: iptables-save: not found
-ash: ip6tables-save: not found

I did about 30 minutes of searching and found out that you accounted for that eventuality, because the third command is for nftables. This also explains why the error shows up so often in the forum and everyone ignores it. LOL, I'm a useless noob.

So my time restrictions rule still isn't working yet, but I should go to bed.
Thanks again for your assistance.

You can post the output here so we can have a look.


I'm back. I was chasing down a whole other issue where my Kindle would just stop connecting, I think I've fixed it.

Anywho, here are the results, sanitized to the best of my ability.
Is there an easier way than manually redacting in Notepad?

Darn it. The firewall rules for time (Ma_timeSchool) would normally be enabled on Sunday and Monday, but I was troubleshooting the connectivity issues above and forgot to reinstate them before grabbing the nft list.

 nft list ruleset
table inet fw4 {
        flowtable ft {
                hook ingress priority filter
                devices = { lan1, lan2, lan3, lan4, wan }
                flags offload
        }

        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-VLAN.99" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname "br-VLAN.3" jump input_3_zone comment "!fw4: Handle 3_zone IPv4/IPv6 input traffic"
                iifname "br-VLAN.66" jump input_66_zone comment "!fw4: Handle 66_zone IPv4/IPv6 input traffic"
                iifname "br-VLAN.4" jump input_4_zone comment "!fw4: Handle 4_zone IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                meta l4proto { tcp, udp } flow add @ft
                iifname "br-VLAN.99" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname "br-VLAN.3" jump forward_3_zone comment "!fw4: Handle 3_zone IPv4/IPv6 forward traffic"
                iifname "br-VLAN.66" jump forward_66_zone comment "!fw4: Handle 66_zone IPv4/IPv6 forward traffic"
                iifname "br-VLAN.4" jump forward_4_zone comment "!fw4: Handle 4_zone IPv4/IPv6 forward traffic"
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-VLAN.99" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname "br-VLAN.3" jump output_3_zone comment "!fw4: Handle 3_zone IPv4/IPv6 output traffic"
                oifname "br-VLAN.66" jump output_66_zone comment "!fw4: Handle 66_zone IPv4/IPv6 output traffic"
                oifname "br-VLAN.4" jump output_4_zone comment "!fw4: Handle 4_zone IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "br-VLAN.99" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
                iifname "br-VLAN.3" jump helper_3_zone comment "!fw4: Handle 3_zone IPv4/IPv6 helper assignment"
                iifname "br-VLAN.66" jump helper_66_zone comment "!fw4: Handle 66_zone IPv4/IPv6 helper assignment"
                iifname "br-VLAN.4" jump helper_4_zone comment "!fw4: Handle 4_zone IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_66_zone comment "!fw4: Accept lan to 66_zone forwarding"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname "br-VLAN.99" counter packets 2420 bytes 157298 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "br-VLAN.99" counter packets 1405 bytes 196016 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 23 bytes 8158 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 1 bytes 44 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 412 bytes 29664 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 23 bytes 1656 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                oifname "wan" counter packets 88662 bytes 15277880 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "wan" counter packets 550 bytes 25239 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_3_zone {
                tcp dport { 53, 67, 68 } counter packets 0 bytes 0 accept comment "!fw4: M@_DHCP_DNS"
                udp dport { 53, 67, 68 } counter packets 640 bytes 53992 accept comment "!fw4: M@_DHCP_DNS"
                jump reject_from_3_zone
        }

        chain output_3_zone {
                jump accept_to_3_zone
        }

        chain forward_3_zone {
                meta l4proto tcp meta hour "02:28:16"-"06:00" meta day { "Tuesday", "Wednesday", "Thursday" } counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Ma_timeSchool"
                meta l4proto udp meta hour "02:28:16"-"06:00" meta day { "Tuesday", "Wednesday", "Thursday" } counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Ma_timeSchool"
                meta l4proto tcp meta hour "03:28:16"-"06:00" meta day { "Friday", "Saturday" } counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Ma_timeWend"
                meta l4proto udp meta hour "03:28:16"-"06:00" meta day { "Friday", "Saturday" } counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: Ma_timeWend"
                jump accept_to_wan comment "!fw4: Accept 3_zone to wan forwarding"
                jump reject_to_3_zone
        }

        chain helper_3_zone {
        }

        chain accept_to_3_zone {
                oifname "br-VLAN.3" counter packets 45 bytes 13140 accept comment "!fw4: accept 3_zone IPv4/IPv6 traffic"
        }

        chain reject_from_3_zone {
                iifname "br-VLAN.3" counter packets 126 bytes 12246 jump handle_reject comment "!fw4: reject 3_zone IPv4/IPv6 traffic"
        }

        chain reject_to_3_zone {
                oifname "br-VLAN.3" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject 3_zone IPv4/IPv6 traffic"
        }

        chain input_66_zone {
                tcp dport { 53, 67, 68 } counter packets 0 bytes 0 accept comment "!fw4: IOT_DHCP_DNS"
                udp dport { 53, 67, 68 } counter packets 32 bytes 4850 accept comment "!fw4: IOT_DHCP_DNS"
                jump reject_from_66_zone
        }

        chain output_66_zone {
                jump accept_to_66_zone
        }

        chain forward_66_zone {
                jump accept_to_wan comment "!fw4: Accept 66_zone to wan forwarding"
                jump reject_to_66_zone
        }

        chain helper_66_zone {
        }

        chain accept_to_66_zone {
                oifname "br-VLAN.66" counter packets 12 bytes 3376 accept comment "!fw4: accept 66_zone IPv4/IPv6 traffic"
        }

        chain reject_from_66_zone {
                iifname "br-VLAN.66" counter packets 9 bytes 504 jump handle_reject comment "!fw4: reject 66_zone IPv4/IPv6 traffic"
        }

        chain reject_to_66_zone {
                oifname "br-VLAN.66" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject 66_zone IPv4/IPv6 traffic"
        }

        chain input_4_zone {
                tcp dport { 53, 67, 68 } counter packets 0 bytes 0 accept comment "!fw4: Guest_DHCP_DNS"
                udp dport { 53, 67, 68 } counter packets 0 bytes 0 accept comment "!fw4: Guest_DHCP_DNS"
                jump reject_from_4_zone
        }

        chain output_4_zone {
                jump accept_to_4_zone
        }

        chain forward_4_zone {
                jump accept_to_wan comment "!fw4: Accept 4_zone to wan forwarding"
                jump reject_to_4_zone
        }

        chain helper_4_zone {
        }

        chain accept_to_4_zone {
                oifname "br-VLAN.4" counter packets 0 bytes 0 accept comment "!fw4: accept 4_zone IPv4/IPv6 traffic"
        }

        chain reject_from_4_zone {
                iifname "br-VLAN.4" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject 4_zone IPv4/IPv6 traffic"
        }

        chain reject_to_4_zone {
                oifname "br-VLAN.4" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject 4_zone IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }
}


Looks good, the RELATED/ESTABLISHED rule in the forward chain is lower than the others.


Well, thanks again for all of your help, but my solution was in another castle. Apparently I'm an idiot and I had two LAN bridges running, which was causing all sorts of havoc on my router, including but not limited to the firewall rules intermittently working and not working.
Again, this was a self-inflicted injury from following an outdated tutorial and the incomplete update to the tutorial for OpenWrt 21. https://youtu.be/4t_S2oWsBpE?t=234
https://youtu.be/qeuZqRqH-ug?t=698

I really wish someone could write a software package to set up VLANs for separate SSIDs; there are an awful lot of "go here, click this, then this, type this, don't do this" steps, and it seems fairly formulaic and repeatable. But that's a topic for another day.

Thanks again.

