I'd like to harden my firewall to restrict access to the luci web interface (https) and ssh to only certain ip addresses (which I've assigned static DHCP leases to). I guess this could be done with custom firewall rules, but I haven't managed to configure them in a way that works. My network is running on 192.168.0.X. Any ideas?
Yes, exactly firewall. So what is your question?
See rules section.
So my question is: what firewall rules do I set to restrict access to the router's SSH server and LuCI interface to, for example, 192.168.0.2 and 192.168.0.3, but block all other IPs from accessing it?
Have you read the manual above?
I think the best option for you:

config rule
	option name 'Allow SSH for custom IP'
	option src 'lan'
	option src_ip '192.168.0.2'
	option dest_port '22 80'
	option proto 'tcp'
	option target 'ACCEPT'

config zone
	option name 'lan'
	...
	option input 'REJECT'
	...
Please be careful when applying it, and make sure you can reset the router in case of a total block of access.
Alright, I read it before but couldn't find my way through it. I thought I was supposed to create custom rules with iptables commands. Thanks @ulmwind, I'll try that and get back to you.
I've tried it now, but the following lines in firewall.user

config rule
	option name 'Allow SSH for custom IP'
	option src 'lan'
	option src_ip '192.168.0.2'
	option dest_port '22 80 443'
	option proto 'tcp'
	option target 'ACCEPT'

config zone
	option name 'lan'
	option dest_port '22 80 443'
	option proto 'tcp'
	option input 'REJECT'

are rejected by the firewall, which gives the output:

* Running script '/etc/firewall.user'
You cannot use UCI in firewall includes!
firewall.user is the place for shell commands (e.g. iptables). Add the lines to /etc/config/firewall.
This is wrong, don't add it. The zone doesn't take ports or protocol. If you are not sure, just use LuCI to do all these things, rather than blindly copy-pasting into the configuration files.
I see! I'll have a look around..
Can I specify a rule with a range of IP addresses within option src_ip, like 192.168.0.2-192.168.0.255?
I looked around and installed the iptables-mod-iprange package, then I created 2 custom rules through LuCI:

config rule
	option dest_port '22 80 443'
	option src 'lan'
	option name 'Allow SSH LuCI for custom IP'
	list src_ip '192.168.0.2'
	option dest 'lan'
	list dest_ip '192.168.0.1'
	option target 'ACCEPT'

config rule
	option dest_port '22 80 443'
	option src 'lan'
	option name 'Disallow other traffic'
	option dest 'lan'
	list dest_ip '192.168.0.1'
	option extra '-m iprange --src-range 192.168.0.2-192.168.0.254'
	option target 'REJECT'

However, that doesn't block my phone from establishing a web connection to the router. What's wrong with those rules?
Great, works! Thank you @trendy
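For reference, here is the form of the two rules that restricts the router's own SSH and LuCI ports to the hosts named earlier in the thread (192.168.0.2 and 192.168.0.3). This is an added example, not the thread's own configuration; the rule names are made up. The key difference from the non-working pair is that neither rule carries a `dest` option: a rule with only `src` matches traffic addressed to the router itself (the zone's input chain), whereas adding `dest 'lan'` turns it into a forwarding rule that never sees management traffic.

```uci
# /etc/config/firewall (added example, not from the thread)
# Management access from 192.168.0.2 and 192.168.0.3 only.
# Rules are evaluated in file order, so the ACCEPT must precede the REJECT.

config rule
	option name 'Allow-Mgmt-From-Admin-Hosts'   # hypothetical name
	option src 'lan'
	# No 'dest' option: matches packets destined for the router (input chain)
	list src_ip '192.168.0.2'
	list src_ip '192.168.0.3'
	option dest_port '22 80 443'
	option proto 'tcp'
	option target 'ACCEPT'

config rule
	option name 'Reject-Mgmt-From-Other-Lan-Hosts'   # hypothetical name
	option src 'lan'
	# Everything else on the LAN hitting SSH/HTTP/HTTPS on the router is refused
	option dest_port '22 80 443'
	option proto 'tcp'
	option target 'REJECT'
```

After `/etc/init.d/firewall reload`, verify from an allowed host and from a non-allowed one (e.g. the phone) that only the former can still open SSH and the LuCI page; the REJECT keeps DHCP and DNS on the LAN untouched because it is limited to those three TCP ports.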
I like the option that Linksys firmware has, allow access to the router from Ethernet only and block it from Wi-Fi. I wish OpenWrt had the same option so that no one on Wi-Fi can access LuCI.
While there is no turn key solution, you can do that with the help of