Restricting access to LuCI and SSH server to only certain IP addresses

I'd like to harden my firewall to restrict access to the LuCI web interface (HTTPS) and SSH to only certain IP addresses (which I've assigned static DHCP leases to). I guess this could be done with custom firewall rules, but I haven't managed to configure them in a way that works. My network is running on 192.168.0.X. Any ideas?

Yes, exactly, firewall. So what is your question?

See rules section.


So my question is: what firewall rules do I set to restrict access to the router's SSH server and LuCI interface to, for example, 192.168.0.2 and 192.168.0.3, but block all other IPs from accessing it?

Have you read the manual above?

I think the best option for you is:

config rule
	option	name		'Allow SSH for custom IP'
	option	src		'lan'
	option	src_ip		'192.168.0.2'
	option	dest_port	'22 80'
	option	proto		'tcp'
	option	target		'ACCEPT'
config zone
	option	name		'lan'
...
	option	input		'REJECT'
...

Please be careful applying it, and make sure you can reset the router in case access is totally blocked.

Alright, I read it before but couldn't find my way through it. I thought I was supposed to create custom rules with iptables commands. Thanks @ulmwind, I'll try that and get back to you 🙂

I've tried it now, but the following lines in firewall.user

config rule
	option	name		'Allow SSH for custom IP'
	option	src		'lan'
	option	src_ip		'192.168.0.2'
	option	dest_port	'22 80 443'
	option	proto		'tcp'
	option	target		'ACCEPT'

config zone
	option	name		'lan'
	option	dest_port	'22 80 443'
	option	proto		'tcp'
	option	input		'REJECT'

is rejected by the firewall, which gives the output:

 * Running script '/etc/firewall.user'
You cannot use UCI in firewall includes!

firewall.user is the place for shell commands (e.g. iptables). Add the lines to /etc/config/firewall.

This is wrong, don't add it. The zone doesn't take ports or protocol. If you are not sure, just use LuCI to do all these things, rather than blindly copy-pasting into the configuration files.


I see! I'll have a look around.

Can I specify a rule with a range of IP addresses within option src_ip, like 192.168.0.2-192.168.0.255?

I looked around and installed the iptables-mod-iprange package, then I created 2 custom rules through LuCI:

config rule
	option dest_port '22 80 443'
	option src 'lan'
	option name 'Allow SSH LuCI for custom IP'
	list src_ip '192.168.0.2'
	option dest 'lan'
	list dest_ip '192.168.0.1'
	option target 'ACCEPT'

config rule
	option dest_port '22 80 443'
	option src 'lan'
	option name 'Disallow other traffic'
	option dest 'lan'
	list dest_ip '192.168.0.1'
	option extra '-m iprange --src-range 192.168.0.2-192.168.0.254'
	option target 'REJECT'

However, that doesn't block my phone from establishing a web connection to the router. What's wrong with those rules?

Remove these.


Great, works! Thank you @trendy

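As an added defender-side check (not code from the thread or from OpenWrt): a small Python script that parses a /etc/config/firewall fragment and flags the mistakes discussed above (ports or proto in a zone section, dest set on a router-input rule, lan input not REJECT) while confirming that the accept rule for 22/80/443 is limited to the allowed hosts. The sample config is constructed to match the shape the thread ends on.

```python
import re
from collections import defaultdict
# Constructed sample (not the poster's file): the shape the thread ends on, with
# the lan zone closed by default and one rule opening 22/80/443 for allowed hosts.
GOOD = """
config zone
	option name 'lan'
	option input 'REJECT'
config rule
	option name 'Allow SSH LuCI for custom IP'
	option src 'lan'
	list src_ip '192.168.0.2'
	list src_ip '192.168.0.3'
	option dest_port '22 80 443'
	option proto 'tcp'
	option target 'ACCEPT'
"""
LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")
ADMIN_PORTS = {"22", "80", "443"}

def parse_uci(text):
    """Minimal UCI parser: returns [(section_type, {key: [values]}), ...]."""
    sections = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        if m.group(1) == "config":
            sections.append((m.group(2), defaultdict(list)))
        elif sections:
            sections[-1][1][m.group(2)].append(m.group(3))
    return sections

def check_admin_access(text, allowed):
    """Findings for the router-access rules; an empty list means they look right."""
    found, sections = [], parse_uci(text)
    zone = next((s for t, s in sections if t == "zone" and s.get("name") == ["lan"]), {})
    if zone.get("input") != ["REJECT"]:
        found.append("lan zone input is not REJECT, so every lan host reaches the router")
    for key in ("dest_port", "proto"):  # the mistake in the rejected firewall.user attempt
        if key in zone:
            found.append(f"zone section does not take '{key}'")
    for t, s in sections:
        ports = set(" ".join(s.get("dest_port", [])).split())
        if t != "rule" or s.get("target") != ["ACCEPT"] or not ports & ADMIN_PORTS:
            continue
        name = s.get("name", ["<unnamed>"])[0]
        if "dest" in s:  # the mistake in the LuCI-created rules
            found.append(f"rule '{name}': dest is set; a router-input rule leaves dest unset")
        src_ip = set(s.get("src_ip", []))
        if not src_ip or not src_ip <= set(allowed):
            found.append(f"rule '{name}': src_ip {sorted(src_ip)} is not limited to the allowed hosts")
    return found
```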

I like the option that Linksys firmware has: allow access to the router from Ethernet only and block it from Wi-Fi. I wish OpenWrt had the same option, so that no one on Wi-Fi can access LuCI.

While there is no turnkey solution, you can do that with the help of:
https://openwrt.org/packages/pkgdata/kmod-br-netfilter
https://openwrt.org/packages/pkgdata/kmod-ipt-physdev
