Hi,
I'm trying to set up a OutdoorRouter 4G EZR33-Y4U running OpenWrt with a deny all with exceptions firewall. I've tried several things using resources found on these forums, but to no avail I'm unable to get the result I want.
Now I do know a thing or two about iptables but I'm no expert, and I'm a complete noob on OpenWrt, so I'm probably misunderstanding something in my attempts.
I want to deny all inbound connections to a device on the lan (IP 192.168.30.221) and the router, but allow through connections on the following ports:
- allow port 22 for SSH inbound (I understand the security concerns, will end up using keys)
- allow port 5938 for Teamviewer inbound
By default the router comes with the following /etc/config/firewall file
root@OutdoorRouter:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
list network 'MOBILE'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
I've tried adding:
config rule
option enabled '1'
option src 'wan'
option dest 'lan'
option name 'Allow_ports'
option family 'ipv4'
option proto 'all'
option src_port '22 5938'
option dest_port '22 5938'
option target 'ACCEPT'
config rule
option enabled '1'
option src 'wan'
option name 'Drop_All'
option family 'ipv4'
option proto 'all'
option target 'DROP'
I've also tried setting it up via Custom Rules in the LuCI interface with the following, but again to no avail.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT --proto udp --sport 53 --jump ACCEPT
iptables -A OUTPUT --proto udp --dport 53 --jump ACCEPT
iptables -A OUTPUT --proto tcp --dport 53 --jump ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A PREROUTING -p multiport -m multiport --dports 22,5938 -j ACCEPT
iptables -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
Hope someone can help me figure this out, most of the time I try and add something it doesn't make a difference to who can and can't connect, I'm at my wit's end.
Kind Regards,
Krys