Setting up a deny all firewall with exceptions

Hi,

I'm trying to set up an OutdoorRouter 4G EZR33-Y4U running OpenWrt with a deny-all-with-exceptions firewall. I've tried several things using resources found on these forums, but to no avail; I'm unable to get the result I want.

Now I do know a thing or two about iptables but I'm no expert, and I'm a complete noob on OpenWrt, so I'm probably misunderstanding something in my attempts.

I want to deny all inbound connections to a device on the lan (IP 192.168.30.221) and the router, but allow through connections on the following ports:

  • allow port 22 for SSH inbound (I understand the security concerns, will end up using keys)
  • allow port 5938 for Teamviewer inbound

By default the router comes with the following /etc/config/firewall file:

root@OutdoorRouter:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'MOBILE'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

I've tried adding:

config rule
	option enabled '1'
	option src 'wan'
	option dest 'lan'
	option name 'Allow_ports'
	option family 'ipv4'
	option proto 'all'
	option src_port '22 5938'
	option dest_port '22 5938'
	option target 'ACCEPT'

config rule
	option enabled '1'
	option src 'wan'
	option name 'Drop_All'
	option family 'ipv4'
	option proto 'all'
	option target 'DROP'

I've also tried setting it up via Custom Rules in the LuCI interface with the following, but again to no avail.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT --proto udp --sport 53 --jump ACCEPT
iptables -A OUTPUT --proto udp --dport 53 --jump ACCEPT
iptables -A OUTPUT --proto tcp --dport 53 --jump ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A PREROUTING -p multiport -m multiport --dports 22,5938 -j ACCEPT

iptables -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT --match state --state ESTABLISHED,RELATED -j ACCEPT

Hope someone can help me figure this out. Most of the time, when I try to add something, it doesn't make any difference to who can and can't connect, and I'm at my wit's end.

Kind Regards,
Krys

To deny everything on LAN except SSH, make the LAN default input rule REJECT then add a rule to accept src lan, TCP port 22.

This will break LAN computers' usage of the router for DHCP and DNS, so you probably want rules for those too. You could set the DHCP server to configure LAN PCs to an external DNS.

Teamviewer would be a forward to the PC running Teamviewer. Though I thought applications like that usually make outgoing connections so the remote access works without special firewalling.


Hey,

I'm not trying to deny anything within the lan, just connections that are coming from the wan to the lan, so that anything trying to access devices within the lan from the internet will be denied if it isn't connecting via port 22 or 5938.

Hope that clears it up.

By default zone wan has INPUT and FORWARD set to REJECT.


@takimata, it is not in this case, as I presume OutdoorRouter have edited the default OpenWrt setup.

@trendy the device comes with OpenWrt installed and preconfigured as such, I imagine that OutdoorRouter set this up, as I've copied this from the file after resetting the device to factory defaults.

So setting INPUT and FORWARD to REJECT will stop it from allowing outside connections; then what rule do I need to allow forwarding only on those two ports? How far up or down the file does it need to go?

Apologies for all the questions, I'm just very confused at the moment.

Kind Regards,
Krys

This is not official OpenWrt, and who knows what else they have screwed up, as this is a major security hole.
There is lan->wan forwarding only, so nothing is allowed from wan->lan unless a connection has already been opened from the lan.
I suppose you have only one public IP on the wan interface, so your only option is to create redirects (port forwards), not rules. Be careful not to use the server ports in the src_port option, as that is usually not the case.
Also teamviewer opens a connection from the lan and uses that one to accept incoming connections as @mk24 pointed out.

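The two fixes the replies converge on (wan zone input/forward back to REJECT, and redirects rather than rules for the two ports) are easy to get subtly wrong by hand, so here is an added example that is not code from the thread, from OpenWrt or from OutdoorRouter. It audits a /etc/config/firewall for a wan zone that still ACCEPTs, and prints a replacement wan zone plus two DNAT redirects in standard fw3 UCI syntax. Assumptions not stated in the thread: the LAN host is the 192.168.30.221 from the question, both services listen on TCP, and the helper names (wan_zone_policy, audit_wan_zone, list_redirects, hardened_wan_config) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, OpenWrt or OutdoorRouter).
# Audits an OpenWrt /etc/config/firewall for a wan zone that still ACCEPTs
# input/forward and prints a deny-by-default wan zone plus DNAT redirects
# for tcp/22 and tcp/5938. Assumed: LAN host 192.168.30.221, TCP services.

# wan_zone_policy FILE -> "input=<policy> forward=<policy>" for the zone named wan
wan_zone_policy() {
    zone='' inp='' fwd=''
    while read -r kw key val; do
        val=${val#\'}; val=${val%\'}            # UCI wraps values in single quotes
        case "$kw" in
            config) zone='' ;;                   # every 'config' line starts a new stanza
            option)
                case "$key" in
                    name)    zone=$val ;;
                    input)   if [ "$zone" = wan ]; then inp=$val; fi ;;
                    forward) if [ "$zone" = wan ]; then fwd=$val; fi ;;
                esac ;;
        esac
    done < "$1"
    printf 'input=%s forward=%s\n' "$inp" "$fwd"
}

# audit_wan_zone FILE -> one line: the wan policy and an OPEN/CLOSED verdict
audit_wan_zone() {
    pol=$(wan_zone_policy "$1")
    case "$pol" in
        *ACCEPT*) printf 'wan: %s -> OPEN\n' "$pol" ;;    # unsolicited wan traffic gets in
        *)        printf 'wan: %s -> CLOSED\n' "$pol" ;;
    esac
}

# list_redirects FILE -> one "proto/src_dport -> dest_ip" line per 'config redirect'
list_redirects() {
    inred='' proto='' port='' ip=''
    while read -r kw key val; do
        val=${val#\'}; val=${val%\'}
        if [ "$kw" = config ]; then
            if [ -n "$inred" ]; then printf '%s/%s -> %s\n' "$proto" "$port" "$ip"; fi
            inred=''; proto=''; port=''; ip=''
            if [ "$key" = redirect ]; then inred=1; fi
        elif [ -n "$inred" ] && [ "$kw" = option ]; then
            case "$key" in
                proto)     proto=$val ;;
                src_dport) port=$val ;;          # port hit on the wan side; NOT src_port
                dest_ip)   ip=$val ;;
            esac
        fi
    done < "$1"
    if [ -n "$inred" ]; then printf '%s/%s -> %s\n' "$proto" "$port" "$ip"; fi
}

# hardened_wan_config LAN_HOST -> replacement wan zone (same networks as the
# vendor file, input/forward REJECT) plus the two DNAT redirects to LAN_HOST.
hardened_wan_config() {
    cat <<EOF
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'MOBILE'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config redirect
	option name 'Forward-SSH'
	option src 'wan'
	option proto 'tcp'
	option src_dport '22'
	option dest 'lan'
	option dest_ip '$1'
	option dest_port '22'
	option target 'DNAT'

config redirect
	option name 'Forward-TeamViewer'
	option src 'wan'
	option proto 'tcp'
	option src_dport '5938'
	option dest 'lan'
	option dest_ip '$1'
	option dest_port '5938'
	option target 'DNAT'
EOF
}

# On the router itself: audit the live file and show any existing redirects.
if [ -r /etc/config/firewall ]; then
    audit_wan_zone /etc/config/firewall
    list_redirects /etc/config/firewall
fi
```

Run `hardened_wan_config 192.168.30.221` on the router, replace the vendor's wan zone stanza with the printed one (keep the existing Allow-* rules and the lan zone as they are), append the two redirect stanzas, then `/etc/init.d/firewall restart`. Ordering within the file does not matter for a redirect; fw3 places DNAT in the nat table's zone_wan_prerouting chain, which is evaluated before the input/forward decision, so `iptables -t nat -S zone_wan_prerouting` should show the two DNAT lines and `iptables -S zone_wan_input` should no longer end in a blanket ACCEPT. Note that the SSH redirect sends wan-side tcp/22 to the LAN host, not to the router's own dropbear, which with input REJECT is unreachable from the wan anyway; and the miniupnpd include left in the vendor file lets LAN clients open further wan ports on request, so disable it if that is not wanted.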

Thanks for the heads up and information guys.

I'm going to have another go at this tomorrow evening when I get my hands on the router again.

I'll try setting those wan zone options to REJECT and add port forwards and see where I can get with it. Will report how I get along.

Kind Regards,
Krys