There is a router with OpenWRT installed
There are such settings nftables (standard settings after install)
table inet fw4 {
chain input {
type filter hook input priority filter; policy drop;
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
}
chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "eth0" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_lan {
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
chain forward_lan {
jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
jump accept_to_lan
}
chain helper_lan {
}
chain accept_from_lan {
iifname "br-lan" counter packets 637 bytes 55595 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
oifname "br-lan" counter packets 7 bytes 1632 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain input_wan {
meta nfproto ipv4 udp dport 68 counter packets 27 bytes 9206 accept comment "!fw4: Allow-DHCP-Renew"
jump drop_from_wan
}
chain output_wan {
jump accept_to_wan
}
chain forward_wan {
jump drop_to_wan
}
chain accept_to_wan {
meta nfproto ipv4 oifname "eth0" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
oifname "eth0" counter packets 13691 bytes 1110343 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
}
chain reject_to_wan {
}
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "eth0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
}
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
oifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}
chain drop_from_wan {
iifname "eth0" counter packets 5308 bytes 928113 drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
chain drop_to_wan {
oifname "eth0" counter packets 0 bytes 0 drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
}
There is a server in LAN with a torrent downloader
In my understanding, any traffic from wan cannot get to lan (this is even written in the openwrt documentation and for access you need to specify in the "port forwarding" section which port and where to forward), but in the torrent interface I see that there is active file distribution.
How to configure the firewall so that by default forwarding from wan to lan is allowed only to certain partners?
Sorry for appearing bureaucratic, just lests start with checking config that renders your firewall ruleset
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
# qos and upnp if those are in use.
Fairly simple - install miniupnpd-nftables, then luci-app-upnp and enable it.
Your LAN/WAN config is default, thus miniupnpd defaults are perfectly fine to supply your qtorrent with upnp and pcp.
Alternative is to forward static port (luci->network->firewall ->port forward -> wan tcp udp port 12345 to ip 192.168.1.x port 12345)
If your router is warming up under gigabit in gigabit out you can enable firewall soft offload. Hardware offload interferes with wifi often.
Yes, torrent connects to outside, tracker gives others' open ports.
There are even more hackish solutions used by VoIP.
Dont trust everything AI bots post as relevant in such sites (neither answer talks the essence)
