[Solved] Building iptables firewall

I am using 19.07 x86. I attempted to use this firewall ruleset. I lost ssh connection and had to rewrite the x86 file. I need direction to make this ruleset functional. These are the steps I took.

  1. Navigated from luci web interface to system>startup> disabled firewall service
  2. ssh into x86, use vi to write new firewall into /etc/rc.local
  3. reboot
  4. no connection

This is the ruleset I used. eth0 is LAN eth1 is WAN.


# clear iptable rules

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X


# reset counters

iptables -Z


# set default policies

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD REJECT
# policies are set with -P, not appended with -A
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P INPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# wan MTU fixing

iptables -t mangle -A FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


# NAT traffic going out the WAN interface.

# MASQUERADE lives in the nat table, so it needs -t nat
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


# forward from LAN to WAN

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT


# Fix loopback settings

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT


# Allow traffic on lan

iptables -A INPUT -i eth0 -j ACCEPT


# SSH - accept from LAN

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT


# enable traceroute rejections to get sent out

iptables -A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable


# DNS - accept from LAN

iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT


# SSH - accept from LAN

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT


# DHCP client requests - accept from LAN

iptables -A INPUT -i eth0 -p udp --dport 67:68 -j ACCEPT


# allow known connections

iptables -A -m conntrack --ctstate DNAT -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


# Allow incoming traffic from the firewall

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


# Allow outgoing traffic from the firewall

iptables -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT


# User initiated and related traffic

# Allow forwardings from WAN to LAN for established and related connections aswell as for DNAT

iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


# Internet access from subnets

iptables -A FORWARD -m conntrack --ctstate NEW -j ACCEPT

I did forget to include one of these two bits but I am not sure which one will work.

iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

and

iptables -A INPUT -s 10.1.1.2/32 -j ACCEPT

Any help is much appreciated.

Without looking too much into the configuration, I believe it failed because it doesn't have the path for iptables.
Regardless, manual iptables management is not a supported function; there is fw3 for that.


I would like to build the firewall without altering the network config, i.e.

config defaults
        option syn_flood '1'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'REJECT'

config include
        option path '/etc/firewall.user'

config zone
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option name 'lan'
        option input 'ACCEPT'
        option network 'lan'

config zone
        option output 'ACCEPT'
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option dest 'wan'
        option src 'lan'

I know that bit of code generates the entire iptables firewall but I want OpenWRT to:

build the network half - wan, lan, bridge, dhcp, ip's

then I build the firewall half - traffic routing.

OpenWRT builds the network layout and I can keep the LuCI interface + insert my own firewall. I want to run a barebones firewall with cake sqm but I do not have enough experience to go through repositories and this way is just faster.

We wish you well; but wiping the firewall and using manual entries is not a supported function...hence fw3. There's quite a few threads of OPs with issues such as yours: "I want to do my own firewall and ran iptables -F..."

You sound like you want to remove fw3, that's definitely not a supported config. To test, I would suggest compiling a build that doesn't include it.

  • There's a file for this: /etc/firewall.user - this could be the problem, as your personal rules could be loading in the improper order (from what you desire) in relation to fw3
  • You have a SSH allow rule twice
  • Since this is all allowed by default, I'm not sure how wiping the firewall and making a new one is faster; but OK
  • The loopback rule seems unnecessary, to accept traffic from its own interface...
  • You made the default global INPUT and OUTPUT rules ACCEPT anyways
  • You made the default global FORWARD rule REJECT; which leads me to a major point
  • You allowed ESTABLISHED,RELATED traffic from WAN to LAN, but do not have a rule allowing LAN traffic to WAN, which is the needed rule - this is likely why you lost connection. BTW, this rule is dangerous to declare on the WAN interface - let the FORWARD rule dictate that state and make the rule general.
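The ordering point made above, as an added example that is not the thread's or OpenWrt's own code: the OP's intended policy (LAN trusted, WAN closed except for replies, NAT and MSS clamping on WAN) written as one iptables-restore ruleset for the firewall-disabled, /etc/rc.local approach described in the thread, with a timed rollback so a mistake does not cost the SSH session. Interface names eth0/eth1 and the LAN subnet 10.1.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names eth0 (LAN) and eth1 (WAN)
# and the LAN subnet 10.1.1.0/24 are assumptions taken from the OP's post.
LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
LAN_NET=${LAN_NET:-10.1.1.0/24}

# Whole ruleset in iptables-restore format, in the order that matters:
# loopback and conntrack accepts first, then LAN, then the DROP policies
# catch anything from WAN that was not explicitly allowed.
emit_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -o $WAN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
COMMIT
EOF
}

# Load with a lockout guard: the previous ruleset comes back after 120 s
# unless /tmp/fw.confirmed is created from a session that still works.
apply_rules() {
    iptables-save > /tmp/iptables.before || return 1
    emit_rules | iptables-restore || return 1
    ( sleep 120; [ -f /tmp/fw.confirmed ] || iptables-restore < /tmp/iptables.before ) &
    echo "rules loaded; run 'touch /tmp/fw.confirmed' within 120 s to keep them"
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     emit_rules ;;   # dry run: print the ruleset for review
esac
```

Run with no argument to print the ruleset for review; run as root with `apply` to load it.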

I want to avoid compiling because I do not have the knowledge, and there is little documentation aside from the official OpenWRT documentation, which requires that you 'interpret' what the requirements are and then do your thing, considering I know what I am doing; and I am far from configuring a firewall from LuCI, let alone compiling from the CLI.

Also, this would involve possibly compiling from snapshots or base source code and, to put it quite simply, this could take me months.

Precisely! Calling fw3 print shows these rules I have are included! There are some that are not, that I would like to be, to open up the network for traffic - and it could be done without any danger, I am sure. I have some latency issues and am looking to find the optimal TCP setup. I need the firewall to function without interfering with itself, limiting the wrong traffic.

These 4 points I do not know, which shows my limitations in networking. I can write iptables, but building the network from scratch is really difficult.

  • The loopback will be taken out.
  • Global rules I do not understand
  • This was the default for OpenWRT: INPUT, OUTPUT ACCEPT, FORWARD REJECT. I just figured this part was needed for the firewall to function concurrently with the OpenWRT network config. As I understand it, OpenWRT network calls certain firewall protocols, and the iptables in /etc/rc.local, if run, must be run identically to /etc/config/firewall/

# forward from LAN to WAN

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Should this be added onto?

# Allow traffic on lan

iptables -A INPUT -i eth0 -j ACCEPT

ADD

iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

I can't seem to distinguish LAN-WAN, INPUT-OUTPUT, because I can't figure which one is up and which one is down. The way I understand it is PC>LAN>WAN>INTERNET but when writing the iptables I do not know how they connect or interconnect when FORWARD/PREROUTING/POSTROUTING so the routing table throws me. I can understand egress and ingress because that is out and in.

Possibly you mean this rule?

# User initiated and related traffic

iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT

I do not know exactly how this rule is written in iptables format ~ iptables -A FORWARD -j ACCEPT

Or if I should take a rule out

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Really I just need these

iptables -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

To open ports and allow free traffic flow.

Next I want to make sure that the traffic lanes are open and stay free from interference, which is what I hoped to accomplish with basically the rest of the script.

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD REJECT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P INPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -i eth0 -j ACCEPT

iptables -A -m conntrack --ctstate DNAT -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT

iptables -A FORWARD -m conntrack --ctstate NEW -j ACCEPT

Now, if I do not need any of these or they will not accomplish what I want, I will take them out and just put the necessary rules into /etc/firewall.user. I just wanted to reach out to the community to determine what is functional in this and what is not, to optimize TCP states, connections, and traffic flow. I am sure my issue is TCP inbound, so the plan is to open up those pipes between interfaces and remove the restrictions.

Just a quick thought - maybe describe your desired firewall functionality in plain English instead of a bunch of firewall rules. What is it that is not acceptable about the default firewall configuration and the options that you have using the standard openwrt firewall features?


No problem @psherman, thank you for joining the discussion. It is a simple-fix issue but it requires expertise I do not have. I have what I assume is a TCP inbound issue. After fine tuning cake, my physical network, and my physical PC, I came to the conclusion it is a firewall issue.

So I figured there were 2 things to do: Port Forward and DMZ.

I did not want to accomplish what those two things do from the LuCI web interface, so I wanted to do them through iptables, simple, right? After drawing fw3 print and seeing what is there, basically OpenWRT already does the port-forwarding or establishing free device-to-device connections with:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

The "DMZ" part or just having a device able to communicate through the wan, lan, routing table, just everything is possibly also in fw3 with:

iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward

iptables -t filter -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject

And taking a page from @trendy's book, without looking into it too much one can determine the LAN is open to the WAN, the WAN is open to the internet and the LAN but cannot be forwarded to (I assume because there is no reason to forward to it, because it doesn't have any devices operating that need to be forwarded to).

Now add:

iptables -A FORWARD -s 192.1.2.3 -j ACCEPT
iptables -A FORWARD -d 192.1.2.3 -j ACCEPT

Putting your desired device into that rule determines that all egress and ingress traffic will go through without impediment regardless of LAN or WAN config. Essentially that is the objective.

@warchief,

I agree with @psherman. You're now asking about iptables rules, not how to add fw3 rules in UCI/OpenWrt syntax. So now I'm wondering how this isn't more so a need to learn iptables.

I'm scared you know just enough to be dangerous and invite an actor with state resources to your door, for a basic training mission...

:man_facepalming:

I'm scared to ask why you think that...

WTF!?!?

  • The WAN is an interface that faces your ISP or Internet Service Provider...of course it's...nevermind...
  • Unless I misunderstand, you're saying you don't have devices on LAN...but then you post a 192.1.2.3 rule (which BTW, that IP is a Public IP address)
  • Anyways, it is forwarded...I'm not going to trouble myself to show the iptables syntax - I'll post it in UCI:
config forwarding
        option dest 'wan'
        option src 'lan'

No, that's the needed LAN to WAN forward rule I mentioned. You're just doing it per LAN host.

In any case, what does this have to do with OpenWrt?


I want to use OpenWRT and LuCI and Cake without compiling something from github or using Debian. The reason why I said that will take months is because I will have to get it operational the first month, face it toward the internet, then start over with the firewall. I'd rather it take 15 minutes and "insert script" into /etc/firewall.user for unimpeded traffic flow, i.e.

# Connections

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


# Forwards

iptables -A FORWARD -s 192.1.2.3 -j ACCEPT
iptables -A FORWARD -d 192.1.2.3 -j ACCEPT


# DSCP

iptables -t mangle -A PREROUTING -s 192.1.2.3 -j DSCP --set-dscp-class CS6
iptables -t mangle -A PREROUTING -d 192.1.2.3 -j DSCP --set-dscp-class CS6

So the connections I can assume are open, again, without determining what each and every UCI command in /etc/config/network and /etc/config/firewall write in fw3

I just need to make sure the other 300 lines of syntax in fw3 are not interfering with the above ruleset and just allow them to function properly. I thought it would be easier to build it with iptables, but since you cannot remove fw3 and replace it, there is no need for further deliberation. It is easier to compile my own OpenWRT or build from Debian.

I figure it is solved and the line between my device and other devices' traffic is unrestricted.

I cannot rest without telling you this:

PLEASE CLOSE THE INPUT RULE YOU MADE THAT ALLOWS TRAFFIC ON WAN!

Huh?

You don't have to, just install the OpenWrt QoS app.

:confused:

# set default policies

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD REJECT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -j REJECT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j REJECT

That is the fw3 default. Disable UCI firewall > insert script into /etc/rc.local

Again, I am assuming you mean remove this script:

# User initiated and related traffic

iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT

Apologies, some of these are copied and pasted without the same interfaces and I agree it is scary :slightly_smiling_face:.

NO I'M NOT!!!

I'm talking about you totally not getting iptables. Please follow this mistake about your WAN being open...

(The statement you responded to was actually my discussing OpenWrt-default LAN rules, though.)

  • So you failed to make a drop rule for eth1
  • At this point, I don't think it's prudent to keep assisting you with any problem that causes you to decide to draft raw iptables syntax

@lleachii thanks for your help, added

# Service rules
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

Lost connection, have to rewrite x86. It is still not functional, but cheers mate~


I'm scared to respond, I sincerely wish you the best, I agree that drafting raw iptables syntax for a firewall is difficult - and not the OpenWrt-supported method.

  • I just hope you truly understand what that means
  • I hope your choice to use DROP over REJECT wasn't my word choice
  • I hope you know the difference between the two

Damn...TOO LATE, YOU LEARNED WHAT IT MEANT!

:man_facepalming:

Cheers...

EDIT: I'm scared to do all this semi-helping...but you probably need to know the order of rules also matter.

For anyone who reads this - it is outright false. The OP proved it by losing connection (on what I assume was LAN, but it wouldn't matter, because at that point the router was accessible from both interfaces).
