[Solved] Drop http traffic

What is the best way to avoid HTTP traffic out of an OpenWrt router? Firewall? iptables? How?

Do you mean "traffic that uses the HTTP protocol" or do you mean "TCP traffic related to ports 80 and 443"?

Do you mean with content supplied by remote servers, by the device, or by internal servers?

The firewall in OpenWrt uses iptables; it is just a front end.
Explain better what you want to achieve.

HTTP protocol

Remote

Want to be sure no traffic goes in/out as HTTP instead of HTTPS

I assume you are referring to forwarded traffic; otherwise it is meaningless.

# Add a rule that rejects forwarded TCP traffic to port 80, from any zone to any zone
uci add firewall rule
uci set firewall.@rule[-1].name="Reject-HTTP-Forward"
uci set firewall.@rule[-1].src="*"        # any source zone
uci set firewall.@rule[-1].dest="*"       # any destination zone
uci set firewall.@rule[-1].dest_port="80"
uci set firewall.@rule[-1].proto="tcp"
uci set firewall.@rule[-1].target="REJECT"
uci commit firewall
service firewall restart

And a nonstandard HTTP port is another story.

Can I block a range of ports instead of just one?

uci set firewall.@rule[-1].dest_port="80"

Thinking about from 0-1 to 442 and 444 to the end (I don't know the max).

It is usually easier to write and manage logical rules to skip a "drop all" rather than the other way around. It makes it a lot easier to understand what is being permitted, as well as to add another one to the permitted list.

Using pseudocode:

100 skip to 200 dest port 22
101 skip to 200 dest port 80
102 skip to 200 dest port 443
199 drop all


Of course there are some sites that don't offer an HTTPS alternative, including some sub-content of some sites, like JavaScript libraries, downloadable fonts, etc.

This will break lots of stuff, including potentially DNS, SIP phones, software updates, games, and websites using explicit ports; basically everything you might want to do except browse the internet entirely over HTTPS on the standard port.

You might prefer a VPN setup, depending on your real goal; blocking all but HTTPS is a means rather than an end, and I'm not sure what your end goal is.

If you really want to try it, you can put an allow rule for the 443 port, and then a drop rule for all ports...

config rule
   option name 'Allow-HTTPS-Outbound'
   option enabled '1'
   option target 'ACCEPT'
   option src 'lan'
   option dest 'wan'
   option proto 'tcp'
   option dest_port '443'

config rule
   option name 'Reject-All-TCP-Forward-Out'
   option enabled '1'
   option target 'REJECT'
   option src 'lan'
   option dest 'wan'
   option proto 'tcp'

# Remove the default lan -> wan forwarding (the first forwarding section on a stock config),
# so nothing is allowed implicitly
uci delete firewall.@forwarding[0]
# Then explicitly allow only HTTPS (TCP 443) from lan to wan
uci add firewall rule
uci set firewall.@rule[-1].name="Allow-HTTPS-Forward"
uci set firewall.@rule[-1].src="lan"
uci set firewall.@rule[-1].dest="wan"
uci set firewall.@rule[-1].dest_port="443"
uci set firewall.@rule[-1].proto="tcp"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall
service firewall restart

However don't forget about NTP and other UDP-streaming/gaming services.
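The allow-then-reject pattern from the two posts above (allow TCP 443, reject everything else, and remember the UDP services such as DNS and NTP) as one script. This is an added example, not code from any poster in this thread: it generates the /etc/config/firewall stanzas for an explicit allowlist followed by catch-all REJECT rules for TCP and UDP, and checks that every ACCEPT comes before the first REJECT, since the OpenWrt firewall applies rules in file order. It assumes the default 'lan' and 'wan' zone names; the set of allowed services is a hypothetical starting point that you would edit to match what your network actually needs.

```shell
#!/bin/sh
# Added example, not from the thread: build an allowlist-then-reject forward
# policy as /etc/config/firewall stanzas. Assumes the default 'lan' and 'wan'
# zone names; the allowed services below are a hypothetical starting point.

# Print one lan -> wan rule stanza.
# Arguments: name target proto [dest_port]; dest_port may be a single port,
# a range such as '1024-65535', or omitted for a catch-all rule.
rule_stanza() {
  name=$1; target=$2; proto=$3; port=$4
  printf "config rule\n"
  printf "\toption name '%s'\n" "$name"
  printf "\toption enabled '1'\n"
  printf "\toption src 'lan'\n"
  printf "\toption dest 'wan'\n"
  printf "\toption proto '%s'\n" "$proto"
  if [ -n "$port" ]; then
    printf "\toption dest_port '%s'\n" "$port"
  fi
  printf "\toption target '%s'\n" "$target"
  printf "\n"
}

# The policy: explicit ACCEPTs first, then one catch-all REJECT per protocol.
# Rules are evaluated in the order they appear, so the order of calls matters.
# ICMP and other protocols are not touched by these rules.
gen_policy() {
  rule_stanza Allow-HTTPS-Forward ACCEPT tcp 443
  rule_stanza Allow-DNS-Forward   ACCEPT 'tcp udp' 53
  rule_stanza Allow-NTP-Forward   ACCEPT udp 123
  rule_stanza Reject-TCP-Forward  REJECT tcp
  rule_stanza Reject-UDP-Forward  REJECT udp
}

# Sanity check: the last ACCEPT rule must precede the first REJECT rule,
# otherwise the catch-all would shadow the allowlist.
policy_is_ordered() {
  last_accept=$(gen_policy | grep -n "target 'ACCEPT'" | tail -n 1 | cut -d: -f1)
  first_reject=$(gen_policy | grep -n "target 'REJECT'" | head -n 1 | cut -d: -f1)
  [ "$last_accept" -lt "$first_reject" ]
}

# Usage: append the output to /etc/config/firewall, then run
#   service firewall restart
# and verify the result with: iptables -L zone_lan_forward -n (fw3)
gen_policy
```

The generated stanzas only cover forwarded lan-to-wan traffic; input to the router itself is governed by the zone's input policy and the stock Allow-* rules, which this script does not change.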


Thanks to everybody
