[Solved] Firewall: block selected VLAN access to OpenWrt router SSH

Hekarath · June 17, 2019, 4:26pm

Hello there. I'm trying to block the access to SSH (and some other services) on the OpenWrt router (dst: lan, IP: 10.0.0.1) from a specific VLAN where all the IoT stuff I don't trust is (src: iot).

What I'm adding to the /etc/config/firewall file is:

config rule
        option name             Reject-Router-IoT-SSH-TCP
        option src              iot
        option dest             lan
        option dest_ip          10.0.0.1
        option dest_port        22
        option proto            tcp
        option family           ipv4
        option target           REJECT

Afterwards I do restart iptables by executing:

/etc/init.d/firewall restart

Still I'm able to login to the router over SSH.

What am I doing wrong?

eduperez · June 17, 2019, 8:24pm

The order of rules at "/etc/config/firewall" is important: if there is a rule that ACCEPTs those conections higher on the file than this one, the first one will prevail.

lleachii · June 17, 2019, 8:39pm

It seems you must have configured an ACCEPT FORWARD rule from IoT to LAN zones.

Remove that, then manually add your ACCEPT FORWARD Traffic Rules for all ports, protocols and IPs you want to have access.

Hekarath · June 17, 2019, 8:44pm

Thank you Guys for your reply. "REJECT" rule is before the "ALLOW" ones in my config. Also forwarding appears to be fine - at least to me I might have missed something as I'm struggling with it for many hours now...

Perhaps it will be easier to troubleshoot if I'll post the config:

config defaults
	option drop_invalid	1
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		prod
	list   network		'prod'
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		iot
	list   network		'iot'
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	list   network		'openvpntun'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

config forwarding
	option src		prod
	option dest		wan

config forwarding
	option src		iot
	option dest		wan

config forwarding
	option src		prod
	option dest		lan

config forwarding
	option src		prod
	option dest		iot

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

###################
### Custom part ###
###################

## REJECT ##

# Drop SSH access from IoT
config rule
        option name             Reject-Router-IoT-SSH-TCP
        option src              iot
        option dest             lan
        option dest_ip          10.0.0.1
        option dest_port        22
        option proto            tcp
        option family           ipv4
        option target           REJECT

## ALLOW ##

# Allow Router management from selected hosts
config rule
	option name		Allow-MGMT-Router
	option src		prod
	option src_ip		'10.0.1.2'
	option dest		lan
	option dest_ip		10.0.0.1
	option dest_port	'22'
	option proto		tcp
	option family		ipv4
	option target		ACCEPT


# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

lleachii · June 17, 2019, 8:57pm

You still ACCEPT INPUT [to the route] from IoT.

Change to REJECT.

mpa · June 17, 2019, 8:59pm

Permission to access the router itself is managed in the INPUT chain.
Remove option dest lan to turn your FORWARD rules into INPUT rules.

mk24 · June 17, 2019, 9:22pm

What is the 'prod' network and why is it being forwarded all over the place?

IoTs should be trusted only to go to their servers on the Internet. An IoT zone should reject all input to the router OS by default (input = REJECT in the zone definition) except for DHCP and maybe DNS requests of the router.

Hekarath · June 17, 2019, 10:59pm

Thank you @lleachii, @mpa and @mk24, your advices were spot-on! Not only everything works now - I also finally do understand how INPUT actually works, at least I hope so

So, just to summarize what I had to do:

INPUT for source VLAN (in this case IoT) had to be set to REJECT, by default we want to block IoT from accessing everything that OpenWrt router has to offer:

config zone
	option name		iot
	list   network		'iot'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT

Only the access to DHCP and DNS should be allowed:

config rule
	option name		Allow-IoT-DHCP-Broadcast
	option src		iot
	option src_ip		0.0.0.0
	option src_port		68
	option dest_ip		255.255.255.255
	option dest_port	67
	option proto		udp
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IoT-DHCP-Router
	option src		iot
	option src_ip		0.0.0.0
	option src_port		68
	option dest_ip		10.0.4.1
	option dest_port	67
	option proto		udp
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-Router-IoT-TCP
	option src		iot
	option dest_ip		10.0.4.1
	option dest_port	53
	option proto		tcp
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-Router-IoT-UDP
	option src		iot
	option dest_ip		10.0.4.1
	option dest_port	'53 67'
	option proto		udp
	option family		ipv4
	option target		ACCEPT

Restart iptables:

/etc/init.d/firewall restart

system · June 27, 2019, 10:59pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.