(SOLVED) Firewall on the same Network

Hi...
A Yamaha box that has a web interface: I'd like to block its port (tcp 80), but it must stay on the same interface as the home wireless so it stays reachable over DLNA (or whatever)... how can I do this? It seems that it doesn't work with Traffic Rules when that is configured on the same interface. THEN: iptables??? I have tried it but it doesn't work either.
Interface name: eth0.6
Box ip address is: 192.168.8.9
what I wrote in Custom Firewall:
iptables -A INPUT -i eth0.6 -p tcp -s 192.168.9.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j DROP
but that hasn't worked, and the box has remained reachable.
Any help please...
Thanks...

Try to configure iptables in the config file:
config rule
	option proto tcp
	option dest_port 80
	option dest_ip 192.168.8.9
	option target REJECT
Start with a simpler example:
iptables -A INPUT -p tcp -d 192.168.8.9 --dport 80 -j REJECT

When I tried to configure iptables in the config file, I got the error "Parse error" and the firewall cannot be reloaded.
Second chance: what you wrote for Custom Firewall hasn't worked, and the box has remained reachable in its web interface :frowning:

  1. Add indentation; see the other sections of the config.
  2. iptables -I INPUT -p tcp -d 192.168.8.9 --dport 80 -j REJECT

It doesn't work... I wrote it as you described in Firewall Configuration:
config rule
	option proto 'tcp'
	option dest_ip '192.168.8.9'
	option dest_port '80'
	option target 'REJECT'

in the Custom Firewall section:
iptables -I INPUT -p tcp -d 192.168.8.9 --dport 80 -j REJECT

No chance, the box has remained reachable.

It seems it is impossible to block anything when it is on the same interface. (The rule definitely works when the device is on another interface.) I hope I'm wrong.

Thanks anyway for your help.

Ok, it is my fault. The INPUT chain is for packets for the router itself. To control forwarded traffic you should use the FORWARD chain. It works for IPs from another zone; however, within the scope of one zone it doesn't work. To control traffic to/from the same local bridge interface you should turn on the firewall on this interface: https://wiki.openwrt.org/doc/howto/netfilter However, we get a side effect with iptables+ipset, which you want to get, and we are still exploring it: https://forum.openwrt.org/viewtopic.php?id=72112

So, is there a chance later? Is it possible to create a command that solves this problem with traffic on the same interface? I wish you good luck with your attempt. But please tell me later if you find a solution :wink::blush:

It works, I've checked it!
You should edit /etc/sysctl.conf:
net.bridge.bridge-nf-call-iptables=1
reload it:
sysctl -p
and after that the rule works for lan-lan traffic:
iptables -I FORWARD -d 192.168.1.10 -j REJECT

Unfortunately it doesn't work. I have edited /etc/sysctl.conf as you described, and when I reloaded it, it showed me these lines:
sysctl: error: 'net.bridge.bridge-nf-call-arptables' is an unknown key
sysctl: error: 'net.bridge.bridge-nf-call-ip6tables' is an unknown key
sysctl: error: 'net.bridge.bridge-nf-call-iptables' is an unknown key

I have entered the line in Custom Firewall as you wrote, but the web interface of this device has remained reachable. I have also edited the command to this:
iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT
but no chance, it hasn't helped.
Any advice please?
P.S. The device is not on the LAN interface but on another interface; I don't know if it matters for this iptables command, because you wrote "lan-lan traffic".

@khllo yes friend, it didn't work. I'm also searching for it but haven't found any solution. :disappointed_relieved:

net.bridge.bridge-nf-call-iptables=1 needs
kmod-br-netfilter

These IPs are in the same subnet, on one interface. It is lan; the name of the interface could differ from "lan". Does your config file contain a commented line?

@trismo noted that you should add the package kmod-br-netfilter.

Thank you all for your help, but it doesn't work...
I have installed the bridge module (kmod-br-netfilter); it shows me no fault anymore when I reload sysctl, everything should be good, but the box has remained reachable...
iptables -I FORWARD -d 192.168.8.9 -j REJECT
or
iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT
or
from LuCI: enter a new rule... none of them works...
I have no idea if it is important to know that this interface is on a separate VLAN, but every other rule works, just this one doesn't, when the traffic rules are configured on the same interface...
Any chance later? Am I the only one, or is there somebody else who has such a problem?!

Please post the output of "opkg list-installed | grep kmod".
I think you are missing ebtables: kmod-ebtables

@trismo you're right... when you install kmod-br-netfilter, kmod-ebtables does not get installed.
Ok... then... I've installed kmod-ebtables, what should I do now??? Which command should I use?
I've tested with the command of ulmwind & it didn't work (he wrote an iptables command!!! & he tested it & it worked!!!!!!!!!!!!!).
I wrote an ebtables command in the Custom Firewall:
ebtables -A FORWARD --proto IPv4 --ip-dst 192.168.19.19 --ip-proto tcp --ip-dport 80 -j DROP
It didn't work either...
Should this interface be configured as a bridge interface, or should it not?... I have no idea...
I think it is one of the principles of a firewall to drop or accept such traffic, even if it is on the same interface...
Please, any advice?...

Ok, I looked into the default: the firewall.user file is just a read-only file missing execute permissions
-rw-r--r-- 1 root root /etc/firewall.user
chmod +x /etc/firewall.user
-rwxr-xr-x 1 root root /etc/firewall.user
#/usr/sbin/iptables -I FORWARD -d 192.168.8.9 -j REJECT # all traffic REJECT
/usr/sbin/iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT # just tcp 80 REJECT

Ok, I will do it today when I come back home...
One question please: you wrote the command with iptables, so it means I just need to install kmod-br-netfilter & edit the line in sysctl.conf
net.bridge.bridge-nf-call-iptables=1
but no more need for kmod-ebtables when I write my command with iptables... is that right???
Noted what you wrote in your reply about the permission...
I hope it will work...

No, netfilter needs the module ebtable_filter; the iptables command has no effect if you remove it.
You don't need the ebtables tool itself, only kmod-ebtables.

Just change the permission on firewall.user

and add to firewall.user & restart the firewall:
/usr/sbin/iptables -I FORWARD -d 192.168.8.9 -j REJECT
#or
/usr/sbin/iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT

Thanks for your reply... again a question: why do I need ebtables??? when the bridge netfilter is installed, & the command is written with iptables???...

Yes, use iptables, I forgot.

A clean firewall.user file should look like this:

#!/bin/sh
/usr/sbin/iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT

with #
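Putting the thread's pieces together, here is an added example of a firewall.user (not anything posted in the thread) that checks the bridge-netfilter sysctl the posters needed and inserts the REJECT rule only when it is not already present, since firewall.user runs on every firewall reload and a bare -I stacks a duplicate each time. It assumes OpenWrt with kmod-br-netfilter (and, as trismo noted, kmod-ebtables) installed; the device address 192.168.8.9 and subnet 192.168.8.0/24 are the thread's values.

```shell
#!/bin/sh
# Added example, not from the thread: a firewall.user that installs the
# lan-to-lan HTTP block idempotently and checks that bridge netfilter is on.
# Assumes OpenWrt with kmod-br-netfilter (plus kmod-ebtables) installed.
# Addresses are the thread's: device 192.168.8.9 on 192.168.8.0/24.

IPT="${IPT:-/usr/sbin/iptables}"   # overridable so the functions can be exercised offline
DEVICE_IP="192.168.8.9"
LAN_NET="192.168.8.0/24"           # same as 192.168.8.0/255.255.255.0 in the thread

# The rule is built in one place so the check (-C) and the insert (-I)
# always refer to the identical rule.
rule_args() {
    echo "FORWARD -p tcp -s $LAN_NET -d $DEVICE_IP --dport 80 -j REJECT"
}

# Frames switched between two ports of the same bridge only traverse the
# iptables FORWARD chain when br_netfilter is loaded and this sysctl is 1.
# The optional path argument exists for offline testing; the default is the real key.
bridge_netfilter_ready() {
    key="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$key" ] && [ "$(cat "$key")" = "1" ]
}

# firewall.user runs on every firewall reload; a bare -I would add a
# duplicate each time, so insert only when -C reports the rule is absent.
ensure_rule() {
    # shellcheck disable=SC2046  # word splitting of rule_args is intended
    if "$IPT" -C $(rule_args) 2>/dev/null; then
        return 0
    fi
    "$IPT" -I $(rule_args)
}

main() {
    if ! bridge_netfilter_ready; then
        modprobe br_netfilter 2>/dev/null || true
        sysctl -w net.bridge.bridge-nf-call-iptables=1 >/dev/null
    fi
    ensure_rule
}

# Act only where iptables exists, so the file can also be sourced for review.
if [ -x "$IPT" ]; then
    main
fi
```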