(SOLVED) Firewall on the same Network

Hi...
A box of Yamaha that supports web interface: I'd like to block its port (tcp 80), and it must stay on the same interface of home wireless, so it stays reachable over DLNA (or whatever) ... how can I do this? it seems that i doesn't work with Traffic Rules when that is configured on the same Interface.THEN: iptables??? I have tried it but it doesn't work too.
Interface name: eth0.6
Box ip address is: 192.168.8.9
what I wrote in Custom Firewall:
iptables -A INPUT -i eth0.6 -p tcp -s 192.168.9.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j DROP
but that hasn't worked, and the Box has remained reachable.
Any help please...
Thanks...

Try to configure iptables in config file:
config rule
option proto tcp
option dest_port 80
option dest_ip 192.168.8.9
option target REJECT
Start with more simple example:
iptables -A INPUT -p tcp -d 192.168.8.9 --dport 80 -j REJECT

as I tried to configure iptables in config file, I got the error "Parse error" and the Firewall cannot be reloaded
Second Chance: what you wrote for Custom Firewall, it hasn't work, and the Box has remained reachable in its Web Interface :frowning:

  1. Make indentation, see other sections of config.
  2. iptables -I INPUT -p tcp -d 192.168.8.9 --dport 80 -j REJECT

it doesn't work... I wrote as you described in Firewall Configuration:
config rule
option proto 'tcp'
option dest_ip '192.168.8.9'
option dest_port '80'
option target 'REJECT'

in Custom Firewall Section:
iptables -I INPUT -p tcp -d 192.168.8.9 --dport 80 -j REJECT

NO Chance, the Box has remained reachable.

It seems it is impossible to block anything when it is on the same Interface. (The rule will definitely work when it were on another Interface). I hope I'm wrong.

Thanks anyway for your help.

Ok, it is my fault. INPUT chain is for packets for router itself. To control forwarded traffic you should use FORWARD chain. It works for IP from another zone, however, in the scope of one zone it doesn't work. To control traffic to/from the same local bridge interface you should turn on firewall on this interface: https://wiki.openwrt.org/doc/howto/netfilter However we get side effect with iptables+ipset, which you want to get, and now we are still exploring it: https://forum.openwrt.org/viewtopic.php?id=72112

So, is there a Chance later? is it possible to create a command that solves this problem with traffic on the same Interface?. I wish you a good luck with your attempt. But, please, tell me later if you find a solution :wink::blush:

It works, I've checked it!
You should edit /etc/sysctl.conf:
net.bridge.bridge-nf-call-iptables=1
restart it:
sysctl -p
and after it the rule works for lan-lan traffic:
iptables -I FORWARD -d 192.168.1.10 -j REJECT

1 Like

Unfortunately it doesn't work. I have edited /etc/sysctl.conf as you described, and as I restarted the service, it showed me these Lines:
sysctl: error: 'net.bridge.bridge-nf-call-arptables' is an unknown key
sysctl: error: 'net.bridge.bridge-nf-call-ip6tables' is an unknown key
sysctl: error: 'net.bridge.bridge-nf-call-iptables' is an unknown key

I have entered the Line in Custom Firewall as you wrote, but the Web Interface of this Device has remained reachable. I have edited this Command:
iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT
but no Chance, it hasn't helped.
Any advice please?
P.S. the Device is not on LAN interface but on another interface, I don't know if it is interesting for this command of iptables, because you wrote "lan lan traffic".

@khllo yes friend it didn't work. I'm also searching for it but didn't get any solution. :disappointed_relieved:

net.bridge.bridge-nf-call-iptables=1 needs
kmod-br-netfilter

1 Like

These IPs are in the same subnet, on one interface. It is lan, name of interface could differ from "lan". Does your config file contain commented line?

@trismo noted, that you should add package kmod-br-netfilter.

1 Like

thank you all for your help, but it doesn‘t work...
I have installed the module Bridge (kmod-br-netfilter), it show me no fault anymore when I restart sysctl, everything should be good, but the box has remained reachable...
iptables -I FORWARD -d 192.168.8.9 -j REJECT
or
iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT
or
from luci: enter a new rule... no one works...
I have no idea if it is important to know, that this Interface is on a seperate VLAN, but all another rule work, just this command doesn't, when the trafic rules are configured on the same interface...
any chance later? am I the only one, or is there somebody who has such problem with?!.

Please post "opkg list-installed | grep kmod"
I think you missing ebtables kmod-ebtables

@trismo you're right... when you install the kmod-br-netfilter, will be the kmod-ebtables not installed.
Ok... then... i've installed the kmod-ebtables, what should I do now??? which command should I use?
I've tested with the command of ulmwind & it didn't work (he wrote an iptables command!!! & he tested it & it worked!!!!!!!!!!!!!).
I wrote a command of ebtable in the custom Firewall:
ebtables -A FORWARD --proto IPv4 --ip-dst 192.168.19.19 --ip-proto tcp --ip-dport 80 -j DROP
it didn't work too...
should be this interface as a bridge Interface configured? or should it be not?... I have no Idea...
I think it is one of the principle of a Firewall, such traffic to drop or to accept, even if that is on the same Interface...
Please any Advice?...

Ok i looked in to the default for firewall.user file is just read only file miss execute permissions
-rw-r--r-- 1 root root /etc/firewall.user
chmod +x /etc/firewall.user
-rwxr-xr-x 1 root root /etc/firewall.user
#/usr/sbin/iptables -I FORWARD -d 192.168.8.9 -j REJECT # all traffic REJECT
/usr/sbin/iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT # just tcp 80 REJECT

Ok, I will do today when I come back home...
One question please: You wrote the command with iptables, it means I just need to install the kmod-br-netfilter & edit the line in sysctl.config
net.bridge.bridge-nf-call-iptables=1
but no need for kmod-ebtables more, when I write my command with iptables... is it right???
noted what you wrote in your reply about permission...
I hope it will work...

No netfilter need module ebtable_filter for the iptables command have no effect if you remove it.
You dont need the ebtables tool ifself only the kmod-ebtable.

just change the permission. on firewall.user

and add to firewall user & restart firewall
/usr/sbin/iptables -I FORWARD -d 192.168.8.9 -j REJECT
#or
/usr/sbin/iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j

thanks for your reply... again a question: why do I need the ebtables??? when the bridge netfilter is installed, & the command written with iptables???...

yes use iptables i forgot

clean firewall.user file should look like this

#!bin/sh
/usr/sbin/iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j

with #