(SOLVED) Firewall on the same Network

Unfortunately it doesn't work. I have edited /etc/sysctl.conf as you described, and when I restarted the service, it showed me these lines:
sysctl: error: 'net.bridge.bridge-nf-call-arptables' is an unknown key
sysctl: error: 'net.bridge.bridge-nf-call-ip6tables' is an unknown key
sysctl: error: 'net.bridge.bridge-nf-call-iptables' is an unknown key

I have entered the line in Custom Firewall as you wrote, but the web interface of this device has remained reachable. I have edited this command:
iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT
but no chance, it hasn't helped.
Any advice please?
P.S. The device is not on the LAN interface but on another interface; I don't know if that matters for this iptables command, because you wrote "lan lan traffic".

@khllo yes friend it didn't work. I'm also searching for it but didn't get any solution. :disappointed_relieved:

net.bridge.bridge-nf-call-iptables=1 needs
kmod-br-netfilter

These IPs are in the same subnet, on one interface. It is lan; the name of the interface could differ from "lan". Does your config file contain a commented line?

@trismo noted, that you should add package kmod-br-netfilter.

Thank you all for your help, but it doesn't work...
I have installed the bridge module (kmod-br-netfilter); it shows me no fault anymore when I restart sysctl, so everything should be good, but the box has remained reachable...
iptables -I FORWARD -d 192.168.8.9 -j REJECT
or
iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT
or
from LuCI: enter a new rule... none of them work...
I have no idea if it is important to know that this interface is on a separate VLAN, but all other rules work, just this command doesn't, when the traffic rules are configured on the same interface...
Any chance later? Am I the only one, or is there somebody else who has such a problem?!

Please post "opkg list-installed | grep kmod"
I think you are missing ebtables (kmod-ebtables)

@trismo you're right... when you install kmod-br-netfilter, kmod-ebtables will not be installed.
Ok... then... I've installed kmod-ebtables; what should I do now??? Which command should I use?
I've tested with the command of ulmwind & it didn't work (he wrote an iptables command!!! & he tested it & it worked!!!!!!!!!!!!!).
I wrote an ebtables command in the custom Firewall:
ebtables -A FORWARD --proto IPv4 --ip-dst 192.168.19.19 --ip-proto tcp --ip-dport 80 -j DROP
it didn't work either...
Should this interface be configured as a bridge interface, or should it not?... I have no idea...
I think it is one of the principles of a firewall to drop or accept such traffic, even if it is on the same interface...
Please, any advice?...

Ok, I looked into the default firewall.user file: it is just a read-only file, missing execute permissions
-rw-r--r-- 1 root root /etc/firewall.user
chmod +x /etc/firewall.user
-rwxr-xr-x 1 root root /etc/firewall.user
#/usr/sbin/iptables -I FORWARD -d 192.168.8.9 -j REJECT # all traffic REJECT
/usr/sbin/iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT # just tcp 80 REJECT

Ok, I will do today when I come back home...
One question please: you wrote the command with iptables; it means I just need to install kmod-br-netfilter & edit the line in sysctl.config
net.bridge.bridge-nf-call-iptables=1
but no need for kmod-ebtables anymore, when I write my command with iptables... is it right???
noted what you wrote in your reply about permission...
I hope it will work...

No, netfilter needs the module ebtable_filter for the iptables command; it has no effect if you remove it.
You don't need the ebtables tool itself, only the kmod-ebtables.

Just change the permission on firewall.user

and add to firewall.user & restart the firewall
/usr/sbin/iptables -I FORWARD -d 192.168.8.9 -j REJECT
#or
/usr/sbin/iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT

Thanks for your reply... again a question: why do I need ebtables??? when the bridge netfilter is installed, & the command is written with iptables???...

Yes, use iptables, I forgot

A clean firewall.user file should look like this

#!/bin/sh
/usr/sbin/iptables -I FORWARD -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT

with #
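As an added example (not a script from the thread, and not OpenWrt's own firewall.user), the following puts the steps discussed above into one firewall.user-style script: it first checks that bridge netfilter is loaded and enabled (the "unknown key" error earlier in the thread is exactly the case where kmod-br-netfilter is missing) and only then inserts the LAN-to-LAN REJECT rule. The subnet and box address are the thread's; the optional proc-root argument of the check function is an assumption added so the check can be exercised against a constructed directory tree instead of a live bridge.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt. Run as
#   sh firewall.user apply
# on the router; without "apply" it only defines the functions.

SUBNET="192.168.8.0/24"     # thread's LAN subnet
BOX="192.168.8.9"           # thread's device whose web interface is blocked

# Exit status: 0 = bridge netfilter loaded and enabled,
#              1 = sysctl key missing (kmod-br-netfilter not loaded; this is
#                  the state in which sysctl reports "unknown key"),
#              2 = key present but set to 0 (module loaded, hook disabled).
# $1 is the root under which proc/ is looked up (assumption; default: real /).
bridge_nf_state() {
    key="${1:-}/proc/sys/net/bridge/bridge-nf-call-iptables"
    [ -e "$key" ] || return 1
    [ "$(cat "$key")" = "1" ] || return 2
    return 0
}

# Render the rule as text so it can be reviewed or logged before it is applied.
build_block_rule() {
    printf '%s' "iptables -I FORWARD -p tcp -s $1 -d $2 --dport 80 -j REJECT"
}

# Apply on a real router: refuse without the module, enable the hook, insert.
apply_rules() {
    state=0
    bridge_nf_state || state=$?
    case "$state" in
        1) echo "bridge-nf-call-iptables missing: opkg install kmod-br-netfilter" >&2
           return 1 ;;
        2) sysctl -w net.bridge.bridge-nf-call-iptables=1 ;;
    esac
    # Remove any earlier copy first so re-running firewall.user after a
    # firewall restart does not stack duplicate rules.
    iptables -D FORWARD -p tcp -s "$SUBNET" -d "$BOX" --dport 80 -j REJECT 2>/dev/null || true
    eval "$(build_block_rule "$SUBNET" "$BOX")"
}

case "${1:-}" in
    apply) apply_rules ;;
esac
```

Because the script refuses to insert the rule when the sysctl key is absent, a missing module is reported instead of silently producing a FORWARD rule that bridged traffic never reaches.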

Ok... understood... but my question is: no need to install kmod-ebtables??? or what do you mean?
As I read in a Linux forum: the bridge module must be installed (kmod-br-netfilter); in the OpenWrt documentation: enable netfilter bridge through sysctl.config -as you described-
net.bridge.bridge-nf-call-iptables=1
((there is the option to enable this function for IPv6:
net.bridge.bridge-nf-call-ip6tables=1
I don't know if I need it??? Your advice please))
then, edit the permission of firewall.user -as you described- & write the command.
I agree with all of these, but do I need to install kmod-ebtables or not??? I mean, ebtables will work when the command is written as ebtables -like I wrote before- & it will be enabled when I install kmod-ipv4-ebtables or kmod-ipv6-ebtables & ebtables-utils...
What do you mean now: install the ebtables module??? or not???...
I think I've bothered you enough with my questions, but thank you for helping me...

Thank you all again for your help... IT DOESN'T WORK...
I've tested everything you wrote, but it didn't work...
@trismo no need to change the permission of firewall.user; when I write anything in the LuCI custom firewall, it will be executed when I restart the firewall, without changing the permission (it works with the default settings definitely). I installed kmod-br-netfilter, it hasn't helped... I installed kmod-ebtables, it hasn't helped either... (there is no need for ebtables when you write the command with iptables; it should work with the default firewall settings, but the netfilter bridge must first be enabled in sysctl.conf)...
I don't know what more I can do... but thank you anyway for helping me & spending your time on this problem... I don't think it is a bug in the firewall, or what do you think???...
It is an open case... when a member (or maybe a developer) finds a solution, please tell us...

Maybe...
iptables -t mangle -I PREROUTING -p tcp -s 192.168.8.0/255.255.255.0 -d 192.168.8.9 --dport 80 -j REJECT

(image: tables_traverse)

(image: nf-packet-flow)

These photos may help you....

@Knomax thanks... but it doesn't work too... :worried:
Note that the mangle table takes the target "DROP" & not "REJECT",
and the mangle table contains 3 types of rules: Type of Service, Time to Live & Mark settings.
I don't know if this table helps in our case!!!...

I think that I made a big mistake with the configuration of my network, especially with the bridge network. The configuration of firewall rules is designed to work between 2 interfaces (2 zones) & not within the same interface; for that, kmod-br-netfilter should be installed & the option "net.bridge.bridge-nf-call-iptables=1" (optionally "net.bridge.bridge-nf-call-ip6tables=1") should be enabled in sysctl.config.
Then create 2 interfaces & configure them as unmanaged interfaces (no IP address), & attach them to 2 separate VLANs, for example:
WLAN network to VLAN 115 (interface name WLAN) & Yamaha box to VLAN 116 (interface name Yamaha), both without a configured firewall zone (none or unspecified)!!!!!!!!!!!!....
then the bridge interface: static address & bridge over WLAN & Yamaha, IP address 192.168.8.1/24 & name Bridge_01 (for example), & firewall zone Bridge_01.
Now everything should work perfectly: all devices get an IP address from the bridge interface, all services work with open ports from any device to any.
The firewall rule is simple now: in LuCI add a new rule: IPv4 or all traffic with TCP/UDP, source zone: Bridge_01, any IP address, TO destination zone Bridge_01, destination IP: IP address of the Yamaha box 192.168.8.9, port 80, REJECT!!!
& ............... it works...
It means the firewall on a bridge interface works when the bridge is configured over 2 or more interfaces with separate VLANs; over the same VLAN it won't work...
Thanks @trismo for your trick with kmod-br-netfilter & enabling the option in sysctl.config
The only problem I have now is that port forwarding won't work with the bridge interface; any advice please?

Update:
the bridge network should be configured in the firewall zone as:
INPUT: ACCEPT, OUTPUT: ACCEPT, FORWARD: ACCEPT!!! (it is very important to set FORWARD to ACCEPT, because the communication between the devices from separate VLANs won't work when FORWARD on the bridge interface is rejected).
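The zone and rule from the working setup above, rendered as UCI commands, as an added example that is not configuration from the thread or from OpenWrt itself. The zone name, address and port are the thread's; the UCI section names bridge01 and block_box, and the rule name, are assumptions. The function prints the commands rather than running them, so the output can be reviewed first and then piped to sh on the router; a second function checks the one setting the update above calls out, the zone's FORWARD policy.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt.
# Usage on the router (after review):  sh thisfile.sh render | sh

# Print the uci commands for a bridge zone with INPUT/OUTPUT/FORWARD all
# ACCEPT and one intra-zone rule rejecting TCP to $2 port $3.
# $1 = zone (and network) name, $2 = box IP, $3 = destination port.
render_bridge_firewall() {
    zone="$1"; box_ip="$2"; port="$3"
    cat <<EOF
uci set firewall.bridge01=zone
uci set firewall.bridge01.name='$zone'
uci set firewall.bridge01.network='$zone'
uci set firewall.bridge01.input='ACCEPT'
uci set firewall.bridge01.output='ACCEPT'
uci set firewall.bridge01.forward='ACCEPT'
uci set firewall.block_box=rule
uci set firewall.block_box.name='Block-HTTP-to-$box_ip'
uci set firewall.block_box.family='ipv4'
uci set firewall.block_box.proto='tcp'
uci set firewall.block_box.src='$zone'
uci set firewall.block_box.dest='$zone'
uci set firewall.block_box.dest_ip='$box_ip'
uci set firewall.block_box.dest_port='$port'
uci set firewall.block_box.target='REJECT'
uci commit firewall
EOF
}

# Guard for the mistake noted in the update: a zone whose forward policy is
# not ACCEPT silently breaks traffic between the bridged VLANs. Reads rendered
# commands on stdin; succeeds only when the zone's forward policy is ACCEPT.
zone_forward_accepts() {
    grep -qx "uci set firewall.bridge01.forward='ACCEPT'"
}

case "${1:-}" in
    render) render_bridge_firewall Bridge_01 192.168.8.9 80 ;;
esac
```

Note that src and dest name the same zone: with bridge netfilter enabled, that intra-zone rule is what makes the reject apply to traffic between the bridged VLANs.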

Hi again...
Port forwarding over WAN works as expected, but over the internal network it does not (NAT loopback function). I have read that ebtables is responsible for filtering over a bridge network (interface). Any experience with this???...

I am trying to do something similar; OpenWrt is new to me, so help is appreciated.
My WAN is on another router in the same subnet.
I want an OpenWrt device, used as a dumb AP, to simply deny all local-subnet access to all WLAN clients, but they should get DHCP from a router on the local network, and be able to access the gateway IP on the local network (both are the same IP).
I have installed the necessary packages, and am stuck at creating and bridging VLANs; no matter what I do, once I assign the WLAN a different VLAN id, I am unable to ping anything in or out, even without implementation of firewalls.

Edit : understood & got it working!

Regards.