[SOLVED] Rule with IPs on port

Hello community,
I would like to know if the syntax and the behavior I want to achieve are correct.

Behavior : block a list of IPs (using IPSET) on the 443 PORT.
Syntax :

config rule
	option name 'rejectIPlist'
	option ipset 'listIps'
	option src '*'
	option dest_port '443'
	option proto 'tcp'
	option dest '*'
	option target 'REJECT'
	option family 'ipv4'
	option enabled '1'

The rule option dest_port '443' is a bit unclear to me. My device makes a request from the LAN to the WAN with destination port 443, to one of the IPs from the IP list.
When the answer to the query "comes back", does it become the case that the rule which can block it should use src_port '443'?
Rather than making two rules "just in case", I want to get a better understanding first :slight_smile:

  • Are you trying to block WAN access to an HTTPS server on your LAN; or
  • Are you trying to block LAN access to a list of HTTPS servers on the WAN?

There will be no response when you block the request properly.
Also specify the src and dest options.

2 Likes

This one. I guess I should specify dest 'wan' and src 'lan' ?

How can I authorize only one MAC address to communicate with my router through SSH using the same syntax?

I think I found something:

config rule
    option  name        'ACCEPT SSH'
    option  src         'wan'
    option  dest        'lan'
    option  proto       'tcp'
    option  dest_port   '22'
    option  src_mac     '70:4d:7b:ba:e1:7e'
    option  target      'ACCEPT'
    option  enabled     '1'

config rule
    option  name        'ACCEPT SSH 2'
    option  src         'lan'
    option  dest        'wan'
    option  proto       'tcp'
    option  dest_port   '22'
    option  src_mac     '26:f5:a2:c0:e7:38'
    option  target      'ACCEPT'
    option  enabled     '1'

A MAC address is a link-layer address, while communication outside of your broadcast domain requires a network-layer address, aka an IP address.
In general you can't use a MAC address filter on the WAN interface.
If you need external management and want to provide an appropriate level of security, consider setting up a VPN.

I found an example on the OpenWrt wiki where they use a MAC address for filtering SSH connections and REJECT them, but I think it's because the link of the MAC address is done with an IP while applying the configuration. By the way, the example I put is working :slight_smile:

It would work; but be mindful you cannot use MACs for WAN IPs that are not the ISP's far-end equipment, since only that machine is physically connected to your router.

Since the MAC you blocked is on LAN (and connected physically to the router via Layer 2), it worked.

1 Like

If you can access the service from the internet, then anyone can do the same.
If your ISP changes the upper-level router, the rule will not work.
So, relying on a MAC address in the case of the WAN interface is not wise.

1 Like
