Hi all,
I have realized some tome ago that some nat rules are not showing in Luci status firewall, for example every custom prerouting rules(prerouting_lan_rule) added with the firewall.user file.
The table is there, but it shows no rules.
Cheking the rules from console shows them all asigned to prerouting_lan_rule_table fortunately.
Someone else noticed this?
Maybe I misread...but are you trying to force custom rules into an FW3 chain?
I do not recall the Wiki page; but the custom rules file is for adding rules that don't/can't go into FW3.
- I can't provide a more clearer response to your exact problem...because I'm unclear if you're saying you see the rules via the console, just not on the web GUI.
- Also, some versions of LuCI had a bug where certain rules did not display on the web GUI (i.e. rules that had does-not-equal conditions), you don't provide the details needed to determine if that's the issue.
1 Like
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
ubus call system board; \
uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c
2 Likes
{
"kernel": "4.14.171",
"hostname": "hostname1",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "ZBT-WE1326",
"board_name": "zbt-we1326",
"release": {
"distribution": "OpenWrt",
"version": "19.07.2",
"revision": "r10947-65030d81f3",
"target": "ramips/mt7621",
"description": "OpenWrt 19.07.2 r10947-65030d81f3"
}
}
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option drop_invalid '1'
option forward 'DROP'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'DROP'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
option network 'movil wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option src_port '67'
list src_ip '10.207.239.26'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
option dest 'lan'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
option dest 'lan'
config include
option path '/etc/firewall.user'
config zone
option name 'radius'
option forward 'DROP'
option output 'ACCEPT'
option network 'RADIUS'
option input 'DROP'
config zone
option name 'invitados'
option output 'ACCEPT'
option network 'invitados'
option input 'DROP'
option forward 'DROP'
config forwarding
option dest 'wan'
option src 'invitados'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '2552'
option name 'SSH'
option family 'ipv4'
option enabled '0'
config rule
option target 'ACCEPT'
option dest_port '53'
option name 'DNS-invitados'
option src 'invitados'
option proto 'udp'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67'
option src 'invitados'
option family 'ipv4'
option name 'DHCP-Invitados'
config redirect
option src 'wan'
option name 'torrent'
option target 'DNAT'
option dest 'transmision'
option dest_port '13505'
list proto 'tcp'
list proto 'udp'
option src_dport '13505'
option dest_ip '192.168.3.3'
option reflection '0'
config zone
option network 'tun0'
option input 'ACCEPT'
option forward 'DROP'
option name 'vpn'
option output 'ACCEPT'
config forwarding
option dest 'lan'
option src 'vpn'
config forwarding
option dest 'wan'
option src 'vpn'
config redirect
option dest_port '80'
option src 'wan'
option name 'HTTP'
option src_dport '80'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
option dest_ip '192.168.150.203'
option enabled '0'
config redirect
option dest_port '443'
option src 'wan'
option name 'HTTPS'
option src_dport '443'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
option dest_ip '192.168.150.203'
option enabled '0'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'invitados'
option src 'lan'
config zone
option network 'transmission'
option output 'ACCEPT'
option name 'transmision'
option input 'DROP'
option forward 'DROP'
config forwarding
option dest 'wan'
option src 'transmision'
config rule
option dest_port '53'
option src 'transmision'
option name 'DNS-transmision'
option target 'ACCEPT'
list proto 'udp'
list src_ip '192.168.3.2'
list src_ip '192.168.3.3'
option enabled '0'
config rule
option target 'ACCEPT'
list proto 'udp'
option name 'DHCP-transmision'
option src 'transmision'
option dest_port '67'
option enabled '0'
config forwarding
option dest 'transmision'
option src 'lan'
config rule
option dest_port '25826'
option src 'transmision'
option name 'collectd'
list src_ip '192.168.3.2'
option target 'ACCEPT'
option enabled '0'
config rule
option dest_port '123'
option src 'transmision'
option name 'ntp'
option family 'ipv4'
option target 'ACCEPT'
list proto 'udp'
list src_ip '192.168.3.2'
list src_ip '192.168.3.3'
option enabled '0'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# This file is interpreted as shell script.
#DNS FORWARD LAN Y VPN
iptables -t nat -A prerouting_lan_rule ! -d 192.168.150.1 -p udp --dport 53 -j DNAT --to 192.168.150.1:53
iptables -t nat -A prerouting_lan_rule ! -d 192.168.150.1 -p udp --dport 123 -j DNAT --to 192.168.150.1:123
iptables -t nat -A prerouting_lan_rule ! -d 192.168.150.1 -p tcp --dport 53 -j DNAT --to 192.168.150.1:53
iptables -t nat -A prerouting_invitados_rule ! -d 192.168.50.1 -p udp --dport 53 -j DNAT --to-destination 192.168.50.1:53
iptables -t nat -A prerouting_invitados_rule ! -d 192.168.50.1 -p tcp --dport 53 -j DNAT --to-destination 192.168.50.1:53
iptables -t nat -A prerouting_vpn_rule ! -d 10.8.0.1 -p udp --dport 53 -j DNAT --to-destination 10.8.0.1:53
iptables -t nat -A prerouting_vpn_rule ! -d 10.8.0.1 -p tcp --dport 53 -j DNAT --to-destination 10.8.0.1:53
iptables -t nat -A prerouting_transmision_rule ! -d 192.168.3.1 -p udp --dport 53 -j DNAT --to 192.168.3.1:53
iptables -t nat -A prerouting_transmision_rule ! -d 192.168.3.1 -p tcp --dport 53 -j DNAT --to 192.168.3.1:53
iptables -A input_wan_rule -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -A input_wan_rule -p tcp -m tcp -m multiport --dports 21,80,8080,22,23,2222,5060,443,25,53 -m comment --comment "DROPS-WAN" -j DROP
iptables -A input_wan_rule -p udp -m udp --dport 3399 -j LOG --log-prefix "***OPEN***VPN***"
iptables -A input_wan_rule -p udp -m udp --dport 3399 -j ACCEPT
# reglas red vlan transmission
iptables -A input_transmision_rule -s 192.168.3.2/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS-transmision" -j ACCEPT
iptables -A input_transmision_rule -s 192.168.3.3/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS-transmision" -j ACCEPT
iptables -A input_transmision_rule -p udp -m udp --dport 67 -m comment --comment "!fw3: DHCP-transmision" -j ACCEPT
iptables -A input_transmision_rule -s 192.168.3.2/32 -p udp -m udp --dport 123 -m comment --comment "!fw3: ntp" -j ACCEPT
iptables -A input_transmision_rule -s 192.168.3.3/32 -p udp -m udp --dport 123 -m comment --comment "!fw3: ntp" -j ACCEPT
iptables -A input_transmision_rule -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -A input_transmision_rule -j LOG --log-prefix "+_+_+_+_TRANSMISSION_DROP_+_+_+_+"
#set de ipset de ips individuales
iptables -D input_wan_rule -m set --match-set myset-ip src -j DROP
iptables -D forwarding_wan_rule -m set --match-set myset-ip src -j DROP
ipset destroy myset-ip;
ipset create myset-ip hash:ip
for ip in `cat /usb/logs/block-dns.txt|awk '{print $4}'|awk -F. '{print $1"."$2"."$3"."$4}'`
do ipset add myset-ip $ip
done
iptables -I input_wan_rule 1 -m set --match-set myset-ip src -j DROP
iptables -I forwarding_wan_rule 1 -m set --match-set myset-ip src -j DROP
# Generated by iptables-save v1.8.3 on Thu Jul 16 18:44:23 2020
*nat
:PREROUTING ACCEPT [34560:3452105]
:INPUT ACCEPT [10436:773035]
:OUTPUT ACCEPT [9014:658988]
:POSTROUTING ACCEPT [9690:696188]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_invitados_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_radius_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_transmision_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_invitados_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_radius_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_transmision_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_invitados_postrouting - [0:0]
:zone_invitados_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_radius_postrouting - [0:0]
:zone_radius_prerouting - [0:0]
:zone_transmision_postrouting - [0:0]
:zone_transmision_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[97797:9340893] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[67488:7548985] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[26278:1469625] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.99 -m comment --comment "!fw3" -j zone_radius_prerouting
[0:0] -A PREROUTING -i br-invitados -m comment --comment "!fw3" -j zone_invitados_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[4031:322283] -A PREROUTING -i br-transmission -m comment --comment "!fw3" -j zone_transmision_prerouting
[67742:7032048] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[255:83237] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[42388:5264411] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.99 -m comment --comment "!fw3" -j zone_radius_postrouting
[0:0] -A POSTROUTING -o br-invitados -m comment --comment "!fw3" -j zone_invitados_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
[3799:216967] -A POSTROUTING -o br-transmission -m comment --comment "!fw3" -j zone_transmision_postrouting
[0:0] -A prerouting_invitados_rule ! -d 192.168.50.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.50.1:53
[0:0] -A prerouting_invitados_rule ! -d 192.168.50.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.50.1:53
[70:4644] -A prerouting_lan_rule ! -d 192.168.150.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.150.1:53
[66:5016] -A prerouting_lan_rule ! -d 192.168.150.1/32 -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.150.1:123
[0:0] -A prerouting_lan_rule ! -d 192.168.150.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.150.1:53
[6:360] -A prerouting_transmision_rule ! -d 192.168.3.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.3.1:53
[0:0] -A prerouting_transmision_rule ! -d 192.168.3.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.3.1:53
[0:0] -A prerouting_vpn_rule ! -d 10.8.0.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.1:53
[0:0] -A prerouting_vpn_rule ! -d 10.8.0.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.8.0.1:53
[0:0] -A zone_invitados_postrouting -m comment --comment "!fw3: Custom invitados postrouting rule chain" -j postrouting_invitados_rule
[0:0] -A zone_invitados_prerouting -m comment --comment "!fw3: Custom invitados prerouting rule chain" -j prerouting_invitados_rule
[255:83237] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[67488:7548985] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_radius_postrouting -m comment --comment "!fw3: Custom radius postrouting rule chain" -j postrouting_radius_rule
[0:0] -A zone_radius_prerouting -m comment --comment "!fw3: Custom radius prerouting rule chain" -j prerouting_radius_rule
[3799:216967] -A zone_transmision_postrouting -m comment --comment "!fw3: Custom transmision postrouting rule chain" -j postrouting_transmision_rule
[4031:322283] -A zone_transmision_prerouting -m comment --comment "!fw3: Custom transmision prerouting rule chain" -j prerouting_transmision_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
[42388:5264411] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[42388:5264411] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[42388:5264411] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[26278:1469625] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[2878:159540] -A zone_wan_prerouting -p tcp -m tcp --dport 13505 -m comment --comment "!fw3: torrent" -j DNAT --to-destination 192.168.3.3:13505
[920:57081] -A zone_wan_prerouting -p udp -m udp --dport 13505 -m comment --comment "!fw3: torrent" -j DNAT --to-destination 192.168.3.3:13505
[22480:1253004] -A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Thu Jul 16 18:44:23 2020
# Generated by iptables-save v1.8.3 on Thu Jul 16 18:44:23 2020
*raw
:PREROUTING ACCEPT [16598929:11336058376]
:OUTPUT ACCEPT [165684:50788992]
:zone_invitados_helper - [0:0]
:zone_lan_helper - [0:0]
:zone_radius_helper - [0:0]
:zone_transmision_helper - [0:0]
:zone_vpn_helper - [0:0]
[5787374:559814211] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i eth0.99 -m comment --comment "!fw3: radius CT helper assignment" -j zone_radius_helper
[0:0] -A PREROUTING -i br-invitados -m comment --comment "!fw3: invitados CT helper assignment" -j zone_invitados_helper
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3: vpn CT helper assignment" -j zone_vpn_helper
[810948:867640377] -A PREROUTING -i br-transmission -m comment --comment "!fw3: transmision CT helper assignment" -j zone_transmision_helper
COMMIT
# Completed on Thu Jul 16 18:44:23 2020
# Generated by iptables-save v1.8.3 on Thu Jul 16 18:44:23 2020
*mangle
:PREROUTING ACCEPT [16598933:11336058584]
:INPUT ACCEPT [200369:84906499]
:FORWARD ACCEPT [16393642:11250262211]
:OUTPUT ACCEPT [165686:50789864]
:POSTROUTING ACCEPT [16558089:11300983745]
[33288:1831176] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Jul 16 18:44:23 2020
# Generated by iptables-save v1.8.3 on Thu Jul 16 18:44:23 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_invitados_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_radius_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_transmision_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_invitados_rule - [0:0]
:input_lan_rule - [0:0]
:input_radius_rule - [0:0]
:input_rule - [0:0]
:input_transmision_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_invitados_rule - [0:0]
:output_lan_rule - [0:0]
:output_radius_rule - [0:0]
:output_rule - [0:0]
:output_transmision_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_invitados_dest_ACCEPT - [0:0]
:zone_invitados_dest_DROP - [0:0]
:zone_invitados_forward - [0:0]
:zone_invitados_input - [0:0]
:zone_invitados_output - [0:0]
:zone_invitados_src_DROP - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_radius_dest_ACCEPT - [0:0]
:zone_radius_dest_DROP - [0:0]
:zone_radius_forward - [0:0]
:zone_radius_input - [0:0]
:zone_radius_output - [0:0]
:zone_radius_src_DROP - [0:0]
:zone_transmision_dest_ACCEPT - [0:0]
:zone_transmision_dest_DROP - [0:0]
:zone_transmision_forward - [0:0]
:zone_transmision_input - [0:0]
:zone_transmision_output - [0:0]
:zone_transmision_src_DROP - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_dest_DROP - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
[44648:5681348] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[155726:79225411] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[105657:76030564] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[788:43419] -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[19835:848500] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[25811:1827950] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[22400:1249530] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.99 -m comment --comment "!fw3" -j zone_radius_input
[0:0] -A INPUT -i br-invitados -m comment --comment "!fw3" -j zone_invitados_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[1012:71400] -A INPUT -i br-transmission -m comment --comment "!fw3" -j zone_transmision_input
[16393643:11250262361] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[16340224:11243416868] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1245:70412] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[44179:6214547] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[3831:220271] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.99 -m comment --comment "!fw3" -j zone_radius_forward
[0:0] -A FORWARD -i br-invitados -m comment --comment "!fw3" -j zone_invitados_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[4164:340263] -A FORWARD -i br-transmission -m comment --comment "!fw3" -j zone_transmision_forward
[44648:5681348] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[121042:45109684] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[120477:44941406] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[268:87005] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[295:80581] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.99 -m comment --comment "!fw3" -j zone_radius_output
[0:0] -A OUTPUT -o br-invitados -m comment --comment "!fw3" -j zone_invitados_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[2:692] -A OUTPUT -o br-transmission -m comment --comment "!fw3" -j zone_transmision_output
[0:0] -A forwarding_wan_rule -m set --match-set myset-ip src -j DROP
[0:0] -A input_transmision_rule -s 192.168.3.2/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS-transmision" -j ACCEPT
[974:66748] -A input_transmision_rule -s 192.168.3.3/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS-transmision" -j ACCEPT
[7:2296] -A input_transmision_rule -p udp -m udp --dport 67 -m comment --comment "!fw3: DHCP-transmision" -j ACCEPT
[0:0] -A input_transmision_rule -s 192.168.3.2/32 -p udp -m udp --dport 123 -m comment --comment "!fw3: ntp" -j ACCEPT
[31:2356] -A input_transmision_rule -s 192.168.3.3/32 -p udp -m udp --dport 123 -m comment --comment "!fw3: ntp" -j ACCEPT
[0:0] -A input_transmision_rule -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A input_transmision_rule -j LOG --log-prefix "+_+_+_+_TRANSMISSION_DROP_+_+"
[96:5892] -A input_wan_rule -m set --match-set myset-ip src -j DROP
[0:0] -A input_wan_rule -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[713:32416] -A input_wan_rule -p tcp -m tcp -m multiport --dports 21,80,8080,22,23,2222,5060,443,25,53 -m comment --comment DROPS-WAN -j DROP
[0:0] -A input_wan_rule -p udp -m udp --dport 3399 -j LOG --log-prefix "***OPEN***VPN***"
[0:0] -A input_wan_rule -p udp -m udp --dport 3399 -j ACCEPT
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[19777:845952] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[58:2548] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_invitados_dest_ACCEPT -o br-invitados -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_invitados_dest_DROP -o br-invitados -m comment --comment "!fw3" -j DROP
[0:0] -A zone_invitados_forward -m comment --comment "!fw3: Custom invitados forwarding rule chain" -j forwarding_invitados_rule
[0:0] -A zone_invitados_forward -m comment --comment "!fw3: Zone invitados to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_invitados_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_invitados_forward -m comment --comment "!fw3" -j zone_invitados_dest_DROP
[0:0] -A zone_invitados_input -m comment --comment "!fw3: Custom invitados input rule chain" -j input_invitados_rule
[0:0] -A zone_invitados_input -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS-invitados" -j ACCEPT
[0:0] -A zone_invitados_input -p udp -m udp --dport 67 -m comment --comment "!fw3: DHCP-Invitados" -j ACCEPT
[0:0] -A zone_invitados_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_invitados_input -m comment --comment "!fw3" -j zone_invitados_src_DROP
[0:0] -A zone_invitados_output -m comment --comment "!fw3: Custom invitados output rule chain" -j output_invitados_rule
[0:0] -A zone_invitados_output -m comment --comment "!fw3" -j zone_invitados_dest_ACCEPT
[0:0] -A zone_invitados_src_DROP -i br-invitados -m comment --comment "!fw3" -j DROP
[268:87005] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
[44179:6214547] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[44179:6214547] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to invitados forwarding policy" -j zone_invitados_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to transmision forwarding policy" -j zone_transmision_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_DROP
[25811:1827950] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[291:20628] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[25520:1807322] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[268:87005] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[268:87005] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[25520:1807322] -A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_radius_dest_ACCEPT -o eth0.99 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_radius_dest_DROP -o eth0.99 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_radius_forward -m comment --comment "!fw3: Custom radius forwarding rule chain" -j forwarding_radius_rule
[0:0] -A zone_radius_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_radius_forward -m comment --comment "!fw3" -j zone_radius_dest_DROP
[0:0] -A zone_radius_input -m comment --comment "!fw3: Custom radius input rule chain" -j input_radius_rule
[0:0] -A zone_radius_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_radius_input -m comment --comment "!fw3" -j zone_radius_src_DROP
[0:0] -A zone_radius_output -m comment --comment "!fw3: Custom radius output rule chain" -j output_radius_rule
[0:0] -A zone_radius_output -m comment --comment "!fw3" -j zone_radius_dest_ACCEPT
[0:0] -A zone_radius_src_DROP -i eth0.99 -m comment --comment "!fw3" -j DROP
[2:692] -A zone_transmision_dest_ACCEPT -o br-transmission -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_transmision_dest_DROP -o br-transmission -m comment --comment "!fw3" -j DROP
[4164:340263] -A zone_transmision_forward -m comment --comment "!fw3: Custom transmision forwarding rule chain" -j forwarding_transmision_rule
[4164:340263] -A zone_transmision_forward -m comment --comment "!fw3: Zone transmision to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_transmision_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_transmision_forward -m comment --comment "!fw3" -j zone_transmision_dest_DROP
[1012:71400] -A zone_transmision_input -m comment --comment "!fw3: Custom transmision input rule chain" -j input_transmision_rule
[0:0] -A zone_transmision_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_transmision_input -m comment --comment "!fw3" -j zone_transmision_src_DROP
[2:692] -A zone_transmision_output -m comment --comment "!fw3: Custom transmision output rule chain" -j output_transmision_rule
[2:692] -A zone_transmision_output -m comment --comment "!fw3" -j zone_transmision_dest_ACCEPT
[0:0] -A zone_transmision_src_DROP -i br-transmission -m comment --comment "!fw3" -j DROP
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_DROP -o tun0 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_DROP
[0:0] -A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[48638:6635391] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o eth0.2 -m comment --comment "!fw3" -j DROP
[3831:220271] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[3831:220271] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
[22400:1249530] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s 10.207.239.26/32 -p udp -m udp --sport 67 --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[21591:1211222] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
[295:80581] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[295:80581] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[21591:1211222] -A zone_wan_src_DROP -i eth0.2 -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Thu Jul 16 18:44:23 2020
All the rules from the firewall.user are present.
2 Likes
Could be a LuCI frontend bug. Which LuCI version do you use?
2 Likes
Thank you for your answers
I agree it has to be a Luci bug because according to @trendy all the rules from firewall.user are shown in the logs I have posted above.
My Luci version is git-20.057.55219-13dd17f-1
I dont know how to add LOG rules to FW3(I dont even know if thats possible) so I add them to firewall.user file