Some process added firewall rules (iptables/ip6tables), not my rules

Hi. I have my firewall configured with the /etc/firewall.user file, where this file erases all previous rules created by the Lede firmware and then I write my own iptables and ip6tables rules in this file. My understanding is that the rules in this file are supposed to be applied after the Lede firmware has generated its own rules. I also have the /etc/firewall.user file as executable, and I have a file, /etc/hotplug.d/iface/99-myrules, that is supposed to ensure that this /etc/firewall.user file is run if the network resets:

cat /etc/hotplug.d/iface/99-myrules
#!/bin/sh

# Only act when an interface has come up
[ "$ACTION" = ifup ] || exit 0

# Do nothing if the firewall service is disabled
/etc/init.d/firewall enabled || exit 0

# Re-apply my own rules
/etc/firewall.user

So far this has been working, in that if I reboot the router, iptables-save and ip6tables-save show only the rules I have written. Also, when I execute /etc/init.d/network restart, and /etc/init.d/firewall restart, everything looks good.

So today I logged in to my router and when I ran iptables-save, I saw my own iptables rules, but then the following were at the end:

 -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
 -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
 -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
 -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
 -A FORWARD -s 10.157.180.0/24 -i br-lan -o eth1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -d 10.157.180.0/24 -i eth1 -o br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
 -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
 -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
 -A FORWARD -m comment --comment "!fw3" -j reject
 -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
 -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
 -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
 -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
 -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
 -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
 -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
 -A syn_flood -m comment --comment "!fw3" -j DROP
 -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
 -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
 -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
 -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
 -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
 -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
 -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
 -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
 -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
 -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
 -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
 -A zone_wan_forward -p esp -m comment --comment "!fw3: @rule[7]" -j zone_lan_dest_ACCEPT
 -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: @rule[8]" -j zone_lan_dest_ACCEPT
 -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
 -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
 -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
 -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
 -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
 -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
 -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
 -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
 -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
 COMMIT

ip6tables has a set of unexpected rules as well.

Any guesses how these rules were inserted?

I was wondering if these were the rules normally generated by the Lede firmware. If they are, and if they were then generated by some random network reset, it raises the question of why this did not trigger the execution of the /etc/firewall.user script, which, as I've already mentioned, erases all previous rules before writing the new ones.

Thanks in advance to everyone taking the time to read this post!

Those look like the normal firewall rules made by the default firewall (fw3).

LEDE applies the rules configured at "/etc/config/firewall" each time a network interface changes its state, and as @hnyman mentioned, those rules look like the rules created by LEDE.

Great, thank you.

So it seems that something triggered the firewall rules to be re-applied, except that it did not run the /etc/firewall.user file, which I have written to erase all firewall rules and then apply my own rules. I thought that the process of generating firewall rules was supposed to end with the rules specified in /etc/firewall.user?

Thanks for the input!

/etc/firewall.user gets loaded only at firewall "restart", but not at "reload" action, I think. There is a forum discussion here or in the OpenWrt forum, if I remember correctly.
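The situation described in this thread (fw3 re-applied its rules on a reload, /etc/firewall.user did not run, and both rule sets now coexist) can be spotted from an iptables-save dump, because fw3 tags every rule it writes with the comment "!fw3", as seen in the output quoted in the question. The following script is an added example, not code from the thread or from the LEDE project; the sample dump is constructed here to mirror the quoted output, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): detect fw3-generated rules in an
# iptables-save / ip6tables-save dump read from stdin. fw3 marks each rule it
# writes with the comment "!fw3", so fw3 rules sitting next to untagged
# custom rules mean the builtin firewall was re-applied after the custom
# script last ran.

# Constructed sample dump: two custom rules followed by three fw3 rules,
# modelled on the iptables-save output quoted in the question.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m comment --comment "!fw3" -j reject
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
COMMIT'

# Count rule lines ("-A CHAIN ...") that carry the fw3 marker. The comment is
# either "!fw3" or "!fw3: <description>", so match on the common prefix.
# "|| true" keeps the count of 0 usable even though grep exits 1 on no match.
count_fw3_rules() {
    grep -c -- '^ *-A .*--comment "!fw3' || true
}

# Count rule lines without the fw3 marker, i.e. rules written by something
# other than fw3 (here: the custom script).
count_custom_rules() {
    grep -- '^ *-A ' | grep -vc -- '--comment "!fw3' || true
}

# Read a dump from stdin and print a one-line verdict.
check_drift() {
    dump=$(cat)
    fw3=$(printf '%s\n' "$dump" | count_fw3_rules)
    custom=$(printf '%s\n' "$dump" | count_custom_rules)
    if [ "$fw3" -gt 0 ] && [ "$custom" -gt 0 ]; then
        echo "DRIFT: $custom custom rule(s) and $fw3 fw3 rule(s) coexist"
    elif [ "$fw3" -gt 0 ]; then
        echo "FW3_ONLY: $fw3 fw3 rule(s), no custom rules"
    else
        echo "CLEAN: $custom custom rule(s), no fw3 rules"
    fi
}

# Demo on the constructed dump; on a router run: iptables-save | check_drift
printf '%s\n' "$SAMPLE_DUMP" | check_drift
```

On a router the same functions can be fed from `iptables-save` and `ip6tables-save` directly, or from a cron job that logs the verdict, which gives an early signal that a reload has silently replaced the intended rule set.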

It does not make sense to use the builtin firewall framework just to have it load a script which flushes all rules and replaces them with something else.

Properly disable the builtin firewall using /etc/init.d/firewall stop; /etc/init.d/firewall disable and put your iptables commands into /etc/rc.local.
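One way to lay out the /etc/rc.local body for the approach suggested above (fw3 stopped and disabled, custom rules applied once at boot), as an added example that is not part of this thread or of the LEDE project: the interface names br-lan and eth1 and the LAN subnet 10.157.180.0/24 are taken from the question's output, the rule set itself is an assumed minimal default-deny policy, and IPT / IPT6 are assumed variables so the script can be dry-run with echo instead of touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): minimal /etc/rc.local body that applies
# a custom IPv4 + IPv6 rule set once at boot, with the builtin fw3 disabled.
# Set IPT=echo IPT6=echo to print the commands instead of executing them.

IPT="${IPT:-iptables}"
IPT6="${IPT6:-ip6tables}"
LAN_IF="br-lan"               # from the question
WAN_IF="eth1"                 # from the question
LAN_NET="10.157.180.0/24"     # from the question

apply_firewall() {
    # Same skeleton for both address families.
    for bin in "$IPT" "$IPT6"; do
        $bin -F            # flush all rules in the filter table
        $bin -X            # delete leftover user chains (e.g. fw3's zone_* chains)
        # Accept loopback and reply traffic before anything else, so an SSH
        # session applying these rules is not cut off when policies switch.
        $bin -A INPUT -i lo -j ACCEPT
        $bin -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        $bin -A INPUT -i "$LAN_IF" -m conntrack --ctstate NEW -j ACCEPT
        $bin -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        $bin -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    done
    # IPv6 needs ICMPv6 for neighbour discovery and path MTU discovery.
    $IPT6 -A INPUT -p ipv6-icmp -j ACCEPT
    # IPv4 only: masquerade the LAN behind the WAN address.
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Default-deny policies go last, once the accept rules are in place.
    for bin in "$IPT" "$IPT6"; do
        $bin -P INPUT DROP
        $bin -P FORWARD DROP
        $bin -P OUTPUT ACCEPT
    done
}

# A real /etc/rc.local would call apply_firewall unconditionally and end with
# "exit 0". The guard below keeps sourcing this file from touching the live
# firewall; run it as "sh rc-example.sh apply" to apply for real.
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Because fw3 is disabled rather than overridden, nothing re-applies its rules on an interface reload, so the hotplug workaround from the question is no longer needed; rules that match on an interface name keep working while that interface goes down and up again.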

Thanks for the suggestions, I'll switch over to that approach.

Thanks everyone for your time and input!