Yikes! - fw3 defaults to allowing NAT forwards

I recently noticed incoming ssh traffic to one of my servers. The source was known dangerous port scanners. I was surprised as I thought I had blocked incoming access to ssh except from certain IPs.

Running iptables -L -v on my openwrt router I was horrified to see the line
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT /* !fw3: Accept port redirections */
in input_wan_rule

I don't want this! I want to only explicitly accept connections. I've fixed this for now by adding an explicit REJECT default earlier in the chain, but what's the official way to stop fw3 acting in this crazy way? I haven't told fw3 to accept forwards in the config files.

1 Like

Why? I mean, other than the fact no traffic has hit that rule so it's not the cause of your issue, it's part of the overall system to allow port forwards to operate. If you don't have any port forwarding rules then you won't have any DNAT traffic and the rule won't do anything.

1 Like

Sorry - my first post was misleading. The iptables -L -v I showed was what it looks like now, after I added the explicit REJECT. When I saw it originally, those two first numbers were very large showing that a LOT of traffic hit this rule. Indeed, I was seeing a lot of ssh traffic probing my server.

This is a dangerous rule as it stands. Why should a default rule be to accept??

Because it only accepts traffic with a ctstate of DNAT, and that traffic only exists if you have set up a port forwarding rule. I assume you have set up a port forward rule to your SSH server?

1 Like

I have a long and complicated /etc/firewall.user that indeed has various port forwards and then explicit accepts for all manner of conditions. It just didn't occur to me that someone would hide a dangerous accept like this at the end of the chain.

I realize that if I stuck to using the the luci web interface then I wouldn't have had a problem. But if I just wanted to stick to using web interfaces I wouldn't be using openwrt in the first place.

Right now, the default iptables is not safe if people modify it with custom rules.

Ok, let's assume the rule is 'dangerous' because of your setup. I'd be interested to see what it is you added that allowed that rule to operate. Would you mind posting the output of cat /etc/firewall.user, iptables -L -v and iptables -L -v -t nat?

And that's the real problem that you need to fix.

Find a way to simplify it.
Long configs are problematic to maintain, analyze and audit.

Moreover, it is typically not wise to use custom configs which bypass zone-based model.


OK - I get it. If I were a perfect person then there wouldn't be an issue here. But there's an issue of security philosophy here.
Right now there is default accept rule that is undocumented and, so far as I know, cannot be turned off by the configuration files. Surely the person who put this accept rule in knew it was lazy programming. They were thinking "well, so long as the user doesn't do anything unexpected before this, this should be fine".
I guess at least by posting this to the form I might make some readers out there more aware of this trap that caught me out.


Actually no.

The rule allows only traffic to redirected ports.
There are no port redirects enabled by default.
Thus, there is no problem.


It'd be a lot more helpful if you posted the information I asked for earlier ( output of cat /etc/firewall.user , iptables -L -v and iptables -L -v -t nat) so we could see if there is an actual issue with fw3 or it's a misconfiguration on your part.

1 Like

I think we've exhausted this conversation. I've fixed my problem by overriding this accept rule. I just wanted to make other people aware of this issue.

You may disagree with the current defaults, but this is not an OpenWrt-specific approach.
There are other firewall implementations that also allow DNAT by default.
Nowadays, this can be considered common sense, similar to RELATED and ESTABLISHED.

Your refusal to actually assist with any real troubleshooting makes it look like the issue here is nothing to do with fw3 or OpenWRT but is entirely user error/misunderstanding.


OK. Since you say I'm not being public spirited I'll continue to try to convince you. No, I'm not making my firewall.user file public but I'll give an example.
Suppose I want to forward a port in my router so I'll google how to do it. Out of curiosity just now I tried it and the first hit I got was this one. It tells me to do

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to
iptables -A FORWARD -p tcp -d --dport 8080 -j ACCEPT

Note the second line. So suppose I don't want anyone to use my web server. I only want people from ip address to do so. Well, the solution is obvious, I should change the second line to

iptables -A FORWARD -p tcp -d --dport 8080 -s -j ACCEPT

So I put this in my firewall.user file. Logically from what I just read on this web site, all should be well. But it isn't because anyone accessing the port from outside just drops through this rule until they hit the default accept.

vgaetera thinks I'm an idiot for doing this. Well, OK, you are entitled to your opinion...

Why? If it contains any public IP details they're easy enough to redact. It's not exactly a security risk outside of that.

Not sure I'd go quite as far as calling you an idiot, but maybe naïve if you want to add a firewall rule to a router but don't bother including the router software name in your search...

Why would you just not use the tools/configs available within OpenWRT to set up firewall rules?


You'd best be clear about whether you are using OpenWrt firewall or raw iptables.
Mixed setups are possible, but discouraged due to extra issues.

It's normal to stick to your principles and critically evaluate other ways.
However, it's not okay to ignore the recommended method and blindly trust some random site which is unrelated to OpenWrt.

1 Like

Yes - people who are make mistakes like this deserve to be hacked. You could choose to make it safer by not having well-hidden and completely undocumented default ACCEPT rules at the end of the iptables chain but people who don't follow our rules precisely should expect no mercy.

(Sorry - I don't want to come off as too angry. All I really wanted to do was make people aware of this issue.)

I get it, firewalls are complicated, but the issue isn't with OpenWRT or fw3. The approach you've taken to set up your firewall isn't recommended for exactly this type of reason, it can causes unforeseen issues. And the rule isn't exactly well hidden is it? You found it by running one simple command. It can also be seen quite easily through LuCI.

As I asked before:


Black and white thinking... you'd prefer they catered to your ( 1 in 100 000 ) use cases than integrating rules that will operate with the most clarity, manageability and scope... given what structure exists in front of them...

as mentioned, based on your definition 'right', explain in detail ( with examples ) how you would structure a zone based iptables ruleset, in which 25+ applications will seamlessly modify rules for... ?

context my friend... without it, you might wonder why a tennis ball is not square.


Why does the OP keep saying the rule is undocumented???

I guess the OP really is having a hard time understanding a zone based firewall...I also wonder why they're using custom iptables entries instead of OpenWrt syntax.


What issue?

For future readers, refrain from placing such rules in the custom area. That area is best used used for rules that can't reduce to UCI syntax.

1 Like