
Topic: Iptables -i option issue


First of all, I am new to OpenWrt, so hello everyone.
I have the following configuration on my WRT160NL (Backfire OpenWrt):



############################################
/etc/config/network
############################################
# loopback
config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

# lan: eth0 wrapped in a bridge, router address 192.168.10.1/24.
# NOTE: because of 'type bridge' the lan traffic is seen on the bridge
# device rather than on eth0, so iptables rules using '-i eth0' do not
# match it; use the bridge's own interface name instead (check ifconfig).
config 'interface' 'lan'
        option 'ifname' 'eth0'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'netmask' '255.255.255.0'
        option 'ipaddr' '192.168.10.1'

# wan: static address on the 192.168.1.0/24 segment; default route and
# DNS both point at 192.168.1.1.
config 'interface' 'wan'
        option 'ifname' 'eth1'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.101'
        option 'netmask' '255.255.255.0'
        option 'gateway' '192.168.1.1'
        option 'dns' '192.168.1.1'

# switch: VLAN support enabled on eth0, switch reset at start
config 'switch'
        option 'name' 'eth0'
        option 'reset' '1'
        option 'enable_vlan' '1'

# a single VLAN (1) carrying all six listed ports
config 'switch_vlan'
        option 'device' 'eth0'
        option 'vlan' '1'
        option 'ports' '0 1 2 3 4 5'


############################################
/etc/config/firewall
############################################

# include a file with users custom iptables rules
# NOTE(review): /etc/firewall.user starts with iptables -F / -X, which
# also flushes whatever rules the firewall init built before this include
# runs -- confirm that ordering is intended.
config include
        option path /etc/firewall.user




############################################
/etc/firewall.user
############################################

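# /etc/firewall.user: custom iptables rules pulled in through the
# 'config include' stanza in /etc/config/firewall.
#
# NOTE(review): the file has no shebang and is included by the firewall
# init script, so it presumably runs inside that script's shell; the
# flushes at the top then also discard whatever rules the init script
# built before the include -- confirm this is intended on this build.
#
# Addresses are taken from /etc/config/network: the lan bridge is
# 192.168.10.1/24, the wan side (eth1) is 192.168.1.101/24 with
# 192.168.1.1 as gateway and DNS server.

# Start from empty tables so the rules below are the complete policy.
iptables -F
iptables -F -t nat
iptables -X -t nat
iptables -F -t filter
iptables -X -t filter

# Routing between lan and wan requires kernel forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

####
# Networks and hosts the rules refer to, kept in one place so a
# renumbering only has to be done here.
LAN_NET=192.168.10.0/24
LAN_IP=192.168.10.1
WAN_NET=192.168.1.0/24
WAN_DNS=192.168.1.1

# Services lan hosts may open towards the outside (FORWARD chain).
FPORTS_TCP=20,21,22,23,25,80,8080,110,443,465
FPORTS_UDP=123


# default: drop anything no rule below accepts
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Traffic belonging to connections that were accepted when NEW.  Note the
# asymmetry: RELATED is accepted for icmp only on INPUT, for tcp and icmp
# on FORWARD and OUTPUT, and never for udp.
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state RELATED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
iptables -A FORWARD -p icmp -m state --state RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT


####
# Connections the router itself may open.

# ping from the router
iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

# dns lookups, only towards the configured upstream resolver
iptables -A OUTPUT -d "$WAN_DNS" -p udp --dport 53 -m state --state NEW -j ACCEPT

####
# Services the router offers.

# dhcp: client requests in (dport 67), server replies out (sport 67).
# Both are matched as NEW explicitly rather than through the ESTABLISHED
# rules above.  Neither rule is bound to an interface, so requests
# arriving on the wan side reach the server as well -- add the lan
# bridge with -i if that matters.
iptables -A INPUT -p udp --dport 67 --sport 68 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --sport 67 --dport 68 -m state --state NEW -j ACCEPT

# NOTE(review): the next three rules pick out lan clients by source
# address only.  A packet entering on the wan side with a forged
# 192.168.10.x source matches them just the same (unless rp_filter stops
# it first).  Matching the ingress interface too closes that gap -- but
# with the bridge's own interface name, not eth0, which is only the
# physical port underneath the bridge.

# dns for the lan
iptables -A INPUT -s "$LAN_NET" -d "$LAN_IP" -p udp --dport 53 -m state --state NEW -j ACCEPT

# http for the lan
iptables -A INPUT -s "$LAN_NET" -d "$LAN_IP" -p tcp --dport 80 -m state --state NEW -j ACCEPT

# ssh for the lan
iptables -A INPUT -s "$LAN_NET" -d "$LAN_IP" -p tcp --dport 22 -m state --state NEW -j ACCEPT


####
# What the lan may open towards the outside.
iptables -A FORWARD -s "$LAN_NET" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -A FORWARD -s "$LAN_NET" -p tcp -m multiport --dports "$FPORTS_TCP" -m state --state NEW -j ACCEPT
iptables -A FORWARD -s "$LAN_NET" -p udp -m multiport --dports "$FPORTS_UDP" -m state --state NEW -j ACCEPT


####
# NAT the lan behind the wan address.
iptables -t nat -A POSTROUTING -s "$LAN_NET" -j MASQUERADE

# NOTE(review): this accepts *any* forwarded packet sourced from the
# wan-side subnet, with no state check, so hosts on 192.168.1.0/24 can
# open connections into the lan despite the DROP policy.  Replies to
# lan-initiated traffic are already accepted by the ESTABLISHED/RELATED
# rules above; if only replies were meant, this rule is not needed.
iptables -A FORWARD -s "$WAN_NET" -j ACCEPT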

########





Everything seems to work fine for me right now (but I must say I am no system security expert and the iptables rules are not finished yet).


But as I mentioned before, I have a strange issue with this configuration.

Right now I allow any local connection from my LAN to the SSH port:
   
     iptables -A INPUT -s 192.168.10.0/24 -d 192.168.10.1 -p TCP --dport 22 -m state --state NEW -j ACCEPT


If i change this rule to something like this:
     
     iptables -A INPUT -i eth0 -p TCP --dport 22 -m state --state NEW -j ACCEPT

or this
     iptables -A INPUT -i eth0 -d 192.168.10.1 -p TCP --dport 22 -m state --state NEW -j ACCEPT

or this
     iptables -A INPUT -i eth0 -s 192.168.10.0/24 -d 192.168.10.1 -p TCP --dport 22 -m state --state NEW -j ACCEPT

then I can't connect to my SSH server any more.
Can anyone help me?
Why doesn't the -i option work?
Is there any way to match on the source ("in") interface?

Check 'ifconfig' and see what the bridge interface is called; it is probably not eth0, which would explain the problem you see. Since 'lan' has type 'bridge', LAN packets arrive on the bridge device rather than on eth0, so '-i eth0' never matches them.

Yep that was the case. Thank you!
