OpenWrt Forum Archive

Topic: firewall doesn't seem to work

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi guys,
my OpenWrt firewall doesn't seem to function.

Chain zone_lan_input (0 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* user chain for input */
reject     all  --  anywhere             192.168.1.109        /* @rule[0] */
reject     all  --  192.168.1.109        anywhere             /* @rule[1] */

config rule
        option src 'lan'
        option proto 'all'
        option dest_ip '192.168.1.109'
        option target 'REJECT'

config rule
        option src 'lan'
        option proto 'all'
        option src_ip '192.168.1.109'
        option target 'REJECT'

I believe the above is the method to block all connections from and to 192.168.1.109,
but I could still ping it and access its Windows share drive.

I am using a TL-WA901ND v2 here.

bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.a0f3c15fe8d6       no              eth0
                                                        wlan0

config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.254'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option dns '8.8.8.8'

And I don't get it; I want to disable access from wlan to 192.168.1.109.

This does not work as lan and wlan are bridged, so traffic flows a layer below the firewall. You can try to block the traffic with manual iptables commands using physdev rules.

Thanks jow,
this helps a lot.
I just figured out I need to set:
net.bridge.bridge-nf-call-iptables=1

Would you please give me an example of one entry to block a particular IP address?

Thanks, and much appreciated.

You sure you wanna mess with ebtables? You can create another zone for "wifi" like in the following recipe, and you can have iptables rules for traffic flow between lan and wlan:

http://wiki.openwrt.org/doc/recipes/guest-wlan

Hi phuque99,
my device doesn't support VLANs, TP-LINK TL-WA901ND v2.

I don't know if this is required for the guest-wlan recipe; I tried routedap before and failed because of no VLAN and no idea how to connect different subnets (e.g. 192.168.1.0 and 192.168.2.0) to the gateway.

I just did opkg install ebtables; please let me know if I've got an easier choice.

Much appreciated,

Hi,
after I opkg install iptables-mod-extra, I use the following in /etc/firewall.user.

It doesn't seem to work.

iptables -A FORWARD -p udp --dport 135:139 -m physdev --physdev-in eth0 -j REJECT
iptables -A FORWARD -p udp --dport 135:139 -m physdev --physdev-in wlan0 -j REJECT

bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.a0f3c15fe8d6       no              eth0
                                                        wlan0

root@OpenWrt:~# iptables -L | grep 135
REJECT     udp  --  anywhere             anywhere             udp dpts:135:netbios-ssn PHYSDEV match --physdev-in eth0 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpts:135:netbios-ssn PHYSDEV match --physdev-in wlan0 reject-with icmp-port-unreachable

Why?
Why can I still access the Windows share?

(Last edited by sleepsleep on 29 Jul 2013, 14:55)

Are there default rules above your own custom ones? OpenWRT has a "delegate_forward" chain in the default rules and -A will insert your rules below it:

# iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination         
delegate_forward  all  --  anywhere             anywhere         

Hi guys,
I guess I figured out how to operate this thing.
This is what I put inside /etc/firewall.user, and it hits my goal: I just block the IP that contains the shares,
no ping, no shares, from wlan (since this device has only 1 lan port). The trick is to use the bridge name instead of the device name; it cost me 4 days to hit the objective.

iptables -A FORWARD -p all -d 192.168.1.100 -o br-lan -j REJECT

And I opkg'd ebtables too; I'm not sure if that is necessary or not, but I will deploy another such AP in another location and will report later. Finally I can get my dinner, and it is 10:30PM here.
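The two points the thread settles on (bridged frames only reach iptables once bridge-nf-call-iptables is on, and rules added with -A end up below the delegate_forward jump) as one added example; this is not code posted in the thread. It emits firewall.user lines that isolate one wired host from wifi clients, and checks an `iptables -S FORWARD` listing for the ordering problem; the host address, the wifi port name and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. Emits firewall.user lines that isolate
# one wired host from wifi clients on a bridged lan/wlan, and checks an
# 'iptables -S FORWARD' listing for the ordering problem raised in the thread
# (rules appended with -A landing below the delegate_forward jump).
# Host address, port name and the sample listing are constructed for illustration.

# Bridged frames only reach iptables once bridge-nf-call-iptables is on (on
# kernels 3.18+ the br_netfilter module must be loaded first). -I FORWARD 1
# places each rule above delegate_forward so it is evaluated before the
# default chains. physdev-in catches wifi -> host, physdev-out host -> wifi.
isolation_rules() {
    ip="$1"; wifi_port="$2"
    printf '%s\n' \
      "sysctl -w net.bridge.bridge-nf-call-iptables=1" \
      "iptables -I FORWARD 1 -m physdev --physdev-in $wifi_port -d $ip -j REJECT" \
      "iptables -I FORWARD 1 -m physdev --physdev-is-bridged --physdev-out $wifi_port -s $ip -j REJECT"
}

# Read 'iptables -S FORWARD' output on stdin and report whether the first rule
# naming $1 sits "above" or "below" the delegate_forward jump, or is "missing".
rule_position() {
    awk -v ip="$1" '
        $1 == "-A" && index($0, "-j delegate_forward") { seen = 1; next }
        $1 == "-A" && index($0, ip) && !found { found = 1; pos = seen ? "below" : "above" }
        END { print (found ? pos : "missing") }'
}

# Constructed listing reproducing the thread: the -A rule lands last.
SAMPLE_BAD='-P FORWARD DROP
-A FORWARD -j delegate_forward
-A FORWARD -d 192.168.1.109/32 -o br-lan -j REJECT --reject-with icmp-port-unreachable'

if [ "${1:-}" = "demo" ]; then
    isolation_rules 192.168.1.109 wlan0
    printf '%s\n' "$SAMPLE_BAD" | rule_position 192.168.1.109   # prints "below"
fi
```

Run with `demo` to see the generated rules; on a router, pipe `iptables -S FORWARD` into rule_position to confirm your own rule sits above delegate_forward.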

The discussion might have continued from here.