OpenWrt Forum Archive

Topic: Using /etc/config/firewall as a restricted firewall config

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi!

I'm not an expert on the OpenWrt firewall. Also, iptables seems a bit complicated, so I'm trying to use only /etc/config/network. As I'm not an expert, I prefer to block everything and then open what I know I need.

So I have created the attached /etc/config/firewall, not completed yet, to cover what I do on the LAN side. So I'll put only what is related to the LAN. So there is no internet access...

#defaults to DROP
config defaults
    option input    DROP
    option output    DROP 
    option forward    DROP

#defaults to DROP in lan
config zone
    option name    lan
    option input    DROP 
    option output    DROP 
    option forward    DROP


# lan devices can get ip via DHCP server in the router
config rule
    option src    lan
    option dest    lan #is necessary?
    option dest_ip    192.168.2.1
    option dest_port '67 68'
    option proto    udp
    option target    ACCEPT

# lan devices can use DNS server in the router. Not necessary if there is not "internet"
config rule
    option src    lan
    option dest    lan #is necessary?
    option dest_ip    192.168.2.1
    option dest_port '53'
    option proto    'tcp udp'
    option target    ACCEPT

#ssh to openwrt router. Only from lan and one device
config rule
    option src    lan
    option src_mac    xx:xx:xx:xx:xx
    option dest    lan #is necessary?
    option dest_ip    192.168.2.1 
    option dest_port 22
    option proto    tcp
    option target    ACCEPT

#ssh to server. Only from lan and two devices
config rule
    option src    lan
    option src_mac    'xx:xx:xx:xx:xx yy:yy:yy:yy:yy'
    option dest    lan
    option dest_ip    192.168.2.100
    option dest_port 22
    option proto    tcp
    option target    ACCEPT

What do you think?

With the above configuration (only the necessary services opened), how could I get internet access for the LAN devices? I've thought of this:

#open output to ask for a ip to the cable modem
config zone
    option name    wan
    option input    DROP
    option output    ACCEPT 
    option forward    DROP

#get access to internet for the lan devices
config forwarding 
    option src      lan
    option dest     wan

Would the above lines preserve the LAN restrictions? I think so. What do you think?

Thanks!

With the above configuration I lost router access from the laptop. At least it was an old router that I have for experiments. I reinstalled OpenWrt and tested the following (PC with a static address and DHCP disabled):

#defaults to DROP
config defaults
    option input    DROP
    option output    DROP 
    option forward    DROP

#defaults to DROP in lan
config zone
    option name    lan
    option input    DROP 
    option output    DROP 
    option forward    DROP

#ssh to openwrt router. Only from lan and one device
config rule
    option src    lan
    option src_ip    192.168.2.2
    option dest_ip    192.168.2.1 
    option dest_port 22
    option proto    tcp
    option target    ACCEPT

Nothing. Lost access. Reinstalled OpenWrt and tried:

config defaults
    option input    DROP
    option output    DROP 
    option forward    DROP

config zone
    option name    lan
    option input    DROP 
    option output    DROP 
    option forward    DROP

#communication from PC to router
config rule
    option src    lan
    option src_ip    192.168.2.2
    option dest_ip    192.168.2.1 
    option dest_port 22
    option proto    tcp
    option target    ACCEPT

#communication from router to PC
config rule
    option src_ip    192.168.2.1
    option dest    lan
    option dest_ip    192.168.2.2 
    option dest_port 22
    option proto    tcp
    option target    ACCEPT

No access :-(

What am I doing wrong?

PS: I have the router attached to one PC. There are no other devices.

exclusivos wrote:
#communication from router to PC
config rule
    option src_ip    192.168.2.1
    option dest    lan
    option dest_ip    192.168.2.2 
    option dest_port 22
    option proto    tcp
    option target    ACCEPT

No access :-(

What am I doing wrong?

You are assuming that the ssh client is using port 22 on the PC side. It isn't. Typically it uses a random "high" port (like 51923) to initiate the connection to the ssh server at the router's port 22. See the example of two ssh sessions below:

root@OpenWrt:/etc/config# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    132 OpenWrt.lan:ssh         Z97I-LAN.lan:51923      ESTABLISHED
tcp        0      0 OpenWrt.lan:ssh         Z97I-LAN.lan:52097      ESTABLISHED

You are making things really complicated by rejecting all the defaults and trying to do things manually, "reinventing the wheel".

At least allow connections from the router to lan by default.

config zone
        option name 'lan'
...
        option output 'ACCEPT'

(Last edited by hnyman on 14 Oct 2015, 09:13)
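To make hnyman's point concrete, here is an added example (not code from this thread or from OpenWrt) that models how /etc/config/firewall rules select packets and why the "router to PC" rule never sees the reply traffic. It assumes the ESTABLISHED-state accept that OpenWrt's firewall places ahead of the zone chains, and uses constructed packets with the ephemeral port 51923 from the netstat output above.

```python
import shlex
CONFIG = """# constructed copy of the two rules from the thread's last attempt; the inline comments are mine
config rule                      # 'src' but no 'dest': traffic TO the router (input chain)
    option src       lan
    option src_ip    192.168.2.2
    option dest_ip   192.168.2.1
    option dest_port 22
    option proto     tcp
    option target    ACCEPT
config rule                      # 'dest' but no 'src': traffic FROM the router (output chain)
    option dest      lan
    option src_ip    192.168.2.1
    option dest_ip   192.168.2.2
    option dest_port 22
    option proto     tcp
    option target    ACCEPT
"""

def parse_rules(text):
    """Parse 'config rule' sections; shlex honours UCI quoting ('tcp udp') and drops '#' comments."""
    rules, cur = [], None
    for words in (shlex.split(line, comments=True) for line in text.splitlines()):
        if words and words[0] == "config":
            rules.append(cur := {"_type": words[1]})
        elif words and words[0] == "option" and cur is not None:
            cur[words[1]] = words[2].split()          # every option value becomes a list
    return [r for r in rules if r["_type"] == "rule"]

def rule_matches(rule, pkt):
    """dest_port is the *server* port; the client's ephemeral port is only checked if src_port is set."""
    chain = "forward" if "src" in rule and "dest" in rule else "input" if "src" in rule else "output"
    return chain == pkt["chain"] and all(pkt[k] in rule[k] for k in rule if k in pkt)

def verdict(rules, pkt, conntrack, policy="DROP"):
    """Replies to an accepted flow pass before any rule (ESTABLISHED accept); else first match or zone policy."""
    flow = (pkt["proto"], pkt["src_ip"], pkt["src_port"], pkt["dest_ip"], pkt["dest_port"])
    if (flow[0], flow[3], flow[4], flow[1], flow[2]) in conntrack:  # reverse 5-tuple already accepted
        return "ACCEPT"
    hit = next((r for r in rules if rule_matches(r, pkt)), None)
    target = hit["target"][0] if hit else policy
    if target == "ACCEPT":
        conntrack.add(flow)
    return target

def ssh_handshake(stateful=True):
    """SSH from the PC (ephemeral port 51923, as in the netstat above): verdicts for the SYN and the reply."""
    syn = dict(chain="input", proto="tcp", src_ip="192.168.2.2", src_port="51923", dest_ip="192.168.2.1", dest_port="22")
    reply = dict(chain="output", proto="tcp", src_ip="192.168.2.1", src_port="22", dest_ip="192.168.2.2", dest_port="51923")
    rules, ct = parse_rules(CONFIG), set()
    return verdict(rules, syn, ct), verdict(rules, reply, ct if stateful else set())
```

With connection tracking the reply is accepted because the SYN was; without it, the second rule is useless since the reply's destination port is 51923, not 22.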

hnyman wrote:

You are assuming that the ssh client is using port 22 on the PC side. It isn't. Typically it uses a random "high" port (like 51923) to initiate the connection to the ssh server at the router's port 22. ...

Oh thanks! I didn't know that! Now a lot of things make sense!!

hnyman wrote:

You are making things really complicated by rejecting all the defaults and trying to do things manually, "reinventing the wheel".

At least allow connections from the router to lan by default.

config zone
        option name 'lan'
...
        option output 'ACCEPT'

Thanks again! I'll try it!

The discussion might have continued from here.