Hi!
I'm not an expert on the OpenWrt firewall. Also, iptables seems a bit complicated, so I'm trying to use only /etc/config/network. As I'm not an expert, I prefer to block everything and then open what I know I need.
So I have created the attached /etc/config/firewall, not completed yet, for what I do on the lan side. So I'll put only the part related to lan. So there is no internet access...
# defaults to DROP
config defaults
	option input DROP
	option output DROP
	option forward DROP
# defaults to DROP in lan (no "option network": the zone name is used as the network name)
config zone
	option name lan
	option input DROP
	option output DROP
	option forward DROP
# lan devices can get an ip via the DHCP server in the router.
# No "option dest": a rule with only src matches traffic to the router itself
# (src and dest together make a forward rule). No dest_ip either: the DHCP
# discover is sent from 0.0.0.0 to 255.255.255.255, not to 192.168.2.1.
# UCI does not accept a trailing "# comment" on an option line, so comments go on their own line.
config rule
	option src lan
	option dest_port '67 68'
	option proto udp
	option target ACCEPT
# lan devices can use the DNS server in the router. Not necessary if there is no "internet"
config rule
	option src lan
	option dest_ip 192.168.2.1
	option dest_port 53
	option proto 'tcp udp'
	option target ACCEPT
# ssh to the OpenWrt router. Only from lan and one device (MAC has six octets)
config rule
	option src lan
	option src_mac xx:xx:xx:xx:xx:xx
	option dest_ip 192.168.2.1
	option dest_port 22
	option proto tcp
	option target ACCEPT
# ssh to the server. Only from lan and two devices.
# src and dest both set: this is a forward rule (lan -> lan through the router)
config rule
	option src lan
	option src_mac 'xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy'
	option dest lan
	option dest_ip 192.168.2.100
	option dest_port 22
	option proto tcp
	option target ACCEPT
What do you think?
With the above configuration (only the necessary services opened), how could I get internet access for the lan devices? I've thought of this:
# open output to ask for an ip from the cable modem
config zone
	option name wan
	option input DROP
	option output ACCEPT
	option forward DROP
	# masq: NAT the 192.168.2.x addresses behind the wan address, otherwise replies cannot come back
	option masq 1
# get access to the internet for the lan devices
config forwarding
	option src lan
	option dest wan
Would the above lines preserve the lan restrictions? I think so. What do you think?
Thanks!
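As an added example that is not part of the original post (and not OpenWrt's own tooling): a small Python lint that parses a UCI firewall file and flags the mistakes discussed in the thread. It assumes fw3/fw4 chain selection (a rule with only `src` matches INPUT, only `dest` matches OUTPUT, both match FORWARD), that UCI parses in strict mode and rejects a trailing `# comment` on an option line, and that the router's lan address is 192.168.2.1; the sample config is constructed from the post.

```python
"""Lint an OpenWrt /etc/config/firewall for the mistakes discussed in the post.

Assumed (fw3/fw4 behaviour, not stated on the page): a rule with only `src`
matches INPUT (traffic to the router itself), only `dest` matches OUTPUT, and
both matches FORWARD; UCI parses in strict mode and rejects extra tokens, so a
trailing `# comment` on an option line is a parse error, not a comment.
"""
import shlex

# Constructed sample: a condensed version of the poster's config,
# with the router's lan address assumed to be 192.168.2.1.
SAMPLE = """\
config defaults
	option input DROP
	option output DROP
	option forward DROP
config zone
	option name lan
	option input DROP
	option output DROP
	option forward DROP
config rule
	option src lan
	option dest lan #is necessary?
	option dest_ip 192.168.2.1
	option dest_port '67 68'
	option proto udp
	option target ACCEPT
config zone
	option name wan
	option input DROP
	option output ACCEPT
	option forward DROP
config forwarding
	option src lan
	option dest wan
"""

# The same intent, written so that none of the checks below fire.
FIXED = """\
config rule
	option src lan
	option proto udp
	option dest_port 67
	option target ACCEPT
config zone
	option name wan
	option input DROP
	option output ACCEPT
	option forward DROP
	option masq 1
config forwarding
	option src lan
	option dest wan
"""

def parse_uci(text):
    """Return ([(section_type, {option: [values]})], [parse warnings])."""
    sections, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # whole-line comments are fine
            continue
        words = shlex.split(line, comments=False)
        kw = words[0]
        if kw == "config" and len(words) >= 2:
            sections.append((words[1], {}))    # optional section name in words[2] is ignored
        elif kw in ("option", "list") and len(words) >= 3 and sections:
            if len(words) > 3:
                warnings.append(f"line {lineno}: too many arguments; UCI rejects inline '#' comments")
            sections[-1][1].setdefault(words[1], []).append(words[2])
        else:
            warnings.append(f"line {lineno}: cannot parse {line!r}")
    return sections, warnings

def first(sec, key, default=None):
    """First value of a (possibly multi-valued) option."""
    return sec.get(key, [default])[0]

def lint(text, router_ips):
    """Return human-readable findings for the config text."""
    sections, findings = parse_uci(text)
    zones = {first(s, "name"): s for t, s in sections if t == "zone" and "name" in s}
    for t, s in sections:
        if t == "rule":
            chain = ("FORWARD" if "src" in s and "dest" in s
                     else "INPUT" if "src" in s else "OUTPUT")
            dest_ip, ports = first(s, "dest_ip"), " ".join(s.get("dest_port", []))
            label = f"rule {first(s, 'src', '*')}->{first(s, 'dest', 'router')} port {ports or 'any'}"
            if chain == "FORWARD" and dest_ip in router_ips:
                findings.append(f"{label}: has both src and dest, so it is a FORWARD rule "
                                f"and never matches traffic to the router; remove 'option dest'")
            if "67" in ports.split() and dest_ip:
                findings.append(f"{label}: DHCP discover goes 0.0.0.0 -> 255.255.255.255, "
                                f"so dest_ip {dest_ip} never matches it; drop dest_ip")
        elif t == "forwarding":
            dst = first(s, "dest")
            zone = zones.get(dst)
            if zone is not None and first(zone, "masq", "0") not in ("1", "yes", "on", "true"):
                findings.append(f"forwarding {first(s, 'src')}->{dst}: zone {dst} has no "
                                f"'option masq 1'; if it is the internet-facing zone, lan "
                                f"traffic leaves un-NATed and replies cannot come back")
    return findings

if __name__ == "__main__":
    for f in lint(SAMPLE, {"192.168.2.1"}):
        print("-", f)
    print("fixed:", lint(FIXED, {"192.168.2.1"}) or "no findings")
```

Run it against your own file with `lint(open("/etc/config/firewall").read(), {"192.168.2.1"})`; the checks are deliberately limited to what is visible in the config, so a clean run means only that these particular mistakes are absent.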