OpenWrt Forum Archive

Topic: packet filtering with bridged interfaces

The content of this topic has been archived on 2 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I use a bridge interface br-lan to unite eth0.2 and wlan0 to one domain. We also have a dmz on eth0.3. Now I'd like to only grant ssh-access from wired connections.

What is the most adept way to achieve this?

iptables -A INPUT -i wlan0 -p tcp --dport 22 -j DROP ?

or rather something with

iptables -A FORWARD -m physdev --physdev-in eth0.2 --physdev-out eth0.3 -p tcp --dport 22 -d 192.168.0.16 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m physdev --physdev-is-bridged -m state --state ESTABLISHED,RELATED -j ACCEPT

In which opkg-package is physdev located?
Would it bring advantages to use a table other than filter?

(Last edited by kirschwasser on 5 Jun 2013, 12:51)

The physdev match is part of iptables-mod-extra. Using normal -i and -o matching will not work for ifaces beneath a bridge.

opkg info iptables-mod-extra says:

- physdev (if ebtables is enabled)

http://wiki.openwrt.org/doc/howto/netfilter says:
ebtables is no longer available in official versions due to performance implications

So I guess physdev won't work on a downloaded image (r36817). Any way without compiling myself?
It would be nice to have.

That wiki notice is outdated, physdev is available for 12.09 and any snapshot builds since then.

Hmkay, I gave it a
iptables -A INPUT -j DROP -m physdev --physdev-in wlan0 -p tcp --dport 22

Waiting for a laptop to see if it works...

I got a laptop with win7 and putty on it. Just tried to ssh to the openwrt-router via wireless and it works.

Any ideas?

Use -I INPUT.

Flush everything
POLICY is ACCEPT

$IPT -A INPUT -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1
$IPT -A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
$IPT -A INPUT -j DROP   -m conntrack --ctstate INVALID
$IPT -A INPUT -j ACCEPT -p udp --dport 67:68 --sport 67:68
$IPT -A INPUT -j ACCEPT -i $IF_WAN -p udp --sport 53
$IPT -A INPUT -j ACCEPT -i $IF_LAN -p udp --sport 53

$IPT -I INPUT -j DROP -m physdev --physdev-in wlan0 -p tcp --dport 22

$IPT -A INPUT -j LOG       --log-prefix "IPT_Rej "
$IPT -A INPUT -j ACCEPT

Curiously I get LOGs:

Jun  5 20:06:28 OpenWrt kern.warn kernel: [31378.590000] IPT_Rej IN=br-lan OUT= MAC=00:x:x:x:x:x:00:x:x:x:x:x:x:x SRC=192.168.1.106 DST=192.168.1.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=47618 DF PROTO=UDP SPT=41093 DPT=53 LEN=43

I use downloaded r36817-Image on ar71xx. The ipv6-rules are unchanged, just flushed the ipv4-tables.
Sysctl says:  net.ipv6.conf.wlan0.disable_ipv6 = 1 and net.ipv6.conf.wlan0.forwarding = 2 (amongst other things)

Hmm, I just tried the following:

$IPT -A INPUT -j ACCEPT -i lo -s 127.0.0.1 -d 127.0.0.1 #---------- loopback
$IPT -A INPUT -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
$IPT -A INPUT -j DROP   -m conntrack --ctstate INVALID
$IPT -A INPUT -j ACCEPT -p udp --dport 67:68 --sport 67:68 #------- DHCP, requests from 255.255.255.255
$IPT -A INPUT -j ACCEPT -i $IF_WAN -p udp --sport 53
$IPT -A INPUT -j ACCEPT -i $IF_LAN -p udp --sport 53
$IPT -I INPUT -m physdev --physdev-in wlan0 -p tcp --dport 22 -j LOG --log-prefix "IPT-Physdev"
$IPT -I INPUT -j DROP -m physdev --physdev-in wlan0 -p tcp --dport 22

$IPT -A INPUT -j ACCEPT

I apply and try ssh from laptop and I succeed. I get no Log-messages.

I installed ebtables with opkg (just in case). Still no effect.

brctl show
bridge name    bridge id        STP enabled    interfaces
br-lan        xxxx.xxxxxxxxxxx    no        eth0.2
                                            wlan0

In /etc/sysctl.conf bridge firewalling is disabled by default... :-(

I changed
net.bridge.bridge-nf-call from 0 to 1
and reloaded with
sysctl -p

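A small diagnostic, added here as an example and not code from the thread: it parses iptables LOG lines like the IPT_Rej one quoted above. The kernel's LOG target only adds a PHYSIN= field when bridge netfilter has handed the physical ingress port to iptables, so a br-lan entry without PHYSIN is consistent with bridge-nf-call-iptables still being 0, and the second sample line is constructed to show what a hit on the IPT-Physdev rule looks like once it is enabled.

```python
import re

# Constructed sample log lines. The first is the entry quoted in the thread
# (IN=br-lan, no PHYSIN). The second is constructed: what the "IPT-Physdev"
# LOG rule emits once bridge netfilter is active and a TCP/22 SYN arrives
# through the wireless port of the bridge. Note the prefix runs straight
# into "IN=" because the rule's --log-prefix has no trailing space.
SAMPLE_LOG = """\
Jun  5 20:06:28 OpenWrt kern.warn kernel: [31378.590000] IPT_Rej IN=br-lan OUT= MAC=00:x:x:x:x:x:00:x:x:x:x:x:x:x SRC=192.168.1.106 DST=192.168.1.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=47618 DF PROTO=UDP SPT=41093 DPT=53 LEN=43
Jun  5 20:11:02 OpenWrt kern.warn kernel: [31652.100000] IPT-PhysdevIN=br-lan OUT= PHYSIN=wlan0 MAC=00:x:x:x:x:x:00:x:x:x:x:x:x:x SRC=192.168.1.106 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50122 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Matches "kernel: [uptime] <log-prefix>IN=..." and splits off the prefix,
# with or without a space between the prefix and the first field.
_LINE_RE = re.compile(r"kernel: \[[^\]]*\] (?P<prefix>.*?) ?(?P<fields>IN=.*)$")


def parse_log_line(line):
    """Return a dict of the LOG target's KEY=VALUE fields plus 'prefix' and
    'flags' (bare tokens such as DF or SYN), or None if not a LOG line."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    entry = {"prefix": m.group("prefix"), "flags": []}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            entry[key] = value  # repeated key (IP LEN vs UDP LEN) keeps the last value
        else:
            entry["flags"].append(token)
    return entry


def parse_log(text):
    return [e for e in (parse_log_line(l) for l in text.splitlines()) if e]


def bridge_netfilter_visible(entries):
    """True if any packet that entered via a bridge carries PHYSIN, i.e. the
    bridge-nf-call-iptables hook is on and physdev matching can work."""
    return any(e["IN"].startswith("br-") and "PHYSIN" in e for e in entries)


def ssh_attempts_via(entries, phys_port):
    """Source addresses of TCP/22 packets that entered on the given physical
    bridge port, as reported by PHYSIN."""
    return [e["SRC"] for e in entries
            if e.get("PROTO") == "TCP" and e.get("DPT") == "22"
            and e.get("PHYSIN") == phys_port]
```

Feed it `logread` output from the router: if every br-lan entry lacks PHYSIN, the physdev rule cannot match regardless of its position in the chain.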