OpenWrt Forum Archive

Topic: iptables structure help needed plz

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

i'm trying to understand the table structure in chaos calmer.
i'm looking for something like a packet flow diagram or anything that would explain
why there are so many tables and what is the purpose of each,
what rules goes into which table, also in which table/s are the rules that are entered in LUCI UI saved?

thanks

winbond wrote:

i'm trying to understand the table structure in chaos calmer.
i'm looking for something like a packet flow diagram or anything that would explain
why there are so many tables and what is the purpose of each,
what rules goes into which table, also in which table/s are the rules that are entered in LUCI UI saved?

thanks

Basically OWRT is Linux; any man iptables will do.
There are 3 chains, pretty self-explanatory:
input, output and forward

http://wiki.openwrt.org/doc/howto/vpn.ipsec.firewall
http://wiki.openwrt.org/doc/howto/vpn.i … all.racoon
http://wiki.openwrt.org/doc/uci/firewall
http://wiki.openwrt.org/inbox/doc/iptables_and_firewall

(Last edited by makarel on 28 Aug 2015, 02:45)

Well, thanks. I know there are 3 tables by default in iptables;
however, Chaos Calmer has 28 chains, and that's what I want to understand.

For example, what happens in this chain?

Chain delegate_output (1 references)
target     prot opt source               destination
1.ACCEPT     all  --  anywhere             anywhere
2.output_rule  all  --  anywhere             anywhere             /* user chain for output */
3.ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
4.DROP       all  --  anywhere             anywhere             ctstate INVALID
5.zone_lan_output  all  --  anywhere             anywhere
6.zone_wan_output  all  --  anywhere             anywhere

My understanding:
1. accept all packets
2. send all to the output_rule chain (no rules defined here, so why use this chain?)
I'm guessing all packets come right back to this chain?
3. accept related or established (didn't we already accept those with the first rule?)
4. drop invalid state
5. send all to the zone_lan_output chain
6. whatever comes back, send to the zone_wan_output chain

Feel free to correct me if you know better.

(Last edited by winbond on 28 Aug 2015, 04:02)

So many Linux experts, bump.

First, your example says nothing.
Use verbose output or look at what happens with the iptables-save command.

"iptables -vnL -t filter"

Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  318 40229 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 401K   94M output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0   /* user chain for output */
 264K   35M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0      ctstate RELATED,ESTABLISHED
 126K   58M zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
11654  790K zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0           
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.2 -j zone_wan_output

OpenWrt FW3 uses many chains by design to make handling many interfaces easier, but it looks confusing for a simple standard stateless firewall setup.

Understand that SVG.
https://en.wikipedia.org/wiki/Iptables# … t-flow.svg
Then read the OpenWrt flow again.
http://wiki.openwrt.org/doc/uci/firewall#packet_flow

winbond wrote:

my understanding:
1. accept all packets

Wrong, only lo traffic.

winbond wrote:

2. send all to output_rule chain (no rules defined here so why use this chain?)

Yes, you can add a rule to the output_rule chain with "firewall.user".

winbond wrote:

3. accept related or established (didn't we already accept those with the first rule?)

Look on verbose output.

(Last edited by trismo on 30 Aug 2015, 13:10)

Thank you, I picked up a book on iptables because obviously I don't know much,

but I have 2 more questions:
is there a way to save the default chain structure to a file so I can see how the default OpenWrt firewall is set up?
Or is there already a file that has that structure saved in it?

Also, is there a command to translate the rule from:
264K   35M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0      ctstate RELATED,ESTABLISHED
to:
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

(Last edited by winbond on 31 Aug 2015, 14:37)
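The thread does not name a command that rewrites a verbose listing line into an iptables-save line, so here is an added example (not from the thread, OpenWrt or iptables) that does the translation for the columns shown above. It assumes the fixed nine-column layout of `iptables -vnL` and handles the match types that appear on this page plus tcp/udp port matches; the sample input is the chain listing quoted in the thread.

```python
import re

# Constructed sample input: the verbose listing quoted in the thread
# (output of `iptables -vnL -t filter` for one chain).
SAMPLE_LISTING = """\
Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  318 40229 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 401K   94M output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0   /* user chain for output */
 264K   35M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0      ctstate RELATED,ESTABLISHED
 126K   58M zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
11654  790K zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0
"""

ANY = {"0.0.0.0/0", "::/0"}   # "match any address" as printed by iptables/ip6tables

def _extras_to_args(extras):
    """Map the trailing match column (dpt:/spt:, ctstate, /* comment */) to -m options."""
    args = []
    m = re.search(r"\b(tcp|udp)\s+(dpt|spt):(\d+)", extras)
    if m:
        args += ["-m", m.group(1), "--dport" if m.group(2) == "dpt" else "--sport", m.group(3)]
    m = re.search(r"\bctstate\s+(\S+)", extras)
    if m:
        args += ["-m", "conntrack", "--ctstate", m.group(1)]
    m = re.search(r"/\*\s*(.*?)\s*\*/", extras)
    if m:
        args += ["-m", "comment", "--comment", '"%s"' % m.group(1)]
    return args

def listing_to_save(listing):
    """Rewrite `iptables -vnL` chain listings as `iptables-save` style -A lines."""
    rules, chain = [], None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]          # works for built-in and user chains
            continue
        cols = line.split(None, 9)           # 9 fixed columns, then free-form matches
        if chain is None or len(cols) < 9 or cols[0] == "pkts":
            continue                         # blank line or column header
        _pkts, _bytes, target, proto, _opt, ifin, ifout, src, dst = cols[:9]
        extras = cols[9].strip() if len(cols) > 9 else ""
        args = ["-A", chain]
        for flag, val, wild in (("-s", src, ANY), ("-d", dst, ANY), ("-i", ifin, {"*"}),
                                ("-o", ifout, {"*"}), ("-p", proto, {"all"})):
            if val not in wild:              # wildcards are simply omitted by iptables-save
                args += [flag, val]
        rules.append(" ".join(args + _extras_to_args(extras) + ["-j", target]))
    return rules
```

Running `listing_to_save(SAMPLE_LISTING)` reproduces the five `-A delegate_output ...` lines quoted above; on a real router `iptables-save` remains the authoritative source, since it prints every match option, including ones this parser does not know.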

Yes, this rule is useless, but if you change the default OUTPUT from ACCEPT to DROP you need this rule to allow IN/OUT traffic.

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
needs this output rule:
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

or, just for every input rule, this:
iptables -A OUTPUT -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
= openwrt -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Default config on Openwrt FW3 firewall

config defaults
    option syn_flood    1
    option input        ACCEPT
    option output        ACCEPT
    option forward        REJECT
# Uncomment this line to disable ipv6 rules
#    option disable_ipv6    1

config zone
    option name        lan
    list   network        'lan'
    option input        ACCEPT
    option output        ACCEPT
    option forward        ACCEPT

config zone
    option name        wan
    list   network        'wan'
    list   network        'wan6'
    option input        REJECT
    option output        ACCEPT
    option forward        REJECT
    option masq        1
    option mtu_fix        1

config forwarding
    option src        lan
    option dest        wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name        Allow-DHCP-Renew
    option src        wan
    option proto        udp
    option dest_port    68
    option target        ACCEPT
    option family        ipv4

# Allow IPv4 ping
config rule
    option name        Allow-Ping
    option src        wan
    option proto        icmp
    option icmp_type    echo-request
    option family        ipv4
    option target        ACCEPT

config rule
    option name        Allow-IGMP
    option src        wan
    option proto        igmp
    option family        ipv4
    option target        ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
    option name        Allow-DHCPv6
    option src        wan
    option proto        udp
    option src_ip        fe80::/10
    option src_port        547
    option dest_ip        fe80::/10
    option dest_port    546
    option family        ipv6
    option target        ACCEPT

config rule
    option name        Allow-MLD
    option src        wan
    option proto        icmp
    option src_ip        fe80::/10
    list icmp_type        '130/0'
    list icmp_type        '131/0'
    list icmp_type        '132/0'
    list icmp_type        '143/0'
    option family        ipv6
    option target        ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Input
    option src        wan
    option proto    icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    list icmp_type        router-solicitation
    list icmp_type        neighbour-solicitation
    list icmp_type        router-advertisement
    list icmp_type        neighbour-advertisement
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Forward
    option src        wan
    option dest        *
    option proto        icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user

Basic firewall with NAT; opens a port for IPv4/6 ping/traceroute/etc. on LAN with IPv6, and DHCP IPv4/6 on WAN.
Save this on your router under /etc/config/firewall.bak if you need it.

Look at what FW3 does using iptables-save & ip6tables-save,
or better, this:

root@openwrt# fw3 -4 print > /tmp/ipv4.rules
root@openwrt# fw3 -6 print > /tmp/ipv6.rules
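A small Python model of the chain walk trismo describes, added here as an example and not code from the thread or from fw3: rules are tried first-match, a user chain with no matching rule returns to its caller, and the built-in chain's policy (`option output` in the defaults section above) decides only what falls through every chain. It shows why the RELATED,ESTABLISHED rule changes nothing with `option output ACCEPT` but is decisive with DROP. The rules are the delegate_output lines quoted earlier; the output_rule and zone_* chains are assumed empty here, which on a real router holds only for output_rule.

```python
# Constructed model of the chains quoted in the thread: the built-in OUTPUT chain
# jumps to delegate_output, which jumps to the output_rule hook and the per-zone
# chains. Assumption: output_rule and zone_* are empty (real zone chains have rules).
CHAINS = {
    "OUTPUT": [{"jump": "delegate_output"}],
    "delegate_output": [
        {"out": "lo", "jump": "ACCEPT"},
        {"jump": "output_rule"},                        # /etc/firewall.user hook
        {"ctstate": {"RELATED", "ESTABLISHED"}, "jump": "ACCEPT"},
        {"out": "br-lan", "jump": "zone_lan_output"},
        {"out": "eth0.2", "jump": "zone_wan_output"},
    ],
    "output_rule": [],
    "zone_lan_output": [],
    "zone_wan_output": [],
}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end the walk immediately

def matches(rule, pkt):
    """A rule matches when every match it carries (-o, ctstate) agrees with the packet."""
    if "out" in rule and rule["out"] != pkt["out"]:
        return False
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
        return False
    return True

def walk(chain, pkt, trace):
    """First-match traversal; a chain with no matching rule returns None (implicit RETURN)."""
    for n, rule in enumerate(CHAINS[chain], 1):
        if not matches(rule, pkt):
            continue
        trace.append(f"{chain}#{n} -> {rule['jump']}")
        if rule["jump"] in TERMINAL:
            return rule["jump"]
        result = walk(rule["jump"], pkt, trace)     # descend into the user chain
        if result:
            return result
        trace.append(f"{rule['jump']} returned to {chain}")
    return None

def verdict(pkt, policy="ACCEPT"):
    """Verdict for a locally generated packet; the policy applies only to the built-in chain."""
    trace = []
    result = walk("OUTPUT", pkt, trace)
    if result is None:
        trace.append(f"OUTPUT exhausted, policy {policy} applies")
        result = f"policy {policy}"
    return result, trace
```

With `verdict({"out": "eth0.2", "ctstate": "NEW"}, policy="DROP")` the trace shows the packet visiting output_rule and zone_wan_output, returning from both, and being dropped by the policy, while an ESTABLISHED packet is accepted at delegate_output rule 3 before any zone chain is consulted.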
