OpenWrt Forum Archive

Topic: Firewall rules to block SSH and Web UI access for a specific ip

The content of this topic has been archived on 11 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello, I'm trying to limit SSH and Web UI access for a specific ip, but it doesn't seem to work. Here are my rules:

config rule
        option name 'Block Web UI access'
        option dest '*'
        option dest_ip '192.168.1.1'
        option src_ip '192.168.1.51'
        option dest_port '80'

config rule
        option name 'Block SSH access'
        option dest '*'
        option dest_ip '192.168.1.1'
        option src_ip '192.168.1.51'
        option dest_port '22'

(Last edited by savickas.kristupas on 27 Jul 2017, 06:37)

Both rules are missing the "target" option (i.e. "reject", "accept", "drop") which specifies what the firewall should do when a match is found. The action that the firewall should take depends on how your firewall is configured otherwise (i.e. if your firewall is configured to accept everything, then you need to block specific traffic. If it is vice-versa and your firewall blocks everything, then you need specific rules which accept traffic).

Also, if you want to prevent a specific IP completely from accessing SSH and Web UI, then "src_ip" together with "dest_port" are enough. No need for "dest_ip" or "dest" options.

You might also need to specify the source zone using "src" option. There are some notes in the firewall configuration page (https://wiki.openwrt.org/doc/uci/firewall#rules) regarding how the options work in different versions.

(Last edited by Antek on 27 Jul 2017, 07:10)

Antek wrote:

Both rules are missing the "target" option (i.e. "reject", "accept", "drop")

I left it out because the OpenWrt wiki says if target is not specified it defaults to 'DROP'.

Anyway, I implemented the changes you recommended and it seems to be working fine. Here's my config in case someone stumbles on this thread with a similar problem:

config rule
        option name 'Block SSH access'
        option src_ip '192.168.1.51'
        option dest_port '22'
        option src '*'
        option target 'DROP'
        # enabled '0' disables this rule; set it to '1' (or omit the option) for the rule to be active
        option enabled '0'

savickas.kristupas wrote:

I left it out because the OpenWrt wiki says if target is not specified it defaults to 'DROP'.

Experience has taught me never to trust "documented defaults", since they often change over time without anyone updating the Wiki pages.

But glad you got it solved.
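As an added example (not from any post in this thread), the following shell script checks UCI "config rule" sections for the three problems that came up above: a missing "target" (Antek's first point, and the "documented defaults" reminder), a missing "src" zone, and an "enabled '0'" option that leaves a rule present but inactive. It only needs awk, so it can run on a router or anywhere else; the sample config it writes is constructed for the demo, and the function names (lint_firewall_rules, write_sample_config, count_findings) are mine, not part of OpenWrt.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: a small lint for
# UCI firewall "config rule" sections. Assumes the config is passed as a
# file path (e.g. a copy of /etc/config/firewall).

# lint_firewall_rules FILE
# Prints one finding per line as "<rule>: <problem>".
# Exit status is 0 when no rule has a finding, 1 otherwise.
lint_firewall_rules() {
    awk -v q="'" '
    function report(label, msg) { print label ": " msg; findings++ }
    function flush(    label) {
        if (!inrule) return
        label = (name != "") ? name : ("rule #" n)
        if (!("target" in opt))
            report(label, "no explicit target; state ACCEPT/REJECT/DROP instead of relying on a documented default")
        if (!("src" in opt))
            report(label, "no src zone; the rule may not be attached to the chain that sees this traffic")
        if (("enabled" in opt) && opt["enabled"] == "0")
            report(label, "enabled is 0, so the rule is present but inactive")
        inrule = 0
    }
    $1 == "config" {
        flush()                      # finish the previous section first
        inrule = ($2 == "rule")      # only "config rule" sections are checked
        if (inrule) { n++; name = $3; gsub(q, "", name); split("", opt) }
        next
    }
    inrule && $1 == "option" {
        key = $2
        val = $0
        sub(/^[[:space:]]*option[[:space:]]+[^[:space:]]+[[:space:]]*/, "", val)  # drop "option <key> "
        gsub(q, "", val)                                                          # strip the single quotes
        sub(/[[:space:]]+$/, "", val)                                             # and trailing whitespace
        opt[key] = val
        if (key == "name") name = val
    }
    END { flush(); exit (findings > 0) }
    ' "$1"
}

# write_sample_config FILE
# Constructed sample: the original rule shape from the thread (no target, no src),
# the corrected shape but with enabled '0', and a clean rule.
write_sample_config() {
    cat > "$1" <<'EOF'
config rule
        option name 'Block Web UI access'
        option src_ip '192.168.1.51'
        option dest_port '80'

config rule
        option name 'Block SSH access'
        option src '*'
        option src_ip '192.168.1.51'
        option dest_port '22'
        option target 'DROP'
        option enabled '0'

config rule
        option name 'Block SSH access (active)'
        option src 'lan'
        option src_ip '192.168.1.51'
        option dest_port '22'
        option target 'DROP'
EOF
}

# count_findings FILE : number of finding lines for FILE
count_findings() {
    lint_firewall_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone demo
tmpcfg=$(mktemp)
write_sample_config "$tmpcfg"
lint_firewall_rules "$tmpcfg" || echo "findings: $(count_findings "$tmpcfg")"
rm -f "$tmpcfg"
```

Run it against a copy of /etc/config/firewall; a non-zero exit status means at least one rule section relies on a default or is switched off. The check is deliberately narrow: it does not replace reading the rule semantics for the version you run (the wiki page linked above), it only makes the three omissions from this thread visible.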
