OpenWrt Forum Archive

Topic: Firewall Config Kamikaze - Does not seem to generate correct rules?

The content of this topic has been archived on 16 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all,

I have installed OpenWrt on my Buffalo router using the bcm driver with the 2.4 kernel. I plan to use the router to do least-cost routing for data over two different ADSL accounts. For this purpose I have set up two pppoe connections in /etc/config/network.

-------------------------------------------------------------------------------------------------
#### VLAN configuration 
config switch eth0
    option vlan0    "1 2 3 4 5*"
    option vlan1    "0 5"

#### Loopback configuration
config interface loopback
    option ifname    "lo"
    option proto    static
    option ipaddr    127.0.0.1
    option netmask    255.0.0.0


#### LAN configuration
config interface lan
    option type bridge
    option ifname    "eth0.0"
    option proto    static
    option ipaddr    192.168.1.1
    option netmask    255.255.255.0
    option dns 208.67.222.222
    
#### WAN configuration

config interface int_adsl 
    option ifname "eth0.1" 
    option proto pppoe
    option username user1@cyberconnect.co.za
    option password xxxxxxxx
    option defaultroute 1
    
config interface local_adsl 
    option ifname "eth0.1" 
    option proto pppoe
    option username user2@cyberconnect.co.za
    option password xxxxxx


-------------------------------------------------------------------------------------------------

I then wanted to set up some basic forwarding through these accounts, and so set up the following under /etc/config/firewall. Basically I used the same syntax as for the wan settings that come as default in this file.

----------------------------------------------------------------------------------------------------------------------------

config defaults
    option syn_flood    1
    option input        ACCEPT
    option output        ACCEPT 
    option forward        REJECT

config zone
    option name        lan
    option input    ACCEPT 
    option output    ACCEPT 
    option forward    REJECT


config zone
    option name    local_adsl    
    option input    REJECT
    option output    ACCEPT 
    option forward    REJECT
    option masq        1
        
config zone
    option name    int_adsl    
    option input    REJECT
    option output    ACCEPT 
    option forward    REJECT
    option masq        1

            
config forwarding
    option src lan 
    option dest local_adsl
    option mtu_fix 1
    
config forwarding
    option src lan
    option dest int_adsl
    option mtu_fix 1
    
# include a file with users custom iptables rules
config include
    option path /etc/firewall.user

----------------------------------------------------------------------------------------------------------------------------

Restarting the firewall produces the following iptables rules in the filter table. Although I am no expert in iptables, it looks like the rules allow the router to accept all INPUT, as the third rule says "ACCEPT     all  --  anywhere             anywhere   ". Doesn't this make the following 3 lines unreachable? Also, it means that all traffic is just accepted, even new connection requests coming from the outside and not initiated from the inside first?

The same goes for the OUTPUT chain. The third rule accepts all output, making the last two unreachable? Once again it appears that there is no requirement for the

The FORWARD chain seems to have no interface or IP restrictions. It just seems to allow all forwarding. (FORWARD->forwarding_rule->zone_lan_forward->zone_int_adsl_ACCEPT)?

Am I doing something wrong in the config file? I have had a look at the uci_firewall.sh script and there is an add_if() function which looks like it should set up the interface restrictions, but it doesn't get called. In particular, in the function that initialises the firewall (fw_start(), I think it's called) there is a line which goes something like "foreach config fw_addif interface", but there are no "interface" stanzas in the /etc/config/firewall file. (Sorry for sounding vague on the function names; I do not have access to the router at the moment to confirm the correct names.)

Here are the results of "iptables -L":

--------------------------------------------------------------------------------------------------      
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
input_rule  all  --  anywhere             anywhere            
input      all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
forwarding_rule  all  --  anywhere             anywhere            
forward    all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
output_rule  all  --  anywhere             anywhere            
output     all  --  anywhere             anywhere            

Chain forward (1 references)
target     prot opt source               destination         
zone_lan_forward  all  --  anywhere             anywhere            
zone_int_adsl_forward  all  --  anywhere             anywhere            
zone_int_adsl_forward  all  --  anywhere             anywhere            

Chain forwarding_int_adsl (1 references)
target     prot opt source               destination         

Chain forwarding_lan (1 references)
target     prot opt source               destination         

Chain forwarding_local_adsl (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain input (1 references)
target     prot opt source               destination         
zone_lan   all  --  anywhere             anywhere            
zone_int_adsl  all  --  anywhere             anywhere            
zone_int_adsl  all  --  anywhere             anywhere            

Chain input_int_adsl (1 references)
target     prot opt source               destination         

Chain input_lan (1 references)
target     prot opt source               destination         

Chain input_local_adsl (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain output (1 references)
target     prot opt source               destination         
zone_lan_ACCEPT  all  --  anywhere             anywhere            
zone_local_adsl_ACCEPT  all  --  anywhere             anywhere            
zone_int_adsl_ACCEPT  all  --  anywhere             anywhere            

Chain output_rule (1 references)
target     prot opt source               destination         

Chain reject (7 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 
DROP       all  --  anywhere             anywhere            

Chain zone_int_adsl (2 references)
target     prot opt source               destination         
input_int_adsl  all  --  anywhere             anywhere            
zone_int_adsl_REJECT  all  --  anywhere             anywhere            

Chain zone_int_adsl_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_int_adsl_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain zone_int_adsl_MSSFIX (1 references)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

Chain zone_int_adsl_REJECT (2 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain zone_int_adsl_forward (2 references)
target     prot opt source               destination         
forwarding_int_adsl  all  --  anywhere             anywhere            
zone_int_adsl_REJECT  all  --  anywhere             anywhere            

Chain zone_lan (1 references)
target     prot opt source               destination         
input_lan  all  --  anywhere             anywhere            
zone_lan_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_lan_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain zone_lan_MSSFIX (0 references)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

Chain zone_lan_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
zone_int_adsl_MSSFIX  all  --  anywhere             anywhere            
zone_int_adsl_ACCEPT  all  --  anywhere             anywhere            
zone_local_adsl_MSSFIX  all  --  anywhere             anywhere            
zone_local_adsl_ACCEPT  all  --  anywhere             anywhere            
forwarding_lan  all  --  anywhere             anywhere            
zone_lan_REJECT  all  --  anywhere             anywhere            

Chain zone_local_adsl (0 references)
target     prot opt source               destination         
input_local_adsl  all  --  anywhere             anywhere            
zone_local_adsl_REJECT  all  --  anywhere             anywhere            

Chain zone_local_adsl_ACCEPT (2 references)
target     prot opt source               destination         

Chain zone_local_adsl_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain zone_local_adsl_MSSFIX (1 references)
target     prot opt source               destination         

Chain zone_local_adsl_REJECT (2 references)
target     prot opt source               destination         

Chain zone_local_adsl_forward (0 references)
target     prot opt source               destination         
forwarding_local_adsl  all  --  anywhere             anywhere            
zone_local_adsl_REJECT  all  --  anywhere             anywhere

Thanks for any help.

Glad I'm not the only one with firewall/iptables problems ;)

//Ivar

Nope, you're not the only one.

And the thing is, I can't seem to find any how-tos on setting up the firewall with some basic settings.

I can find plenty on VPN and firewall, which I will need, but I am not ready for that yet if I can't set up the firewall with basic settings.

Regarding your question about "ACCEPT     all  --  anywhere             anywhere   " and the following unreachable firewall rules:

Try viewing your firewall rules with "iptables -L -v". It will show the input/output interface and other additional restrictions for each firewall rule, and things will make more sense, hopefully.
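The point of the reply above is that plain "iptables -L" hides the interface match, so a line printed as "ACCEPT all -- anywhere anywhere" may really be "-i lo -j ACCEPT" and shadows nothing. As an added example (not code from this thread or from OpenWrt), here is a small script that reads iptables-save output and reports only the rules that are genuinely unreachable: those that follow a rule in the same chain which has no match criteria at all and jumps to a built-in terminating target. The ruleset inside it is constructed: it takes the INPUT chain from the first post and assumes the third rule carries "-i lo" (an assumption, which "iptables -L -v" on the router would confirm), and it adds an input_rule chain with a deliberately shadowed rule, of the kind that is easy to write in /etc/firewall.user, so the script has something to report.

```shell
#!/bin/sh
# Added example, not code from the forum post or from OpenWrt.
# Reads iptables-save text on stdin and reports filter-table rules that can
# never match because an earlier rule in the same chain has no match
# criteria at all and jumps to a built-in terminating target.
#
# On the router (where iptables-save is available):  iptables-save | sh shadowed.sh
shadowed_rules() {
    awk '
    /^\*/     { table = substr($0, 2); next }   # "*filter", "*nat", ...
    /^COMMIT/ { next }
    table != "filter" || $1 != "-A" { next }    # only filter-table append lines
    {
        chain = $2
        target = ""; nmatch = 0
        # Everything between "-A <chain>" and "-j" is match criteria
        # (-i, -o, -p, -m state --state ..., and so on). Options after -j
        # (e.g. --reject-with) belong to the target, not the match.
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") { target = $(i + 1); break }
            nmatch++
        }
        if (blocked[chain] != "") {
            print chain ": unreachable (shadowed by \"" blocked[chain] "\"): " $0
            next
        }
        # A rule with no match criteria and a terminating target catches
        # every packet that reaches it; nothing after it in this chain runs.
        if (nmatch == 0 && (target == "ACCEPT" || target == "DROP" || target == "REJECT"))
            blocked[chain] = $0
    }'
}

# Constructed sample in iptables-save form. The INPUT chain is the one from
# the first post, with the ASSUMPTION that the third rule is the loopback
# accept ("-i lo"), which "iptables -L" prints as "ACCEPT all -- anywhere anywhere".
# The input_rule chain shows the mistake the poster was worried about: an
# unconditional ACCEPT placed before a more specific rule.
SAMPLE=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input - [0:0]
:input_rule - [0:0]
:syn_flood - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -j input_rule
-A INPUT -j input
-A input_rule -j ACCEPT
-A input_rule -p tcp -m tcp --dport 22 -j DROP
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
COMMIT
EOF
)

# Only the input_rule DROP is reported; the "-i lo" ACCEPT in INPUT is not a blocker.
printf '%s\n' "$SAMPLE" | shadowed_rules
```

The script only treats ACCEPT, DROP and REJECT as terminating; a jump to a user chain such as "reject" or "zone_lan_ACCEPT" is not counted even when that chain ends in an unconditional rule, so read those by hand. "iptables -L -v" shows the same in/out interface columns interactively, but iptables-save prints each rule as the command line that created it, which is the easiest form to copy off the router and feed to a script like this one.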

The discussion might have continued from here.