The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.
Hello!
I have LinkSys 54gl with OpenWrt Kamikaze - With X-Wrt Extensions 8.09
I need to block one lan ip from accessing wan ip. I made user rule in /etc/system/firewall
config rule
option src lan
option src_ip 192.168.0.161
option dest wan
option dest_ip 195.68.160.7
option proto tcp
option forward REJECT
but not working, what im doing wrong?
ps last string i tryed to change to option target REJECT and option targe DROP still not warking
Hi.
This:
option forward REJECT
... has no effect in config rule sections. You need to use "option target REJECT" here.
~ JoW
Hi.
This:
MaTpocoB wrote:option forward REJECT
... has no effect in config rule sections. You need to use "option target REJECT" here.
~ JoW
probably you didnt see my ps 
Do you have another rule which accepts that traffic first?
Try running "iptables -L -v" to look at all of your rules and see if anything doesn't make sense.
my full /etc/config/firewall:
config 'defaults'
option 'syn_flood' '1'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
config 'zone'
option 'name' 'lan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
config 'zone'
option 'name' 'wan'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'masq' '1'
config 'forwarding'
option 'src' 'lan'
option 'dest' 'wan'
option 'mtu_fix' '1'
config rule
option src lan
option src_ip 192.168.0.161
option dest wan
option dest_ip 195.68.160.7
option proto tcp
option forward REJECT
by the way, if i make such rule:
config rule
option src lan
option dest wan
option dest_ip 195.68.160.7
option proto tcp
option target REJECT
i dont have internet at all
iptables ii wil show tomorrow cose device is at work
(Last edited by MaTpocoB on 29 Sep 2009, 19:20)
ok! my final not working config is
onfig rule
option src lan
option src_ip 192.168.0.161
option dest wan
option dest_ip 195.68.160.7
option proto tcp
option target REJECT
root@OpenWrt:~# iptables -L -v
Chain INPUT (policy ACCEPT 12 packets, 16416 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere state INVALID
1180 83014 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo any anywhere anywhere
71 3680 syn_flood tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
3197 3786K input_rule all -- any any anywhere anywhere
3197 3786K input all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere state INVALID
65477 57M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
621 52490 forwarding_rule all -- any any anywhere anywhere
621 52490 forward all -- any any anywhere anywhere
0 0 reject all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 3 packets, 200 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere state INVALID
2181 691K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any lo anywhere anywhere
390 94702 output_rule all -- any any anywhere anywhere
390 94702 output all -- any any anywhere anywhere
Chain forward (1 references)
pkts bytes target prot opt in out source destination
621 52490 zone_lan_forward all -- br-lan any anywhere anywhere
0 0 zone_wan_forward all -- eth0.1 any anywhere anywhere
Chain forwarding_lan (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan (1 references)
pkts bytes target prot opt in out source destination
Chain input (1 references)
pkts bytes target prot opt in out source destination
386 60896 zone_lan all -- br-lan any anywhere anywhere
2799 3708K zone_wan all -- eth0.1 any anywhere anywhere
Chain input_lan (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan (1 references)
pkts bytes target prot opt in out source destination
Chain output (1 references)
pkts bytes target prot opt in out source destination
390 94702 zone_lan_ACCEPT all -- any any anywhere anywhere
151 10272 zone_wan_ACCEPT all -- any any anywhere anywhere
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (5 references)
pkts bytes target prot opt in out source destination
62 3062 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
2737 3705K REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
71 3680 RETURN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
0 0 DROP all -- any any anywhere anywhere
Chain zone_lan (1 references)
pkts bytes target prot opt in out source destination
386 60896 input_lan all -- any any anywhere anywhere
386 60896 zone_lan_ACCEPT all -- any any anywhere anywhere
Chain zone_lan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
386 60896 ACCEPT all -- br-lan any anywhere anywhere
239 84430 ACCEPT all -- any br-lan anywhere anywhere
Chain zone_lan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- br-lan any anywhere anywhere
0 0 DROP all -- any br-lan anywhere anywhere
Chain zone_lan_MSSFIX (0 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- any br-lan anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain zone_lan_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- br-lan any anywhere anywhere
0 0 reject all -- any br-lan anywhere anywhere
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
621 52490 zone_wan_MSSFIX all -- any any anywhere anywhere
621 52490 zone_wan_ACCEPT all -- any any anywhere anywhere
0 0 zone_wan_REJECT tcp -- any any MacBook.lan fishki.net
0 0 forwarding_lan all -- any any anywhere anywhere
0 0 zone_lan_REJECT all -- any any anywhere anywhere
Chain zone_wan (1 references)
pkts bytes target prot opt in out source destination
2799 3708K input_wan all -- any any anywhere anywhere
2799 3708K zone_wan_REJECT all -- any any anywhere anywhere
Chain zone_wan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0.1 any anywhere anywhere
769 62562 ACCEPT all -- any eth0.1 anywhere anywhere
Chain zone_wan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0.1 any anywhere anywhere
0 0 DROP all -- any eth0.1 anywhere anywhere
Chain zone_wan_MSSFIX (1 references)
pkts bytes target prot opt in out source destination
319 19776 TCPMSS tcp -- any eth0.1 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain zone_wan_REJECT (3 references)
pkts bytes target prot opt in out source destination
2799 3708K reject all -- eth0.1 any anywhere anywhere
0 0 reject all -- any eth0.1 anywhere anywhere
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan all -- any any anywhere anywhere
0 0 zone_wan_REJECT all -- any any anywhere anywhere
Hi.
I've read you use 8.09 . The reason why your reject rule does not work is that the following changeset is missing in 8.09: https://dev.openwrt.org/changeset/15278 … irewall.sh . Edit /lib/firewall/uci_firewall.sh and reorder the lines as in the changelog - then it should work,
~ JoW
Hi.
I've read you use 8.09 . The reason why your reject rule does not work is that the following changeset is missing in 8.09: https://dev.openwrt.org/changeset/15278 … irewall.sh . Edit /lib/firewall/uci_firewall.sh and reorder the lines as in the changelog - then it should work,
~ JoW
THANK U!!! ITS WORKING!!!!
And one more question! how set oerder of rules, as i understand from ferst to last? so if i wan to block all internet for one lan host and permit only one site i need to this?
config rule
option src lan
option src_ip 192.168.0.161
option dest wan
option dest_ip 195.68.160.7
option proto tcp
option target ACCEPT
config rule
option src lan
option src_ip 192.168.0.161
option dest wan
option proto tcp
option target REJECT
?
The discussion might have continued from here.