OpenWrt Forum Archive

Post #1

cyrus_mc

14 Dec 2009, 03:22

Now, I know I can simply add the FORWARD rules in the firewall.user file and make sure they appear before the reject but I want to set it up using the network and firewall config files.

I have the following:

config interface loopback
option ifname lo
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0

config interface lan
option ifname eth1
option type bridge
option proto static
option ipaddr 192.168.1.1
option netmask 255.255.255.0

config interface wan
option ifname eth0
option proto dhcp

config interface vpn
option ifname tun0
option proto none

In /etc/config/firewall:

config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT

config zone
option name lan
option input ACCEPT
option output ACCEPT
option forward REJECT

config zone
option name wan
option input DROP
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1

config zone
option name vpn
option input ACCEPT
option output ACCEPT
option forward REJECT

config forwarding
option src lan
option dest wan

config forwarding
option src vpn
option dest lan

config forwarding
option src lan
option dest vpn

Output of iptables -L -v:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
485 25291 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
20 1440 ACCEPT all -- lo any anywhere anywhere
789 47324 syn_flood tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
181 16332 input_rule all -- any any anywhere anywhere
181 16332 input all -- any any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
154 59711 zone_wan_MSSFIX all -- any any anywhere anywhere
144 58521 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
10 1190 forwarding_rule all -- any any anywhere anywhere
10 1190 forward all -- any any anywhere anywhere
0 0 reject all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
453 73193 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
20 1440 ACCEPT all -- any lo anywhere anywhere
15 2473 output_rule all -- any any anywhere anywhere
15 2473 output all -- any any anywhere anywhere

Chain forward (1 references)
pkts bytes target prot opt in out source destination
7 1046 zone_lan_forward all -- br-lan any anywhere anywhere
3 144 zone_wan_forward all -- eth0 any anywhere anywhere

Chain forwarding_lan (1 references)
pkts bytes target prot opt in out source destination

Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination

Chain forwarding_vpn (1 references)
pkts bytes target prot opt in out source destination

Chain forwarding_wan (1 references)
pkts bytes target prot opt in out source destination

Chain input (1 references)
pkts bytes target prot opt in out source destination
20 5660 zone_lan all -- br-lan any anywhere anywhere
161 10672 zone_wan all -- eth0 any anywhere anywhere

Chain input_lan (1 references)
pkts bytes target prot opt in out source destination

Chain input_rule (1 references)
pkts bytes target prot opt in out source destination

Chain input_vpn (1 references)
pkts bytes target prot opt in out source destination

Chain input_wan (1 references)
pkts bytes target prot opt in out source destination

Chain output (1 references)
pkts bytes target prot opt in out source destination
15 2473 zone_lan_ACCEPT all -- any any anywhere anywhere
7 397 zone_wan_ACCEPT all -- any any anywhere anywhere
0 0 zone_vpn_ACCEPT all -- any any anywhere anywhere

Chain output_rule (1 references)
pkts bytes target prot opt in out source destination

Chain reject (5 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable

Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
154 9224 RETURN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
635 38100 DROP all -- any any anywhere anywhere

Chain zone_lan (1 references)
pkts bytes target prot opt in out source destination
20 5660 input_lan all -- any any anywhere anywhere
20 5660 zone_lan_ACCEPT all -- any any anywhere anywhere

Chain zone_lan_ACCEPT (3 references)
pkts bytes target prot opt in out source destination
20 5660 ACCEPT all -- br-lan any anywhere anywhere
8 2076 ACCEPT all -- any br-lan anywhere anywhere

Chain zone_lan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- br-lan any anywhere anywhere
0 0 DROP all -- any br-lan anywhere anywhere

Chain zone_lan_MSSFIX (0 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- any br-lan anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_lan_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- br-lan any anywhere anywhere
0 0 reject all -- any br-lan anywhere anywhere

Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
7 1046 zone_vpn_ACCEPT all -- any any anywhere anywhere
7 1046 zone_wan_ACCEPT all -- any any anywhere anywhere
0 0 forwarding_lan all -- any any anywhere anywhere
0 0 zone_lan_REJECT all -- any any anywhere anywhere

Chain zone_vpn (0 references)
pkts bytes target prot opt in out source destination
0 0 input_vpn all -- any any anywhere anywhere
0 0 zone_vpn_ACCEPT all -- any any anywhere anywhere

Chain zone_vpn_ACCEPT (3 references)
pkts bytes target prot opt in out source destination

Chain zone_vpn_DROP (0 references)
pkts bytes target prot opt in out source destination

Chain zone_vpn_MSSFIX (0 references)
pkts bytes target prot opt in out source destination

Chain zone_vpn_REJECT (1 references)
pkts bytes target prot opt in out source destination

Chain zone_vpn_forward (0 references)
pkts bytes target prot opt in out source destination
0 0 zone_lan_ACCEPT all -- any any anywhere anywhere
0 0 forwarding_vpn all -- any any anywhere anywhere
0 0 zone_vpn_REJECT all -- any any anywhere anywhere

Chain zone_wan (1 references)
pkts bytes target prot opt in out source destination
161 10672 input_wan all -- any any anywhere anywhere
4 1372 ACCEPT udp -- any any anywhere anywhere udp dpt:68
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:1194
157 9300 zone_wan_DROP all -- any any anywhere anywhere

Chain zone_wan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 any anywhere anywhere
14 1443 ACCEPT all -- any eth0 anywhere anywhere

Chain zone_wan_DROP (1 references)
pkts bytes target prot opt in out source destination
157 9300 DROP all -- eth0 any anywhere anywhere
0 0 DROP all -- any eth0 anywhere anywhere

Chain zone_wan_MSSFIX (1 references)
pkts bytes target prot opt in out source destination
1 60 TCPMSS tcp -- any eth0 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_wan_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- eth0 any anywhere anywhere
0 0 reject all -- any eth0 anywhere anywhere

Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any anywhere 192.168.1.205 udp dpt:3074
0 0 ACCEPT tcp -- any any anywhere 192.168.1.205 tcp dpt:3074
0 0 ACCEPT udp -- any any anywhere 192.168.1.205 udp dpt:88
0 0 ACCEPT udp -- any any anywhere 192.168.1.166 udp dpts:10000:20000
3 144 ACCEPT tcp -- any any anywhere desktop.lan tcp dpts:6881:6889
0 0 forwarding_wan all -- any any anywhere anywhere
0 0 zone_wan_REJECT all -- any any anywhere anywhere

A couple of thing to note here, all the zone_vpn chains seemed to be orphaned (ie: 0 references). For instance the zone_vpn which should be referenced by the input chain, it isn't. Also, there is no reference to interface tun0 in any of the zone_vpn_ACCEPT/REJECT chains.

Reading the output of logread there are messages like:

Dec 31 16:00:23 router user.notice root: adding wan (eth0) to firewall zone wan
Dec 31 16:00:23 router user.notice root: adding lan (br-lan) to firewall zone lan

But I don't see a similar message for the VPN network.

Any help would be appreciated.

Thanks

Post #2

heinb

29 Dec 2009, 18:45

Hi,

I´m standing on the same problems - do you have solved this and could give me some hints?

Bye,
HeinB

Post #3

cyrus_mc

29 Dec 2009, 19:17

heinb wrote:

Hi,
I´m standing on the same problems - do you have solved this and could give me some hints?
Bye,
HeinB

Yep. You need to run ifup vpn to bring up the VPN network since it is set to proto none. I added this to my rc.local file. Once that is done it adds the necessary rules to the firewall, etc.

Post #4

Ritmo2k

29 Dec 2009, 22:19

Hey cyrus_mc,

Just to confirm what you have added,

/etc/config/network:

config 'interface'  'vpn'
        option 'ifname'  'tun0'
        option 'proto'  'none'

/etc/config/firewall:

config zone                     
        option name             vpn
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
                              
config forwarding                 
        option src              vpn
        option dest             lan
                                   
config forwarding                 
        option src              lan
        option dest             vpn

And finally, if there is no /etc/rc.local, create one with 'ifup vpn'?

Do we need to worry about these edits getting overwritten if changes in the gui are made for the /etc/config/network and /etc/config/firewall files?
Is there a better place to place the ifup command, or its thats till the best plan?

Thanks!

Post #5

cyrus_mc

30 Dec 2009, 00:25

Ya, just create the rc.local file if it doesn't already exist. It gets executed by /etc/init.d/done.

Here is what I put in:

# bring up the VPN interface
ps -ef | grep openvpn > /dev/null && ifup vpn

As for your other questions, that is the correct way to do it. The GUI shouldn't overwrite that stuff.