OpenWrt Forum Archive

Topic: How do I reset iptables in openwrt as I cant access internet from lan?

The content of this topic has been archived on 7 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

The default set-up was working but somehow while editing /etc/config/firewall or via web interface I caused my router to stop allowing access to the internet from the lan side. I was trying to allow access to ssh and the web interface of the router from wan side.

What I can do:
I can access the internet from the router
I can ssh into router from wan and lan
But I cannot access the internet from the lan - I tried more than one PC.

I'm using openwrt backfire (rc24038), so is there a way I can reset the iptables to the default? Or can I do a general reset to reset everything to the default?

Thanks,
Jim

Disclaimer: I'm new to openwrt and have no clue about iptables

# cat /etc/config/firewall

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'
        option 'mtu_fix' '1'

config 'forwarding'
        option 'mtu_fix' '0'
        option 'src' 'wan'
        option 'dest' 'lan'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '68'
        option 'target' 'ACCEPT'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'target' 'ACCEPT'

config 'include'
        option 'path' '/etc/firewall.user'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'ssh'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '22'

# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
wavesailor wrote:

But I cannot access the internet from the lan - I tried more than one PC.
...
Disclaimer: I'm new to openwrt and have no clue about iptables

config 'forwarding'
        option 'mtu_fix' '0'
        option 'src' 'wan'
        option 'dest' 'lan'

You seem to have turned the forwarding rule upside down: you are now forwarding everything from WAN to LAN, but there is no rule for passing traffic from LAN to outside...

The normal rule is vice versa:

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'

Thank You hnyman!!! :-)

Everything seems to work fine again .... I don't quite know how that happened???

Now perhaps you could help solve my initial two problems?

Firstly I want to allow ssh access on port 2222 from the outside (wan) to the router but would like to keep the access from the lan side on 22 ... and I'm happy using a password for ssh.

And secondly I want to only allow HTTPS (443) access to the router from the wan side but allow both HTTP(80) and HTTPS (443) from the lan side.

Currently I have this rule defined and if I add a 'src_port' '2222' then it does not work any more???

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'ssh'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '22'

Ok I figured out a solution ... not sure if it is the best way though but it works :-)

You need to set up SSL-protected access with uhttpd and then modify the firewall using the following steps (verified with 10.3).

Firstly install the cert generator and web server TLS plugin:

opkg install px5g uhttpd-mod-tls

Then restart the web server to trigger certificate generation:

/etc/init.d/uhttpd restart

Optionally remove the key generator:

opkg remove px5g

Then edit the firewall config file:

vi /etc/config/firewall

Now append the following:

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'luci'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '443'

config redirect
        option src    wan
        option src_dport    2222
        option dest    lan
        option dest_ip    192.168.1.1
        option dest_port    22
        option proto    tcp

config rule
        option src    wan
        option proto    tcp
        option dest_ip    192.168.1.1
        option dest_port    22
        option target    ACCEPT

Additionally I allow ssh access from the wan to the router on port 2222.
And finally you need to stop and start your firewall to effect the changes:

/etc/init.d/firewall stop
/etc/init.d/firewall start

(Last edited by wavesailor on 18 May 2011, 01:33)
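The two things this thread turns on, hnyman's forwarding-direction diagnosis and what the wan zone ends up exposing once the 443 rule and the 2222 redirect are appended, can be checked mechanically. The script below is an added example, not code from the thread or from OpenWrt: it flattens a UCI /etc/config/firewall with awk (both quoting styles seen in the thread are handled), reports whether a lan -> wan forwarding exists, flags any wan -> lan forwarding, and lists every rule or redirect the wan zone accepts. The function names and the two sample configs are constructed here; the "final" sample keeps the original generic dest_port 22 rule, which is an assumption based on the solution post saying only to append the new sections.

```shell
#!/bin/sh
# Added audit script (not from the thread or from OpenWrt): flatten a UCI
# /etc/config/firewall and check the points discussed above. Works with
# busybox awk as well as gawk/mawk; all names and sample data are invented here.

# One summary line per interesting section:
#   forward  <src> <dest>
#   accept   <proto> <dest_port|any> <dest_ip|router>   (rule with src=wan, target=ACCEPT)
#   redirect <proto> <src_dport> <dest_ip>:<dest_port>  (DNAT redirect with src=wan)
fw_summarise() {
    awk '
    function flush(   k) {
        if (type == "forwarding")
            print "forward", opt["src"], opt["dest"]
        else if (type == "rule" && opt["src"] == "wan" && opt["target"] == "ACCEPT")
            print "accept", opt["proto"], (opt["dest_port"] != "" ? opt["dest_port"] : "any"),
                  (opt["dest_ip"] != "" ? opt["dest_ip"] : "router")
        else if (type == "redirect" && opt["src"] == "wan")
            print "redirect", opt["proto"], opt["src_dport"], opt["dest_ip"] ":" opt["dest_port"]
        type = ""
        for (k in opt) delete opt[k]
    }
    /^[ \t]*#/ { next }              # skip comment lines
    { gsub("\047", "") }             # drop UCI quotes so $2/$3 are key/value
    $1 == "config" { flush(); type = $2 }
    $1 == "option" { opt[$2] = $3 }
    END { flush() }
    ' "$1"
}

# 0 when a lan -> wan forwarding exists (LAN clients can reach the internet);
# 0 when a wan -> lan forwarding exists (the inverted rule from the first post);
# and the sorted list of everything wan may reach on or through the router.
fw_lan_to_wan_ok()  { fw_summarise "$1" | grep -q '^forward lan wan$'; }
fw_has_wan_to_lan() { fw_summarise "$1" | grep -q '^forward wan lan$'; }
fw_wan_exposed()    { fw_summarise "$1" | grep -E '^(accept|redirect) ' | sort; }

# Number of rules that still accept TCP/22 on the router itself from wan.
fw_wan_ssh22_on_router() { fw_summarise "$1" | grep -c '^accept tcp 22 router$' || true; }

fw_report() {
    if fw_lan_to_wan_ok "$1"; then echo "ok: lan -> wan forwarding present"
    else echo "PROBLEM: no lan -> wan forwarding, LAN clients cannot reach the internet"; fi
    if fw_has_wan_to_lan "$1"; then echo "PROBLEM: wan -> lan forwarding lets the internet initiate into LAN"; fi
    echo "wan-reachable services:"; fw_wan_exposed "$1" | sed 's/^/  /'
}

# Constructed sample of the broken state from the first post (only the
# forwarding section matters for the direction check).
fw_write_broken() {
    printf "config 'forwarding'\n\toption 'src' 'wan'\n\toption 'dest' 'lan'\n" > "$1"
}

# Constructed sample of the thread's final state: lan -> wan restored, 443 and
# the 2222 redirect added, and (assumed, since the post only appends) the
# original port-22 rule still present. Both UCI quoting styles appear.
fw_write_sample() {
    cat > "$1" <<'EOF'
config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'

config 'rule'
        option '_name' 'ssh'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '22'
        option 'target' 'ACCEPT'

config rule
        option _name luci
        option src wan
        option proto tcp
        option dest_port 443
        option target ACCEPT

config redirect
        option src wan
        option src_dport 2222
        option dest lan
        option dest_ip 192.168.1.1
        option dest_port 22
        option proto tcp

config rule
        option src wan
        option proto tcp
        option dest_ip 192.168.1.1
        option dest_port 22
        option target ACCEPT
EOF
}

# Stand-alone run against both constructed samples.
bad=$(mktemp) && good=$(mktemp)
fw_write_broken "$bad"; fw_write_sample "$good"
echo "== first post =="; fw_report "$bad"
echo "== final config =="; fw_report "$good"
rm -f "$bad" "$good"
```

On the broken sample the report shows the missing lan -> wan forwarding and the wan -> lan one, which is exactly hnyman's diagnosis. On the final sample the listing shows TCP/22 on the router still accepted from wan next to the 2222 redirect, so meeting the stated goal (2222 only from the outside) means dropping that first generic dest_port 22 rule; because the redirect's target is the router's own LAN address, the DNAT'd packets are delivered locally, and it is the last rule (dest_ip 192.168.1.1, port 22) rather than a forwarding that admits them.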
