OpenWrt Forum Archive

Topic: How to disable forwarding from LAN to WAN by default

The content of this topic has been archived on 4 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have set up forwarding to REJECT for zone LAN to WAN in LuCI (http://openwrt.kreteni.eu/firewall.gif), but the traffic still passes through the router.
When I look at the iptables rules (http://openwrt.kreteni.eu/iptables.gif), I can see my rule enabling http traffic followed by an automatically generated rule enabling all traffic. Where and why is this rule number four (see the picture) created?

My /etc/config/firewall file:

config rule
    option src 'lan'
    option dest 'wan'
    option name 'http'
    option family 'ipv4'
    option proto 'tcp'
    option src_ip '172.21.163.80/28'
    option dest_port '80'
    option target 'ACCEPT'

config defaults
    option syn_flood '1'
    option forward 'REJECT'
    option input 'REJECT'
    option output 'REJECT'

config zone
    option name 'lan'
    option forward 'REJECT'
    option output 'ACCEPT'
    option input 'REJECT'
    option family 'ipv4'
    option network 'lan'

config zone
    option name 'wan'
    option masq '1'
    option mtu_fix '1'
    option input 'DROP'
    option forward 'DROP'
    option family 'ipv4'
    option network 'wan'
    option output 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'lan'

Delete the last three lines.

When I deleted the forwarding section, it banned all traffic from LAN to WAN. Even the http protocol allowed through the router by my rule did not pass. How do I configure it so that only the traffic defined in my rules is forwarded by the router from the LAN to the WAN?

So really nobody can advise how to configure the firewall to forward only the traffic defined in the rules?

Not sure how the UCI configuration translates into iptables rules, but you can try to add a rule like this:

config rule
    option src 'lan'
    option dest 'wan'
    option target 'REJECT'

right after your whitelist rules.
This should reject packets that did not match your whitelist rule(s).

When I add a rule blocking all traffic at the end of my own rules (rule 6), it also blocks traffic which should be enabled by rule 8, generated for port forwarding (http://openwrt.kreteni.eu/iptables2.gif). I still have a feeling that the wrong rule is number 7, which I cannot change, enabling forwarding from LAN to WAN even though I have set the default forwarding rule from LAN to WAN to REJECT (http://openwrt.kreteni.eu/firewall.gif).

(Last edited by Mirek on 21 Jan 2016, 09:08)

Rule #6 (your REJECT) is the end of the chain; no packet will reach any rule below it, including 7 and 8.
The only traffic that will be allowed is that which was ACCEPTed by rules above (before) #6.
So, for configuration on your screenshot, only HTTP/HTTPS and ICMP traffic from hosts 172.21.163.80/28 (range of 172.21.163.81-172.21.163.94) and all traffic from 172.21.163.96/28 (range of 172.21.163.97-172.21.163.110) will be allowed.
Any traffic from other hosts will not be accepted by rules 2-5 and will be rejected by #6.

I understand, but I need Rule 8 to work for DNAT port forwarding (it is automatically generated).
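An added model of the chain evaluation discussed in this thread (not from the thread, LuCI or OpenWrt's firewall3; the chain order is assumed from the poster's screenshots): it parses a cut-down copy of the posted config and shows that the `config forwarding` section accepts traffic the zone's REJECT policy would have dropped, and that a catch-all REJECT rule shadows every entry after it.

```python
"""Model of how the posted UCI config becomes an ordered LAN->WAN forward chain.
Chain order is assumed from the thread's screenshots (not checked against firewall3):
'config rule' sections in file order, then 'config forwarding', then the zone policy."""
import ipaddress
FIREWALL_CFG = """
config rule
    option src 'lan'
    option dest 'wan'
    option name 'http'
    option proto 'tcp'
    option src_ip '172.21.163.80/28'
    option dest_port '80'
    option target 'ACCEPT'
config zone
    option name 'lan'
    option forward 'REJECT'
config forwarding
    option dest 'wan'
    option src 'lan'
"""
# Constructed catch-all, as suggested in the thread (no src_ip/proto/port => matches all).
DENY_REST = "config rule\n option src 'lan'\n option dest 'wan'\n option name 'deny-rest'\n option target 'REJECT'\n"

def parse_uci(text):
    """Tiny UCI reader: list of (section_type, {option: value})."""
    sections = []
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] == "option" and sections:
            sections[-1][1][parts[1]] = parts[2].strip("'")
    return sections

def rule_matches(opts, pkt):
    """Unset options match anything; pkt = {'src': ip str, 'proto': str, 'dport': int}."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(opts.get("src_ip", "0.0.0.0/0"))
            and opts.get("proto") in (None, pkt["proto"])
            and opts.get("dest_port") in (None, str(pkt["dport"])))

def forward_verdict(cfg_text, pkt, src="lan", dest="wan"):
    """First matching chain entry wins, so anything below a catch-all REJECT is dead."""
    sections = parse_uci(cfg_text)
    for typ, o in sections:                      # 1. explicit rules, file order
        if typ == "rule" and (o.get("src"), o.get("dest")) == (src, dest) and rule_matches(o, pkt):
            return f"{o.get('target', 'ACCEPT')} (rule {o.get('name', 'unnamed')})"
    for typ, o in sections:                      # 2. blanket ACCEPT from 'config forwarding'
        if typ == "forwarding" and (o.get("src"), o.get("dest")) == (src, dest):
            return "ACCEPT (zone forwarding)"
    for typ, o in sections:                      # 3. the source zone's own forward policy
        if typ == "zone" and o.get("name") == src:
            return f"{o.get('forward', 'REJECT')} (zone policy)"
    return "REJECT (default)"
```

Deleting the three `config forwarding` lines (`FIREWALL_CFG.split("config forwarding")[0]`) makes non-whitelisted traffic fall through to the zone's REJECT, while appending `DENY_REST` rejects it before the forwarding entry is ever consulted.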

The discussion might have continued from here.