OpenWrt Forum Archive

Topic: Firewall WAN to LAN permanent open

The content of this topic has been archived on 24 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
helldunkel
3 Sep 2017, 17:54

Hi,

I want to create a DMZ with a 3 Port Router.
From LAN to DMZ and WAN to DMZ everything work.
But from WAN to LAN and DMZ to LAN all ports are open.
I set everything to Drop
Delete SNAT

Why I can access the LAN from WAN and DMZ

config defaults
        option syn_flood '1'
        option forward 'DROP'
        option input 'DROP'
        option output 'DROP'

config include
        option path '/etc/firewall.user'

config zone
        option name 'lan'
        option network 'lan'
        option forward 'DROP'
        option output 'ACCEPT'
        option input 'ACCEPT'

config zone                             
        option name 'wan'    
        option network 'WAN' 
        option input 'DROP'             
        option output 'DROP' 
        option family 'ipv4' 
        option forward 'DROP'           
                             
config zone                             
        option name 'dmz'     
        option network 'DMZ' 
        option input 'DROP'  
        option output 'DROP'  
        option forward 'DROP'

onfig redirect                         
        option target 'SNAT'            
        option src 'lan'                
        option dest 'dmz'               
        option proto 'all'              
        option src_dip '192.168.170.190'
        option name 'DMZ'               
        option dest_ip '10.168.170.25'
        option dest_port '443'        
                                        
config rule                           
        option target 'ACCEPT'        
        option src 'lan'                
        option dest 'dmz'             
        option family 'ipv4'          
        option dest_ip '10.168.170.25'  
        option dest_port '443'        
        option name 'LAN->DMZ '  
        option enabled '0' 

config rule                                                                                                                                   
        option target 'ACCEPT'                                                                                                                
        option src 'lan'                                                                                                                      
        option dest 'dmz'                                                                                                                     
        option family 'ipv4'                                                                                                                  
        option dest_ip '10.168.170.25'                                                                                                        
        option dest_port '22'                                                                                                                 
        option name 'LAN->DMZ ssh'                                                                                                            
        option enabled '0'                                                                                                                    
                                                                                                                                              
config rule                                                                                                                                   
        option target 'ACCEPT'                                                                                                                
        option src 'lan'                                                                                                                      
        option name 'LAN->DMZ webmin'                                                                                                         
        option dest 'dmz'                                                                                                                     
        option dest_ip '10.168.170.25'                                                                                                        
        option dest_port '10000'                                                                                                              
        option enabled '0'                                                                                                                    
                                                                                                                                              
config rule                                                                                                                                   
        option target 'ACCEPT'                                                                                                                
        option src 'wan'                                                                                                                      
        option dest 'dmz'                                                                                                                     
        option name 'WAN->DMZ '                                                                                                          
        option dest_ip '10.168.170.25'                                                                                                        
        option dest_port '443'                                                                                                                
        option enabled '0'                                                                                                                    
                                                                                                                                              
config forwarding                                                                                                                             
        option dest 'wan'                                                                                                                     
        option src 'lan'                                                                                                                      
                                                                                                                                              
config forwarding                                                                                                                             
        option dest 'wan'                                                                                                                     
        option src 'dmz'

Where is my mistake?

Regards

(Last edited by helldunkel on 3 Sep 2017, 17:55)

Post #2
eduperez
3 Sep 2017, 21:45

Your LAN zone is configured as "option input 'ACCEPT'", isn't it?

Post #3
helldunkel
4 Sep 2017, 19:09

yes
But I thought chain INPUT and OUTPUT is only for communication with the Firewall (ssh, LuCi, ...)?

When I set input to DROP I lose the connection to the router.

Post #4
helldunkel
4 Sep 2017, 19:41

Is this a bug ?

Post #5
eduperez
4 Sep 2017, 21:21
helldunkel wrote:

But I thought chain INPUT and OUTPUT is only for communication with the Firewall (ssh, LuCi, ...)?

INPUT and OUTPUT here refer to traffic that enters or leaves that zone, resp. Thus, "option input 'ACCEPT'" in the LAN config means that all interfaces in the LAN zone are open to incoming traffic by default.

helldunkel wrote:

When I set input to DROP I lose the connection to the router.

Well, "option input 'DROP'" in the LAN config means that all interfaces in the LAN zone are closed to incoming traffic by default. Now you should add rules to allow the kind of access you need.

Post #6
Antek
5 Sep 2017, 16:29

Maybe you should also post /etc/config/network for reference?

The discussion might have continued from here.