Differences

This shows you the differences between two versions of the page.

doc:uci:firewall [2013/10/29 10:32]
zorun DNAT example: make it compatible with NAT reflection
doc:uci:firewall [2014/10/31 13:17] (current)
por corrected link to #notes.on.connection.tracking
Line 56: Line 56:
| ''masq_src'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. | | ''masq_src'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. |
| ''masq_dest'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. | | ''masq_dest'' | list of subnets | no | ''0.0.0.0/0'' | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. |
-| ''conntrack'' | boolean | no | ''1'' if masquerading is used, ''0'' otherwise | Force connection tracking for this zone (see [[#note.on.connection.tracking.notrack|Note on connection tracking]]) |+| ''conntrack'' | boolean | no | ''1'' if masquerading is used, ''0'' otherwise | Force connection tracking for this zone (see [[#notes.on.connection.tracking|Note on connection tracking]]) |
| ''mtu_fix'' | boolean | no | ''0'' | Enable MSS clamping for //outgoing// zone traffic | | ''mtu_fix'' | boolean | no | ''0'' | Enable MSS clamping for //outgoing// zone traffic |
| ''input'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //incoming// zone traffic | | ''input'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //incoming// zone traffic |
Line 90: Line 90:
//Redirects are also commonly known as "port forwarding", and "virtual servers".// //Redirects are also commonly known as "port forwarding", and "virtual servers".//
 +
 +Port ranges are specified as ''start:stop'', for instance ''6666:6670''.  This is similar to the iptables syntax.
The options below are valid for //redirects//: The options below are valid for //redirects//:
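Review bot: the added sentence explains the `start:stop` range syntax but not which redirect options accept a range; state explicitly which of the port options (`src_dport`, `dest_port`) take a range so readers do not apply it to an option that expects a single value. The same sentence is also added verbatim in the rules section later in this change; writing it once and linking to it, or at least keeping both copies identical when one is edited, avoids the two drifting apart.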
Line 117: Line 119:
| ''reflection'' | boolean | no | ''1'' | Activate NAT reflection for this redirect - applicable to ''DNAT'' targets. | | ''reflection'' | boolean | no | ''1'' | Activate NAT reflection for this redirect - applicable to ''DNAT'' targets. |
| ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. | | ''reflection_src'' | string | no | ''internal'' | The source address to use for NAT-reflected packets if ''reflection'' is ''1''. This can be ''internal'' or ''external'', specifying which interface’s address to use. Applicable to ''DNAT'' targets. |
-| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. |+| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/second'', ''3/sec'' or ''3/s''. |
| ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' | | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' |
| ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. | | ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. |
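Review bot: the description in the `limit` row still lists only the long suffixes `/second`, `/minute`, `/hour` and `/day`, while the new examples use `3/sec` and `3/s`; either extend the description to say that the abbreviated forms are accepted, or keep the examples to the forms the description lists, otherwise readers cannot tell which spelling is authoritative.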
Line 134: Line 136:
  * If only ''dest'' is given, the rule matches //outgoing// traffic   * If only ''dest'' is given, the rule matches //outgoing// traffic
  * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule   * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule
 +
 +Port ranges are specified as ''start:stop'', for instance ''6666:6670''.  This is similar to the iptables syntax.
Valid options for this section are: Valid options for this section are:
Line 159: Line 163:
| ''set_xmark'' | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | | ''set_xmark'' | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. | | ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. |
-| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Example: ''3/hour''. |+| ''limit'' | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/second'', ''/minute'', ''/hour'' or ''/day'' suffix. Examples: ''3/minute'', ''3/min'' or ''3/m''. |
| ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' | | ''limit_burst'' | integer | no | ''5'' | Maximum initial number of packets to match, allowing a short-term average above ''limit'' |
| ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. | | ''extra'' | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''-m policy %%--%%dir in'' for IPsec. |
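Review bot: same inconsistency as in the redirect table: the description lists `/second`, `/minute`, `/hour`, `/day` but the new examples use `3/min` and `3/m`, which the description never mentions. The two `limit` rows (redirect and rule) now also show different example sets; using one consistent set in both tables, with the abbreviations documented in the description, is easier to keep correct.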
Line 261: Line 265:
This example enables machines on the internet to use SSH to access your router. This example enables machines on the internet to use SSH to access your router.
-==== Forwarding ports (Destination NAT/DNAT) ====+==== Port forwarding for IPv4 (Destination NAT/DNAT) ====
This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10: This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10:
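Review bot: renaming the heading to "Port forwarding for IPv4 (Destination NAT/DNAT)" changes its DokuWiki anchor, exactly the situation the first hunk of this change fixes for the connection-tracking section; check that no in-page or external link still points at the old "Forwarding ports" anchor.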
Line 277: Line 281:
<code> <code>
-config 'redirect' +config redirect 
-        option 'name' 'ssh' +        option src      wan 
-        option 'src' 'wan' +        option src_dport 5555 
-        option 'proto' 'tcpudp' +        option proto     tcp 
-        option 'src_dport' '5555' +        option dest      lan 
-        option 'dest_ip' '192.168.1.100' +        option dest_ip   192.168.1.100 
-        option 'dest_port' '22+        option dest_port 22 
-        option 'target' 'DNAT' +</code> 
-        option 'dest' 'lan'+ 
 +==== Port forwarding for IPv6 ==== 
 + 
 +To open port 80 so that a local webserver at ''2001:db8:42::1337'' can be reached from the Internet: 
 + 
 +<code> 
 +config rule 
 +        option src      wan 
 +        option proto    tcp 
 +        option dest      lan 
 +        option dest_ip  2001:db8:42::1337 
 +        option dest_port 80 
 +        option family    ipv6 
 +        option target   ACCEPT 
 +</code> 
 + 
 +To open SSH access to all IPv6 hosts in the local network: 
 + 
 +<code> 
 +config rule 
 +        option src      wan 
 +        option proto    tcp 
 +        option dest     lan 
 +        option dest_port 22 
 +        option family    ipv6 
 +        option target    ACCEPT 
 +</code> 
 + 
 +To open all TCP/UDP port between 1024 and 65535 towards the local IPv6 network: 
 + 
 +<code> 
 +config rule 
 +        option src      wan 
 +        option proto    tcpudp 
 +        option dest      lan 
 +        option dest_port 1024:65535 
 +        option family    ipv6 
 +        option target    ACCEPT
</code> </code>
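Review bot: the last IPv6 example (`proto tcpudp`, `dest_port 1024:65535`, no `dest_ip`) accepts inbound connections from `wan` to every high port on every host in the `lan` zone, a much wider opening than the two examples before it; the text should say so and suggest restricting it with `dest_ip` to the host that actually needs it, as the port-80 example does. In the rewritten DNAT example, `option target DNAT` and `option name` were dropped: if the intent is that DNAT is the default target for redirects, state that in the text, otherwise keep `option target DNAT` explicit, since the `reflection` option above is documented as applying only to DNAT targets. Minor: "all TCP/UDP port between" should be "ports", and the option values are aligned with inconsistent whitespace and trailing spaces across the four blocks.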
Line 478: Line 519:
<code> <code>
config zone config zone
 +        option name            example
        option input            ACCEPT         option input            ACCEPT
        option output          ACCEPT         option output          ACCEPT
Line 492: Line 534:
<code> <code>
config zone config zone
 +        option name            example
        option input            ACCEPT         option input            ACCEPT
        option output          ACCEPT         option output          ACCEPT
Line 508: Line 551:
<code> <code>
config zone config zone
 +        option name            example
        option input            ACCEPT         option input            ACCEPT
        option output          ACCEPT         option output          ACCEPT
Line 546: Line 590:
option dest lan option dest lan
option src wan6 option src wan6
 +#you don't need the below as you can a firewall rule to open the port that you need
config forwarding config forwarding
option dest wan6 option dest wan6
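Review bot: the added comment is missing its verb ("as you can a firewall rule") and is placed inside a config listing where a reader may copy it verbatim into `/etc/config/firewall`; reword it to "you don't need the forwarding section below, since a firewall rule can open the specific port you need" and consider stating that advice in prose above the listing, since it recommends a narrower rule over forwarding the whole `wan6` zone.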
Line 603: Line 647:
When connection attempts are //dropped// the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they're able to continue. When connection attempts are //dropped// the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they're able to continue.
 +
 +Also there is an interesting article which that claims dropping connections doesnt make you any safer - [[http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject|Drop versus Reject]].
**DROP** **DROP**
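Review bot: the added sentence has grammar problems ("which that claims", "doesnt"); suggested wording: "There is also an article arguing that dropping connections does not make you any safer: [[http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject|Drop versus Reject]]." It is also inserted between the paragraph describing drop behaviour and the **DROP** heading, which interrupts the explanation; placing it at the end of the comparison rather than immediately before the heading reads better.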
Line 616: Line 662:
-===== Note on connection tracking (NOTRACK) =====+===== Notes on connection tracking ===== 
 + 
 +==== NOTRACK ====
By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''iptables -t raw -vnL'', it will list all rules, check for //NOTRACK// target. By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''iptables -t raw -vnL'', it will list all rules, check for //NOTRACK// target.
Line 624: Line 672:
If connection tracking is required, for example by custom rules in ''/etc/firewall.user'', the ''conntrack'' option must be enabled in the corresponding zone to disable //NOTRACK//. It should appear as ''option 'conntrack' '1' '' in the right zone in ''/etc/config/firewall''. If connection tracking is required, for example by custom rules in ''/etc/firewall.user'', the ''conntrack'' option must be enabled in the corresponding zone to disable //NOTRACK//. It should appear as ''option 'conntrack' '1' '' in the right zone in ''/etc/config/firewall''.
For further information see http://security.maruhn.com/iptables-tutorial/x4772.html . For further information see http://security.maruhn.com/iptables-tutorial/x4772.html .
 +
 +==== nf_conntrack_skip_filter ====
 +
 +Since [[https://dev.openwrt.org/changeset/42048/trunk/package|r42048]], there is a new setting activated by default which causes the packets with the established state, completely bypass iptables filter table. This is to [[https://dev.openwrt.org/ticket/17690#comment:6|help with network performance]] and unless you need all packets to be counted by iptables filter or have some specific rules which would apply to already established connections, you should leave it active.
 +
 +This behavior can be disabled by editing /etc/sysctl.conf :
 +  net.netfilter.nf_conntrack_skip_filter=0
 +and then activating the new setting:
 +  sysctl -p
 +
 +or be temporarily turned off untill the next reboot by issuing :
 +  sysctl -w net.netfilter.nf_conntrack_skip_filter=0
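Review bot: the new nf_conntrack_skip_filter paragraph should spell out the consequence for the custom rules mentioned just above it: with the setting active, packets of established connections bypass the filter table entirely, so any rule in `/etc/firewall.user` meant to match or count established traffic will never see those packets; that is precisely the case in which the text says to disable it, and it deserves a direct sentence. Wording fixes: "causes the packets with the established state, completely bypass iptables filter table" should read "causes packets in the established state to bypass the iptables filter table completely", and "untill" should be "until".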
===== How to delete a rule ===== ===== How to delete a rule =====


doc/uci/firewall.1383039171.txt.bz2 · Last modified: 2013/10/29 10:32 by zorun