doc:uci:firewall

Differences

This shows you the differences between two versions of the page.

doc:uci:firewall [2013/10/29 10:32]
zorun DNAT example: make it compatible with NAT reflection
doc:uci:firewall [2015/08/23 03:06] (current)
TimMillerDyck Add maximum working length for zone name
Line 44: Line 44:
 A ''​zone''​ section groups one or more //​interfaces//​ and serves as a //source// or //​destination//​ for //​forwardings//,​ //rules// and //​redirects//​. Masquerading (NAT) of outgoing traffic is controlled on a per-zone basis. Note that masquerading is defined on the //​outgoing//​ interface. A ''​zone''​ section groups one or more //​interfaces//​ and serves as a //source// or //​destination//​ for //​forwardings//,​ //rules// and //​redirects//​. Masquerading (NAT) of outgoing traffic is controlled on a per-zone basis. Note that masquerading is defined on the //​outgoing//​ interface.
  
-  * INPUT rules for a zone describe what happens to traffic trying to reach the router itself through ​that interface. +  * INPUT rules for a zone describe what happens to traffic trying to reach the router itself through ​an interface ​in that zone
-  * OUTPUT rules for a zone describe what happens to traffic originating from the router itself. +  * OUTPUT rules for a zone describe what happens to traffic originating from the router itself ​going through an interface in that zone
-  * FORWARD rules for a zone describe what happens to traffic ​coming from that zone and passing to another ​zone.+  * FORWARD rules for a zone describe what happens to traffic ​passing between different interfaces in that zone.
  
 The options below are defined within ''​zone''​ sections: The options below are defined within ''​zone''​ sections:
  
 ^ Name ^ Type ^ Required ^ Default ^ Description ^ ^ Name ^ Type ^ Required ^ Default ^ Description ^
-| ''​name''​ | zone name | yes | //(none)// | Unique zone name | +| ''​name''​ | zone name | yes | //(none)// | Unique zone name. 11 characters is the maximum working firewall zone name length (tested with OpenWrt 14.07 BB). 
-| ''​network''​ | list | no | //(none)// | List of //​[[doc:​uci:​network#​interfaces|interfaces]]//​ attached to this zone. If omitted and neither extra* options, subnets or devices are given, the value of ''​name''​ is used by default |+| ''​network''​ | list | no | //(none)// | List of //​[[doc:​uci:​network#​interfaces|interfaces]]//​ attached to this zone. If omitted and neither extra* options, subnets or devices are given, the value of ''​name''​ is used by default. Alias interfaces defined in the network config cannot be used as valid '​standalone'​ networks. Use list syntax as explained in [[doc:​uci]]. ​|
 | ''​masq''​ | boolean | no | ''​0''​ | Specifies whether //​outgoing//​ zone traffic should be masqueraded - this is typically enabled on the //wan// zone | | ''​masq''​ | boolean | no | ''​0''​ | Specifies whether //​outgoing//​ zone traffic should be masqueraded - this is typically enabled on the //wan// zone |
 | ''​masq_src''​ | list of subnets | no | ''​0.0.0.0/​0''​ | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with ''​!'';​ multiple subnets are allowed. | | ''​masq_src''​ | list of subnets | no | ''​0.0.0.0/​0''​ | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with ''​!'';​ multiple subnets are allowed. |
 | ''​masq_dest''​ | list of subnets | no | ''​0.0.0.0/​0''​ | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with ''​!'';​ multiple subnets are allowed. | | ''​masq_dest''​ | list of subnets | no | ''​0.0.0.0/​0''​ | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with ''​!'';​ multiple subnets are allowed. |
-| ''​conntrack''​ | boolean | no | ''​1''​ if masquerading is used, ''​0''​ otherwise | Force connection tracking for this zone (see [[#note.on.connection.tracking.notrack|Note on connection tracking]]) |+| ''​conntrack''​ | boolean | no | ''​1''​ if masquerading is used, ''​0''​ otherwise | Force connection tracking for this zone (see [[#notes_on_connection_tracking|Note on connection tracking]]) |
 | ''​mtu_fix''​ | boolean | no | ''​0''​ | Enable MSS clamping for //​outgoing//​ zone traffic | | ''​mtu_fix''​ | boolean | no | ''​0''​ | Enable MSS clamping for //​outgoing//​ zone traffic |
 | ''​input''​ | string | no | ''​DROP''​ | Default policy (''​ACCEPT'',​ ''​REJECT'',​ ''​DROP''​) for //​incoming//​ zone traffic | | ''​input''​ | string | no | ''​DROP''​ | Default policy (''​ACCEPT'',​ ''​REJECT'',​ ''​DROP''​) for //​incoming//​ zone traffic |
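Review bot: the 11-character limit added to the `name` row is stated as a bare test result, so readers cannot tell whether it applies to their release; give the reason instead. The firewall builds iptables chains named `zone_<name>_dest_ACCEPT` and `zone_<name>_postrouting` (17 fixed characters) and iptables refuses chain names longer than 28 characters, so 28 - 17 = 11, and a longer zone name fails with an iptables "chain name too long" error rather than being silently ignored. Two smaller points on the same hunk: the FORWARD bullet now describes the zone `forward` policy as covering traffic between interfaces in the same zone, which reverses the old wording, so add one clause saying that traffic to other zones is governed by the `forwarding` sections documented below; and the new sentence in the `network` row ("Alias interfaces ... cannot be used as valid 'standalone' networks") should say what to do instead (list the parent interface the alias belongs to).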
Line 64: Line 64:
 | ''​log''​ | boolean | no | ''​0''​ | Create log rules for rejected and dropped traffic in this zone. | | ''​log''​ | boolean | no | ''​0''​ | Create log rules for rejected and dropped traffic in this zone. |
 | ''​log_limit''​ | string | no | ''​10/​minute''​ | Limits the amount of log messages per interval. | | ''​log_limit''​ | string | no | ''​10/​minute''​ | Limits the amount of log messages per interval. |
-| ''​device''​ | list | no | //(none)// | List of raw network device names attached to this zone, e.g. ''​ppp+''​ to match any PPP interface. \\ :!: Only supported by the Firewall v2, version 58 and above | +| ''​device''​ | list | no | //(none)// | List of raw network device names attached to this zone, e.g. ''​ppp+''​ to match any PPP interface. \\ :!: Only supported by the Firewall v2, version 58 and above ; not supported by 12.09 default installation ​
-| ''​subnet''​ | list | no | //(none)// | List of IP subnets attached to this zone. \\ :!: Only supported by the Firewall v2, version 58 and above | +| ''​subnet''​ | list | no | //(none)// | List of IP subnets attached to this zone. \\ :!: Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation ​
-| ''​extra''​ | string | no | //(none)// | Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therfore direction-specific options like ''​--dport''​ should not be used here - in this case the ''​extra_src''​ and ''​extra_dest''​ options should be used instead. \\ :!: Only supported by the Firewall v2, version 58 and above | +| ''​extra''​ | string | no | //(none)// | Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therfore direction-specific options like ''​--dport''​ should not be used here - in this case the ''​extra_src''​ and ''​extra_dest''​ options should be used instead. \\ :!: Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation ​
-| ''​extra_src''​ | string | no | //Value of ''​extra''//​ | Extra arguments passed directly to iptables for source classification rules. \\ :!: Only supported by the Firewall v2, version 58 and above | +| ''​extra_src''​ | string | no | //Value of ''​extra''//​ | Extra arguments passed directly to iptables for source classification rules. \\ :!: Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation ​
-| ''​extra_dest''​ | string | no | //Value of ''​extra''//​ | Extra arguments passed directly to iptables for destination classification rules. \\ :!: Only supported by the Firewall v2, version 58 and above |+| ''​extra_dest''​ | string | no | //Value of ''​extra''//​ | Extra arguments passed directly to iptables for destination classification rules. \\ :!: Only supported by the Firewall v2, version 58 and above, not supported by 12.09 default installation ​|
  
 ==== Forwardings ==== ==== Forwardings ====
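Review bot: the four rows that gained "not supported by 12.09 default installation" lost their closing `|` cell delimiter (only the `extra_dest` row keeps it) and the `device` row uses " ; " where the others use ",", so the table will render unevenly; use one wording for all four, e.g. "... version 58 and above; not in the 12.09 default installation |". The note also tells readers what does not work without telling them how to get the feature on 12.09; either name the firewall package/version that provides it or say the options simply cannot be used on that release.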
Line 90: Line 90:
  
 //Redirects are also commonly known as "port forwarding",​ and "​virtual servers"​.//​ //Redirects are also commonly known as "port forwarding",​ and "​virtual servers"​.//​
 +
 +Port ranges are specified as ''​start:​stop'',​ for instance ''​6666:​6670''​. ​ This is similar to the iptables syntax.
  
 The options below are valid for //​redirects//:​ The options below are valid for //​redirects//:​
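Review bot: "similar to the iptables syntax" undersells it; `start:stop` is exactly the range form that iptables `--dport`/`--sport` accept, and the sentence should say that both ends are inclusive so `6666:6670` reads as five ports. The identical sentence is added again under the rules section further down; stating it once, with the rules table pointing back here, avoids the two copies drifting apart.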
Line 117: Line 119:
 | ''​reflection''​ | boolean | no | ''​1''​ | Activate NAT reflection for this redirect - applicable to ''​DNAT''​ targets. | | ''​reflection''​ | boolean | no | ''​1''​ | Activate NAT reflection for this redirect - applicable to ''​DNAT''​ targets. |
 | ''​reflection_src''​ | string | no | ''​internal''​ | The source address to use for NAT-reflected packets if ''​reflection''​ is ''​1''​. This can be ''​internal''​ or ''​external'',​ specifying which interface’s address to use. Applicable to ''​DNAT''​ targets. | | ''​reflection_src''​ | string | no | ''​internal''​ | The source address to use for NAT-reflected packets if ''​reflection''​ is ''​1''​. This can be ''​internal''​ or ''​external'',​ specifying which interface’s address to use. Applicable to ''​DNAT''​ targets. |
-| ''​limit''​ | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/​second'',​ ''/​minute'',​ ''/​hour''​ or ''/​day''​ suffix. ​Example: ''​3/​hour''​. |+| ''​limit''​ | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/​second'',​ ''/​minute'',​ ''/​hour''​ or ''/​day''​ suffix. ​Examples: ''​3/​second'',​ ''​3/​sec''​ or ''​3/​s''​. |
 | ''​limit_burst''​ | integer | no | ''​5''​ | Maximum initial number of packets to match, allowing a short-term average above ''​limit''​ | | ''​limit_burst''​ | integer | no | ''​5''​ | Maximum initial number of packets to match, allowing a short-term average above ''​limit''​ |
 | ''​extra''​ | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''​-m policy %%--%%dir in''​ for IPsec. | | ''​extra''​ | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''​-m policy %%--%%dir in''​ for IPsec. |
 +| ''​enabled''​ | string | no | ''​1''​ or ''​yes''​ | Enable the redirect rule or not. |
  
 :!: On Attitude Adjustment, for NAT reflection to work, you **must** specify ''​option dest lan''​ in the ''​redirect''​ section (even though we're using a ''​DNAT''​ target). :!: On Attitude Adjustment, for NAT reflection to work, you **must** specify ''​option dest lan''​ in the ''​redirect''​ section (even though we're using a ''​DNAT''​ target).
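Review bot: the new `enabled` row types the option as "string" with default `1` or `yes`, while the same option added to the rules table is typed "boolean" with default yes; it is a boolean in both places, so make the rows match (type boolean, default 1). In the `limit` row the examples changed from `3/hour` to `3/second`, `3/sec`, `3/s`: if the abbreviated suffixes are accepted, list them in the row's first sentence next to `/second`, `/minute`, `/hour`, `/day` instead of only showing them in an example, otherwise readers will not know `3/h` is also valid. The Attitude Adjustment warning about `option dest lan` would be more useful with the symptom spelled out (NAT reflection silently does not work when it is omitted).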
Line 134: Line 137:
   * If only ''​dest''​ is given, the rule matches //​outgoing//​ traffic   * If only ''​dest''​ is given, the rule matches //​outgoing//​ traffic
   * If neither ''​src''​ nor ''​dest''​ are given, the rule defaults to an //​outgoing//​ traffic rule   * If neither ''​src''​ nor ''​dest''​ are given, the rule defaults to an //​outgoing//​ traffic rule
 +
 +Port ranges are specified as ''​start:​stop'',​ for instance ''​6666:​6670''​. This is similar to the iptables syntax.
  
 Valid options for this section are: Valid options for this section are:
Line 141: Line 146:
 | ''​src_ip''​ | ip address | no | //(none)// | Match incoming traffic from the specified //source ip address// | | ''​src_ip''​ | ip address | no | //(none)// | Match incoming traffic from the specified //source ip address// |
 | ''​src_mac''​ | mac address | no | //(none)// | Match incoming traffic from the specified //mac address// | | ''​src_mac''​ | mac address | no | //(none)// | Match incoming traffic from the specified //mac address// |
-| ''​src_port''​ | port or range | no | //(none)// | Match incoming traffic from the specified //source port// or //port range//, if relevant ''​proto''​ is specified. |+| ''​src_port''​ | port or range | no | //(none)// | Match incoming traffic from the specified //source port// or //port range//, if relevant ''​proto''​ is specified. Multiple ports can be specified like '80 443 465' [[https://​forum.openwrt.org/​viewtopic.php?​pid=287271|1]]. |
 | ''​proto''​ | protocol name or number | no | ''​tcpudp''​ | Match incoming traffic using the given //​protocol//​. Can be one of ''​tcp'',​ ''​udp'',​ ''​tcpudp'',​ ''​udplite'',​ ''​icmp'',​ ''​esp'',​ ''​ah'',​ ''​sctp'',​ or ''​all''​ or it can be a numeric value, representing one of these protocols or a different one. A protocol name from ''/​etc/​protocols''​ is also allowed. The number 0 is equivalent to ''​all''​. | | ''​proto''​ | protocol name or number | no | ''​tcpudp''​ | Match incoming traffic using the given //​protocol//​. Can be one of ''​tcp'',​ ''​udp'',​ ''​tcpudp'',​ ''​udplite'',​ ''​icmp'',​ ''​esp'',​ ''​ah'',​ ''​sctp'',​ or ''​all''​ or it can be a numeric value, representing one of these protocols or a different one. A protocol name from ''/​etc/​protocols''​ is also allowed. The number 0 is equivalent to ''​all''​. |
 +| ''​icmp_type''​ | list of type names or numbers | no | any | For //​protocol//​ ''​icmp''​ select specific icmp types to match. Values can be either exact icmp type numbers or type names (see below). |
 | ''​dest''​ | zone name | no | //(none)// | Specifies the traffic //​destination zone//. Must refer to one of the defined //zone names//, or * for any zone. If specified, the rule applies to //​forwarded//​ traffic; otherwise, it is treated as //input// rule. | | ''​dest''​ | zone name | no | //(none)// | Specifies the traffic //​destination zone//. Must refer to one of the defined //zone names//, or * for any zone. If specified, the rule applies to //​forwarded//​ traffic; otherwise, it is treated as //input// rule. |
 | ''​dest_ip''​ | ip address | no | //(none)// | Match incoming traffic directed to the specified //​destination ip address//. With no dest zone, this is treated as an input rule! | | ''​dest_ip''​ | ip address | no | //(none)// | Match incoming traffic directed to the specified //​destination ip address//. With no dest zone, this is treated as an input rule! |
-| ''​dest_port''​ | port or range | no | //(none)// | Match incoming traffic directed at the given //​destination port or port range//, if relevant ''​proto''​ is specified. |+| ''​dest_port''​ | port or range | no | //(none)// | Match incoming traffic directed at the given //​destination port or port range//, if relevant ''​proto''​ is specified. Multiple ports can be specified like '80 443 465' [[https://​forum.openwrt.org/​viewtopic.php?​pid=287271|1]]. |
 | ''​ipset''​ | string | no | //(none)// | If specified, match traffic against the given //​[[#​ip.sets|ipset]]//​. The match can be inverted by prefixing the value with an exclamation mark | | ''​ipset''​ | string | no | //(none)// | If specified, match traffic against the given //​[[#​ip.sets|ipset]]//​. The match can be inverted by prefixing the value with an exclamation mark |
 | ''​mark''​ | mark/mask | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''​0xFF''​ to match mark 255 or ''​0x0/​0x1''​ to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''​!0x10''​ to match all but mark #16. | | ''​mark''​ | mark/mask | no | //(none)// | If specified, match traffic against the given firewall mark, e.g. ''​0xFF''​ to match mark 255 or ''​0x0/​0x1''​ to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. ''​!0x10''​ to match all but mark #16. |
Line 159: Line 165:
 | ''​set_xmark''​ | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed | | ''​set_xmark''​ | ::: | ::: | ::: | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
 | ''​family''​ | string | no | ''​any''​ | Protocol family (''​ipv4'',​ ''​ipv6''​ or ''​any''​) to generate iptables rules for. | | ''​family''​ | string | no | ''​any''​ | Protocol family (''​ipv4'',​ ''​ipv6''​ or ''​any''​) to generate iptables rules for. |
-| ''​limit''​ | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/​second'',​ ''/​minute'',​ ''/​hour''​ or ''/​day''​ suffix. ​Example: ''​3/​hour''​. |+| ''​limit''​ | string | no | //(none)// | Maximum average matching rate; specified as a number, with an optional ''/​second'',​ ''/​minute'',​ ''/​hour''​ or ''/​day''​ suffix. ​Examples: ''​3/​minute'',​ ''​3/​min''​ or ''​3/​m''​. |
 | ''​limit_burst''​ | integer | no | ''​5''​ | Maximum initial number of packets to match, allowing a short-term average above ''​limit''​ | | ''​limit_burst''​ | integer | no | ''​5''​ | Maximum initial number of packets to match, allowing a short-term average above ''​limit''​ |
 | ''​extra''​ | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''​-m policy %%--%%dir in''​ for IPsec. | | ''​extra''​ | string | no | //(none)// | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as ''​-m policy %%--%%dir in''​ for IPsec. |
 +| ''​enabled''​ | boolean | no | yes | Enable or disable rule. |
  
 +Available icmp type names for //​icmp_type//:​
 +
 +| ''​address-mask-reply''​ | ''​host-redirect''​ | ''​pong''​ | ''​time-exceeded''​ |
 +| ''​address-mask-request''​ | ''​host-unknown''​ | ''​port-unreachable''​ | ''​timestamp-reply''​ |
 +| ''​any''​ | ''​host-unreachable''​ | ''​precedence-cutoff''​ | ''​timestamp-request''​ |
 +| ''​communication-prohibited''​ | ''​ip-header-bad''​ | ''​protocol-unreachable''​ | ''​TOS-host-redirect''​ |
 +| ''​destination-unreachable''​ | ''​network-prohibited''​ | ''​redirect''​ | ''​TOS-host-unreachable''​ |
 +| ''​echo-reply''​ | ''​network-redirect''​ | ''​required-option-missing''​ | ''​TOS-network-redirect''​ |
 +| ''​echo-request''​ | ''​network-unknown''​ | ''​router-advertisement''​ | ''​TOS-network-unreachable''​ |
 +| ''​fragmentation-needed''​ | ''​network-unreachable''​ | ''​router-solicitation''​ | ''​ttl-exceeded''​ |
 +| ''​host-precedence-violation''​ | ''​parameter-problem''​ | ''​source-quench''​ | ''​ttl-zero-during-reassembly''​ |
 +| ''​host-prohibited''​ | ''​ping''​ | ''​source-route-failed''​ | ''​ttl-zero-during-transit''​ |
 ==== Includes ==== ==== Includes ====
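Review bot: the `src_port` and `dest_port` rows now say "Multiple ports can be specified like '80 443 465'" with only a forum post as evidence; state the accepted syntax as a property of the option (is it a space-separated list, does the `list` keyword form work, and can a range be mixed with single ports?) rather than citing a thread. The new `enabled` row (boolean, default yes) and the redirect table's `enabled` row (string, default "1 or yes") describe the same option differently; align them. The ICMP type-name table is a good addition but lists IPv4 names only; since `family` can be `ipv6`, say whether these names apply to ICMPv6 matches or whether numeric types are required there.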
  
Line 261: Line 280:
  
 This example enables machines on the internet to use SSH to access your router. This example enables machines on the internet to use SSH to access your router.
-==== Forwarding ports (Destination NAT/DNAT) ====+==== Port forwarding for IPv4 (Destination NAT/DNAT) ====
  
 This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10:​ This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10:​
Line 277: Line 296:
  
 <​code>​ <​code>​
-config ​'redirect'​ +config redirect 
-        option 'name' 'ssh+        option src       wan 
-        option '​src'​ 'wan+        option src_dport 5555 
-        option '​proto'​ 'tcpudp+        option proto     tcp 
-        option 'src_dport' '5555+        option dest      lan 
-        option 'dest_ip' '​192.168.1.100+        option dest_ip ​  ​192.168.1.100 
-        option ​'dest_port'​ '​22'​ +        option dest_port 22 
-        option 'target' 'DNAT+</​code>​ 
-        option 'dest' '​lan'​+ 
 +==== DNAT/SNAT redirects and forwarding combination ==== 
 +Given a couple of redirect (DNAT and SNAT, like to redirect 
 +the traffic from an host to and from a specific ip address) such as: 
 +<​file>​ 
 +config redirect 
 +        option name     '​icmp DNAT
 +        option ​src      ​'wan' 
 +        option src_dip ​  '1.2.3.4
 +        option ​proto    ​'icmp'​ 
 +        option dest     '​dmz'​ 
 +        option dest_ip ​ '​192.168.1.79'​ 
 +        option target ​  '​DNAT'​ 
 + 
 +config redirect 
 +        option name     '​icmp SNAT'​ 
 +        option ​src      'dmz' 
 +        option src_ip ​  '​192.168.1.79
 +        option ​src_dip  ​'1.2.3.4'​ 
 +        option ​proto    'icmp' 
 +        option dest     '​wan
 +        option ​target ​  'SNAT' 
 +</​file>​ 
 + 
 +Someone could ask "//Ok, the packet source or destination is changed, 
 +but still has to be forwarded towards the right network interface to reach the 
 +endpoint//"​. So the administrator of openwrt could wonder of adding 
 +additional forwarding rules but no, it is not needed. The forwarding 
 +rules are added by the firewall appliance itself. 
 + 
 +The same applies to the masquerading,​ the rules are applied //​before//​ 
 +the global masquerading (if a masquerading is set), therefore they will 
 +not be overridden (at least the SNAT) by the masquerading mechanism. 
 +==== Masquerading on lan ==== 
 +Suppose that you have two routers, connected each other through the  
 +lan zone (both have static ip and dhcp disabled),  
 +and only one of them is connected to the internet through the wan zone.  
 +In other words the situation is: 
 +<​code>​ 
 +internet <​---->​ wan (172.22.13.228) | router 1 | lan (192.168.1.254) <​---->​ lan (192.168.1.1) | router 2 | wan (no connection) 
 +</​code>​ 
 + 
 +If both routers have the default openwrt configuration  
 +(with the exceptions mentioned above), then a device on the lan side of the 
 +router 1 can communicate through the internet if it has the router 1 as 
 +gateway, this because the packet flow between devices is managed by routing. 
 +In our case the router 2 has no proper setup in terms of gateway, 
 +as the default openwrt configuration expects that a wan connection 
 +on the router 2 is provided. 
 + 
 +Anyway suppose that on the router 1 we have the following rule: 
 +<​code>​ 
 +config redirect 
 +        option target ​'DNAT
 +        option ​src 'wan' 
 +        option dest '​lan'​ 
 +        option proto '​tcp'​ 
 +        option src_dip '​172.22.13.228'​ 
 +        option src_dport '​2023'​ 
 +        option dest_ip ​'​192.168.1.1
 +        option dest_port '23' 
 +        option name '​Telnet to new Router'​  
 +</​code>​ 
 +This rule is redirecting the tcp packets on the port 2023 with destination the wan ip of the router 1  
 +(172.22.13.228) towards the lan ip of the router 2.  
 +The router 2 cannot reply to those packets because we didn't adjust its routing table, 
 +that is we didn't specify that the gateway to reply to "​wan"​ sources is the router 1. 
 +Indeed those redirected packets will have an source ip external from the (default) "​lan"​ zone 192.168.1.0/​24. 
 + 
 +We can solve this activating the masquerading on the "​lan"​ zone on the router 1, in this way. 
 +<​code>​ 
 +config zone 
 +        option ​name 'lan' 
 +        option network ​'lan
 +        option ​input 'ACCEPT' 
 +        option output ​'ACCEPT'​ 
 +        option forward '​REJECT'​ 
 +        option masq '​1'​ 
 +</​code>​ 
 +This setup will provide the following effect (that is the effect intended by the masquerading):​ if a packet, belonging to a certain [[wp>​Virtual_circuit|connection]],​ is coming into the lan zone with a source ip belonging to another zone, keep track of the connection, taking note of the source ip of that connection, and modify the source ip with the ip of the router in the lan zone (that is: source_ip from a.b.c.d to 192.168.1.254). \\  
 +Then deliver the packet to the intended destination (that is, 192.168.1.1,​ the router2). Afterwards, if a packet from 192.168.1.1 is coming back towards 192.168.1.254,​ belonging to the connection tracked before, changed back the destination ip (here is the second effect of the masquerading) with the source ip memorized before (that is, dest_ip from 192.168.1.254 to a.b.c.d ). In this way, for the point of view of the router 2, the router 2 just communicate with a device with an ip belonging to its "​lan"​ zone , and therefore the default routing is working without problem. 
 + 
 +At least one side effect of this setup is that every device in the lan zone of the router 1 cannot see any "​wan"​ ip, and this could be not wanted for several reasons (one of which: if you setup a proper gateway, there is no need for this masquerading). But this was just a "​special case" to expose in brief how the masquerading works and how it could be applied to zones that usually don't use it. An improvement of "​masquerading only for a specific device in the zone" could be the following:​ 
 +<​code>​ 
 +config zone 
 +        option name '​lan'​ 
 +        option network '​lan'​ 
 +        option input '​ACCEPT'​ 
 +        option output '​ACCEPT'​ 
 +        option forward '​REJECT'​ 
 +        option masq '​1'​ 
 +        option masq_dest '​192.168.1.1/​32'​ 
 +</​code>​ 
 +This provide the masquerading feature only if the packets are send towards the destination 192.168.1.1/​32 (this subnet should belong to the lan zone). 
 +==== Port accept for IPv6 ==== 
 + 
 +To open port 80 so that a local webserver at ''​2001:​db8:​42::​1337''​ can be reached from the Internet: 
 + 
 +<​code>​ 
 +config rule 
 +        option src       wan 
 +        option proto     tcp 
 +        option dest      lan 
 +        option dest_ip ​  ​2001:​db8:​42::​1337 
 +        option dest_port 80 
 +        option family ​   ipv6 
 +        option target ​   ACCEPT 
 +</​code>​ 
 + 
 +To open SSH access to all IPv6 hosts in the local network: 
 + 
 +<​code>​ 
 +config rule 
 +        option src       wan 
 +        option proto     tcp 
 +        option dest      lan 
 +        option dest_port 22 
 +        option family ​   ipv6 
 +        option target ​   ACCEPT 
 +</​code>​ 
 + 
 +To open all TCP/UDP port between 1024 and 65535 towards the local IPv6 network: 
 + 
 +<​code>​ 
 +config rule 
 +        option src       wan 
 +        option proto     ​tcpudp 
 +        option dest      lan 
 +        option dest_port 1024:​65535 
 +        option family ​   ipv6 
 +        option target ​   ACCEPT
 </​code>​ </​code>​
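Review bot: the "Masquerading on lan" example forwards WAN port 2023 to Telnet (port 23) on router 2 and labels it "Telnet to new Router", which exposes a cleartext administrative login to the Internet, and then adds `masq 1` on the lan zone, which rewrites every Internet source to 192.168.1.254 so router 2 can no longer distinguish Internet-originated connections from LAN ones (its `input` policy, any `src_ip` rules and its logs all see router 1's LAN address). The section already says a proper gateway removes the need for this; make that the recommended configuration (a default route on router 2 pointing at 192.168.1.254) and present the masq-on-lan variant explicitly as an illustration, preferably using a service that is meant to be reachable from the WAN rather than Telnet. Two smaller points: the SSH redirect in the first block dropped `option target DNAT` and now relies on the default, which is fine but deserves one sentence since the ICMP examples right below spell the target out; and in the DNAT/SNAT pair the text should say that `src_dip` means different things depending on `target` (the matched WAN destination in the DNAT section, the rewritten source address in the SNAT section), because a reader copying one into the other will otherwise get it wrong.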
  
Line 347: Line 496:
 ==== Block access to the Internet for specific IP on certain times  ==== ==== Block access to the Internet for specific IP on certain times  ====
  
-The following rule blocks all connection attempts to the internet from 192.168.1.27 on weekdays between 21:00pm and 09:00am.\\+The following rule blocks all connection attempts to the internet from 192.168.1.27 on weekdays between 21:00pm and 09:​00am ​(times are specified in UTC unless the --kerneltz switch is used).\\
 :!: The package ''​iptables-mod-ipopt''​ must be installed to provide ''​xt_time''​. :!: The package ''​iptables-mod-ipopt''​ must be installed to provide ''​xt_time''​.
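Review bot: `--kerneltz` is an xt_time switch for iptables, not a UCI option, so a reader of this page has no documented way to apply it from a `rule` section; either say how it is passed (for instance via the `extra` option from the rules table) or simply state that the times are interpreted in UTC. Also "21:00pm and 09:00am" mixes 24-hour and 12-hour notation; write 21:00 and 09:00.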
  
Line 470: Line 619:
 </​code>​ </​code>​
  
 +==== Zone declaration for semi non-UCI interfaces, manually listed in the network config, and forwardings ====
 +Scenario: having one or more vpn tunnels using openvpn,
 +with the need of defining a zone to forward the traffic between the
 +vpn interfaces and the lan.
 +
 +First list the interfaces in **/​etc/​config/​network**, ​
 +for example in the following way: (be careful on the limits of interface naming in terms of name length, [[doc/​uci/​network|read more]])
 +<​code>​
 +config interface '​tun0'​
 + option ifname '​tun0'​
 + option proto '​none'​
 +
 +config interface '​tun1'​
 +        option ifname '​tun1'​
 +        option proto '​none'​
 +</​code>​
 +
 +Then create the zone in **/​etc/​config/​firewall**,​ for example one zone for all the vpn interfaces.
 +<​code>​
 +config zone
 +        option name             ​vpn_tunnel
 +        list   ​network ​         '​tun0'​
 + list   ​network ​         '​tun1'​
 +        option input            ACCEPT
 +          #the traffic towards the router from the interface will be accepted
 +          #(as for the lan communications)
 +        option output ​          ​ACCEPT
 +          #the traffic from the router to the interface will be accepted
 +        option forward ​         REJECT
 +          #traffic from this zone to other zones is normally rejected
 +</​code>​
 +
 +Then we want to communicate with the "​lan"​ zone, therefore we need forwardings in both ways
 +(from lan to wan and viceversa)
 +<​code>​
 +config forwarding
 +        option src              lan
 +        option dest             ​vpn_tunnel
 +        #if a packet from lan wants to go to the vpn_tunnel zone
 +        #let it pass
 +
 +config forwarding
 +        option src              vpn_tunnel
 +        option dest             lan
 +        #if a packet from vpn_tunnel wants to go to the lan zone
 +        #let it pass
 +</​code>​
 +This will create a lot of "​automatic"​ iptables rules (because automatic scripting is not
 +as efficient as raw iptable commands in /​etc/​firewall.user) ​
 +but those rules will be more clear in the luci webinterface and also more readable for
 +less expert users.
 +
 +In general remember that forwardings are relying how routing rules are defined, and afterwards which zones are
 +defined on which interfaces.
 ==== Zone declaration for non-UCI interfaces ==== ==== Zone declaration for non-UCI interfaces ====
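Review bot: the sentence introducing the two `forwarding` sections says "from lan to wan and viceversa", but the sections forward between lan and vpn_tunnel; fix the prose to match the config. On the zone itself, `option input ACCEPT` with the comment "as for the lan communications" gives every VPN peer the same access to the router's own services as a LAN host; for a tunnel that may carry remote users the safer default is `input REJECT` plus explicit `rule` sections for the services the peers need, as in the port-opening examples earlier on the page, with `input ACCEPT` reserved for tunnels between sites under one administration. The block also mixes tab and space indentation and places `#` comment lines inside the UCI stanza; confirm that UCI accepts them or move the explanations into the prose. Finally "forwardings are relying how routing rules are defined" is incomplete; the point is that a forwarding only permits traffic the routing table already sends between the two zones' interfaces.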
  
Line 478: Line 681:
 <​code>​ <​code>​
 config zone config zone
 +        option name             ​example
         option input            ACCEPT         option input            ACCEPT
         option output ​          ​ACCEPT         option output ​          ​ACCEPT
Line 492: Line 696:
 <​code>​ <​code>​
 config zone config zone
 +        option name             ​example
         option input            ACCEPT         option input            ACCEPT
         option output ​          ​ACCEPT         option output ​          ​ACCEPT
Line 508: Line 713:
 <​code>​ <​code>​
 config zone config zone
 +        option name             ​example
         option input            ACCEPT         option input            ACCEPT
         option output ​          ​ACCEPT         option output ​          ​ACCEPT
Line 546: Line 752:
  option dest lan  option dest lan
  option src wan6  option src wan6
 +#you don't need the below as you can a firewall rule to open the port that you need
 config forwarding config forwarding
  option dest wan6  option dest wan6
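Review bot: the added comment "you don't need the below as you can a firewall rule to open the port that you need" is missing a verb ("as you can add a firewall rule") and, more importantly, seems attached to the wrong section. The block it follows is the one with `option src wan6` and `option dest lan`, which forwards all inbound IPv6 to the LAN and is exactly what a port-specific `rule` should replace; the forwarding with `option dest wan6` that the comment calls unnecessary is what LAN hosts need for outbound IPv6. Move the comment, or better remove the wan6-to-lan forwarding from the example and show an explicit `rule`, so that a copy-pasted example does not leave the IPv6 side fully open.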
Line 603: Line 809:
  
 When connection attempts are //dropped// the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented,​ this could result in frozen or hanging programs that need to wait until a timeout occurs before they'​re able to continue. When connection attempts are //dropped// the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented,​ this could result in frozen or hanging programs that need to wait until a timeout occurs before they'​re able to continue.
 +
 +Also there is an interesting article which that claims dropping connections doesnt make you any safer - [[http://​www.chiark.greenend.org.uk/​~peterb/​network/​drop-vs-reject|Drop versus Reject]].
  
 **DROP** **DROP**
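Review bot: "an interesting article which that claims dropping connections doesnt make you any safer" should read "an article which argues that dropping connections does not make you any safer"; also name the point it makes in one clause (a reject gives the legitimate client an immediate failure while giving a scanner nothing it cannot infer anyway) so the reader knows why the link is there before following it.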
Line 616: Line 824:
  
  
-===== Note on connection tracking ​(NOTRACK) ​=====+===== Notes on connection tracking ===== 
 + 
 +==== NOTRACK ​====
  
 By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''​iptables -t raw -vnL'',​ it will list all rules, check for //NOTRACK// target. By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of //NOTRACK// is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing ''​iptables -t raw -vnL'',​ it will list all rules, check for //NOTRACK// target.
Line 624: Line 834:
 If connection tracking is required, for example by custom rules in ''/​etc/​firewall.user'',​ the ''​conntrack''​ option must be enabled in the corresponding zone to disable //​NOTRACK//​. It should appear as ''​option '​conntrack'​ '​1'​ ''​ in the right zone in ''/​etc/​config/​firewall''​. If connection tracking is required, for example by custom rules in ''/​etc/​firewall.user'',​ the ''​conntrack''​ option must be enabled in the corresponding zone to disable //​NOTRACK//​. It should appear as ''​option '​conntrack'​ '​1'​ ''​ in the right zone in ''/​etc/​config/​firewall''​.
 For further information see http://​security.maruhn.com/​iptables-tutorial/​x4772.html . For further information see http://​security.maruhn.com/​iptables-tutorial/​x4772.html .
 +
 +==== nf_conntrack_skip_filter ====
 +
 +:!: Only available in Barrier Breaker. **''​Revoked in Chaos Calmer RC1 and onwards''​** due to various problems.
 +
 +From [[https://​dev.openwrt.org/​changeset/​42048/​trunk/​package|r42048]] to [[https://​dev.openwrt.org/​changeset/​44873|r44873]],​ there was a new setting activated by default which causes the packets with the established state, completely bypass iptables filter table. This is to [[https://​dev.openwrt.org/​ticket/​17690#​comment:​6|help with network performance]] and unless you need all packets to be counted by iptables filter or have some specific rules which would apply to already established connections,​ you should leave it active. ​
 +
 +This behavior can be disabled by editing /​etc/​sysctl.conf :
 +  net.netfilter.nf_conntrack_skip_filter=0
 +and then activating the new setting:
 +  sysctl -p
 +
 +or be temporarily turned off untill the next reboot by issuing :
 +  sysctl -w net.netfilter.nf_conntrack_skip_filter=0
  
 ===== How to delete a rule ===== ===== How to delete a rule =====
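Review bot: the nf_conntrack_skip_filter section tells readers to leave the setting active, but the caveat in the same sentence deserves its own line: while it is on, packets of established connections bypass the filter table entirely, so a rule added to block a host that already has an open connection does not take effect until that connection ends, and filter-table counters and log rules do not see that traffic. State that plainly before the "leave it active" advice, and note that the section applies only to r42048 through r44873 on Barrier Breaker (the header already says it was revoked in Chaos Calmer RC1). Minor: "untill" should be "until".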
Line 737: Line 961:
 | :::    | ''​postrouting_//​name//​_rule''​ | user     | Per-zone container chains for custom user postrouting rules (firewall.user) | | :::    | ''​postrouting_//​name//​_rule''​ | user     | Per-zone container chains for custom user postrouting rules (firewall.user) |
  
 +===== Open questions =====
 +==== '​enabled'​ option ====
 +Could it be that the enable option is available for every section
 +of the firewall file?
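Review bot: an "Open questions" section asking whether `enabled` exists on every section type does not belong in a reference page; the option is already documented in the redirect and rule tables above, so either verify it for the zone, forwarding and include sections and add it to those tables, or drop the question. The two existing rows also describe it inconsistently (string with default "1 or yes" versus boolean with default yes); settle that at the same time.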
doc/uci/firewall.1383039171.txt.bz2 · Last modified: 2013/10/29 10:32 by zorun