Opened 6 years ago

Closed 3 years ago

#11009 closed defect (invalid)

firewall configuration forwards LAN traffic without masquerading

Reported by: zacherystoddard@… Owned by: developers
Priority: high Milestone: Chaos Calmer 15.05
Component: base system Version: Trunk
Keywords: masquerade, martian packets, firewall Cc:


OpenWrt lacks a firewall rule to explicitly drop TCP traffic with an INVALID conntrack state. This causes LAN packets to be forwarded to the default route WAN interface without being properly masqueraded, since they are neither ESTABLISHED, RELATED, nor NEW.

This omission can manifest as dropped PPP-based ISP connections, specifically with cellular carriers including Verizon Wireless. The ISP is likely dropping the PPP session since the router is sending "martian packets" (e.g. RFC 1812 reserved addresses in the source field).

This issue also affects other Linux distributions and is best described in the following article:
Google search for: Ubuntu Linux iptables firewall rules to prevent package leakage

I have mitigated this issue by appending the following line to my /etc/firewall.user script:
iptables -I FORWARD -i br-lan -p tcp -m state --state INVALID -j DROP

Attachments (0)

Change History (4)

comment:1 Changed 6 years ago by jow

  • Resolution set to obsolete
  • Status changed from new to closed

This facility is already there:

uci set firewall.@defaults[0].drop_invalid=1
uci commit firewall
fw reload

Documented in the wiki at:
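Added here as an example, not part of the ticket or of OpenWrt's firewall code: a small POSIX shell check that a defender can run to confirm the FORWARD chain actually contains a rule dropping INVALID conntrack state, and that it sits before any ACCEPT for traffic arriving from the LAN bridge (a drop placed after the LAN ACCEPT never sees the packets it is meant to catch). The check accepts both the ticket's own `-m state --state INVALID` form (which only covers TCP) and the `-m conntrack --ctstate INVALID` form that the drop_invalid default produces for all protocols. The three listings are constructed sample output in `iptables -S FORWARD` rule-spec format; the interface names br-lan and eth0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket or OpenWrt: verify that the FORWARD chain
# drops INVALID conntrack state before anything ACCEPTs traffic from the LAN.
# Packets conntrack cannot classify never reach the nat MASQUERADE rule, so
# without such a drop they leave the WAN interface with their private source
# address intact (the "martian packets" the ticket describes).

# Constructed listing: the ticket's /etc/firewall.user rule is in place, ahead
# of the LAN-to-WAN ACCEPT.  (Assumed interface names: br-lan, eth0.)
SAMPLE_GOOD='-P FORWARD DROP
-A FORWARD -i br-lan -p tcp -m state --state INVALID -j DROP
-A FORWARD -i br-lan -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed listing with no INVALID drop at all (the situation the ticket reports).
SAMPLE_MISSING='-P FORWARD DROP
-A FORWARD -i br-lan -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed listing where the drop exists but is ordered after the LAN ACCEPT,
# so LAN packets are accepted before the drop rule is ever evaluated.
SAMPLE_LATE='-P FORWARD DROP
-A FORWARD -i br-lan -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP'

# drop_invalid_ok LISTING
# Prints "ok" and returns 0 when a rule dropping INVALID (via --state or
# --ctstate) appears before the first ACCEPT matching "-i br-lan"; otherwise
# prints a one-line diagnosis and returns 1.
drop_invalid_ok() {
    printf '%s\n' "$1" | awk '
        # First DROP of INVALID state: remember its position and stop scanning.
        /-j DROP/ && /(--ctstate|--state) [A-Z,]*INVALID/ { drop_line = NR; found = 1; exit }
        # First ACCEPT that applies to traffic entering from the LAN bridge.
        /-i br-lan/ && /-j ACCEPT/ && !accept_line { accept_line = NR }
        END {
            if (!found) { print "missing: no rule drops INVALID conntrack state"; exit 1 }
            if (accept_line && accept_line < drop_line) { print "misordered: LAN ACCEPT precedes INVALID DROP"; exit 1 }
            print "ok"; exit 0
        }'
}

# check_live_forward_chain
# Runs the same check against the running firewall (needs root; not exercised here).
check_live_forward_chain() {
    drop_invalid_ok "$(iptables -S FORWARD)"
}
```

On a live OpenWrt box, run `check_live_forward_chain` after `fw reload`; if it reports "missing", the uci drop_invalid setting from comment:1 (or the firewall.user rule from the ticket) is the fix, and if it reports "misordered", the rule needs to be inserted (`-I`) rather than appended (`-A`) so it precedes the LAN forwarding ACCEPT.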

comment:2 Changed 4 years ago by jow

  • Milestone changed from Backfire 10.03.2 to Chaos Calmer (trunk)

Milestone Backfire 10.03.2 deleted

comment:3 Changed 3 years ago by…

  • Resolution obsolete deleted
  • Status changed from closed to reopened

Same problem with OpenWrt 14.07, but drop_invalid is enabled and I've found this in iptables:

Chain delegate_forward (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID

More information here: /ticket/19050.html

comment:4 Changed 3 years ago by jow

  • Resolution set to invalid
  • Status changed from reopened to closed

Different problem.
