firewall configuration forwards LAN traffic without masquerading

[zacherystoddard@…]

openwrt lacks a firewall rule to explicitly drop TCP traffic with an INVALID conntrack state. This causes LAN packets to be forwarded to the default route WAN interface without being properly masqueraded since they are not either ESTABLISHED, RELATED, or NEW.

This omission can manifest in dropped ppp-based ISP connections. Specifically cellular carriers including Verizon Wireless. The ISP is likely dropping the ppp session since the router is sending "martian packets" (e.g. RFC 1812 reserved addresses in the source field).

This issue also effects other Linux distributions and is best described in the following article:
Google search for: Ubuntu Linux iptables firewall rules to prevent package leakage

I have mitigated this issue by appending the following line to my /etc/firewall.user script:
iptables -I FORWARD -i br-lan -p tcp -m state --state INVALID -j DROP

[jow]

This facility is already there:

uci set firewall.@defaults[0].drop_invalid=1
uci commit firewall
fw reload

Documented in the wiki at:
​http://wiki.openwrt.org/doc/uci/firewall#defaults

[jow]

Milestone Backfire 10.03.2 deleted

[big.smile@…]

Same problem with OpenWRT 14.07, but drop_invalid is enabled and I've found this in IPTables:

Chain delegate_forward (1 references)
target     prot opt source               destination         
[…]
DROP       all  --  anywhere             anywhere             ctstate INVALID
[…]

More information here: ​/ticket/19050.html

[jow]

Different problem.