Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#11515 closed defect (obsolete)

Cannot add firewall rules to filter firewall redirections to block particular IPs.

Reported by: CBWhiz@… Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: base system Version: 10.03.1
Keywords: Cc:

Description

Using LuCI, one can add a 'redirection' that forwards a WAN port to a particular internal computer.

This creates NAT reflection rules, PREROUTING nat rules, and default 'ACCEPT' rules in the filter 'zone_wan_forward' chain.

If I then want to filter this redirection (say, block 8.8.8.8 from using it), one would assume a 'rule' created under 'rules' would allow one to do that. This, however, fails.

The rules in the 'zone_wan_forward' chain are the core of the issue. The forward ACCEPT rules are placed before the forward DROP rules added in the second step.

Concretely, the problem is this:

config 'redirect'
        option '_name' 'allow any rdp to .50'
        option 'proto' 'tcpudp'
        option 'src_dport' '3389'
        option 'dest_ip' '192.168.1.50'
        option 'target' 'DNAT'
        option 'dest' 'lan'
        option 'src' 'wan'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'dest_port' '3389'
        option 'dest' 'lan'
        option 'target' 'DROP'
        option '_name' 'block spammer from rdp'
        option 'src_ip' '2.2.2.2'

becoming:

root@wrt:~# iptables -L forward
Chain forward (1 references)
target     prot opt source               destination
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere

root@wrt:~# iptables -L zone_wan_forward
Chain zone_wan_forward (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.1.50        tcp dpt:3389
ACCEPT     udp  --  anywhere             192.168.1.50        udp dpt:3389
zone_lan_DROP  tcp  --  2.2.2.2   anywhere            tcp dpt:3389
zone_lan_DROP  udp  --  2.2.2.2   anywhere            udp dpt:3389
zone_drop_ACCEPT  all  --  anywhere             anywhere
forwarding_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere

BTW, this is using Backfire (10.03.1, r29592).

One can get around this by using custom firewall rules, or by editing the deny rule to have "option 'src' '*'" rather than "option 'src' 'wan'", as that change puts the rule in the 'forward' chain:

Chain forward (1 references)
target     prot opt source               destination
zone_lan_DROP  tcp  --  2.2.2.2   anywhere            tcp dpt:3389
zone_lan_DROP  udp  --  2.2.2.2   anywhere            udp dpt:3389
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere

However, one cannot do this from LuCI, because you cannot select "*" as an interface when editing rules.

I'm far from an iptables expert, so I'm not sure of the best way to solve this.
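The ordering problem described above can be checked mechanically. The following is an added example, not code from the ticket or from OpenWrt: it parses `iptables -S` output and reports DROP/REJECT rules that sit below an ACCEPT in the same chain covering some of the same traffic. The two rule listings inside it are constructed renderings of the ticket's zone_wan_forward chain and of the src '*' workaround.

```python
"""Flag DROP/REJECT rules shadowed by an earlier ACCEPT in the same iptables chain.
Added example, not from the ticket or OpenWrt; input is `iptables -S` output and the
samples below are constructed renderings of the ticket's listings."""
import shlex

FLAGS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport"}

def parse_rules(text):
    """Yield (chain, match, target, raw) for each `-A CHAIN ... -j TARGET` line."""
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue  # skip -P/-N lines and blanks
        match, target = {}, ""
        for i in range(2, len(tok) - 1):  # `-m tcp/udp` is skipped; it only enables --dport
            if tok[i] in FLAGS:
                match[FLAGS[tok[i]]] = tok[i + 1]
            elif tok[i] == "-j":
                target = tok[i + 1]
        yield tok[1], match, target, line.strip()

def overlaps(a, b):
    """True if some packet matches both rules: each field unset on one side or equal."""
    return all(a.get(k) is None or b.get(k) is None or a[k] == b[k] for k in FLAGS.values())

def shadowed_deny_rules(text):
    """(deny_rule, earlier_accept) pairs where a specific DROP/REJECT rule follows an
    ACCEPT in its chain that already takes some of the same traffic; those packets never
    reach the deny. Catch-all denies (no match fields) are the chain default, not reported."""
    findings, accepts = [], {}
    for chain, match, target, raw in parse_rules(text):
        seen = accepts.setdefault(chain, [])
        if target == "ACCEPT":
            seen.append((match, raw))
        elif match and ("DROP" in target or "REJECT" in target):
            findings += [(raw, acc_raw) for acc, acc_raw in seen if overlaps(match, acc)]
    return findings

BROKEN = """\
-A zone_wan_forward -d 192.168.1.50/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A zone_wan_forward -d 192.168.1.50/32 -p udp -m udp --dport 3389 -j ACCEPT
-A zone_wan_forward -s 2.2.2.2/32 -p tcp -m tcp --dport 3389 -j zone_lan_DROP
-A zone_wan_forward -s 2.2.2.2/32 -p udp -m udp --dport 3389 -j zone_lan_DROP
-A zone_wan_forward -j zone_wan_REJECT
"""
# Ticket's workaround: src '*' puts the deny in `forward`, ahead of the jump into the zone.
FIXED = """\
-A forward -s 2.2.2.2/32 -p tcp -m tcp --dport 3389 -j zone_lan_DROP
-A forward -j zone_wan_forward
"""
```

Running `shadowed_deny_rules(BROKEN)` returns both zone_lan_DROP rules paired with the ACCEPT that shadows them, while `shadowed_deny_rules(FIXED)` returns nothing. The check only looks within one chain, so a deny placed in `forward` is judged against the rules of `forward`, not against the zone chain it jumps into.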

Change History (2)

comment:1 Changed 6 years ago by jow

  • Resolution set to obsolete
  • Status changed from new to closed

Already fixed with r31014; trunk LuCI also supports src *.

comment:2 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
