[LEDE-DEV] firewall question

Mathias Kresin dev at kresin.me
Sat Dec 16 02:19:02 PST 2017


15.12.2017 09:24, e9hack:
> Hi,
> 
> I did set-up a openvpn server on my router. /etc/config/network contains the interface definition:
> 
> config interface 'vpn'
> 	option proto 'none'
> 	option ifname 'tun1'
> 
> In /etc/config/firewall, I've the following definitions related to vpn, lan and wan:
> 
> config zone
> 	option name 'lan'
> 	list network 'lan'
> 	option input 'ACCEPT'
> 	option output 'ACCEPT'
> 	option forward 'ACCEPT'
> 
> config zone
> 	option name 'wan'
> 	list network 'wan'
> 	list network 'wan_6'
> 	option input 'DROP'
> 	option output 'ACCEPT'
> 	option forward 'DROP'
> 	option masq '1'
> 	option mtu_fix '1'
> 	option conntrack '1'
> 
> config zone
> 	option name 'vpn'
> 	option network 'vpn'
> 	option input 'ACCEPT'
> 	option forward 'REJECT'
> 	option output 'ACCEPT'

Your vpn zone configuration has to be read as:

   - allow traffic from vpn zone to firewall (INPUT)
   - allow traffic from firewall to vpn zone (OUTPUT)

> 
> config forwarding
> 	option src 'lan'
> 	option dest 'wan'
> 
> config rule
> 	option name 'Allow OpenVPN Inbound on wan'
> 	option src 'wan'
> 	option proto 'tcpudp'
> 	option dest_port '1194'
> 	option extra '-m conntrack --ctstate NEW'
> 	option target 'ACCEPT'
> 
> config forwarding
> 	option src 'vpn'
> 	option dest 'wan'
> 
> config rule
> 	option name 'Block NetBios from vpn to wan'
> 	option src 'vpn'
> 	option dest 'wan'
> 	list dest_port '135'
> 	list dest_port '137-139'
> 	list dest_port '445'
> 	list dest_port '3389'
> 	option proto 'tcpudp'
> 	option target 'DROP'
> 
> These are not the complete firewall definitions, but there isn't any other rule with the zone or network vpn.
> 
> I did not define any forwarding rule between vpn and lan. The lan ip range is 192.168.x.x. and a client, which is
> connected to the openvpn server, gets an ip address from the range 10.8.y.y. From an openvpn client, I can access the
> web interface of the router via 192.168.x.1. Why is this possible?

It is possible because your traffic targets the firewall (INPUT) and not 
the lan zone (FORWARD). The destination IP address doesn't really matter 
as long as it is an interface of the firewall. Consider the firewall as 
something like a special zone.

Following is an excerpt of the firewall configuration I'm using to restrict 
IoT devices. My complete configuration is more complex, since ipset is 
involved to limit forwarding of IoT traffic to WAN based on the 
destination fqdn/domain. But it should give you a start.

config zone
         option name             iot
         list   network          'iot'
         option input            REJECT
         option output           ACCEPT
         option forward          REJECT

config forwarding
         option src              lan
         option dest             iot

config rule
         option name             Allow-iot-DHCPv4-Input
         option src              iot
         option proto            udp
         option dest_port        67
         option target           ACCEPT
         option family           ipv4

config rule
         option name             Allow-iot-DHCPv6-Input
         option src              iot
         option proto            udp
         option dest_port        547
         option target           ACCEPT
         option family           ipv6

config rule
         option name             Allow-iot-DNS-Input
         option src              iot
         option dest_port        53
         option proto            'udp tcp'
         option target           ACCEPT

Mathias
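To make the INPUT-versus-FORWARD point above concrete, here is an added example (editor's code, not from the thread and not part of fw3, LEDE or OpenWrt): a small Python model of fw3's zone logic run over a constructed excerpt of the quoted config, plus a hardened vpn zone modelled on the iot zone in the reply (input REJECT, explicit allow for DNS only). The addressing (lan 192.168.1.0/24, vpn 10.8.0.0/24, a wan address of 203.0.113.2) and the simplified rule semantics (a rule without `dest` is an INPUT rule, a rule with `dest` a FORWARD rule, rules checked before forwardings and zone defaults) are assumptions of the model, not a claim about fw3 internals.

```python
import ipaddress
import shlex

# Constructed excerpt of the firewall config quoted above (zones, forwardings,
# rules); the real sections carry more options than this model needs.
FW_CONFIG = """
config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'wan'
	option forward 'DROP'
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'vpn'
	option dest 'wan'
config rule
	option name 'Block NetBios from vpn to wan'
	option src 'vpn'
	option dest 'wan'
	list dest_port '137-139'
	list dest_port '445'
	option proto 'tcpudp'
	option target 'DROP'
"""
# Hardened vpn zone in the spirit of the iot zone above: input REJECT, then only
# the services VPN clients need from the router (here DNS) are opened explicitly.
HARDENED_VPN = """
config zone
	option name 'vpn'
	option input 'REJECT'
	option forward 'REJECT'
config rule
	option src 'vpn'
	option dest_port '53'
	option proto 'udp tcp'
	option target 'ACCEPT'
"""
# Assumed (hypothetical) addressing: subnet behind each zone, router's own addresses.
ZONE_NETS = {"lan": "192.168.1.0/24", "vpn": "10.8.0.0/24", "wan": "0.0.0.0/0"}
ROUTER_ADDRS = {"192.168.1.1", "10.8.0.1", "203.0.113.2"}


def parse_uci(text):
    """Minimal parser for UCI config/option/list syntax; returns a list of dicts."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({".type": parts[1]})
        elif parts[0] == "option":
            sections[-1][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections


def _matches(rule, proto, dport):
    """Does the rule's proto/dest_port selection cover this packet?"""
    p = rule.get("proto", "tcpudp")
    protos = {"tcp", "udp"} if p in ("tcpudp", "any", "all") else set(p.split())
    ports = rule.get("dest_port", [])
    ports = ports.split() if isinstance(ports, str) else ports
    in_ports = not ports or any(int(lo) <= dport <= int(hi or lo)
                                for lo, _, hi in (x.partition("-") for x in ports))
    return proto in protos and in_ports


def zone_of(ip):
    """Most specific zone subnet containing ip (wan is the 0.0.0.0/0 catch-all)."""
    addr = ipaddress.ip_address(ip)
    return max((ipaddress.ip_network(n).prefixlen, z) for z, n in ZONE_NETS.items()
               if addr in ipaddress.ip_network(n))[1]


def decide(sections, src_zone, dst_ip, proto, dport):
    """(chain, verdict) for a new flow, simplified fw3 model: a packet for any of
    the router's own addresses hits the source zone's INPUT policy, whichever
    interface owns that address; everything else is FORWARD (rules, then
    forwardings, then the zone default)."""
    zones = {s["name"]: s for s in sections if s[".type"] == "zone"}
    rules = [s for s in sections if s[".type"] == "rule"]
    if dst_ip in ROUTER_ADDRS:
        hit = [r for r in rules if r.get("src") == src_zone and "dest" not in r
               and _matches(r, proto, dport)]
        return "INPUT", hit[0]["target"] if hit else zones[src_zone]["input"]
    dst = zone_of(dst_ip)
    hit = [r for r in rules if r.get("src") == src_zone and r.get("dest") == dst
           and _matches(r, proto, dport)]
    if hit:
        return "FORWARD", hit[0]["target"]
    if any(s[".type"] == "forwarding" and s["src"] == src_zone and s["dest"] == dst
           for s in sections):
        return "FORWARD", "ACCEPT"
    return "FORWARD", zones[src_zone]["forward"]


def harden(sections):
    """Swap the vpn zone for the hardened one and append its explicit input rules."""
    kept = [s for s in sections if not (s[".type"] == "zone" and s["name"] == "vpn")]
    return kept + parse_uci(HARDENED_VPN)
```

With the quoted config, `decide(parse_uci(FW_CONFIG), "vpn", "192.168.1.1", "tcp", 80)` comes back as `("INPUT", "ACCEPT")`: the LAN-side address is still the router, so the vpn zone's input policy applies and no forwarding is needed, while a host behind it such as 192.168.1.10 yields `("FORWARD", "REJECT")`. After `harden()` the same request to 192.168.1.1 is rejected and only DNS to the router is accepted. On a live box the equivalent check is to read the generated chains (`iptables -S zone_vpn_input`) rather than the UCI file, since that is what the kernel actually evaluates.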


