firewall4 question
e9hack
e9hack at gmail.com
Sat Nov 26 02:47:54 PST 2022
Hi,
I do redirect https traffic from wan to a specific ip address in lan with a different port:
config redirect
option enabled '1'
option name 'wan: Redirect HTTPS for xxxx.net:443 to my-box.yyyy.lan:8443'
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option family 'ipv4'
option src_dport '443'
option dest_ip '192.168.101.92'
option dest_port '8443'
option reflection '1'
I would like to block some ip ranges and following the example from the firewall documentation.
config ipset
option enabled '1'
option name 'dropcidr'
option match 'src_net'
option loadfile '/var/dropcidr.txt'
config rule
option enabled '1'
option src 'wan'
option proto 'tcp'
option ipset 'dropcidr'
option dest_port '443'
option target 'DROP'
option name 'DROP-HTTPS-WAN-LAN'
It doesn't block redirected traffic from wan at 443 to the internal lan at 8443. I did try it with port 8443 in the blocking rule too, but it doesn't block anything. How must I define such a blocking rule?
With firewall3 (iptables), I did add the the following to firewall.user:
ipset restore -file /tmp/https_blacklist.conf
iptables -n --list https_scan >/dev/null 2>&1
[ $? -eq 0 ] && iptables -X https_scan
iptables -N https_scan
iptables -A https_scan -m recent --name HTTPS_BLOCK --rsource --update --seconds 1800 --reap -j DROP
iptables -A https_scan -m recent --name HTTPS_BLOCK --rsource --set -j LOG --log-level info --log-prefix "HTTPS blocked: "
iptables -A https_scan -j DROP
iptables -A forwarding_wan_rule -p tcp --dport 8443 -m conntrack --ctstate DNAT -m set --match-set HTTPS_BLACKLIST src -j https_scan
How can I define a similar rule set for firewall4 (nftables)?
Regards,
Hartmut
More information about the openwrt-devel
mailing list