Bridge firewall
Introduction
- This how-to describes how to set up a bridge firewall on OpenWrt using the nftables bridge family, so that traffic switched between ports of the same bridge can be filtered and intercepted.
- Follow Splitting VLANs to be able to filter traffic between VLAN ports.
- Follow Wireless configuration to isolate wireless clients from each other.
Goals
- Filter and intercept transit traffic on bridged interfaces.
Command-line instructions
This assumes a setup in which the LAN and WAN interfaces are ports of the same bridge. Frames between them are forwarded at layer 2 and never pass through the IP-layer forward chain that fw4 manages, so rules in the inet table do not see that transit traffic; filtering it requires hooks in the bridge family.
Install the required packages, then enable the bridge firewall. The include below intercepts DNS queries crossing the bridge and drops transit traffic from eth0 to eth1.

# Install packages
opkg update
opkg install kmod-nft-bridge

# Configure firewall
cat << "EOF" > /etc/nftables.d/bridge.sh
. /lib/functions/network.sh
network_flush_cache
# MAC address of the WAN device; frames re-addressed to it are
# delivered to the router itself instead of being bridged onward
network_find_wan NET_IF
network_get_device NET_DEV "${NET_IF}"
NET_MAC="$(ubus -S call network.device status \
"{'name':'${NET_DEV}'}" | jsonfilter -e "$['macaddr']")"
nft add table bridge filter
nft flush table bridge filter
# Intercept DNS: mark the frame as destined for this host and rewrite its
# destination MAC, so the IP-layer DNS hijacking rules can redirect it
nft add chain bridge filter prerouting \
{ type filter hook prerouting priority dstnat\; }
nft add rule bridge filter prerouting meta \
l4proto { tcp, udp } th dport 53 pkttype set host \
ether daddr set "${NET_MAC}" comment "Intercept-DNS"
# Filter transit traffic between bridge ports
nft add chain bridge filter forward \
{ type filter hook forward priority filter\; }
nft add rule bridge filter forward iifname "eth0" \
oifname "eth1" drop comment "Deny-eth0-eth1"
EOF
uci -q delete firewall.bridge
uci set firewall.bridge="include"
uci set firewall.bridge.path="/etc/nftables.d/bridge.sh"
uci commit firewall
service firewall restart
Then set up DNS hijacking and DNS filtering, so that the intercepted queries are redirected to the local resolver and filtered there; the bridge rule above only delivers them to the router.
Testing
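An added example, not part of this wiki page or of fw4: a small POSIX sh checker that verifies the ruleset installed above is present in the output of nft list ruleset. It looks for the two chains at the expected hooks and priorities, the "Intercept-DNS" rule carrying the WAN MAC, and the "Deny-eth0-eth1" drop rule. The function names (check_bridge_ruleset, _expect_line), the sample ruleset and the MAC address 00:11:22:33:44:55 are constructed for the example; on a router you would pass the live ruleset and the real WAN MAC instead.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): check that the bridge firewall
# ruleset from the how-to is in place, given `nft list ruleset` output.
# On the router, run it against the live ruleset, e.g.:
#   check_bridge_ruleset "$(nft list ruleset)" eth0 eth1 "$(cat /sys/class/net/eth1/address)"
# Below it runs against a constructed sample so the script also works offline.

# _expect_line DESCRIPTION ERE
# Looks for one line of $table matching the extended regex; counts misses in $failed.
_expect_line() {
    if printf '%s\n' "$table" | grep -Eq -- "$2"; then
        echo "ok:   $1"
    else
        echo "FAIL: $1"
        failed=$((failed + 1))
    fi
}

# check_bridge_ruleset RULESET IN_IF OUT_IF WAN_MAC
# Returns 0 when every check passes, otherwise the number of failed checks.
check_bridge_ruleset() {
    in_if=$2; out_if=$3; wan_mac=$4
    failed=0

    # Keep only the "table bridge filter" block; fw4's own "table inet fw4" is not relevant here.
    table=$(printf '%s\n' "$1" | sed -n '/^table bridge filter {/,/^}/p')
    if [ -z "$table" ]; then
        echo "FAIL: no 'table bridge filter' in ruleset (kmod-nft-bridge missing or include not applied?)"
        return 1
    fi

    # Recent nft prints symbolic priorities (bridge family: dstnat = -300, filter = -200);
    # older builds print the numbers, so accept both.
    _expect_line "prerouting chain hooks bridge prerouting at dstnat priority" \
        'type filter hook prerouting priority (dstnat|-300);'
    _expect_line "DNS queries are re-addressed to the WAN device MAC $wan_mac" \
        "dport 53 .*pkttype set host ether daddr set $wan_mac .*\"Intercept-DNS\""
    _expect_line "forward chain hooks bridge forward at filter priority" \
        'type filter hook forward priority (filter|-200);'
    _expect_line "transit frames $in_if -> $out_if are dropped" \
        "iifname \"$in_if\" oifname \"$out_if\" drop .*\"Deny-$in_if-$out_if\""

    return "$failed"
}

# Constructed sample of `nft list ruleset` output after applying the how-to (MAC is made up).
SAMPLE_RULESET='table inet fw4 {
    chain input {
        type filter hook input priority filter; policy drop;
    }
}
table bridge filter {
    chain prerouting {
        type filter hook prerouting priority dstnat; policy accept;
        meta l4proto { tcp, udp } th dport 53 meta pkttype set host ether daddr set 00:11:22:33:44:55 comment "Intercept-DNS"
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "eth0" oifname "eth1" drop comment "Deny-eth0-eth1"
    }
}'

# Same sample with the drop rule missing, as after a typo in the include script.
SAMPLE_NO_DROP=$(printf '%s\n' "$SAMPLE_RULESET" | grep -v 'Deny-eth0-eth1')

check_bridge_ruleset "$SAMPLE_RULESET" eth0 eth1 00:11:22:33:44:55
```

The return value is the number of failed checks, so the function can be used from a script as well as read by eye; a ruleset without the bridge table at all fails immediately, which is the usual symptom when kmod-nft-bridge is not installed or the include did not run.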
Troubleshooting
Collect and analyze the following information.

# Log and status
service firewall restart

# Runtime configuration
lsmod | grep -e bridge
nft list ruleset

# Persistent configuration
uci show firewall