Bridge firewall

  • This how-to describes how to set up a bridge firewall on OpenWrt.
  • Follow Splitting VLANs to be able to filter traffic between VLAN ports.
  • Follow Wireless configuration to isolate wireless clients from each other.
  • Filter and intercept transit traffic on bridged interfaces.

This assumes a setup with bridged LAN and WAN interfaces. Install the required package, then enable the bridge firewall so that it intercepts DNS queries (rewriting their destination MAC to the router's WAN device so the router itself answers them) and drops transit traffic from eth0 to eth1.

# Install packages
opkg update
opkg install kmod-nft-bridge

# Configure firewall
# The quoted "EOF" keeps the variables unexpanded, so they are evaluated
# when the include script runs, not when it is written.
cat << "EOF" > /etc/nftables.d/bridge.sh
# Resolve the WAN device and its MAC address
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_device NET_DEV "${NET_IF}"
NET_MAC="$(ubus -S call network.device status \
"{'name':'${NET_DEV}'}" | jsonfilter -e "$['macaddr']")"
# Create the bridge-family table (flush it if it already exists)
nft add table bridge filter
nft flush table bridge filter
# Redirect DNS queries to the router itself
nft add chain bridge filter prerouting \
{ type filter hook prerouting priority dstnat\; }
nft add rule bridge filter prerouting meta \
l4proto { tcp, udp } th dport 53 pkttype set host \
ether daddr set "${NET_MAC}" comment "Intercept-DNS"
# Drop transit traffic from eth0 to eth1
nft add chain bridge filter forward \
{ type filter hook forward priority filter\; }
nft add rule bridge filter forward iifname "eth0" \
oifname "eth1" drop comment "Deny-eth0-eth1"
EOF
# Register the script as a firewall include and reload
uci -q delete firewall.bridge
uci set firewall.bridge="include"
uci set firewall.bridge.path="/etc/nftables.d/bridge.sh"
uci commit firewall
service firewall restart

Set up DNS hijacking and DNS filtering.

If the firewall service is disabled and kmod-nft-bridge is installed, you can load a standalone ruleset directly. The following example classifies HTTP(S) traffic as DSCP AF23; it is not practical on its own, but it is a starting point.

Save the following to /etc/nftables.conf:

flush ruleset
 
table bridge dscp {
    chain dscp_set_af23 {
        ip dscp set af23
        ip6 dscp set af23
    }
 
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
 
        meta l4proto tcp th dport {80, 443} jump dscp_set_af23
    }
}

Run the following command. Add it to /etc/rc.local to make it persist across reboots.

nft -f /etc/nftables.conf

Use nslookup, ping and ping6 on LAN clients to verify the firewall configuration.

Collect and analyze the following information.

# Log and status
service firewall restart
 
# Runtime configuration
lsmod | grep -e bridge
nft list ruleset
 
# Persistent configuration
uci show firewall
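The `nft list ruleset` output above is what you inspect when the include did not take effect. The following added script, which is not part of the OpenWrt wiki page, audits that output: it checks that the bridge-family table and its prerouting and forward chains exist with the expected hook and priority, and that both rules are present, identified by the comments bridge.sh attaches to them. The sample ruleset embedded below is constructed (the MAC address is made up) and mirrors the textual form nft prints; the regex patterns assume that nft prints comments and priority names verbatim, as current releases do.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: audit the rules that
# /etc/nftables.d/bridge.sh is expected to load. Pass a file containing the
# text of `nft list ruleset`. Returns 0 if every check passes, 1 otherwise.

# Expected items as "label|extended-regex", one per line. The patterns
# follow the textual form of `nft list ruleset` (assumption: comment strings
# and symbolic priorities are printed verbatim).
BRIDGE_CHECKS='bridge-table|^table bridge filter
prerouting-hook|type filter hook prerouting priority dstnat;
forward-hook|type filter hook forward priority filter;
dns-intercept|th dport 53 .*ether daddr set [0-9a-f:]{17} comment "Intercept-DNS"
deny-eth0-eth1|iifname "eth0" oifname "eth1" drop comment "Deny-eth0-eth1"'

audit_bridge_ruleset() {
    ruleset_file="$1"
    failures=0
    # A here-document keeps the loop in the current shell, so $failures
    # survives; piping into the loop would run it in a subshell.
    while IFS='|' read -r label pattern; do
        [ -n "$label" ] || continue
        if grep -Eq -- "$pattern" "$ruleset_file"; then
            echo "ok      $label"
        else
            echo "MISSING $label"
            failures=$((failures + 1))
        fi
    done <<EOF
$BRIDGE_CHECKS
EOF
    [ "$failures" -eq 0 ]
}

# Constructed sample of what `nft list ruleset` prints after bridge.sh has
# run. The MAC address is made up.
SAMPLE_RULESET='table bridge filter {
    chain prerouting {
        type filter hook prerouting priority dstnat; policy accept;
        meta l4proto { tcp, udp } th dport 53 pkttype set host ether daddr set 00:11:22:33:44:55 comment "Intercept-DNS"
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "eth0" oifname "eth1" drop comment "Deny-eth0-eth1"
    }
}'

# Write the full sample to $1.
write_sample() {
    printf '%s\n' "$SAMPLE_RULESET" > "$1"
}

# Write a broken variant to $1: the forward drop rule is missing, which is
# what you would see if the include never ran or the table was flushed.
write_sample_without_deny() {
    printf '%s\n' "$SAMPLE_RULESET" | grep -v 'Deny-eth0-eth1' > "$1"
}

# Demo on the constructed samples. On a router, run instead:
#   nft list ruleset > /tmp/ruleset.txt && audit_bridge_ruleset /tmp/ruleset.txt
demo_dir="${TMPDIR:-/tmp}/bridge-audit.$$"
mkdir -p "$demo_dir"
write_sample "$demo_dir/full.txt"
write_sample_without_deny "$demo_dir/partial.txt"
echo "== full ruleset"
audit_bridge_ruleset "$demo_dir/full.txt" && echo "PASS"
echo "== partial ruleset"
audit_bridge_ruleset "$demo_dir/partial.txt" || echo "FAIL (expected: deny rule missing)"
rm -rf "$demo_dir"
```

To audit a different ruleset, such as the DSCP example above, extend BRIDGE_CHECKS with one label|regex line per chain or rule you expect; anchoring each rule check on its comment string, as bridge.sh does, keeps the patterns stable when nft reorders or renames fields between releases.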
  • Last modified: 2024/11/01 16:42
  • by vgaetera