Конфигурация межсетевого экрана

Конфигурация межсетевого экрана ¹⁾ находится в файле /etc/config/firewall.

Для пакетной фильтрации, NAT и искажения пакетов (mangling, манглинг) OpenWrt использует netfilter. с Для упрощения настройки файрволл UCI предоставляет абстрагированный от подсистемы ядра iptables интерфейс конфигурации, что является вполне достаточным в большинстве случаев, но в то же время этот интерфейс сохраняет возможность пользователю - когда это необходимо - самостоятельно определить необходимые нестандартные правила iptables. Файрволл UCI отображает один и более интерфейсов ²⁾ в специальные зоны ³⁾, которые используются для для описания правил по-умолчанию для данного интерфейса, правил пересылки пакетов между интерфейсами ⁴⁾, а также дополнительные правила, которые не подпадают под первые два типа. В конфигурационном файле правила по-умолчанию идут первыми, но вступают в силу последними. Система netfilter является системой фильтрации с последовательной ⁵⁾ обработкой, в которой пакеты последовательно, по цепочке, обрабатываются различными правилами. Первое совпавшее ⁶⁾ правило выполняется, но оно часто выполняет переход на другую цепочку правил, по которой движется пакет пока не встретит команды ACCEPT ⁷⁾ или DROP/REJECT ⁸⁾. Правила с такими командами выполняются последними в цепочке правил, поэтому правила по-умолчанию вступят в силу последними, а более конкретные правила будут проверяться в первую очередь. Зоны также используются для конфигурации маскарадинга ⁹⁾, также известного как NAT ¹⁰⁾, а также для конфигурации правил переадресации портов, более известных как редирект ¹¹⁾.

Зоны должны всегда отображаться на один или несколько интерфейсов, что в конечном счете приводит к их отображению на физическое устройство; поэтому зоны не могут быть использованы для конкретных сетей (подсетей), и генерируемые правила iptables работают исключительно с пакетами на интерфейсах. The difference is that interfaces can be used to reach destinations not part of their own subnet, when their subnet contains another gateway. Usually however, forwarding is done between lan and wan interfaces, with the router serving as 'edge' gateway to the internet. The default configuration of UCI Firewall provides for such a common setup.

firewall (или firewall3) и его зависимости (уже инсталлированы)
- iptables (уже инсталлированы)
- iptables-mod-? (опционально), см. OPKG Netfilter Packages.

Ниже обзор типов секций которые могут быть определены в конфигурации файрволла. Минимальная конфигурация файрволла A minimal firewall configuration for a router usually consists of one defaults section, at least two zones (lan and wan) and one forwarding to allow traffic from lan to wan. (The forwarding section is not strictly required when there are no more than two zones as the rule can then be set as the 'global default' for that zone.)

Секция defaults ¹²⁾ определяет глобальные установки файрвола, которые не принадлежат каким-либо конкретным зонам. В этой секции определяются следующие опции:

Имя	Тип	Обязательная опция	Значение “по-умолчанию”	Описание
`input`	string	нет	`REJECT`	Set policy for the `INPUT` chain of the `filter` table.
`output`	string	нет	`REJECT`	Set policy for the `OUTPUT` chain of the `filter` table.
`forward`	string	нет	`REJECT`	Set policy for the `FORWARD` chain of the `filter` table.
`drop_invalid`	boolean	нет	`0`	Drop invalid packets (e.g. not matching any active connection).
`syn_flood`	boolean	нет	`0`	Enable SYN flood protection (obsoleted by `synflood_protect` setting).
`synflood_protect`	boolean	нет	`0`	Enable SYN flood protection.
`synflood_rate`	string	нет	`25`	Set rate limit (packets/second) for SYN packets above which the traffic is considered a flood.
`synflood_burst`	string	нет	`50`	Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate.
`tcp_syncookies`	boolean	нет	`1`	Enable the use of SYN cookies.
`tcp_ecn`	boolean	нет	`0`
`tcp_westwood`	boolean	нет	`0`
`tcp_window_scaling`	boolean	нет	`1`	Enable TCP window scaling.
`accept_redirects`	boolean	нет	`0`
`accept_source_route`	boolean	нет	`0`
`custom_chains`	boolean	нет	`1`
`disable_ipv6`	boolean	нет	`0`	Disable IPv6 firewall rules.

Секция zone группирует один или несколько интерфейсов, или IP-диапазонов для использования как источник - source, или назначение - destination, для пересылки трафика между интерфейсами - forwardings, создания правил - rules, и перенаправлений - redirects. Маскировка внутренних сетей (NAT - masquerading) для исходящего трафика также управляется на основе зон. К сведению! Маскирование задаётся на интерфейсе, из которого замаскированный трафик будет исходить.

правило INPUT для зоны описывает, что произойдёт с трафиком, входящим в роутер через интерфейсы этой зоны.
правило OUTPUT для зоны описывает, что произойдёт с трафиком, исходящим от самого роутера через интерфейсы этой зоны.
правило FORWARD для зоны описывает, что произойдёт с трафиком, проходящим между различными интерфейсами внутри этой зоны.

Ниже представлены параметры, используемые в секции zone:

Имя	Тип	Требуются?	Default	Описание
`name`	zone name	yes	(none)	уникальное имя зоны
`network`	list	no	(none)	Список интерфейсов прикреплённых к этой зоне. Если параметр опущен и нет других extra. опций, подсетей (subnets), или устройств (devices), имя зоны* будет использовано как имя интерфейса, прикреплённого к зоне.
`masq`	boolean	no	`0`	Описывает, должен ли маскироваться исходящий (outgoing) тафик зоны. Обычно так делается на wan-зонах.
`masq_src`	list of subnets	no	`0.0.0.0/0`	Маскирует только заданную внутреннюю подсеть. При указании `!` перед префиксом сети, будут маскироваться все сети кроме этой. допустимо указание нескольких сетей.
`masq_dest`	list of subnets	no	`0.0.0.0/0`	Предпиывает маскировку только для заданных dest-сетей. При указании `!` перед префиксом сети, будут маскироваться все сети кроме этой. допустимо указание нескольких сетей.
`conntrack`	boolean	no	`1` если используется маскировка, `0` иначе	Принудительно включает трэкинг соединений для этой зоны (см. заметки по connection tracking)
`mtu_fix`	boolean	no	`0`	разрешает MSS clamping для исходящего трафика зоны
`input`	string	no	`DROP`	Стандартная политика (`ACCEPT`, `REJECT`, `DROP`) для входящего трафика зоны.
`forward`	string	no	`DROP`	Стандартная политика (`ACCEPT`, `REJECT`, `DROP`) для forwarded трафика зоны.
`output`	string	no	`DROP`	Стандартная политика (`ACCEPT`, `REJECT`, `DROP`) для исходящего трафика зоны.
`family`	string	no	`any`	семейство протоколов (`ipv4`, `ipv6` or `any`) для генерации iptables rules.
`log`	boolean	no	`0`	Стимулирует запись в лог событий reject и drop для трафика этой зоны.
`log_limit`	string	no	`N * 10/minute`	Ограничивает количество сообщений в логе за интервал времени.
`device`	list	no	(none)	Список низкоуровневых сетевых интерфейсов, привязанных к этой зоне. Если указать, для примера, `ppp+`, этому будут соответствовать любой PPP-интерфейс. Поддерживается только Firewall v2, версии 58 или выше
`subnet`	list	no	(none)	Список IP-подсетей, привязанных к этой зоне. Поддерживается только Firewall v2, версии 58 или выше.
`extra`	string	no	(none)	Дополнительные аргументы, переданные напрямую iptables. Эти параметры будут переданы и source и destination правилам классификации, поэтому опциям, зависящим от направления, таким как `--dport` не должны использоваться здесь. - В этом случае надо использовать `extra_src` и `extra_dest` параметры. Поддерживается только Firewall v2, версии 58 или выше.
`extra_src`	string	no	Value of `extra`	Дополнительные аргументы, для классификации source-правил, переданные напрямую iptables. Поддерживается только Firewall v2, версии 58 или выше.
`extra_dest`	string	no	Value of `extra`	Дополнительные аргументы, для классификации destination-правил, переданные напрямую iptables. Поддерживается только Firewall v2, версии 58 или выше.

The forwarding sections control the traffic flow between zones and may enable MSS clamping for specific directions. Only one direction is covered by a forwarding rule. To allow bidirectional traffic flows between two zones, two forwardings are required, with src and dest reversed in each.

Below is a listing of allowed option within forwardings:

Name	Type	Required	Default	Description
`src`	zone name	yes	(none)	Specifies the traffic source zone. Must refer to one of the defined zone names
`dest`	zone name	yes	(none)	Specifies the traffic destination zone. Must refer to one of the defined zone names
~~`mtu_fix`~~	~~boolean~~	no	~~`0`~~	Enable MSS clamping for traffic flowing from the source zone to the destination zone (Deprecated and moved to `zone` sections in 8.09.2+)
`family`	string	no	`any`	Protocol family (`ipv4`, `ipv6` or `any`) to generate iptables rules for.

The iptables rules generated for this section rely on the state match which needs connection tracking to work. At least one of the src or dest zones needs to have connection tracking enabled through either the masq or the conntrack option.

Port forwardings (DNAT) are defined by redirect sections. All incoming traffic on the specified source zone which matches the given rules will be directed to the specified internal host.

Redirects are also commonly known as “port forwarding”, and “virtual servers”.

The options below are valid for redirects:

Name	Type	Required	Default	Description
`src`	zone name	yes for `DNAT` target	(none)	Specifies the traffic source zone. Must refer to one of the defined zone names. For typical port forwards this usually is `wan`
`src_ip`	ip address	no	(none)	Match incoming traffic from the specified source ip address
`src_dip`	ip address	yes for `SNAT` target	(none)	For DNAT, match incoming traffic directed at the given destination ip address. For SNAT rewrite the source address to the given address.
`src_mac`	mac address	no	(none)	Match incoming traffic from the specified mac address
`src_port`	port or range	no	(none)	Match incoming traffic originating from the given source port or port range on the client host
`src_dport`	port or range	no	(none)	For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT rewrite the source ports to the given value.
`proto`	protocol name or number	yes	tcp udp	Match incoming traffic using the given protocol
`dest`	zone name	yes for `SNAT` target	(none)	Specifies the traffic destination zone, must refer to one of the defined zone names.
`dest_ip`	ip address	yes for `DNAT` target	(none)	For DNAT, redirect matched incoming traffic to the specified internal host. For SNAT, match traffic directed at the given address.
`dest_port`	port or range	no	(none)	For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports.
`ipset`	string	no	(none)	If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark
`mark`	string	no	(none)	If specified, match traffic against the given firewall mark, e.g. `0xFF` to match mark 255 or `0x0/0x1` to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. `!0x10` to match all but mark #16.
`start_date`	date (`yyyy-mm-dd`)	no	(always)	If specifed, only match traffic after the given date (inclusive).
`stop_date`	date (`yyyy-mm-dd`)	no	(always)	If specified, only match traffic before the given date (inclusive).
`start_time`	time (`hh:mm:ss`)	no	(always)	If specified, only match traffic after the given time of day (inclusive).
`stop_time`	time (`hh:mm:ss`)	no	(always)	If specified, only match traffic before the given time of day (inclusive).
`weekdays`	list of weekdays	no	(always)	If specified, only match traffic during the given week days, e.g. `sun mon thu fri` to only match on sundays, mondays, thursdays and fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. `! sat sun` to always match but on saturdays and sundays.
`monthdays`	list of dates	no	(always)	If specified, only match traffic during the given days of the month, e.g. `2 5 30` to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. `! 31` to always match but on the 31st of the month.
`utc_time`	boolean	no	`0`	Treat all given time values as UTC time instead of local time.
`target`	string	no	`DNAT`	NAT target (`DNAT` or `SNAT`) to use when generating the rule
`family`	string	no	`any`	Protocol family (`ipv4`, `ipv6` or `any`) to generate iptables rules for.
`reflection`	boolean	no	`1`	Disables NAT reflection for this redirect if set to `0` - applicable to `DNAT` targets.
`reflection_src`	string	no	`internal`	The source address to use for NAT-reflected packets if `reflection` is `1`. This can be `internal` or `external`, specifying which interface’s address to use. Applicable to `DNAT` targets.
`limit`	string	no	(none)	Maximum average matching rate; specified as a number, with an optional `/second`, `/minute`, `/hour` or `/day` suffix. Example: `3/hour`.
`limit_burst`	integer	no	`5`	Maximum initial number of packets to match, allowing a short-term average above `limit`
`extra`	string	no	(none)	Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as `-m policy --dir in` for IPsec.

Sections of the type rule can be used to define basic accept or reject rules to allow or restrict access to specific ports or hosts.

Up to Firewall v2, version 57 and below the rules behave like redirects and are tied to the given source zone and match incoming traffic occuring there.

In later versions the rules are defined as follows:

If src and dest are given, the rule matches forwarded traffic
If only src is given, the rule matches incoming traffic
If only dest is given, the rule matches outgoing traffic
If neither src nor dest are given, the rule defaults to an outgoing traffic rule

Valid options for this section are:

Name	Type	Required	Default	Description
`src`	zone name	yes ( optional since Firewall v2, version 58 and above)	(none)	Specifies the traffic source zone. Must refer to one of the defined zone names.
`src_ip`	ip address	no	(none)	Match incoming traffic from the specified source ip address
`src_mac`	mac address	no	(none)	Match incoming traffic from the specified mac address
`src_port`	port or range	no	(none)	Match incoming traffic from the specified source port or port range, if relevant `proto` is specified.
`proto`	protocol name or number	no	`tcp udp`	Match incoming traffic using the given protocol. Can be one of `tcp`, `udp`, `udplite`, `icmp`, `esp`, `ah`, `sctp`, or `all` or it can be a numeric value, representing one of these protocols or a different one. A protocol name from `/etc/protocols` is also allowed. The number 0 is equivalent to `all`.
`dest`	zone name	no	(none)	Specifies the traffic destination zone. Must refer to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as input rule.
`dest_ip`	ip address	no	(none)	Match incoming traffic directed to the specified destination ip address. With no dest zone, this is treated as an input rule!
`dest_port`	port or range	no	(none)	Match incoming traffic directed at the given destination port or port range, if relevant `proto` is specified.
`ipset`	string	no	(none)	If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark
`mark`	mark/mask	no	(none)	If specified, match traffic against the given firewall mark, e.g. `0xFF` to match mark 255 or `0x0/0x1` to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. `!0x10` to match all but mark #16.
`start_date`	date (`yyyy-mm-dd`)	no	(always)	If specifed, only match traffic after the given date (inclusive).
`stop_date`	date (`yyyy-mm-dd`)	no	(always)	If specified, only match traffic before the given date (inclusive).
`start_time`	time (`hh:mm:ss`)	no	(always)	If specified, only match traffic after the given time of day (inclusive).
`stop_time`	time (`hh:mm:ss`)	no	(always)	If specified, only match traffic before the given time of day (inclusive).
`weekdays`	list of weekdays	no	(always)	If specified, only match traffic during the given week days, e.g. `sun mon thu fri` to only match on sundays, mondays, thursdays and fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. `! sat sun` to always match but on saturdays and sundays.
`monthdays`	list of dates	no	(always)	If specified, only match traffic during the given days of the month, e.g. `2 5 30` to only match on every 2nd, 5th and 30rd day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. `! 31` to always match but on the 31st of the month.
`utc_time`	boolean	no	`0`	Treat all given time values as UTC time instead of local time.
`target`	string	yes	`DROP`	Firewall action (`ACCEPT`, `REJECT`, `DROP`, `MARK`, `NOTRACK`) for matched traffic
`set_mark`	mark/mask	yes for target `MARK`	(none)	Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed
`set_xmark`	mark/mask	yes for target `MARK`	(none)	Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed
`family`	string	no	`any`	Protocol family (`ipv4`, `ipv6` or `any`) to generate iptables rules for.
`limit`	string	no	(none)	Maximum average matching rate; specified as a number, with an optional `/second`, `/minute`, `/hour` or `/day` suffix. Example: `3/hour`.
`limit_burst`	integer	no	`5`	Maximum initial number of packets to match, allowing a short-term average above `limit`
`extra`	string	no	(none)	Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as `-m policy --dir in` for IPsec.

It is possible to include custom firewall scripts by specifying one or more include sections in the firewall configuration.

There is only one possible parameter for includes:

Name	Type	Required	Default	Description
`enabled`	boolean	no	`1`	Allows to disable the corresponding include without having to delete the section
`type`	string	no	`script`	Specifies the type of the include, can be `script` for traditional shell script includes or `restore` for plain files in iptables-restore format
`path`	file name	yes	`/etc/firewall.user`	Specifies a shell script to execute on boot or firewall restarts
`family`	string	no	`any`	Specifies the address family (`ipv4`, `ipv6` or `any`) for which the include is called
`reload`	boolean	no	`0`	Specifies whether the include should be called on reload - this is only needed if the include injects rules into internal chains

Includes of type script may contain arbitary commands, for example advanced iptables rules or tc commands required for traffic shaping.

Since custom iptables rules are meant to be more specific than the generic ones, you must make sure to use -I (insert) instead of -A (append) so that the rules appear before the default rules.

The UCI firewall version 3 supports referencing or creating ipsets to simplify matching of huge address or port lists without the need for creating one rule per item to match,

The following options are defined for ipsets:

Name	Type	Required	Default	Description
`enabled`	boolean	no	`1`	Allows to disable the declaration fo the ipset without the need to delete the section.
`external`	string	no	(none)	If the `external` option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the `external` option is unset, the firewall will create the ipset on start and destroy it on stop.
`name`	string	yes if `external` is unset no if `external` is set	(none) if `external` is unset value of `external` if `external` is set	Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects.
`family`	string	no	`ipv4`	Protocol family (`ipv4` or `ipv6`) to create ipset for. Only applicable to storage types `hash` and `list`, the `bitmap` type implies `ipv4`.
`storage`	string	no	varies	Specifies the storage method (`bitmap`, `hash` or `list`) used by the ipset, the default varies depending on the used datatypes (see `match` option below). In most cases the storage method can be automatically inferred from the datatype combination but in some cases multiple choices are possible (e.g. `bitmap:ip` vs. `hash:ip`).
`match`	list of direction/type tuples	yes	(none)	Specifies the matched data types (`ip`, `port`, `mac`, `net` or `set`) and their direction (`src` or `dest`). The direction is joined with the datatype by an underscore to form a tuple, e.g. `src_port` to match source ports or `dest_net` to match destination CIDR ranges.
`iprange`	IP range	yes for storage type `bitmap` with datatype `ip`	(none)	Specifies the IP range to cover, see ipset(8). Only applicable to the `hash` storage type.
`portrange`	Port range	yes for storage type `bitmap` with datatype `port`	(none)	Specifies the port range to cover, see ipset(8). Only applicable to the `hash` storage type.
`netmask`	integer	no	`32`	If specified, network addresses will be stored in the set instead of IP host addresses. Value must be between `1` and `32`, see ipset(8). Only applicable to the `bitmap` storage type with match `ip` or the `hash` storage type with match `ip`.
`maxelem`	integer	no	`65536`	Limits the number of items that can be added to the set, only applicable to the `hash` and `list` storage types.
`hashsize`	integer	no	`1024`	Specifies the initial hash size of the set, only applicable to the `hash` storage type.
`timeout`	integer	no	`0`	Specifies the default timeout for entries added to the set. A value of `0` means no timeout.

Possible Storage / Match Combinations

The table below outlines the possible combinations of storage methods and matched datatypes as well as the usable IP address family. The order of the datatype matches is significant.

Family	Storage	Match	Notes
`ipv4`	`bitmap`	`ip`	Requries `iprange` option
`ipv4`	`bitmap`	`ip mac`	Requires `iprange` option
`ipv4`	`bitmap`	`port`	Requires `portrange` option
any	`hash`	`ip`	-
any	`hash`	`net`	-
any	`hash`	`ip port`	-
any	`hash`	`net port`	-
any	`hash`	`ip port ip`	-
any	`hash`	`ip port net`	-
-	`list`	`set`	Meta type to create a set-of-sets

As described above, the option family is used for distinguishing between IPv4, IPv6 and both protocols. However the family is inferred automatically if IPv6 addresses are used, e.g.

config rule
        option src wan
        option src_ip fdca:f00:ba3::/64
        option target ACCEPT

... is automatically treated as IPv6 only rule.

Similar, such a rule:

config rule
        option src wan
        option dest_ip 88.77.66.55
        option target REJECT

... is detected as IPv4 only.

Rules without IP addresses are automatically added to iptables and ip6tables, unless overridden by the family option. Redirect rules (portforwards) are always IPv4 (for now) since there is no IPv6 DNAT support (yet).

Изначально, файрволл настроен пропускать вест трафик LAN и блокировать весь входящий WAN-трафик кроме портов, используемых для NAT и портов, открытых для созданных изнутри сессий. Чтобы открыть для доступа с WAN порт, добавьте секцию rule:

config rule
        option src              wan
        option dest_port        22
        option target           ACCEPT
        option proto            tcp

Этот пример разрешает всем доступ по ssh к вашему роутеру.

Если вы хотите, чтобы доступ по порту был открыт только с определённого адреса, или подсети, вам надо в правиле указать параметр src_ip. В этом поле можно указывать, как одиночный IP-адрес, так и подсеть с маской. config rule

      option src              wan
      option src_ip           12.34.56.64/28
      option dest_port        22
      option target           ACCEPT
      option proto            tcp

</code>

Этот пример разрешает доступ к вашему роутеру по SSH (порт 22) с подсети 12.34.56.64/28.

This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10:

config redirect
        option src       wan
        option src_dport 80
        option proto     tcp
        option dest_ip   192.168.1.10

This other example forwards one arbitrary port that you define to a box running ssh.

config 'redirect'
        option 'name' 'ssh'
        option 'src' 'wan'
        option 'proto' 'tcp udp'
        option 'src_dport' '5555'
        option 'dest_ip' '192.168.1.100'
        option 'dest_port' '22'
        option 'target' 'DNAT'
        option 'dest' 'lan'

Source NAT changes an outgoing packet so that it looks as though the OpenWrt system is the source of the packet.

Define source NAT for UDP and TCP traffic directed to port 123 originating from the host with the IP address 10.55.34.85. The source address is rewritten to 63.240.161.99:

config redirect
        option src              lan
        option dest             wan
        option src_ip           10.55.34.85
        option src_dip          63.240.161.99
        option dest_port        123
        option target           SNAT

When used alone, Source NAT is used to restrict a computer's access to the internet, but allow it to access a few services by forwarding what appear to be a few local services, e.g. NTP, to the internet. While DNAT hides the local network from the internet, SNAT hides the internet from the local network.

Source NAT and destination NAT are combined and used dynamically in IP masquerading to make computers with private (192.168.x.x, etc.) IP address appear on the internet with the OpenWrt router's public WAN ip address.

Most users won't want this. Its usage is similar to SNAT, but as the the destination IP address isn't changed, machines on the destination network need to be aware that they'll receive and answer requests from a public IP address that isn't necessarily theirs. Port forwarding in this fashion is typically used for load balancing.

config redirect
        option src              wan
        option src_dport        80
        option dest             lan
        option dest_port        80
        option proto            tcp

The following rule blocks all connection attempts to the specified host address.

config rule
        option src              lan
        option dest             wan
        option dest_ip          123.45.67.89
        option target           REJECT

The following rule blocks all connection attempts from the client to the Internet.

config rule
        option src              lan
        option dest             wan
        option src_mac          00:00:00:00:00:00
        option target           REJECT

The following rule blocks all connection attempts to the internet from 192.168.1.27 on weekdays between 21:00pm and 09:00am.
The package iptables-mod-ipopt must be installed to provide xt_time.

config rule
        option src              lan
        option dest             wan
        option src_ip           192.168.1.27
        option extra            '-m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 21:00 --timestop 09:00'
        option target           REJECT

Using firewall v3 and later the example becomes:

config rule
        option src              lan
        option dest             wan
        option src_ip           192.168.1.27
        option start_time       21:00
        option stop_time        09:00
        option weekdays         'mon tue wed thu fri'
        option target           REJECT

The example below creates a forward rule rejecting traffic from lan to wan on the ports 1000-1100.

config rule
        option src              lan
        option dest             wan
        option dest_port        1000-1100
        option proto            'tcp udp'
        option target           REJECT

The example below creates an output rule which prevents the router from pinging the address 8.8.8.8.

Only supported by the Firewall v2, version 58 and above

config rule
        option dest             wan
        option dest_ip          8.8.8.8
        option proto            icmp
        option target           REJECT

The rule below redirects all outgoing HTTP traffic from lan through a proxy server listening at port 3128 on the router itself.

config redirect
	option src              lan
	option proto            tcp
	option src_dport        80
	option dest_port        3128
	option dest_ip          192.168.1.1

The following rule redirects all outgoing HTTP traffic from lan through an external proxy at 192.168.1.100 listening on port 3128. It assumes the OpenWrt lan address to be 192.168.1.1 - this is needed to masquerade redirected traffic towards the proxy.

config redirect
        option src              lan
        option proto            tcp
        option src_ip           !192.168.1.100
        option src_dport        80
        option dest_ip          192.168.1.100
        option dest_port        3128
        option target           DNAT

config redirect
        option dest             lan
        option proto            tcp
        option src_dip          192.168.1.1
        option dest_ip          192.168.1.100
        option dest_port        3128
        option target           SNAT

The following rule redirects all WAN ports for all protocols to the internal host 192.168.1.2.

config redirect
	option src              wan
	option proto            all
	option dest_ip          192.168.1.2

This example enables proper forwarding of IPSec traffic through the wan.

# AH protocol
config rule
        option src              wan
        option dest             lan
        option proto            ah
        option target           ACCEPT

# ESP protocol
config rule
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

For some configurations you also have to open port 500/UDP.

# ISAKMP protocol
config rule
        option src              wan
        option dest             lan
        option proto            udp
        option src_port         500
        option dest_port        500
        option target           ACCEPT

This example declares a zone which maches any Linux network device whose name begins with “ppp”.

Only supported by the Firewall v2, version 58 and above

config zone
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
        option device           'ppp+'

This example declares a zone which maches any TCP stream in the 10.21.0.0/16 subnet.

Only supported by the Firewall v2, version 58 and above

config zone
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
        option subnet           '10.21.0.0/16'
        option extra            '-p tcp'

This example declares a zone which maches any TCP stream from and to port 22.

Only supported by the Firewall v2, version 58 and above

config zone
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
        option extra_src        '-p tcp --sport 22'
        option extra_dest       '-p tcp --dport 22'

Traditional iptables rules, in the standard iptables unix command form, can be specified in an external file and included in the firewall config file. It is possible to include multiple files this way.

config include
       option path /etc/firewall.user

config include
       option path /etc/firewall.vpn

The syntax for the includes is Linux standard, and therefore different from UCI's; its documentation can be found in netfilter.

After a configuration change, firewall rules are rebuilt by executing /etc/init.d/firewall restart; calling /etc/init.d/firewall stop will flush all rules and set the policies to ACCEPT on all standard chains. To manually start the firewall, call /etc/init.d/firewall start.

The firewall can be permananently disabled by executing /etc/init.d/firewall disable. Note that disable does not flush the rules, so it might be required to issue a stop before. Use enable to activate the firewall again.

Run /etc/init.d/firewall stop to flush all rules and set the policies to ACCEPT. To restart the firewall, run /etc/init.d/firewall start.

In addition to includes it is possible to let the firewall execute hotplug handlers when interfaces are added to a zone or removed from it. This is useful to create rules for interfaces with dynamic ip configurations (dhcp, pppoe) on the fly.

Each time an interface is added or removed from a zone, all scripts in the /etc/hotplug.d/firewall/ directory are executed. Scripts must be named in the form NN-name with NN being a numeric index between 00 and 99. The name can be freely choosen.

Once a handler script is invoked, the information about the event is passed through the environment. The table below lists defined variables and their meaning.

Variable	Description
ACTION	Type of the event: `add` if an interface was added, `remove` if it was removed
ZONE	Name of the firewall zone the interface was added to
INTERFACE	OpenWrt name of the interface, for example “lan” or “wan” - corresponds to the interfaces defined in `/etc/config/network`
DEVICE	The physical interface involved, for example “eth0” or “ppp0”

The decision whether to drop or to reject traffic should be done on a case-by-case basis. Many people see dropping traffic as a security advantage over rejecting it because it exposes less information to a hypothetical attacker. While dropping slightly increases security, it can also complicate the debugging of network issues or cause unwanted side-effects on client programs.

If traffic is rejected, the router will respond with an ICMP error message (“destination port unreachable”) causing the connection attempt to fail immediately. This also means that for each connection attempt a certain amount of response traffic is generated. This can cause harm if the firewall is “attacked” with many simultaneous connection attempts; the resulting “backfire” of ICMP responses can clog up all available bandwidth and make the connection unusable (DoS).

When connection attempts are dropped the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they're able to continue.

DROP

less information is exposed
less attack surface
client software may not cope well with it (hangs until connection times out)
may complicate network debugging (where was traffic dropped and why)

REJECT

may expose information (like the ip at which traffic was actually blocked)
client software can recover faster from rejected connection attempts
network debugging easier (routing and firewall issues clearly distinguishable)

By default, the firewall will disable connection tracking for a zone if no masquerading is enabled. This is achieved by generating NOTRACK firewall rules matching all traffic passing via interfaces referenced by the firewall zone. The purpose of NOTRACK is to speed up routing and save memory by circumventing resource intensive connection tracking in cases where it is not needed. You can check if connection tracking is disabled by issuing iptables -t raw -vnL, it will list all rules, check for NOTRACK target.

NOTRACK will render certain ipables extensions unusable, for example the MASQUERADE target or the state match will not work!

If connection tracking is required, for example by custom rules in /etc/firewall.user, the conntrack option must be enabled in the corresponding zone to disable NOTRACK. It should appear as option 'conntrack' '1' in the right zone in /etc/config/firewall. For further information see http://security.maruhn.com/iptables-tutorial/x4772.html .

If you made a mistake you can delete a rule this way.

First, issue this command to find the index of the rule:

# iptables -L -t raw --line-numbers

Now to delete, e.g. the third rule from chain OUTPUT, execute:

# iptables -t raw -D OUTPUT 3

It is possible to observe the iptables commands generated by the firewall program, this is useful to track down iptables errors during firewall restarts or to verify the outcome of certain uci rules.

In order to see the rules as they're executed, run the fw command with the FW_TRACE environment variable set to 1 (one):

# FW_TRACE=1 fw reload

To direct the output to a file for later inspection, use the command below:

# FW_TRACE=1 fw reload 2>/tmp/iptables.log

If you are using the firewall3, you can enable debug mode using the -d switch:

# fw3 -d reload 2>/tmp/iptables.log

Furthermore it is also possible to print the to-be generated ruleset using the print command in conjunction with the -4 and -6 switches:

# fw3 -4 print > /tmp/ipv4.rules
# fw3 -6 print > /tmp/ipv6.rules

Table	Chain	Type	Description
raw	`PREROUTING`	system
raw	`notrack`	internal	Internal chain for NOTRACK rules
mangle	`PREROUTING`	system
mangle	`fwmark`	internal	Internal chain for MARK rules
nat	`PREROUTING`	system
	`delegate_prerouting`	internal	Internal chain to hold toplevel prerouting rules, dispatches traffic to the corresponding `zone_name_prerouting` chains
	`prerouting_rule`	user	Container chain for custom user prerouting rules (firewall.user)
	`zone_name_prerouting`	internal	Per-zone container chains for DNAT (port forwarding) rules
	`prerouting_name_rule`	user	Per-zone container chains for custom user prerouting rules (firewall.user)
mangle	`INPUT`	system
filter	`INPUT`	system
	`delegate_input`	internal	Internal chain to hold toplevel input rules, dispatches traffic to the corresponding `zone_name_input` chains
	`input_rule`	user	Container chain for custom user input rules (firewall.user)
	`syn_flood`	internal	Internal chain to match and drop syn flood attempts
	`zone_name_input`	internal	Per-zone container chains for input rules
	`input_name_rule`	user	Per-zone container chains for custom user input rules (firewall.user)

Table	Chain	Type	Description
raw	`OUTPUT`	system
mangle	`OUTPUT`	system
nat	`OUTPUT`	system
filter	`OUTPUT`	system
	`delegate_output`	internal	Internal chain to hold toplevel output rules, dispatches traffic to the corresponding `zone_name_output` chains
	`output_rule`	user	Container chain for custom user output rules (firewall.user)
	`zone_name_output`	internal	Per-zone container chains for output rules
	`output_name_rule`	user	Per-zone container chains for custom user output rules (firewall.user)
mangle	`POSTROUTING`	system
nat	`POSTROUTING`	system
	`delegate_postrouting`	internal	Internal chain to hold toplevel postrouting rules, dispatches traffic to the corresponding `zone_name_postrouting` chains
	`postrouting_rule`	user	Container chain for custom user postrouting rules (firewall.user)
	`zone_name_postrouting`	internal	Per-zone container chains for postrouting rules (masq, snat)
	`postrouting_name_rule`	user	Per-zone container chains for custom user postrouting rules (firewall.user)

Table	Chain	Type	Description
raw	`PREROUTING`	system
raw	`notrack`	internal	Internal chain for NOTRACK rules
mangle	`PREROUTING`	system
mangle	`fwmark`	internal	Internal chain for MARK rules
nat	`PREROUTING`	system
	`delegate_prerouting`	internal	Internal chain to hold toplevel prerouting rules, dispatches traffic to the corresponding `zone_name_prerouting` chains
	`prerouting_rule`	user	Container chain for custom user prerouting rules (firewall.user)
	`zone_name_prerouting`	internal	Per-zone container chains for DNAT (port forwarding) rules
	`prerouting_name_rule`	user	Per-zone container chains for custom user prerouting rules (firewall.user)
mangle	`FORWARD`	system
mangle	`mssfix`	internal	Internal chain to hold for TCPMSS rules (mtu_fix)
filter	`FORWARD`	system
	`delegate_forward`	internal	Internal chain to hold toplevel forward rules, dispatches traffic to the corresponding `zone_name_forward` chains
	`forwarding_rule`	user	Container chain for custom user forward rules (firewall.user)
	`zone_name_forward`	internal	Per-zone container chains for output rules
	`forwarding_name_rule`	user	Per-zone container chains for custom user forward rules (firewall.user)
mangle	`POSTROUTING`	system
nat	`POSTROUTING`	system
	`delegate_postrouting`	internal	Internal chain to hold toplevel postrouting rules, dispatches traffic to the corresponding `zone_name_postrouting` chains
	`postrouting_rule`	user	Container chain for custom user postrouting rules (firewall.user)
	`zone_name_postrouting`	internal	Per-zone container chains for postrouting rules (masq, snat)
	`postrouting_name_rule`	user	Per-zone container chains for custom user postrouting rules (firewall.user)

¹⁾

далее для краткости будем использовать жаргонизм 'файрволл'

²⁾

interfaces

³⁾

zones

⁴⁾

forwarding

⁵⁾

chained

⁶⁾

matched

⁷⁾

принять пакет и закончить обработку по цепочке

⁸⁾

отбросить/отклонить пакет и закончить обработку по цепочке

⁹⁾

masquerading

¹⁰⁾

network-address-translation - трансляция сетевых адресов

¹¹⁾

redirect - перенаправление, “проброс” портов

¹²⁾

т.е. секция “по-умолчанию”, секция “дефолтных” настроек

Конфигурация межсетевого экрана

Введение

Требования

Секции

Значения "по-умолчанию"

Zones

Forwardings

Redirects

Rules

Includes

IP Sets

Possible Storage / Match Combinations

IPv6 notes

Примеры

Как разрешить доступ к порту

Как разрешить доступ к порту из определённой сети

Forwarding ports (Destination NAT/DNAT)

Source NAT (SNAT)

True destination port forwarding

Block access to a specific host

Block access to the Internet using MAC

Block access to the Internet for specific IP on certain times

Restricted forwarding rule

Simple output rule

Transparent proxy rule (same host)

Transparent proxy rule (external)

Simple DMZ rule

IPSec passthrough

Zone declaration for non-UCI interfaces

Zone declaration for a specific subnet and protocol

Zone declaration for a specific protocol and port

Manual iptables rules

Firewall management

Temporarily disable firewall

Hotplug hooks (8.09.2+)

Implications of DROP vs. REJECT

Note on connection tracking (NOTRACK)

How to delete a rule

Debug generated rule set

Packet flow

INPUT (destined to router)

OUTPUT (originating from router)

FORWARD (relayed through router)