I have a bog-standard configuration with wlan0+lan in my lan zone and a
separate wan zone, which is actually connected to the rest of my wired
network. I am trying to set up a simple set of firewall rules - both via
the LuCI GUI and uci - but I am getting really frustrated with it.
Here is what I am trying to do (assuming 10.1.1.2 is the wan IP address
of my OpenWrt, 10.1.2.2 is the lan zone address):
config 'rule'
    option 'src' 'wan'
    option 'src_ip' '10.1.1.2'
    option 'dest_ip' '10.1.1.127'
    option 'dest_port' '53'
    option 'proto' 'udp'
    option 'family' 'ipv4'
    option 'target' 'ACCEPT'
This, basically, enables my OpenWrt to make DNS queries. The 10.1.1.127
machine hosts my network-wide DNS server. The above rule, surprisingly
(and annoyingly), translates into the following iptables chain:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
[...]
0 0 input_rule all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 input all -- * * 0.0.0.0/0 0.0.0.0/0
[...]
Chain input (1 references)
pkts bytes target prot opt in out source destination
0 0 zone_lan all -- br-lan * 0.0.0.0/0 0.0.0.0/0
0 0 zone_wan all -- eth1 * 0.0.0.0/0 0.0.0.0/0
[...]
Chain zone_wan (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 10.1.1.2 10.100.100.10 udp dpt:53
The way this is set up, my rule above will *never* get any matches! Why
has my rule gone into the INPUT chain when it should have been placed in
the OUTPUT (or similar) chain, as the source zone (and IP address) is
clearly the machine on which OpenWrt runs? Am I missing something
obvious here?
Another mystery - I see that all of my input/output_rule chains are in
the right places, but they are empty - how do I get the rules defined in
them to be included?
Thanks in advance for any advice given!
_______________________________________________
openwrt-users mailing list
https://lists.openwrt.org/mailman/listinfo/openwrt-users
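The following is an added example, not code from the poster or from the OpenWrt project. It models the zone-to-chain mapping that OpenWrt's firewall documentation (fw3) gives for `config rule`: `src` alone means the rule applies to traffic arriving at the router from that zone (input), `dest` alone means traffic the router itself originates toward that zone (output), and both together mean forwarded traffic. That mapping is why the rule above, which sets only `src 'wan'`, was rendered into the input path. The script parses a small UCI fragment (constructed here: the poster's rule as written, plus a variant that drops `src` and sets `dest 'wan'`), reports the chain family each rule would land in, and warns when an input rule names one of the router's own addresses as `src_ip`. The router addresses 10.1.1.2 and 10.1.2.2 are taken from the post; treating the fw3-documented semantics as applying to the poster's build is an assumption.

```python
import re

# Constructed sample (not from the original post): the poster's rule as
# written (only 'src' set) and a corrected variant (only 'dest' set) meant
# to let the router itself query 10.1.1.127:53 over the wan zone.
SAMPLE_CONFIG = """
config rule
    option name 'poster_rule'
    option src 'wan'
    option src_ip '10.1.1.2'
    option dest_ip '10.1.1.127'
    option dest_port '53'
    option proto 'udp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'router_dns_out'
    option dest 'wan'
    option dest_ip '10.1.1.127'
    option dest_port '53'
    option proto 'udp'
    option family 'ipv4'
    option target 'ACCEPT'
"""

# Assumed from the post: the router's own wan and lan addresses.
ROUTER_ADDRS = {"10.1.1.2", "10.1.2.2"}

# One UCI word: single-quoted, double-quoted, or bare. Adjacent quoted
# words with no space between them (as in the poster's paste) still split.
_TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")


def _tokens(line):
    """Split a UCI line into words, honouring single and double quotes."""
    return [a or b or c for a, b, c in _TOKEN.findall(line)]


def parse_uci(text):
    """Return the 'config rule' sections of a UCI fragment as dicts."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = _tokens(line)
        if tok[0] == "config" and len(tok) >= 2:
            current = {".type": tok[1]}
            if len(tok) >= 3:
                current[".name"] = tok[2]
            sections.append(current)
        elif current is None or len(tok) < 3:
            continue
        elif tok[0] == "option":
            current[tok[1]] = tok[2]
        elif tok[0] == "list":
            current.setdefault(tok[1], []).append(tok[2])
    return [s for s in sections if s[".type"] == "rule"]


def chain_for(rule):
    """Chain family per the fw3-documented meaning of src/dest (assumption)."""
    src, dest = rule.get("src"), rule.get("dest")
    if src and dest:
        return "forward"   # traffic routed from zone src to zone dest
    if src:
        return "input"     # traffic from zone src addressed to the router
    if dest:
        return "output"    # traffic the router originates toward zone dest
    return "unspecified"


def lint_rule(rule):
    """Warn about rules that cannot match the traffic the author meant."""
    warnings = []
    chain = chain_for(rule)
    if chain == "input" and rule.get("src_ip") in ROUTER_ADDRS:
        warnings.append(
            "src_ip %s is the router's own address, but with only 'src' set "
            "this is an input rule for traffic arriving from zone '%s'; for "
            "router-originated traffic omit 'src' and set 'dest' instead"
            % (rule["src_ip"], rule["src"]))
    if chain == "unspecified":
        warnings.append("neither 'src' nor 'dest' is set; set one so the "
                        "chain is unambiguous")
    return warnings


def analyze(text):
    """Return [{name, chain, warnings}] for every rule in the fragment."""
    return [{"name": r.get("name", r.get(".name", "?")),
             "chain": chain_for(r),
             "warnings": lint_rule(r)} for r in parse_uci(text)]


if __name__ == "__main__":
    for entry in analyze(SAMPLE_CONFIG):
        print("%-16s -> %s" % (entry["name"], entry["chain"]))
        for w in entry["warnings"]:
            print("    warning: " + w)
```

Run it and the first rule is reported as input with a warning, the second as output with none. The empty `input_rule`/`output_rule`/`forwarding_rule` chains in the listing are not populated from `config rule` at all; they are the hook points into which the firewall loads hand-written iptables commands (historically from /etc/firewall.user), which is where a rule that the UCI syntax cannot express would go.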