Re: firewall4 question

2022-11-26 Thread e9hack

Hi,

I could solve the issue on my own. The "option dest lan" is missing in the 
blocking rule and the destination port must be 8443.

Regards,
Hartmut

On 26.11.2022 at 11:47, e9hack wrote:

Hi,

I do redirect https traffic from wan to a specific ip address in lan with a 
different port:

config redirect
 option enabled '1'
 option name 'wan: Redirect HTTPS for .net:443 to my-box..lan:8443'
 option target 'DNAT'
 option src 'wan'
 option dest 'lan'
 option proto 'tcp'
 option family 'ipv4'
 option src_dport '443'
 option dest_ip '192.168.101.92'
 option dest_port '8443'
 option reflection '1'

I would like to block some IP ranges and am following the example from the 
firewall documentation.

config ipset
 option enabled '1'
 option name 'dropcidr'
 option match 'src_net'
 option loadfile '/var/dropcidr.txt'

config rule
 option enabled '1'
 option src 'wan'
 option proto 'tcp'
 option ipset 'dropcidr'
 option dest_port '443'
 option target 'DROP'
 option name 'DROP-HTTPS-WAN-LAN'

It doesn't block redirected traffic from wan at 443 to the internal lan at 
8443. I did try it with port 8443 in the blocking rule too, but it doesn't 
block anything. How must I define such a blocking rule?

With firewall3 (iptables), I did add the following to firewall.user:

# load the HTTPS_BLACKLIST set from the saved ipset dump
ipset restore -file /tmp/https_blacklist.conf

# recreate the https_scan chain from scratch (flush before -X, or the delete
# fails on a non-empty chain)
iptables -n --list https_scan >/dev/null 2>&1 && {
    iptables -F https_scan
    iptables -X https_scan
}
iptables -N https_scan

# drop repeat offenders seen within the last 30 minutes, log and drop first hits
iptables -A https_scan -m recent --name HTTPS_BLOCK --rsource --update \
    --seconds 1800 --reap -j DROP
iptables -A https_scan -m recent --name HTTPS_BLOCK --rsource --set \
    -j LOG --log-level info --log-prefix "HTTPS blocked: "
iptables -A https_scan -j DROP

# forwarded, already-DNATed traffic to 8443 from blacklisted sources goes to the chain
iptables -A forwarding_wan_rule -p tcp --dport 8443 -m conntrack --ctstate DNAT \
    -m set --match-set HTTPS_BLACKLIST src -j https_scan


How can I define a similar rule set for firewall4 (nftables)?

Regards,
Hartmut



___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: firewall4 question

2022-11-26 Thread Jo-Philipp Wich
Hi,

try adding `option dest lan` to your block rule. Without any destination, it
is treated as input rule, not a forwarding one.

~ Jo



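The two mistakes discussed in this thread (a blocking rule with `src` but no `dest`, which fw4 installs as an input rule, and a forward rule that matches the pre-DNAT port 443 instead of the translated port 8443) are easy to catch mechanically. The following is an added example, not OpenWrt or firewall4 code: a small UCI reader plus a linter that cross-checks `rule` sections against `redirect` sections. The sample config is constructed from the one quoted above, the parser handles only the `config`/`option`/`list` lines a firewall config uses, and the rule semantics it checks are the ones stated in the thread (no `dest` means input rule; forwarded traffic carries the redirect's `dest_port`).

```python
"""Lint an OpenWrt firewall4 UCI config for blocking rules that can never
match forwarded DNAT traffic.  Added example; assumptions: minimal UCI syntax,
rule/redirect semantics as described in the mailing-list thread."""
import re

# Constructed sample mirroring the thread: the DNAT redirect plus the blocking
# rule as originally posted (no `dest`, dest_port still 443).
SAMPLE_CONFIG = """
config redirect
    option enabled '1'
    option name 'wan: Redirect HTTPS 443 to 8443'
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '443'
    option dest_ip '192.168.101.92'
    option dest_port '8443'

config ipset
    option name 'dropcidr'
    option match 'src_net'
    option loadfile '/var/dropcidr.txt'

config rule
    option enabled '1'
    option src 'wan'
    option proto 'tcp'
    option ipset 'dropcidr'
    option dest_port '443'
    option target 'DROP'
    option name 'DROP-HTTPS-WAN-LAN'
"""

# The same config with the two fixes from the thread applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "    option dest_port '443'\n    option target 'DROP'",
    "    option dest 'lan'\n    option dest_port '8443'\n    option target 'DROP'")

_SECTION = re.compile(r"config\s+(\S+)(?:\s+'?([\w-]*)'?)?\s*$")
_OPTION = re.compile(r"(option|list)\s+(\S+)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))\s*$")


def parse_uci(text):
    """Tiny UCI reader: returns a list of (section_type, options) tuples.
    `list` entries accumulate into Python lists; enough for firewall config."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _SECTION.match(line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = _OPTION.match(line)
        if m and sections:
            kind, key, sq, dq, bare = m.groups()
            value = sq if sq is not None else dq if dq is not None else bare
            opts = sections[-1][1]
            if kind == 'list':
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
    return sections


def lint_firewall(sections):
    """Flag DROP/REJECT rules that cannot match forwarded DNAT traffic."""
    findings = []
    redirects = [o for t, o in sections
                 if t == 'redirect' and o.get('enabled', '1') != '0'
                 and o.get('target', 'DNAT').upper() == 'DNAT']
    for t, o in sections:
        if t != 'rule' or o.get('enabled', '1') == '0':
            continue
        if o.get('target', '').upper() not in ('DROP', 'REJECT'):
            continue
        name = o.get('name', '<unnamed rule>')
        # Finding 1: src without dest -> fw4 treats the rule as an input rule.
        if 'src' in o and 'dest' not in o:
            findings.append(f"{name}: has 'src' but no 'dest'; fw4 installs it as an "
                            f"input rule, so forwarded (DNAT) traffic never reaches it")
        # Finding 2: the rule matches the pre-DNAT port of a redirect from the
        # same zone, but the forward path sees the translated port.
        port = o.get('dest_port')
        for r in redirects:
            if port is None or r.get('src') != o.get('src'):
                continue
            if port == r.get('src_dport') and r.get('dest_port') not in (None, port):
                findings.append(f"{name}: dest_port {port} is the pre-DNAT port; after "
                                f"redirect '{r.get('name', '<unnamed>')}' the forwarded "
                                f"traffic carries dest_port {r['dest_port']}")
    return findings


def lint_text(text):
    """Convenience wrapper: parse a UCI firewall config string and lint it."""
    return lint_firewall(parse_uci(text))


if __name__ == '__main__':
    for label, cfg in (('original', SAMPLE_CONFIG), ('fixed', FIXED_CONFIG)):
        print(f"== {label}")
        for finding in lint_text(cfg) or ['no findings']:
            print(' -', finding)
```

Running it reports both problems for the rule as posted and nothing for the corrected one. The check is deliberately narrow: it only compares a rule against redirects from the same `src` zone, because that is the case where the forward chain sees the rewritten destination port.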