0 votes
346 views 3 comments
by

We have several RUT240 installed in the field with an OpenVPN connection. We only want to allow traffic from the LAN to the OpenVPN and not to the WAN (to minimize data traffic usage on the mobile network).

In the WebUI we have set all default forwarding actions to reject (general settings and zone forwarding).
But in the firewall there is a rule (in priority before any zone rules) that allows any traffic?

Is there a way to remove this rule? Because we cannot block traffic from LAN to WAN.
Or is this a bug?

Thanks in advance!

Regards,
Robert

root@Teltonika-RUT240:~# iptables -vnL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination       
   79 23836 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
   75 23628 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
    4   208 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: forwarding * -> * */
    0     0 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_vpn_forward  all  --  tun_+  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_l2tp_forward  all  --  l2tp+  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_l2tp_forward  all  --  xl2tp+ *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_pptp_forward  all  --  pptp+  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_gre_forward  all  --  gre+   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_forward  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_forward  all  --  tun1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_forward  all  --  tun2   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_forward  all  --  tun3   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_sstp_forward  all  --  sstp-+ *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

by

As a workaround I have configured the following:

In the WebGUI: Network -> Firewall -> Custom Rules

/usr/sbin/iptables -I FORWARD -i br-lan -o wwan0 -j DROP

This adds an extra firewall rule in the first position, dropping any traffic from LAN to WAN before it hits the ACCEPT ALL rule.

root@Teltonika-RUT240:~# iptables -vnL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   858 DROP       all  --  br-lan wwan0   0.0.0.0/0            0.0.0.0/0           
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: forwarding * -> * */
    0     0 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_vpn_forward  all  --  tun_+  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_l2tp_forward  all  --  l2tp+  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_l2tp_forward  all  --  xl2tp+ *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_pptp_forward  all  --  pptp+  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_gre_forward  all  --  gre+   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_forward  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_forward  all  --  tun1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_forward  all  --  tun2   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_forward  all  --  tun3   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_sstp_forward  all  --  sstp-+ *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

2 Answers

0 votes
by
Make a traffic rule to allow the traffic to the OpenVPN networks.

Set a drop rule from source LAN (IP address range) to WAN.

If you need more, I can send you a screenshot of the complete rule.

bg
by

Adding a custom rule to block traffic is not helping, because the incorrect 'ALLOW ALL' rule is placed in front of the whole firewall chain.
The block traffic rule is added to the zone_lan_forward chain.

I have this config in the GUI:

1) General forward is "Reject"
2) Default forwarding for the source zone LAN is "reject", except the vpn zone.

https://prnt.sc/vube6k

Those 2 settings together should block any traffic from LAN to WAN.

But still, there is an ACCEPT ANY rule high up in the FORWARD chain, so any firewall settings configured will never be reached.

0 votes
by

Hello, 

Regarding your issue, here is an example if you want to block LAN from accessing WAN and allow LAN to have access only to OpenVPN.

-----------------------------------------------------------------------
Via CLI
-----------------------------------------------------------------------
# @rule[-1] refers to the section that was just added, so the commands work
# regardless of how many rules already exist (a fixed index such as 27/28
# only works if the device happens to have exactly that many rules).
uci add firewall rule
uci set firewall.@rule[-1].name='Block Traffic'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='tcp udp'   # only TCP and UDP are matched by this rule
uci set firewall.@rule[-1].target='DROP'
uci set firewall.@rule[-1].enabled='1'

uci add firewall rule
uci set firewall.@rule[-1].name='OpenVPN Traffic'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='vpn'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].enabled='1'

uci commit firewall
/etc/init.d/firewall restart

-----------------------------------------------------------------------

If you want to configure it on the Web UI you can do it like this:

https://prnt.sc/vb1v7q -> Block Traffic
https://prnt.sc/vb1vg3 -> OpenVPN Traffic 


Hope it helps.

Regards,
Jerome
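The thread turns on two questions: where in the FORWARD chain the "forwarding * -> *" ACCEPT sits (the question's listing and the workaround comment above), and how the UCI config that fw3 builds it from should look (Jerome's uci answer). The script below is an added audit example, not code from the thread or from Teltonika. It reads `iptables -vnL FORWARD` output and reports the position of an ACCEPT rule that matches any in/out interface, has no ctstate qualifier and sits before the zone_*_forward dispatch rules; and it reads `uci show firewall` output and lists `forwarding` sections whose src or dest is '*'. The assumption (not confirmed by the thread) is that such a wildcard forwarding section is what makes fw3 emit the "forwarding * -> *" rule. The samples are constructed from the listing in the question.

```shell
#!/bin/sh
# Added audit example (not from the thread or Teltonika). Both functions read
# stdin, so they run against the constructed samples below or against the live
# output on a router.

# Print the 1-based position of the first ACCEPT rule in FORWARD that matches
# any in/out interface, carries no ctstate match and precedes the zone dispatch.
# Prints nothing when no such rule exists.
find_wildcard_accept() {
    awk '
        NR <= 2 { next }                      # "Chain FORWARD ..." and the column header
        /^[ \t]*$/ { next }
        { pos++ }                             # rule position as iptables -D/-R would count it
        $3 ~ /^zone_.*_forward$/ { exit }     # zone dispatch reached: later rules are zone policy
        $3 == "ACCEPT" && $6 == "*" && $7 == "*" && $0 !~ /ctstate/ { print pos; exit }
    '
}

# Print the UCI section names of "forwarding" entries whose src or dest is "*".
# Assumption: these are the sections fw3 renders as "forwarding * -> *".
find_wildcard_forwardings() {
    awk -v q="'" '
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)       # e.g. firewall.@forwarding[1].src
            val = substr($0, eq + 1)
            gsub(q, "", val)                  # strip the quotes uci show prints
            n = split(key, k, ".")
            if (n == 2 && val == "forwarding") type[k[2]] = 1
            else if (n == 3 && (k[3] == "src" || k[3] == "dest") && val == "*") wild[k[2]] = 1
        }
        END { for (s in type) if (s in wild) print s }
    ' | sort
}

# Constructed sample: the FORWARD chain from the question, abridged.
SAMPLE_FORWARD=$(cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   79 23836 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
   75 23628 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
    4   208 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: forwarding * -> * */
    0     0 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
EOF
)

# Constructed sample of `uci show firewall` with one sane and one wildcard forwarding.
SAMPLE_UCI=$(cat <<'EOF'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='vpn'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='*'
firewall.@forwarding[1].dest='*'
firewall.@rule[0]=rule
firewall.@rule[0].name='Block Traffic'
firewall.@rule[0].src='lan'
firewall.@rule[0].dest='wan'
firewall.@rule[0].target='DROP'
EOF
)

# Demonstration on the samples. On a router, pipe the live output instead:
#   iptables -vnL FORWARD | find_wildcard_accept
#   uci show firewall     | find_wildcard_forwardings
echo "wildcard ACCEPT at FORWARD position: $(printf '%s\n' "$SAMPLE_FORWARD" | find_wildcard_accept)"
echo "wildcard forwarding sections: $(printf '%s\n' "$SAMPLE_UCI" | find_wildcard_forwardings)"
```

On the sample the first function reports position 4, which is the "forwarding * -> *" rule, and the second reports `@forwarding[1]`; a section found this way can be reviewed and, if it is not wanted, removed with `uci delete firewall.@forwarding[1]`, `uci commit firewall` and `/etc/init.d/firewall restart`, so that the zone forwarding settings from the WebUI are reached. Note that the `-I FORWARD -i br-lan -o wwan0 -j DROP` workaround only covers wwan0, while the listing shows zone_wan_forward attached to both eth1 and wwan0, so a check such as this one is worth rerunning after any firewall change.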
