Firewall question

e9hack e9hack at gmail.com
Wed Feb 9 09:38:08 PST 2022


Hi,

I've configured a lan and a guest network on my router. A Linux server running apache2 is
connected to the lan network. The apache2 provides Nextcloud, gitweb and a few other
things. Nextcloud and gitweb are reachable from the wan network. I forward port 443 from
the wan to port 8443 on the IP of the Linux server. I'm using port 8443 for external access and
port 443 for internal access, for a clear differentiation between external and internal
access. Apache2 on port 8443 always uses authentication; most things on port 443 do not.

The apache2 is reachable from the wan and lan networks via the wan IP. This means NAT
loopback is working. To reach the apache2 from the guest network via the wan IP, I add an
additional DNAT rule via a hotplug script on ifup and delete the rule on ifdown. The apache2
is reachable from the guest network via the wan IP too.

If I check the apache2 logs, from the lan network I see only the gateway or router IP and
no client IPs. From the guest network, I see every individual client IP.

Is there a way to see the individual client IPs from the lan network too? Or is this only
possible if I configure a third network for the Linux server?

Is it possible to do what the hotplug script does with a standard firewall rule in
'/etc/config/firewall'?

Firewall is fw3.

Regards,
Hartmut


/etc/config/network:
config interface 'lan'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.199.1'
	option netmask '255.255.255.0'
	...

config interface 'wan'
	option proto 'pppoe'
	option device 'br-wan.7'
	...

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '10.1.0.1'
	...

/etc/config/firewall:
config zone
	option name 'lan'
	list network 'lan'
	...

config zone
	option name 'wan'
	list network 'wan'
	...

config zone
	option name 'guest'
	list network 'guest'
	...

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config redirect
	option name 'Redirect wan HTTPS from port 443 to 192.168.199.80 on port 8443'
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option family 'ipv4'
	option src_dport '443'
	option dest_ip '192.168.199.80'
	option dest_port '8443'

/etc/hotplug.d/iface/24-firewall:
. /lib/functions/network.sh	# provides network_get_ipaddr
COMMENT="guest: Redirect wan HTTPS from port 443 to 192.168.199.80 on port 8443"
[ "$INTERFACE" = "wan" ] && {
	[ "$ACTION" = "ifup" ] && {
		network_get_ipaddr "IP" "$INTERFACE"
		iptables -t nat -A prerouting_guest_rule -p tcp -s 10.1.0.0/16 -d ${IP} \
			-m tcp --dport 443 -m comment --comment "${COMMENT}" -j DNAT \
			--to-destination 192.168.199.80:8443
	}
	[ "$ACTION" = "ifdown" ] && {
		RULES=$( iptables -t nat --line-number -nL prerouting_guest_rule | \
			grep "${COMMENT}" | awk '{print $1}' | tac)
		for rule in $RULES; do
			iptables -t nat -D prerouting_guest_rule $rule
			sleep 1
		done
	}
}
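Editor's note on the two questions above, with an added example that is not part of Hartmut's post. The difference in the apache2 logs is a property of fw3's NAT reflection (NAT loopback): when a lan client reaches a lan server through the wan address, fw3 adds an SNAT alongside the DNAT so that the server's reply goes back through the router instead of straight to the client on the same subnet, where the client would drop it as unrelated; the server therefore logs the router address. The guest subnet is routed through the router anyway, so the hotplug rule needs no SNAT and the client addresses survive. The script below isolates the ifdown logic of the hotplug script so it can be checked offline: the rule lookup is a function over listing text on stdin, the chain name, comment and server address are the ones from the post, and the listing and the wan addresses 203.0.113.5 and 203.0.113.9 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the DNAT rule the ifup
# branch adds and works out which rules the ifdown branch must delete, using
# a constructed iptables listing instead of the live firewall.

COMMENT="guest: Redirect wan HTTPS from port 443 to 192.168.199.80 on port 8443"
CHAIN="prerouting_guest_rule"

# Arguments for the DNAT rule the ifup branch adds.
#   $1 = current wan address, $2 = guest subnet, $3 = server ip:port
dnat_rule_args() {
    printf '%s' "-t nat -A $CHAIN -p tcp -s $2 -d $1 -m tcp --dport 443 -m comment --comment \"$COMMENT\" -j DNAT --to-destination $3"
}

# Read 'iptables -t nat --line-numbers -nL $CHAIN' output on stdin and print
# the numbers of the rules tagged with $COMMENT, highest first, on one line.
# Highest first matters: 'iptables -D chain N' renumbers every rule after N,
# so deleting in ascending order would hit the wrong rule or miss one.
rule_numbers_to_delete() {
    grep -F "/* $COMMENT */" | awk '$1 ~ /^[0-9]+$/ { print $1 }' \
        | sort -rn | tr '\n' ' ' | sed 's/ $//'
}

# Turn those numbers into the delete commands, one per line, without
# executing anything (the real hotplug script runs them).
delete_commands() {
    for n in $(rule_numbers_to_delete); do
        printf 'iptables -t nat -D %s %s\n' "$CHAIN" "$n"
    done
}

# Constructed listing: a PPPoE reconnect without a clean ifdown has left a
# rule for the old wan address (rule 1) next to the current one (rule 3).
# Both must go, or traffic to the stale address keeps being redirected.
SAMPLE_LISTING="Chain $CHAIN (1 references)
num  target     prot opt source               destination
1    DNAT       tcp  --  10.1.0.0/16          203.0.113.5          tcp dpt:443 /* $COMMENT */ to:192.168.199.80:8443
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    DNAT       tcp  --  10.1.0.0/16          203.0.113.9          tcp dpt:443 /* $COMMENT */ to:192.168.199.80:8443"

# Run with --demo to print the add rule and the delete commands.
if [ "${1:-}" = "--demo" ]; then
    dnat_rule_args 203.0.113.9 10.1.0.0/16 192.168.199.80:8443; echo
    printf '%s\n' "$SAMPLE_LISTING" | delete_commands
fi
```

Run as `sh script.sh --demo`: the add rule is printed once, and the delete commands come out as rule 3 first, then rule 1, which is exactly what the `tac` in the hotplug script achieves. Matching on the comment rather than on the wan address is what makes the cleanup robust when the PPPoE address has changed between ifup and ifdown.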
