firewall4 question

e9hack e9hack at gmail.com
Sat Nov 26 04:52:22 PST 2022


Hi,

I could solve the issue on my own. The "option dest lan" is missing in the blocking rule and the destination port must be 8443.

Regards,
Hartmut

On 26.11.2022 at 11:47, e9hack wrote:
> Hi,
> 
> I do redirect https traffic from wan to a specific ip address in lan with a different port:
> 
> config redirect
>      option enabled '1'
>      option name 'wan: Redirect HTTPS for xxxx.net:443 to my-box.yyyy.lan:8443'
>      option target 'DNAT'
>      option src 'wan'
>      option dest 'lan'
>      option proto 'tcp'
>      option family 'ipv4'
>      option src_dport '443'
>      option dest_ip '192.168.101.92'
>      option dest_port '8443'
>      option reflection '1'
> 
> I would like to block some ip ranges and following the example from the firewall documentation.
> 
> config ipset
>      option enabled '1'
>      option name 'dropcidr'
>      option match 'src_net'
>      option loadfile '/var/dropcidr.txt'
> 
> config rule
>      option enabled '1'
>      option src 'wan'
>      option proto 'tcp'
>      option ipset 'dropcidr'
>      option dest_port '443'
>      option target 'DROP'
>      option name 'DROP-HTTPS-WAN-LAN'
> 
> It doesn't block redirected traffic from wan at 443 to the internal lan at 8443. I did try it with port 8443 in the blocking rule too, but it doesn't block anything. How must I define such a blocking rule?
> 
> With firewall3 (iptables), I did add the following to firewall.user:
> 
> ipset restore -file /tmp/https_blacklist.conf
> 
> iptables -n --list https_scan >/dev/null 2>&1
> [ $? -eq 0 ] && iptables -X https_scan
> iptables -N https_scan
> 
> iptables -A https_scan -m recent --name HTTPS_BLOCK --rsource --update --seconds 1800 --reap -j DROP
> iptables -A https_scan -m recent --name HTTPS_BLOCK --rsource --set -j LOG --log-level info --log-prefix "HTTPS blocked: "
> iptables -A https_scan -j DROP
> 
> iptables -A forwarding_wan_rule -p tcp --dport 8443 -m conntrack --ctstate DNAT -m set --match-set HTTPS_BLACKLIST src -j https_scan
> 
> 
> How can I define a similar rule set for firewall4 (nftables)?
> 
> Regards,
> Hartmut
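The fw4 blocking rule with the two changes Hartmut describes in his reply (option dest 'lan' and dest_port 8443), written out as an added example for this page, not taken from the thread. In fw4 the redirect is applied in the prerouting (dstnat) stage, so a 'config rule' with src wan / dest lan is evaluated in the forward stage against the already translated destination; the dest_ip line is an optional narrowing taken from the redirect target above, not part of the stated fix:

```uci
# Added example: corrected fw4 rule matching the post-DNAT destination.
# The ipset definition is unchanged from the original post.
config ipset
	option enabled '1'
	option name 'dropcidr'
	option match 'src_net'
	option loadfile '/var/dropcidr.txt'

config rule
	option enabled '1'
	option name 'DROP-HTTPS-WAN-LAN'
	option src 'wan'
	# 'dest' was missing in the original rule; without it the rule is an
	# input rule on the router itself and never sees forwarded traffic.
	option dest 'lan'
	option proto 'tcp'
	# the redirect is IPv4-only, so restrict the rule the same way
	option family 'ipv4'
	option ipset 'dropcidr'
	# optional: limit the drop to the redirect target (assumed from the
	# redirect above, not part of the fix stated in the reply)
	option dest_ip '192.168.101.92'
	# the forward stage sees the translated port, so match 8443, not 443
	option dest_port '8443'
	option target 'DROP'
```

Reload with `/etc/init.d/firewall reload` and check that the rule landed in the forward chain with `nft list ruleset | grep -A3 DROP-HTTPS-WAN-LAN`.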

More information about the openwrt-devel mailing list