firewall4 question

e9hack e9hack at gmail.com
Sat Nov 26 02:47:54 PST 2022


Hi,

I do redirect https traffic from wan to a specific ip address in lan with a different port:

config redirect
	option enabled '1'
	option name 'wan: Redirect HTTPS for xxxx.net:443 to my-box.yyyy.lan:8443'
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option family 'ipv4'
	option src_dport '443'
	option dest_ip '192.168.101.92'
	option dest_port '8443'
	option reflection '1'

I would like to block some ip ranges and following the example from the firewall documentation.

config ipset
	option enabled '1'
	option name 'dropcidr'
	option match 'src_net'
	option loadfile '/var/dropcidr.txt'

config rule
	option enabled '1'
	option src 'wan'
	option proto 'tcp'
	option ipset 'dropcidr'
	option dest_port '443'
	option target 'DROP'
	option name 'DROP-HTTPS-WAN-LAN'

It doesn't block redirected traffic from wan at 443 to the internal lan at 8443. I did try it with port 8443 in the blocking rule too, but it doesn't block anything. How must I define such a blocking rule?

With firewall3 (iptables), I did add the the following to firewall.user:

ipset restore -file /tmp/https_blacklist.conf

iptables -n --list https_scan >/dev/null 2>&1
[ $? -eq 0 ] && iptables -X https_scan
iptables -N https_scan

iptables -A https_scan -m recent --name HTTPS_BLOCK --rsource --update --seconds 1800 --reap -j DROP
iptables -A https_scan -m recent --name HTTPS_BLOCK --rsource --set -j LOG --log-level info --log-prefix "HTTPS blocked: "
iptables -A https_scan -j DROP

iptables -A forwarding_wan_rule -p tcp --dport 8443 -m conntrack --ctstate DNAT -m set --match-set HTTPS_BLACKLIST src -j https_scan


How can I define a similar rule set for firewall4 (nftables)?

Regards,
Hartmut



More information about the openwrt-devel mailing list