
I have an OpenWrt router in default config plus these changes:

Lan Network   - 192.168.1.0/24
Admin Network - 193.168.2.0/24
Wan Network   - 192.168.0.0/24

Iptables

    Default Forward Deny

    Admin+Lan
        Forward Deny
        In/Out Allow

    Lan to Wan Forward Allow

    Wan
        Input Deny
        Output Allow
        Masquerading

Dropbear

    Listen only on admin interface

EDIT: The switch is actually split into 3 segments with untagged VLANs: Wan, Lan, Admin. So the different interfaces are not all on the same Layer 2 device.

When I connect my laptop to the lan interface I can't reach devices in the admin zone, as expected. But if it is an IP of the router itself, I can reach it in every subnet. So I can connect to services on all of the router IPs: 192.168.0.2, 192.167.1.1, 192.168.2.1.

If I do ssh [email protected] --> connection refused

If I do ssh [email protected] --> I get a working ssh connection.

I don't want the ssh service accessible from Lan, or, for that matter, any network service on another subnet than intended. What do I miss to make that zone distinction work even on the router's own IPs?

I used an iptables rule to block everything from lan going to 192.168.2.1. This works, but I want a setting that prevents this for all future networks.

  • TPLink wdr4300 (ar71xx)
    – Bitshitch
    Commented Apr 13, 2017 at 13:29
  • If it's an option for you, specify the interface that is allowed, e.g. iptables -I INPUT -p tcp --dport 22 -j DROP; iptables -I INPUT -i ADMINIF -p tcp --dport 22 -j ACCEPT (order is important: with the -I line, rules are added to the top, so you need to ensure the drop comes before the accept).
    – davidgo
    Commented Apr 15, 2017 at 7:07

1 Answer


I think you should try this; just edit the /etc/config/firewall file.
Before

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

After

config zone
    option name 'lan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'lan'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'lan DNS'
    option src 'lan'

config rule
    option enabled '1'
    option target 'ACCEPT'
    option name 'lan DHCP'
    option src 'lan'
    option proto 'udp'
    option dest_port '67-68'

This will help you reject ssh to your router through lan.

  • If you find this helpful, then tick it as the right answer so anyone can refer to it. Commented Apr 18, 2017 at 4:40
  • 1
    No, you just have to change the input and forward options to REJECT in the config zone for lan. Commented Apr 25, 2017 at 5:51
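As an added example (not code from the question, the answer, or OpenWrt itself), a small POSIX shell audit that reads a UCI firewall file and lists every zone whose input policy is not REJECT or DROP, which is the condition that let the lan zone reach dropbear on the router's admin IP above; the sample config is constructed here, modelled on the question's three zones.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread): list the zones whose
# input policy lets traffic reach services bound to the router's own IPs.

# Constructed sample /etc/config/firewall, modelled on the question's setup.
SAMPLE_FW="$(mktemp)"
trap 'rm -f "$SAMPLE_FW"' EXIT
cat > "$SAMPLE_FW" <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'REJECT'
    option network 'lan'

config zone
    option name 'admin'
    option input 'ACCEPT'
    option forward 'REJECT'
    option network 'admin'

config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option network 'wan'

config zone
    option name 'guest'
    option network 'guest'
EOF

# Print one zone name per line for every zone whose 'option input' is not
# REJECT or DROP. A zone with no input line is listed too: its policy then
# depends on the firewall defaults and deserves a manual check.
permissive_zones() {
    awk -v q="'" '
        function flush() {
            if (section == "zone" && name != "" && input != "REJECT" && input != "DROP")
                print name
        }
        $1 == "config" { flush(); section = $2; name = ""; input = "" }
        section == "zone" && $1 == "option" && $2 == "name"  { gsub(q, "", $3); name = $3 }
        section == "zone" && $1 == "option" && $2 == "input" { gsub(q, "", $3); input = $3 }
        END { flush() }
    ' "$1"
}

permissive_zones "$SAMPLE_FW"
```

Run it against the real /etc/config/firewall on the router; after applying the answer's change, lan should no longer appear in the output.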
