
OpenWRT+VLAN разграничить доступ.



Роутер с OpenWRT. Сеть такая: есть 2 провайдера, настроена балансировка между ними. Настроены vlan1 и vlan4 для разных сетей. IP первой сети — 192.168.123.0/24, второй — 192.168.4.0/24.

Никак не могу настроить firewall так, чтобы сети не видели друг друга. Подозреваю, что где-то раньше стоит разрешающее правило на всё.

Вот кусок /etc/config/firewall (без редиректов портов)

# /etc/config/firewall (excerpt; the author left out the port-forward redirects).
# The '#' lines are review notes; the uci parser ignores them.

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# NOTE(review): the next two rules only matter if the 'lan' zone had input REJECT;
# with 'option input ACCEPT' on the lan zone (further down) they are no-ops.
config rule
        option name 'Allow-WEB-router'
        option src 'lan'
        option proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-SSH-router'
        option src 'lan'
        option proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'
        option family 'ipv4'

# NOTE(review): a rule's 'src' names a single zone; 'lan vlan4' is probably not
# loaded as written — the iptables-save below has no dport-53 rule in any
# zone_*_input chain. Both zones have input ACCEPT, so DNS works anyway; if zone
# input is tightened later, split this into one rule per zone.
config rule
        option name 'Allow-DNS'
        option src 'lan vlan4'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'
        option family 'ipv4'

# NOTE(review): no 'proto' given — in the dump below this rule appears in
# zone_mainc_forward for tcp and for udp only, so ICMP echo from vlan4 to lan is
# never matched by it; add `option proto 'all'` to cover everything.
# (Once both zones use forward REJECT this rule is redundant: vlan4 -> lan is
# then denied by default.)
config rule
        option name 'Deny-private'
        option src 'vlan4'
        option dest 'lan'
        option target 'DROP'

# Global defaults. The forward REJECT here is only reached for traffic that no
# zone chain accepted; each zone's own 'forward' option decides first for traffic
# entering that zone (see the zone_*_forward chains in the dump).
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# NOTE(review): this is what defeats the isolation. 'forward ACCEPT' on a zone
# ends up as an unconditional "-i br-lan -j ACCEPT" at the tail of
# zone_lan_forward (zone_lan_src_ACCEPT in the dump), so traffic from lan is
# forwarded to every other zone — vlan4 included — before the reject rule or any
# later FORWARD rule is reached. Set `option forward 'REJECT'` here and in the
# vlan4 zone. The 'config forwarding' stanzas at the end keep lan/vlan4 ->
# wan/wan2 working, and DNAT'd port forwards are still let through by the
# "--ctstate DNAT" accept rule in each zone chain.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'ACCEPT'

# Uplink zone: nothing inbound except what rules/redirects allow, NAT with MSS
# clamping. Standard.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option network 'wan'


# NOTE(review): rules in /etc/firewall.user written as 'iptables -A FORWARD ...'
# land after the "-A FORWARD -j delegate_forward" jump (see the *filter table
# in the dump) and are never evaluated, because delegate_forward does not return.
# Put custom forward rules into the forwarding_rule chain instead.
config include
	option path '/etc/firewall.user'

# NOTE(review): same problem as 'lan' — set forward REJECT. Separately, input
# ACCEPT lets vlan4 hosts reach every service the router listens on (ssh, web
# UI, ...); if vlan4 is the less-trusted network, consider input REJECT plus
# explicit DHCP/DNS rules. The dump below calls this zone 'mainc' (br-mainc), so
# config and dump seem to come from different moments — confirm the current name.
config zone
	option name 'vlan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option family 'ipv4'
	option network 'vlan4'
	option forward 'ACCEPT'

config zone
	option name 'wan2'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'wan2'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Explicit inter-zone allowances: lan and vlan4 may each use both uplinks.
# There is (correctly) no lan <-> vlan4 forwarding entry; that absence only
# takes effect once both zones use forward REJECT.
config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'wan2'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'vlan4'

config forwarding
	option dest 'wan2'
	option src 'vlan4'


Вот сеть — два бриджа: один для lan, другой для vlan4:

# /etc/config/network (excerpt). Two bridged LAN-side interfaces, lan (eth0.1)
# and vlan4 (eth0.4), and two static uplinks with metrics 10 and 20.

# 192.168.123.0/24. ip6assign is only meaningful with the IPv6 packages
# installed; the author later reports removing them (see the follow-up).
config interface 'lan'
	option ifname 'eth0.1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.123.1'

# First uplink (switch VLAN 2). The _orig_* options are LuCI bookkeeping and
# have no effect on the firewall question.
config interface 'wan'
	option ifname 'eth0.2'
	option _orig_ifname 'eth0.2'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '80.80.80.2'
	option netmask '255.255.255.0'
	option gateway '80.80.80.1'
	option metric '10'

# Switch VLANs 3 and 4: one untagged front port each (1 and 2) plus the tagged
# CPU port (8t). The VLAN 1 (lan) and VLAN 2 (wan) entries are not in this excerpt.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '1 8t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '2 8t'

# Second uplink (switch VLAN 3), lower priority than wan (metric 20 vs 10).
config interface 'wan2'
	option proto 'static'
	option ifname 'eth0.3'
	option _orig_ifname 'eth0.3'
	option _orig_bridge 'false'
	option ipaddr '82.82.82.82'
	option netmask '255.255.255.0'
	option gateway '82.82.82.1'
	option metric '20'

# 192.168.4.0/24 on its own bridge. The iptables-save below shows this side as
# br-mainc, so the interface/zone was probably named differently when the dump
# was taken — the isolation problem is the same either way.
config interface 'vlan4'
	option type 'bridge'
	option proto 'static'
	option ifname 'eth0.4'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

При таком раскладе пинги из обеих сетей спокойно ходят друг к другу. Даже если добавить правила в custom rules:

# NOTE(review): '-A FORWARD' appends these after the "-A FORWARD -j delegate_forward"
# jump that the firewall installs first (see the *filter table in the dump).
# delegate_forward never returns — every packet is either ACCEPTed by a zone
# chain or ends in the terminal 'reject' chain — so these rules are dead code.
# Use the user hook chain, which delegate_forward jumps to before anything else:
#   iptables -I forwarding_rule -s 192.168.123.0/24 -d 192.168.4.0/24 -j DROP
# (--src/--dst are accepted aliases for -s/-d.) They also only cover one
# direction; the dump shows the reverse 192.168.4.0/24 -> 192.168.123.0/24 rule
# and others, so what is quoted here is a subset of what was loaded.
iptables -A FORWARD --src 192.168.123.0/24 --dst 192.168.4.0/24 -j DROP
iptables -A FORWARD --src 192.168.123.0/24 --dst 10.1.100.0/24 -j DROP
iptables -A FORWARD --src 192.168.123.0/24 --dst 172.23.0.0/16 -j DROP
они не срабатывают.

Вывод iptables-save:

# Generated by iptables-save v1.4.20 on Tue Sep 23 14:02:55 2014
# *nat: MASQUERADE on both uplinks (eth0.2 = wan, eth0.3 = wan2) plus the DNAT
# port forwards the author omitted from the config excerpt.
*nat
:PREROUTING ACCEPT [131912:12191086]
:INPUT ACCEPT [2406:256025]
:OUTPUT ACCEPT [9587:742249]
:POSTROUTING ACCEPT [832:117234]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_mainc_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan2_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_mainc_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan2_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_mainc_postrouting - [0:0]
:zone_mainc_prerouting - [0:0]
:zone_wan2_postrouting - [0:0]
:zone_wan2_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0.2 -j zone_wan_postrouting
-A delegate_postrouting -o br-mainc -j zone_mainc_postrouting
-A delegate_postrouting -o eth0.3 -j zone_wan2_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0.2 -j zone_wan_prerouting
-A delegate_prerouting -i br-mainc -j zone_mainc_prerouting
-A delegate_prerouting -i eth0.3 -j zone_wan2_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
# NOTE(review): zone_lan_prerouting, zone_mainc_postrouting and
# zone_mainc_prerouting are declared above but have no rules here; the paste
# looks truncated at this point (blank line below). Nothing in them would change
# the forwarding question.

-A zone_wan2_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan2_rule
-A zone_wan2_postrouting -j MASQUERADE
-A zone_wan2_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan2_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
# NOTE(review): every DNAT below is reachable from the Internet via eth0.2 (wan
# only; nothing is published on wan2) and is let through in *filter by the
# "Accept port forwards" ctstate DNAT rules — so they keep working after the
# zones are switched to forward REJECT. The published set includes several SSH
# endpoints (22, 223-225, 22325), RDP (13389), VNC (55800, 55900),
# Elasticsearch (9200) and an OpenVPN endpoint (1194). Since a VPN is already
# forwarded, the remote-administration ports are worth moving behind it rather
# than publishing them directly; two of the forwards (3001, 22325) also land in
# the 192.168.4.0/24 (mainc/vlan4) network.
-A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment ssh -j DNAT --to-destination 192.168.123.222:22
-A zone_wan_prerouting -p tcp -m tcp --dport 2003 -m comment --comment graphite -j DNAT --to-destination 192.168.123.222:2003
-A zone_wan_prerouting -p tcp -m tcp --dport 2004 -m comment --comment graphite2 -j DNAT --to-destination 192.168.123.222:2004
-A zone_wan_prerouting -p tcp -m tcp --dport 8082 -m comment --comment graphite-web -j DNAT --to-destination 192.168.123.222:8082
-A zone_wan_prerouting -p tcp -m tcp --dport 8081 -m comment --comment owncloud -j DNAT --to-destination 192.168.123.222:8081
-A zone_wan_prerouting -p tcp -m tcp --dport 8083 -m comment --comment zabbix -j DNAT --to-destination 192.168.123.222:8083
-A zone_wan_prerouting -p tcp -m tcp --dport 8084 -m comment --comment munin -j DNAT --to-destination 192.168.123.222:8084
-A zone_wan_prerouting -p tcp -m tcp --dport 8085 -m comment --comment grafana -j DNAT --to-destination 192.168.123.222:8085
-A zone_wan_prerouting -p tcp -m tcp --dport 9200 -m comment --comment eleasticsearch -j DNAT --to-destination 192.168.123.222:9200
-A zone_wan_prerouting -p tcp -m tcp --dport 9000 -m comment --comment dump -j DNAT --to-destination 192.168.123.222:9000
-A zone_wan_prerouting -p tcp -m tcp --dport 888 -m comment --comment buh-1c -j DNAT --to-destination 192.168.123.16:80
-A zone_wan_prerouting -p tcp -m tcp --dport 13389 -m comment --comment buh-rdp -j DNAT --to-destination 192.168.123.16:3389
-A zone_wan_prerouting -p tcp -m tcp --dport 3001 -m comment --comment mc-redmine -j DNAT --to-destination 192.168.4.3:3001
-A zone_wan_prerouting -p tcp -m tcp --dport 22325 -m comment --comment mainc-ssh -j DNAT --to-destination 192.168.4.3:22
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "srv.codeinside.ru" -j DNAT --to-destination 192.168.123.222:80
-A zone_wan_prerouting -p tcp -m tcp --dport 223 -m comment --comment lxc-ssh -j DNAT --to-destination 192.168.123.223:22
-A zone_wan_prerouting -p tcp -m tcp --dport 224 -m comment --comment kvm-ssh -j DNAT --to-destination 192.168.123.224:22
-A zone_wan_prerouting -p tcp -m tcp --dport 225 -m comment --comment lxc2-ssh -j DNAT --to-destination 192.168.123.225:22
-A zone_wan_prerouting -p tcp -m tcp --dport 5225 -m comment --comment lxc2 -j DNAT --to-destination 192.168.123.225:5225
-A zone_wan_prerouting -p tcp -m tcp --dport 55900 -m comment --comment vnc-buh -j DNAT --to-destination 192.168.123.16:55900
-A zone_wan_prerouting -p tcp -m tcp --dport 55800 -m comment --comment vnc-web -j DNAT --to-destination 192.168.123.16:55800
-A zone_wan_prerouting -p tcp -m tcp --dport 1194 -m comment --comment openvpn -j DNAT --to-destination 192.168.123.222:1194
-A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment openvpn -j DNAT --to-destination 192.168.123.222:1194
COMMIT
# Completed on Tue Sep 23 14:02:55 2014
# Generated by iptables-save v1.4.20 on Tue Sep 23 14:02:55 2014
# *raw: only the (empty) delegate_notrack hook. Irrelevant to the isolation question.
*raw
:PREROUTING ACCEPT [4795466:2426151760]
:OUTPUT ACCEPT [48801:10329428]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Tue Sep 23 14:02:55 2014
# Generated by iptables-save v1.4.20 on Tue Sep 23 14:02:55 2014
# *mangle: an fwmark hook (empty in this dump — whatever does the uplink
# balancing leaves no marks here) and MSS clamping on both uplinks (mtu_fix).
*mangle
:PREROUTING ACCEPT [4795487:2426156512]
:INPUT ACCEPT [49747:5007832]
:FORWARD ACCEPT [4738676:2419244372]
:OUTPUT ACCEPT [48812:10330688]
:POSTROUTING ACCEPT [4785830:2429226313]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A mssfix -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan2 (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Sep 23 14:02:55 2014
# Generated by iptables-save v1.4.20 on Tue Sep 23 14:02:55 2014
# *filter: this is where the isolation fails. Follow FORWARD top-down.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_mainc_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan2_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_mainc_rule - [0:0]
:input_rule - [0:0]
:input_wan2_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_mainc_rule - [0:0]
:output_rule - [0:0]
:output_wan2_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_mainc_dest_ACCEPT - [0:0]
:zone_mainc_forward - [0:0]
:zone_mainc_input - [0:0]
:zone_mainc_output - [0:0]
:zone_mainc_src_ACCEPT - [0:0]
:zone_wan2_dest_ACCEPT - [0:0]
:zone_wan2_forward - [0:0]
:zone_wan2_input - [0:0]
:zone_wan2_output - [0:0]
:zone_wan2_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j delegate_input
# NOTE(review): the five DROP rules after this jump are the /etc/firewall.user
# rules (the post quotes three of them). They are never evaluated: delegate_forward
# ends every packet either in a zone ACCEPT or in the terminal 'reject' chain and
# does not return to FORWARD, so these rules — and the FORWARD DROP policy — are
# dead. The place for them is forwarding_rule, the first jump in delegate_forward.
-A FORWARD -j delegate_forward
-A FORWARD -s 192.168.123.0/24 -d 192.168.4.0/24 -j DROP
-A FORWARD -s 192.168.123.0/24 -d 10.1.100.0/24 -j DROP
-A FORWARD -s 192.168.123.0/24 -d 172.23.0.0/16 -j DROP
-A FORWARD -s 192.168.4.0/24 -d 192.168.123.0/24 -j DROP
-A FORWARD -s 192.168.4.0/24 -d 10.9.0.0/24 -j DROP
-A OUTPUT -j delegate_output
# delegate_forward: user hook first, then established/related, then one zone
# chain per ingress interface, then reject for anything left.
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_forward -i br-mainc -j zone_mainc_forward
-A delegate_forward -i eth0.3 -j zone_wan2_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0.2 -j zone_wan_input
-A delegate_input -i br-mainc -j zone_mainc_input
-A delegate_input -i eth0.3 -j zone_wan2_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.2 -j zone_wan_output
-A delegate_output -o br-mainc -j zone_mainc_output
-A delegate_output -o eth0.3 -j zone_wan2_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_dest_DROP -o br-lan -j DROP
# NOTE(review): the last rule of zone_lan_forward jumps to zone_lan_src_ACCEPT,
# which is "-i br-lan -j ACCEPT" with no output-interface restriction — that is
# the lan zone's 'option forward ACCEPT'. It accepts lan -> br-mainc traffic
# unconditionally. With forward REJECT on the zone this tail becomes a reject
# and only the explicit lan -> wan / wan2 forwards above it remain.
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "forwarding lan -> wan2" -j zone_wan2_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_src_ACCEPT
# lan input: the two Allow-*-router rules are redundant here because the chain
# falls through to zone_lan_src_ACCEPT (zone input ACCEPT) anyway.
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -p tcp -m tcp --dport 80 -m comment --comment Allow-WEB-router -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment Allow-SSH-router -j ACCEPT
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_mainc_dest_ACCEPT -o br-mainc -j ACCEPT
# NOTE(review): Deny-private was loaded for tcp and udp only (no 'proto' in the
# config). ICMP echo from br-mainc to br-lan matches neither rule and is accepted
# by zone_mainc_src_ACCEPT at the end of this chain — which is exactly why ping
# between the networks works. `option proto 'all'` on the rule, or forward REJECT
# on the zone, closes that.
-A zone_mainc_forward -m comment --comment "user chain for forwarding" -j forwarding_mainc_rule
-A zone_mainc_forward -p tcp -m comment --comment Deny-private -j zone_lan_dest_DROP
-A zone_mainc_forward -p udp -m comment --comment Deny-private -j zone_lan_dest_DROP
-A zone_mainc_forward -m comment --comment "forwarding mainc -> wan" -j zone_wan_dest_ACCEPT
-A zone_mainc_forward -m comment --comment "forwarding mainc -> wan2" -j zone_wan2_dest_ACCEPT
-A zone_mainc_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_mainc_forward -j zone_mainc_src_ACCEPT
# mainc input: no service restriction at all — every router service is reachable
# from this network (zone input ACCEPT).
-A zone_mainc_input -m comment --comment "user chain for input" -j input_mainc_rule
-A zone_mainc_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_mainc_input -j zone_mainc_src_ACCEPT
-A zone_mainc_output -m comment --comment "user chain for output" -j output_mainc_rule
-A zone_mainc_output -j zone_mainc_dest_ACCEPT
-A zone_mainc_src_ACCEPT -i br-mainc -j ACCEPT
-A zone_wan2_dest_ACCEPT -o eth0.3 -j ACCEPT
-A zone_wan2_forward -m comment --comment "user chain for forwarding" -j forwarding_wan2_rule
-A zone_wan2_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan2_forward -j zone_wan2_src_REJECT
-A zone_wan2_input -m comment --comment "user chain for input" -j input_wan2_rule
-A zone_wan2_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan2_input -j zone_wan2_src_REJECT
-A zone_wan2_output -m comment --comment "user chain for output" -j output_wan2_rule
-A zone_wan2_output -j zone_wan2_dest_ACCEPT
-A zone_wan2_src_REJECT -i eth0.3 -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_src_REJECT
# wan input: DHCP renew, ping and DNAT'd redirections only; everything else is rejected.
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -j reject
COMMIT

Подскажите в какую сторону копать?


Сперва руками разграничь их с помощью iptables. Потом смотри, как это сделать с помощью конфигов firewall.

cvs-255 ★★★★★
Ответ на: комментарий от cvs-255

Пока вроде решилось удалением пакетов, связанных с ipv6. Возможно, какие-то правила пересекались. После этого и перезагрузки роутера заработали нормальные запреты во вкладке luci — traffic rules. Попробую ещё сегодня завести некоторые правила.

schmel
() автор топика