Using a Bridge Firewall on OpenWrt

The NAS has no firewall of its own, so I had been putting a router in front of it, bridged with proxy ARP, and using that router as the firewall. It worked well enough, but the setup is complicated, so I tried simplifying it with a bridge firewall.

The official OpenWrt firewall cannot be used for this, so stop and disable it; shorewall-lite is used instead.

/etc/init.d/firewall stop
/etc/init.d/firewall disable
opkg update
opkg install shorewall-lite shorewall6-lite
opkg install kmod-br-netfilter iptables-mod-physdev kmod-ipt-physdev \
iptables-mod-conntrack-extra kmod-nf-conntrack-netlink \
kmod-nf-nathelper kmod-nf-nathelper-extra iptables-mod-extra \
iptables-mod-hashlimit kmod-ipt-raw6 kmod-ipt-raw

# sysctl settings: hand bridged ARP/IPv4/IPv6 frames to the netfilter tables
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1

I had an Orange Pi Zero running OpenWrt, so I installed shorewall and shorewall6 on it, compiled the firewall scripts there, and copied them to the router:

# shorewall compile ./shorewall ./firewall
# scp firewall USER@IP_ADDRESS:/etc/firewall-lite/state/
# shorewall compile ./shorewall6 ./firewall
# scp firewall USER@IP_ADDRESS:/etc/firewall6-lite/state/

Example Shorewall bridge firewall configuration

#
# Shorewall -- /etc/shorewall/interfaces
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
?FORMAT 2
###############################################################################
#ZONE		INTERFACE		OPTIONS

world		br-lan			bridge
net		br-lan:eth0.1
net		br-lan:x+		physical=wlan+
loc		br-lan:eth0.2

#
# Shorewall -- /etc/shorewall/zones
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE		TYPE		OPTIONS		IN_OPTIONS	OUT_OPTIONS

fw		firewall
world		ipv4
net:world	bport4
loc:world	bport4

#
# Shorewall -- /etc/shorewall/policy
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE		DEST		POLICY	LOGLEVEL	RATE	CONNLIMIT

$FW		all		ACCEPT
loc		all		DROP   info
net		all		DROP   info

# The FOLLOWING POLICY MUST BE LAST
all		all		REJECT	info

#
# Shorewall -- /etc/shorewall/rules
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##############################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# Drop packets in the INVALID state

Invalid(DROP)	net	$FW	tcp

# Permit ICMP between the firewall, net and loc zones
ACCEPT		net	$FW	icmp
ACCEPT		loc	$FW	icmp
ACCEPT		net	loc	icmp
ACCEPT		loc	net	icmp

# dhcp
ACCEPT		loc	$FW	udp	68
ACCEPT		net	$FW	udp	68

# DNS
ACCEPT		loc	$FW	udp	53
ACCEPT		net	$FW	udp	53
ACCEPT		loc	net	udp	53
ACCEPT		net	loc	udp	53

# mdns(avahi)
ACCEPT		net	$FW	udp	5353
ACCEPT		loc	$FW	udp	5353
ACCEPT		net	loc	udp	5353
ACCEPT		loc	net	udp	5353

# ntp
ACCEPT		loc	$FW	udp	123
ACCEPT		net	$FW	udp	123
ACCEPT		net	loc	udp	123
ACCEPT		loc	net	udp	123

# SSH (between all zones)
ACCEPT		loc	$FW	tcp	22
ACCEPT		net	$FW     tcp     22
ACCEPT		loc	net     tcp     22
ACCEPT		net	loc     tcp     22

# sip
#ACCEPT		net	$FW		udp	5060

# rtp
#ACCEPT		net	$FW		udp	7070-7080

# rsync
ACCEPT		net	loc		tcp	873
ACCEPT		loc	net		tcp	873

# cvs
#ACCEPT		net	$FW		tcp	2401
#ACCEPT		net	$FW		udp	2401

# HTTPS, HTTP
ACCEPT		loc	$FW		tcp	80,443
ACCEPT		net	$FW		tcp	80,443
ACCEPT		loc	net		tcp	80,443
ACCEPT		net	loc		tcp	80,443

# radius
ACCEPT          loc     $FW     udp     1812-1813
ACCEPT          net     $FW     udp     1812-1813

# smbd-139
ACCEPT		net	loc	tcp	139
ACCEPT		loc	net	tcp	139

# smbd-445
ACCEPT		net	loc	tcp	445
ACCEPT		loc	net	tcp	445

# iscsi
ACCEPT		net	loc	tcp	3260
ACCEPT		loc	net	tcp	3260

# snmp
ACCEPT		loc	$FW	udp	161-162
ACCEPT		net	$FW	udp	161-162
ACCEPT		loc	net	udp	161-162
ACCEPT		net	loc	udp	161-162

# IPsec
#ACCEPT		net	$FW	esp
#ACCEPT		net	$FW	udp	500,4500

# OpenVpn
#ACCEPT		net	$FW	udp	1194

# tinc
ACCEPT		net	$FW	udp,tcp		655
ACCEPT		net	loc	udp,tcp		655
ACCEPT		loc	net	udp,tcp		655

# wireguard
ACCEPT		loc	net	udp	51820

Test

$ nmap -A -T4 ROUTER_IP_ADDRESS
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-21 09:25 UTC
Nmap scan report for 192.168.1.20
Host is up (0.0018s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          Dropbear sshd (protocol 2.0)
80/tcp   open   http?
139/tcp  closed netbios-ssn
443/tcp  open   ssl
445/tcp  closed microsoft-ds
587/tcp  closed submission
873/tcp  closed rsync
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
$ nmap -A -T4 NAS_IP_ADDRESS
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-21 18:40 JST
Nmap scan report for 192.168.1.254
Host is up (0.021s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT     STATE  SERVICE       VERSION
22/tcp   open   ssh           OpenSSH 6.7p1-hpn14v5 Debian 5+deb8u7.netgear1 (protocol 2.0)
...
80/tcp   open   http          Apache httpd
...
139/tcp  open   netbios-ssn?
443/tcp  open   ssl/http      Apache httpd
...
445/tcp  open   microsoft-ds  Samba smbd 4.8.0
587/tcp  closed submission
873/tcp  open   rsync         (protocol version 31)
3260/tcp closed iscsi
5001/tcp closed commplex-link
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...
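As an added check that is not part of the original post, the following POSIX shell script cross-references the rules file above with the nmap report from this test section. The rules excerpt and the scan lines are copied from this page into the script as constructed inline data (in practice they would be read from /etc/shorewall/rules and a saved nmap report). A port nmap reports as closed answered the scanner with a RST, so it reached the target through the bridge just as an open port did; with a DROP policy for the scanned zone pair, every answering port should be covered by an ACCEPT rule, and the script lists the ones that are not so they can be investigated. The function and variable names are my own, and the zone pair is a parameter so the same check works for any pair in the rules file.

```shell
#!/bin/sh
# Cross-check a Shorewall rules file against an nmap report.
# Every TCP port nmap saw as "open" or "closed" answered the scanner, so it
# reached the target through the bridge. With a DROP policy for the zone pair,
# each such port should be covered by an ACCEPT rule; the rest are reported.

# Rules excerpt: the net -> loc lines copied from the /etc/shorewall/rules above.
RULES='
?SECTION NEW
ACCEPT      net     loc     icmp
ACCEPT      net     loc     udp     53
ACCEPT      net     loc     udp     5353
ACCEPT      net     loc     tcp     22
ACCEPT      net     loc     tcp     873
ACCEPT      net     loc     tcp     80,443
ACCEPT      net     loc     tcp     139
ACCEPT      net     loc     tcp     445
ACCEPT      net     loc     tcp     3260
ACCEPT      net     loc     udp     161-162
ACCEPT      net     loc     udp,tcp 655
'

# Constructed nmap report: the NAS scan lines shown in the test section.
NMAP_REPORT='
PORT     STATE  SERVICE       VERSION
22/tcp   open   ssh           OpenSSH 6.7p1-hpn14v5
80/tcp   open   http          Apache httpd
139/tcp  open   netbios-ssn?
443/tcp  open   ssl/http      Apache httpd
445/tcp  open   microsoft-ds  Samba smbd 4.8.0
587/tcp  closed submission
873/tcp  open   rsync         (protocol version 31)
3260/tcp closed iscsi
5001/tcp closed commplex-link
'

# Print the TCP destination ports ACCEPTed from zone $1 to zone $2, one per
# line, with comma lists and low-high ranges expanded.
allowed_tcp_ports() {
    printf '%s\n' "$RULES" | awk -v src="$1" -v dst="$2" '
        $1 == "ACCEPT" && $2 == src && $3 == dst {
            n = split($4, protos, ",")
            tcp = 0
            for (i = 1; i <= n; i++) if (protos[i] == "tcp") tcp = 1
            if (!tcp || $5 == "" || $5 == "-") next
            m = split($5, ports, ",")
            for (i = 1; i <= m; i++) {
                if (split(ports[i], r, "-") == 2)
                    for (p = r[1] + 0; p <= r[2] + 0; p++) print p
                else
                    print ports[i] + 0
            }
        }' | sort -n | uniq
}

# Print "PORT STATE" for each TCP port that answered the scanner
# (filtered ports gave no response and are not listed by nmap here).
reached_tcp_ports() {
    printf '%s\n' "$NMAP_REPORT" | awk '
        $1 ~ /^[0-9]+\/tcp$/ && ($2 == "open" || $2 == "closed") {
            split($1, a, "/"); print a[1], $2
        }'
}

# List answering ports that no ACCEPT $1 -> $2 rule permits.
unexpected_reached() {
    allowed=$(allowed_tcp_ports "$1" "$2")
    reached_tcp_ports | while read -r port state; do
        if ! printf '%s\n' "$allowed" | grep -qx "$port"; then
            echo "$port/tcp $state: answered, but no ACCEPT $1 -> $2 rule"
        fi
    done
}

# Run the check for the zone pair the scanner sat in.
unexpected_reached net loc
```

With the data above the script reports 587/tcp and 5001/tcp: both came back closed, yet nothing in the net -> loc rules accepts them. That either means the scanner was not in the net zone (for example on the same bridge segment as the NAS), or the bridge is not filtering that pair; in both cases it is worth confirming before trusting the scan as proof of the policy.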

TODO

Does not work properly with a DSA switch.

References

  • https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge
  • https://shorewall.org/bridge-Shorewall-perl.html