I have an Openwrt 10.03.1 installed from: openwrt-ar71xx-wrt160nl-squashfs-factory.bin (firewall only customized with this: sed 's/REJECT/DROP/g' /etc/config/firewall) – so besides this, IT'S A DEFAULT OPENWRT INSTALL
I have 3 SSID's on it for 3 clients. It's a WRT160NL.
It connects to the internet via pppoe, so pppoe-wan is the WAN interface (in reality the "eth1" is the WAN interface, the cable is plugged into that port).
So I printed out the next things to paper:
iptables-save
root@OPENWRT:~# iptables-save
# Generated by iptables-save v1.4.6 on Wed Nov 21 16:59:23 2012
*nat
:PREROUTING ACCEPT [282:28098]
:POSTROUTING ACCEPT [12:748]
:OUTPUT ACCEPT [170:12487]
:nat_reflection_in - [0:0]
:nat_reflection_out - [0:0]
:postrouting_rule - [0:0]
:prerouting_lan - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
:zone_lan_nat - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_nat - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j prerouting_rule
-A PREROUTING -i br-lan -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -j zone_wan_prerouting
-A POSTROUTING -j postrouting_rule
-A POSTROUTING -o br-lan -j zone_lan_nat
-A POSTROUTING -o pppoe-wan -j zone_wan_nat
-A postrouting_rule -j nat_reflection_out
-A prerouting_rule -j nat_reflection_in
-A zone_lan_prerouting -j prerouting_lan
-A zone_wan_nat -j MASQUERADE
-A zone_wan_prerouting -j prerouting_wan
COMMIT
# Completed on Wed Nov 21 16:59:23 2012
# Generated by iptables-save v1.4.6 on Wed Nov 21 16:59:23 2012
*raw
:PREROUTING ACCEPT [88762:5585776]
:OUTPUT ACCEPT [32677:185865297]
:zone_lan_notrack - [0:0]
:zone_wan_notrack - [0:0]
-A PREROUTING -i br-lan -j zone_lan_notrack
-A PREROUTING -i pppoe-wan -j zone_wan_notrack
COMMIT
# Completed on Wed Nov 21 16:59:23 2012
# Generated by iptables-save v1.4.6 on Wed Nov 21 16:59:23 2012
*mangle
:PREROUTING ACCEPT [88762:5585776]
:INPUT ACCEPT [86059:4425898]
:FORWARD ACCEPT [2664:1156339]
:OUTPUT ACCEPT [32677:185865297]
:POSTROUTING ACCEPT [35338:187021465]
:zone_wan_MSSFIX - [0:0]
-A FORWARD -j zone_wan_MSSFIX
-A zone_wan_MSSFIX -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Nov 21 16:59:23 2012
# Generated by iptables-save v1.4.6 on Wed Nov 21 16:59:23 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward - [0:0]
:forwarding_lan - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input - [0:0]
:input_lan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:nat_reflection_fwd - [0:0]
:output - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan - [0:0]
:zone_lan_ACCEPT - [0:0]
:zone_lan_DROP - [0:0]
:zone_lan_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_wan - [0:0]
:zone_wan_ACCEPT - [0:0]
:zone_wan_DROP - [0:0]
:zone_wan_REJECT - [0:0]
:zone_wan_forward - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -j input_rule
-A INPUT -j input
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -j forward
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j output_rule
-A OUTPUT -j output
-A forward -i br-lan -j zone_lan_forward
-A forward -i pppoe-wan -j zone_wan_forward
-A forwarding_rule -j nat_reflection_fwd
-A input -i br-lan -j zone_lan
-A input -i pppoe-wan -j zone_wan
-A output -j zone_lan_ACCEPT
-A output -j zone_wan_ACCEPT
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan -j input_lan
-A zone_lan -j zone_lan_ACCEPT
-A zone_lan_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_ACCEPT -i br-lan -j ACCEPT
**-A zone_lan_DROP -o br-lan -j DROP**
**-A zone_lan_DROP -i br-lan -j DROP**
**-A zone_lan_REJECT -o br-lan -j reject**
**-A zone_lan_REJECT -i br-lan -j reject**
-A zone_lan_forward -j zone_wan_ACCEPT
-A zone_lan_forward -j forwarding_lan
-A zone_lan_forward -j zone_lan_DROP
-A zone_wan -p udp -m udp --dport 68 -j ACCEPT
-A zone_wan -p icmp -m icmp --icmp-type 8 -j DROP
-A zone_wan -j input_wan
-A zone_wan -j zone_wan_DROP
-A zone_wan_ACCEPT -o pppoe-wan -j ACCEPT
-A zone_wan_ACCEPT -i pppoe-wan -j ACCEPT
-A zone_wan_DROP -o pppoe-wan -j DROP
-A zone_wan_DROP -i pppoe-wan -j DROP
-A zone_wan_REJECT -o pppoe-wan -j reject
-A zone_wan_REJECT -i pppoe-wan -j reject
-A zone_wan_forward -j forwarding_wan
-A zone_wan_forward -j zone_wan_DROP
COMMIT
# Completed on Wed Nov 21 16:59:23 2012
root@OPENWRT:~#
ifconfig
root@OPENWRT:~# ifconfig
br-lan Link encap:Ethernet HWaddr AA:AA:AA:AA:AA:AA
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:87174 errors:0 dropped:0 overruns:0 frame:0
TX packets:137186 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4532245 (4.3 MiB) TX bytes:192952659 (184.0 MiB)
eth0 Link encap:Ethernet HWaddr AA:AA:AA:AA:AA:AA
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:2578 (2.5 KiB)
Interrupt:4
eth1 Link encap:Ethernet HWaddr BB:BB:BB:BB:BB:BB
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3661 errors:0 dropped:0 overruns:0 frame:0
TX packets:3447 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1221049 (1.1 MiB) TX bytes:224533 (219.2 KiB)
Interrupt:5
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:24 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2088 (2.0 KiB) TX bytes:2088 (2.0 KiB)
mon.wlan0 Link encap:UNSPEC HWaddr CC-CC-CC-CC-CC-C1-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:263 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:20929 (20.4 KiB) TX bytes:0 (0.0 B)
pppoe-wan Link encap:Point-to-Point Protocol
inet addr:1.2.3.4 P-t-P:10.0.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:1646 errors:0 dropped:0 overruns:0 frame:0
TX packets:1448 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:1063783 (1.0 MiB) TX bytes:132628 (129.5 KiB)
wlan0 Link encap:Ethernet HWaddr CC:CC:CC:CC:CC:C1
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:2850 (2.7 KiB)
wlan0-1 Link encap:Ethernet HWaddr CC:CC:CC:CC:CC:C2
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:2850 (2.7 KiB)
wlan0-2 Link encap:Ethernet HWaddr CC:CC:CC:CC:CC:C3
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:2850 (2.7 KiB)
brctl show
root@OPENWRT:~# brctl show
bridge name bridge id STP enabled interfaces
br-lan 8000.129ce121c98e no eth0
wlan0
wlan0-1
wlan0-2
root@OPENWRT:~#
…and take a closer look at it several times. I found a few things that I don't understand:
1)
These rules afaik completely USELESS, I'm sure about this, so there is no real question regarding this, at least a "fixme".
-A zone_lan_DROP -o br-lan -j DROP
-A zone_lan_DROP -i br-lan -j DROP
-A zone_lan_REJECT -o br-lan -j reject
-A zone_lan_REJECT -i br-lan -j reject
2)
The real question is… why are there soo many tables?
nat_reflection_in, nat_reflection_out, postrouting_rule, prerouting_lan, prerouting_rule, prerouting_wan, zone_lan_nat, zone_lan_prerouting, zone_wan_nat, zone_wan_prerouting, zone_lan, zone_lan_forward, zone_wan, zone_wan_forward, etc..
Couldn't the rules done without tables? OpenWrt routers are usually have small CPU, why use complex rules? Why not more simple? Without tables?
3)
…If no one can bring up with a good answer that why are these tables needed…… then afaik I will flush all the rules, etc., and do it by hand.. in a more simpler way..
Best Answer
No, these rules are useful. I'll tell you why if you tell me why you think they're useless.
Ok, I'm kidding, I'll tell you whether you want it or not. The purpose of these rules are to keep the design simple. Simplicity is not measured by the number of rules. There is method to these rules. Each table has a simple-to-understand purpose that is apparent in its name. It happens that in the default configuration some of the tables have a single rule. It would require substantially more complex code in OpenWRT to optimize away single-rule tables. It would also make it more difficult for a system administrator to tweak the rules without going through this hypothetical compiler.
The tables correspond to features of the firewall setup of OpenWRT. You could have fewer rules, but then you'd lose features that are useful to some users.
You could undoubtedly make your own configuration with fewer tables (unless your firewall is extremely simple, you'll probably end up creating a few). OpenWRT is more flexible because it accommodates many users.
The number of rules is unrelated to the CPU speed or RAM size. The effect of the number of tables is pretty much uncorrelated with the time it takes to go through them — on the contrary, having more tables and fewer rules per table means that the path each packet goes through will be shorter (having a wider tree helps make it less deep). The impact on memory is negligible: a few hundred bytes per table vs a few megabytes of RAM.