# OpenWRT firewall

Configuration:

- configure default settings
- create/delete/configure firewall zones
- create/delete/configure firewall zone forwardings
- create/delete/configure firewall traffic rules
- create/delete/configure firewall port forwardings
- create/delete/configure firewall IP sets
- create/delete/configure firewall NAT rules
Variable | Description | Status | Type | Default/Example |
---|---|---|---|---|
firewall_defaults | Minimal firewall configuration | | dictionary | |
input | Set policy for the INPUT chain of the filter table (`ACCEPT`, `REJECT`, `DROP`) | optional | string | REJECT |
forward | Set policy for the FORWARD chain of the filter table (`ACCEPT`, `REJECT`, `DROP`) | optional | string | REJECT |
output | Set policy for the OUTPUT chain of the filter table (`ACCEPT`, `REJECT`, `DROP`) | optional | string | REJECT |
drop_invalid | Drop invalid packets | optional | boolean | 0 |
synflood_protect | Enable SYN flood protection | optional | boolean | 0 |
synflood_rate | Rate limit (packets/second) for SYN packets above which the traffic is considered a flood | optional | string | 25/s |
synflood_burst | Burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate | optional | string | 50 |
flow_offloading | Enable software flow offloading for connections | optional | boolean | 0 |
flow_offloading_hw | Enable hardware flow offloading for connections | optional | boolean | 0 |
firewall_zones | List of firewall zones | | list of dictionaries | |
id | Unique zone ID | mandatory | string | guest |
name | Unique zone name | mandatory | string | guest |
state | Zone status (`present` or `absent`) | required | string | present |
network | List of interfaces attached to this zone (if omitted and neither `extra*` options, subnets nor devices are given, the value of `name` is used by default) | required | list | ["lan"] |
masq | Masquerade outgoing zone IPv4 traffic | optional | boolean | 0 |
mtu_fix | Enable MSS clamping for outgoing zone traffic | optional | boolean | 0 |
input | Default policy for incoming zone traffic (`ACCEPT`, `REJECT`, `DROP`) | optional | string | DROP |
forward | Default policy for forwarded zone traffic (`ACCEPT`, `REJECT`, `DROP`) | optional | string | DROP |
output | Default policy for outgoing zone traffic (`ACCEPT`, `REJECT`, `DROP`) | optional | string | DROP |
family | Protocol family used by iptables rule (`ipv4`, `ipv6` or `any`) | optional | string | any |
enabled | Enable zone | optional | boolean | 1 |
firewall_forwardings | List of zone forwardings | | list of dictionaries | |
name | Unique forwarding name | mandatory | string | guest |
state | Forwarding status (`present` or `absent`) | required | string | present |
src | Traffic source zone (one of the defined zone names) | mandatory | string | lan |
dest | Traffic destination zone (one of the defined zone names) | mandatory | string | wan |
family | Protocol family used by iptables rule (`ipv4`, `ipv6` or `any`) | optional | string | any |
ipset | Match traffic against the given ipset | optional | string | ipset_example |
enabled | Enable forwarding | optional | boolean | 1 |
firewall_rules | List of traffic rules | | list of dictionaries | |
id | Unique rule ID | mandatory | string | rule_example |
name | Unique rule name | mandatory | string | Example rule |
state | Rule status (`present` or `absent`) | required | string | present |
src | Traffic source zone (one of the defined zone names or `*` for any zone) | required | string | wan |
src_ip | Match incoming traffic from the specified source IP address | optional | string | 192.168.1.1 |
src_port | Match incoming traffic from the specified source port or port range, if a relevant `proto` is specified | optional | list | ["22", "80", "3000-3010"] |
src_mac | Match incoming traffic from the specified MAC address | optional | string | 00:11:22:33:44:55 |
dest | Traffic destination zone (one of the defined zone names or `*` for any zone) | required | string | lan |
dest_ip | Match incoming traffic directed to the specified destination IP address | optional | string | 192.168.1.10 |
dest_port | Match incoming traffic directed at the given destination port or port range, if a relevant `proto` is specified | optional | list | ["22", "80", "3000-3010"] |
target | Firewall action (`ACCEPT`, `REJECT`, `DROP`, `MARK`, `NOTRACK`) for matched traffic | mandatory | string | DROP |
proto | Match incoming traffic using the given protocol (`tcp`, `udp`, `udplite`, `icmp`, `esp`, `ah`, `sctp` or `all`) | optional | list | ["tcp", "udp"] |
family | Protocol family used by iptables rule (`ipv4`, `ipv6` or `any`) | optional | string | any |
ipset | Match traffic against the given ipset | optional | string | ipset_example |
mark | Match traffic against the given firewall mark | optional | string | prohibit |
set_mark | Zeroes out the bits given by mask and ORs value into the packet mark | optional | string | 0xFFFFFFFF |
enabled | Enable rule | optional | boolean | 0 |
firewall_redirects | List of port forwardings | | list of dictionaries | |
id | Unique redirect ID | mandatory | string | redirect_example |
name | Redirect description | mandatory | string | Example redirection |
state | Redirect status (`present` or `absent`) | required | string | present |
src | Traffic source zone (one of the defined zone names) | required | string | wan |
src_ip | Match incoming traffic from the specified source IP address | optional | string | 172.16.0.10 |
src_port | Match incoming traffic originating from the given source port or port range on the client host | optional | string | 22 |
src_mac | Match incoming traffic from the specified MAC address | optional | string | 00:11:22:33:44:55 |
src_dip | Match incoming traffic directed at the given destination IP address (for DNAT), or rewrite the source address to the given address (for SNAT) | optional | string | 172.16.0.10 |
src_dport | Match incoming traffic directed at the given destination port or port range (for DNAT), or rewrite the source ports to the given value (for SNAT) | optional | string | 22 |
dest | Traffic destination zone (one of the defined zone names) | required | string | lan |
dest_ip | Redirect matched incoming traffic to the specified internal host (for DNAT), or match traffic directed at the given address (for SNAT) | optional | string | 192.168.1.1 |
dest_port | Redirect matched incoming traffic to the given port or port range (for DNAT), or match traffic directed at the given port or port range (for SNAT) | optional | string | 22 |
target | NAT target for the rule (`DNAT` or `SNAT`) | optional | string | DNAT |
proto | Match incoming traffic using the given protocol (`tcp`, `udp`, `udplite`, `icmp`, `esp`, `ah`, `sctp` or `all`) | optional | list | ["tcp", "udp"] |
family | Protocol family used by iptables rule (`ipv4`, `ipv6` or `any`) | optional | string | any |
ipset | Match traffic against the given ipset | optional | string | ipset_example |
mark | Match traffic against the given firewall mark | optional | string | 0xFFFFFFFF |
enabled | Enable redirect | optional | boolean | 1 |
firewall_ipsets | List of IP sets | | list of dictionaries | |
id | Unique ipset ID | mandatory | string | ipset_example |
name | Unique ipset name | mandatory | string | Example IPset |
state | IP set status (`present` or `absent`) | required | string | present |
comment | Comment for the ipset | optional | string | Example IP set |
match | List of matched data types (`ip`, `port`, `mac`, `net` or `set`) and their direction (`src` or `dest`) joined by an underscore | mandatory | list | ["src_ip", "port"] |
entry | The IP address, CIDR, or MAC | optional | list | ["00:11:22:33:44:55", "172.16.0.0/24"] |
family | Protocol family used by ipset (`ipv4`, `ipv6` or `any`) | optional | string | ipv4 |
maxelem | Maximum number of items that can be added to the ipset | optional | integer | 65536 |
loadfile | Path to a file containing a list of CIDRs, subnets and host IPs | optional | string | /tmp/ipset.list |
enabled | Enable ipset | optional | boolean | 1 |
firewall_nats | List of NAT rules | | list of dictionaries | |
id | Unique nat ID | mandatory | string | nat_example |
name | Unique rule name | mandatory | string | Example NAT |
state | NAT rule status (`present` or `absent`) | required | string | present |
src | Traffic source zone (one of the defined zone names) | required | string | wan |
src_ip | Match forwarded traffic from the specified source IP address or range | optional | string | 172.16.0.10 |
src_port | Match forwarded traffic originating from the given source port or port range | optional | string | 22 |
dest_ip | Match forwarded traffic directed at the given IP address | optional | string | 192.168.1.1 |
dest_port | Match forwarded traffic directed at the given destination port or port range | optional | string | 22 |
snat_ip | Rewrite matched traffic to the specified source IP address (for `SNAT`) | optional | string | 172.16.0.10 |
snat_port | Rewrite matched traffic to the specified source port or port range | optional | string | 22 |
target | NAT target for the rule (`ACCEPT`, `MASQUERADE` or `SNAT`) | mandatory | string | ACCEPT |
proto | Match incoming traffic using the given protocol (`tcp`, `udp`, `udplite`, `icmp`, `esp`, `ah`, `sctp` or `all`) | optional | list | ["tcp", "udp"] |
family | Protocol family used by the NAT rule (`ipv4`, `ipv6` or `any`) | optional | string | ipv4 |
mark | Match traffic against the given firewall mark | optional | string | 0xFFFFFFFF |
enabled | Enable NAT rule | optional | boolean | 0 |
Name | Description |
---|---|
Ansible Role: openwrt | Ansible role by gekmihesg for managing OpenWRT and derivatives |
```yaml
- hosts: openwrt
  roles:
    - role: flyoverhead.openwrt.firewall
      firewall_defaults:
        input: "ACCEPT"
        forward: "REJECT"
        output: "ACCEPT"
        drop_invalid: "1"
        synflood_protect: "1"
      firewall_zones:
        - id: "iot"
          name: "iot"
          state: "present"
          network: ["iot"]
          input: "DROP"
          forward: "DROP"
          output: "ACCEPT"
          family: "ipv4"
      firewall_forwardings:
        - id: "lan_iot"
          state: "present"
          src: "lan"
          dest: "iot"
          family: "ipv4"
        - id: "iot_wan"
          state: "present"
          src: "iot"
          dest: "wan"
          family: "ipv4"
      firewall_rules:
        - id: "allow_iot_dhcp_dns"
          name: "Allow DHCP and DNS for IoT"
          state: "present"
          src: "iot"
          src_port: ["53", "67", "68"]
          dest: "lan"
          dest_port: ["53", "67", "68"]
          target: "ACCEPT"
          family: "ipv4"
      firewall_redirects:
        - id: "force_dns_lan"
          name: "Force lan DNS"
          state: "present"
          src: "lan"
          src_dport: "53"
          target: "DNAT"
          family: "ipv4"
        - id: "force_dns_iot"
          name: "Force iot DNS"
          state: "present"
          src: "iot"
          src_dport: "53"
          target: "DNAT"
          family: "ipv4"
```
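A firewall variable set that references an undefined zone, misspells a policy, or removes a zone that a forwarding still points at is only noticed once `fw3`/`fw4` rejects it on the router. The following pre-flight lint is an added example written for this page, not code from the role or from the gekmihesg dependency. It checks a variable set against the constraints in the variable table above: mandatory keys, the allowed `input`/`forward`/`output` policies, `state`, `family` and per-list `target` values, and that every `src`/`dest` names a zone that will exist after the play. Assumptions: the `existing_zones` parameter stands in for zones already present on the device (the OpenWRT defaults `lan` and `wan`), the table's "mandatory" and "required" are treated as the same requirement, and the two variable sets at the bottom are constructed samples rather than the playbook above.

```python
"""Pre-flight lint for flyoverhead.openwrt.firewall variables.

Added example, not code from the role: it checks a variable set against the
constraints in the role's variable table (mandatory keys, allowed values,
zone references) before a playbook applies it to a router. Assumptions:
`existing_zones` stands in for zones already on the device, and the table's
"mandatory" and "required" are treated as the same requirement.
"""
from typing import Dict, Iterable, List

POLICIES = {"ACCEPT", "REJECT", "DROP"}
FAMILIES = {"ipv4", "ipv6", "any"}
STATES = {"present", "absent"}
TARGETS = {  # allowed `target` values per list variable, from the table
    "firewall_rules": {"ACCEPT", "REJECT", "DROP", "MARK", "NOTRACK"},
    "firewall_redirects": {"DNAT", "SNAT"},
    "firewall_nats": {"ACCEPT", "MASQUERADE", "SNAT"},
}
REQUIRED = {  # keys the table marks mandatory/required per list entry
    "firewall_zones": ("id", "name", "state", "network"),
    "firewall_forwardings": ("name", "state", "src", "dest"),
    "firewall_rules": ("id", "name", "state", "src", "dest", "target"),
    "firewall_redirects": ("id", "name", "state", "src", "dest"),
    "firewall_ipsets": ("id", "name", "state", "match"),
    "firewall_nats": ("id", "name", "state", "src", "target"),
}
ZONE_REFS = {  # keys that must name a zone; only traffic rules may use "*"
    "firewall_forwardings": ("src", "dest"),
    "firewall_rules": ("src", "dest"),
    "firewall_redirects": ("src", "dest"),
    "firewall_nats": ("src",),
}
PORT_KEYS = ("src_port", "dest_port")


def lint_firewall_vars(vars_: Dict, existing_zones: Iterable[str] = ("lan", "wan")) -> List[str]:
    """Return human-readable findings; an empty list means the variables are consistent."""
    findings: List[str] = []
    defaults = vars_.get("firewall_defaults", {})
    for chain in ("input", "forward", "output"):
        value = defaults.get(chain)
        if value is not None and value not in POLICIES:
            findings.append(f"firewall_defaults.{chain}: {value!r} is not a valid policy")
    # Zones that may be referenced: those already on the device plus the ones this
    # variable set keeps present. A zone with state absent is being removed, so a
    # forwarding, rule or redirect that still points at it is reported.
    zones = set(existing_zones)
    for zone in vars_.get("firewall_zones", []):
        if zone.get("state") == "present" and "name" in zone:
            zones.add(zone["name"])
    for section, required in REQUIRED.items():
        for idx, entry in enumerate(vars_.get(section, [])):
            where = f"{section}[{entry.get('id') or entry.get('name') or idx}]"
            for key in required:
                if key not in entry:
                    findings.append(f"{where}: missing mandatory key {key!r}")
            if "state" in entry and entry["state"] not in STATES:
                findings.append(f"{where}: state {entry['state']!r} must be present or absent")
            if "family" in entry and entry["family"] not in FAMILIES:
                findings.append(f"{where}: family {entry['family']!r} must be ipv4, ipv6 or any")
            if section == "firewall_zones":
                for chain in ("input", "forward", "output"):
                    if chain in entry and entry[chain] not in POLICIES:
                        findings.append(f"{where}: {chain} {entry[chain]!r} is not a valid policy")
            if section in TARGETS and "target" in entry and entry["target"] not in TARGETS[section]:
                findings.append(f"{where}: target {entry['target']!r} not in {sorted(TARGETS[section])}")
            for key in ZONE_REFS.get(section, ()):
                ref = entry.get(key)
                if ref is None or (ref == "*" and section == "firewall_rules"):
                    continue
                if ref not in zones:
                    findings.append(f"{where}: {key} zone {ref!r} is not defined or is being removed")
            # The table says port matches on rules only apply when a relevant proto is set.
            if section == "firewall_rules" and any(k in entry for k in PORT_KEYS) and "proto" not in entry:
                findings.append(f"{where}: port match given without proto, which the table requires")
    return findings


# Constructed samples (not the playbook above): one consistent, one with faults.
SAMPLE_OK = {
    "firewall_defaults": {"input": "REJECT", "forward": "REJECT", "output": "ACCEPT"},
    "firewall_zones": [{"id": "iot", "name": "iot", "state": "present", "network": ["iot"],
                        "input": "DROP", "forward": "DROP", "output": "ACCEPT"}],
    "firewall_forwardings": [{"name": "lan_iot", "state": "present", "src": "lan", "dest": "iot"}],
    "firewall_rules": [{"id": "iot_dns", "name": "Allow IoT DNS", "state": "present", "src": "iot",
                        "dest": "lan", "dest_port": ["53"], "proto": ["tcp", "udp"], "target": "ACCEPT"}],
}
SAMPLE_BAD = {
    "firewall_defaults": {"input": "ALLOW"},  # not a policy
    "firewall_zones": [{"id": "guest", "name": "guest", "state": "absent", "network": ["guest"]}],
    "firewall_forwardings": [{"name": "guest_wan", "state": "present", "src": "guest", "dest": "wan"}],  # zone removed
    "firewall_rules": [{"id": "r1", "name": "r1", "state": "present", "src": "dmz", "dest": "*",
                        "dest_port": ["22"], "target": "ALLOW"}],  # unknown zone, bad target, no proto
    "firewall_nats": [{"id": "n1", "name": "n1", "state": "present", "target": "MASQUERADE"}],  # no src
}

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, lint_firewall_vars(sample) or "no findings")
```

Run it before `ansible-playbook` (or wire it into a pre-task that loads the same variables); a non-empty list is the change that would have been rejected, or silently ignored, on the device. The ipset name in `ipset` is deliberately not cross-checked, since the table does not say whether it refers to the set's `id` or `name`.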
GNU General Public License v3.0
fly0v3rH34D