OpenWRT Firewall INPUT Chain allowing everything?


I haven't done anything to my default firewall rules except open a port for ssh from the wan and add the rules for OpenVPN as defined in this tutorial:, but I'm concerned that I have left more ports open than intended because of the output of iptables -L. I've put the complete output below, but in particular:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
input_rule  all  --  anywhere             anywhere
input      all  --  anywhere             anywhere
Does the

ACCEPT     all  --  anywhere             anywhere

line mean that everything is being accepted from anywhere?

Complete iptables output for reference:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
input_rule  all  --  anywhere             anywhere
input      all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forward    all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere
output     all  --  anywhere             anywhere
Chain forward (1 references)
target     prot opt source               destination
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere
zone_vpn_forward  all  --  anywhere             anywhere
Chain forwarding_lan (1 references)
target     prot opt source               destination
Chain forwarding_rule (1 references)
target     prot opt source               destination
Chain forwarding_vpn (1 references)
target     prot opt source               destination
Chain forwarding_wan (1 references)
target     prot opt source               destination
Chain input (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn
zone_lan   all  --  anywhere             anywhere
zone_wan   all  --  anywhere             anywhere
zone_vpn   all  --  anywhere             anywhere
Chain input_lan (1 references)
target     prot opt source               destination
Chain input_rule (1 references)
target     prot opt source               destination
Chain input_vpn (1 references)
target     prot opt source               destination
Chain input_wan (1 references)
target     prot opt source               destination
Chain output (1 references)
target     prot opt source               destination
zone_lan_ACCEPT  all  --  anywhere             anywhere
zone_wan_ACCEPT  all  --  anywhere             anywhere
zone_vpn_ACCEPT  all  --  anywhere             anywhere
Chain output_rule (1 references)
target     prot opt source               destination
Chain reject (7 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere
Chain zone_lan (1 references)
target     prot opt source               destination
input_lan  all  --  anywhere             anywhere
zone_lan_ACCEPT  all  --  anywhere             anywhere
Chain zone_lan_ACCEPT (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain zone_lan_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
Chain zone_lan_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere
Chain zone_lan_forward (1 references)
target     prot opt source               destination
zone_wan_ACCEPT  all  --  anywhere             anywhere
forwarding_lan  all  --  anywhere             anywhere
zone_lan_REJECT  all  --  anywhere             anywhere
Chain zone_vpn (1 references)
target     prot opt source               destination
input_vpn  all  --  anywhere             anywhere
zone_vpn_ACCEPT  all  --  anywhere             anywhere
Chain zone_vpn_ACCEPT (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain zone_vpn_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
Chain zone_vpn_REJECT (0 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere
Chain zone_vpn_forward (1 references)
target     prot opt source               destination
zone_wan_ACCEPT  all  --  anywhere             anywhere
zone_lan_ACCEPT  all  --  anywhere             anywhere
forwarding_vpn  all  --  anywhere             anywhere
zone_vpn_ACCEPT  all  --  anywhere             anywhere
Chain zone_wan (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootpc
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:23232
input_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere
Chain zone_wan_ACCEPT (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain zone_wan_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
Chain zone_wan_REJECT (2 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere
Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere


Try to post output for iptables -nL --line-numbers
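Plain iptables -L omits the in/out interface columns, so an ACCEPT that is limited to "-i lo" (as OpenWrt's default loopback rule is) prints exactly like the second INPUT line in the question. As an added example that is not part of this thread, the POSIX shell/awk audit below reads the iptables -S INPUT form, which keeps those interface matches, and reports only ACCEPT rules that carry no match at all; the sample chain is constructed from the question's INPUT chain and assumes its second rule is the "-i lo" one.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Input is the `iptables -S INPUT`
# form, which keeps the -i/-o interface matches that plain `iptables -L` omits;
# a rule that only matches "-i lo" prints there as "ACCEPT all -- anywhere anywhere".

# Classify every -A INPUT rule: WIDE_OPEN (ACCEPT with no match at all),
# LOOPBACK (ACCEPT limited to -i lo), LIMITED_ACCEPT, or the jump target name.
classify_input_rules() {
    printf '%s\n' "$1" | awk '
        /^-P INPUT / { print "POLICY " $3 " (applies when no rule matches)"; next }
        /^-A INPUT / {
            target = ""; iface = ""; has_match = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); i++; continue }
                if ($i == "-i") { iface = $(i + 1); i++; continue }
                if ($i ~ /^(-[sdpmo]|--|!)/) has_match = 1   # any other match option
            }
            if (target == "ACCEPT" && !has_match && iface == "")        kind = "WIDE_OPEN"
            else if (target == "ACCEPT" && !has_match && iface == "lo") kind = "LOOPBACK"
            else if (target == "ACCEPT")                                kind = "LIMITED_ACCEPT"
            else                                                        kind = "JUMP:" target
            print kind " " $0
        }'
}

# Number of rules that really accept everything from every interface.
count_wide_open() {
    classify_input_rules "$1" | awk '$1 == "WIDE_OPEN" { n++ } END { print n + 0 }'
}

# Constructed sample modelled on the INPUT chain in the question; the second rule is
# assumed to be OpenWrt's default "-i lo" accept, which -L displayed without interface.
OPENWRT_DEFAULT='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -j input_rule
-A INPUT -j input'

# The same chain with a constructed, genuinely unconditional accept added for contrast.
WIDE_OPEN_CHAIN="$OPENWRT_DEFAULT
-A INPUT -j ACCEPT"

classify_input_rules "$OPENWRT_DEFAULT"
echo "wide-open accepts in default chain: $(count_wide_open "$OPENWRT_DEFAULT")"
echo "wide-open accepts in modified chain: $(count_wide_open "$WIDE_OPEN_CHAIN")"
# On a live router, feed the real chain: count_wide_open "$(iptables -S INPUT)"
```

The POLICY line matters too: a rule-less packet falls through to it, which on this chain means ACCEPT unless the zone chains reject it first.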



I am sorry, but I fail to see where the problem lies here. Yes, you have a firewall which allows any packet to get through, both as INPUT and as FORWARD. This is the standard configuration for the newly installed OpenWRT firewall, I had the same configuration.

Basically, iptables rules are to be read sequentially: reading from the first to the last, the first rule that fits is applied and the remaining rules are not even tested. If all rules are tested and none fits, the default policy is applied (for instance, in the case of your INPUT chain, the default policy is ACCEPT).

Taking as an example your INPUT chain, the incoming packet is tested to ascertain whether it is related to an existing connection; if it is, the rule is applied, thus the packet is ACCEPTED. If it is not (thus the packet belongs to an as yet unestablished connection), we move to the second rule. The second rule has no criteria to meet, thus all packets fit it; thus it is applied, and its application means: ACCEPT.

The remaining rules never come into question. This is why you should carefully check iptables rules before saving them permanently: the order in which you supplied the rules may differ from that in which they are applied, and thus cause unpleasant consequences.

This overall policy (first rule that fits is applied, the following rules are neglected) differs for instance from the policy with which the kernel applies routing rules: in that case, the most restrictive rule that fits is applied, regardless of the order in which routing rules are stored.


Thanks, so does that mean that by default openwrt firewalls are wide open? I would think that is a major issue. – rainkinz – 2014-08-03T13:30:33.893

@rainkinz Yes, it does mean that they are wide open when you first install OpenWRT. I disagree that this is a major issue: discovering it was wide open forced me, for instance, to lock it down pretty good as the first thing I did. I think presenting some sort of half closed firewall would induce a false sense of security. – MariusMatutiae – 2014-08-03T13:39:17.733

thanks again. I'm a little surprised that it's wide open, don't suppose you have a suggestion for a good set of 'default' rules that block all incoming traffic, unless it's established etc? – rainkinz – 2014-08-03T14:26:22.277

@rainkinz Difficult and long question. Basically, if you have no services (http, ssh, openvpn...), you may block everything coming in, except for ESTABLISHED,RELATED; same thing for forward; allow all OUTPUT. If you want something more articulate, read here:

– MariusMatutiae – 2014-08-03T14:37:34.160

Thanks, I'll read through that. One issue is that I'm not sure I should be using iptables commands to configure my firewall or uci which creates a config in /etc/config/firewall, which I think is then used to create iptables calls to configure the firewall. It would be great if there were a tutorial on configuring the firewall with uci, say to allow no input from the wan (except for established connections). – rainkinz – 2014-08-03T14:52:10.933

@rainkinz depends on how much detail you wish. For lots of details, see the OpenWRT uci man page. I must confess I never used it; I am perfectly comfortable with iptables, for which once again OpenWRT has a fine man page. Once again, this has lots of details, which is why initially I pointed you to the other reference. However, this man page allows you to configure expertly an iptables firewall. If you google openwrt firewall example, you will find several such, which should point you in the right direction.

– MariusMatutiae – 2014-08-03T15:37:33.680