@craigphicks
Last active April 24, 2019 19:09
Setting up openwrt to run on Raspberry Pi 3 B+ - and replacing `iptables` with `nftables`
  1. Download the image (https://downloads.openwrt.org/snapshots/targets/brcm2708/bcm2710/openwrt-brcm2708-bcm2710-rpi-3-ext4-factory.img.gz) and write it to the SD card.

  2. Modify /etc/config/network to set the IP address, gateway and DNS:

```
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.39'
	option netmask '255.255.255.0'
	#option ip6assign '60'
	option gateway '192.168.1.2'
	option dns '192.168.1.14'
```

  3. Modify /etc/config/firewall to allow ssh in.

  4. Set /etc/dropbear/authorized_keys.

  5. Boot from the SD card and log in with ssh.

  6. Set a root password or prevent root login.

  7. Install some packages:

```sh
opkg update
opkg install nano
opkg install tree
opkg install openssh-sftp-server
```

With openssh-sftp-server installed on openwrt, you can mount the openwrt filesystem from your work PC to edit files easily:

```sh
sshfs root@rpi-owrt:/ ~/sshfs/rpi-owrt
emacs ~/sshfs/rpi-owrt/etc/nftables.conf
```
  8. Switch to nftables. Note: the firewall will be down during the transition, which is a security risk. If you can pre-cache the necessary packages in advance, you may be able to complete this step with a private LAN cable between your work PC and the RPi.

Remove all packages kmod-nf* and kmod-ip*, forcing removal of the packages that depend on them:

```sh
opkg list-installed | grep -e kmod-nf -e kmod-ip | while read m x ; do opkg --force-removal-of-dependent-packages remove "$m" ; done
```

Remove all modules ip*. This may require several iterations:

```sh
lsmod | grep -e "^ip" | while read m xx ; do echo "--------- $m " ; rmmod "$m" ; done
```

Install or reinstall all packages kmod-nf*. This needs a sleep between installs. Make sure they are ALL installed; if necessary, run it several times:

```sh
opkg list | grep -e kmod-nf | while read m xx ; do echo ":::: $m ::::" ; sleep 1 ; opkg install "$m" ; done
```
  9. Nft firewall. Set up a simple /etc/nftables.conf (don't forget to allow yourself to ssh in) and load it with:

```sh
nft -f /etc/nftables.conf
```
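A minimal /etc/nftables.conf for this setup, added here as an example (not the gist author's file). It assumes the Pi is a single-interface host on the 192.168.1.0/24 LAN from the network config above, allows only SSH from that subnet plus replies to its own connections, and begins with `flush ruleset` so that `nft -f` replaces the whole ruleset in one atomic transaction and a reload never leaves a window with no firewall.

```nft
# /etc/nftables.conf - constructed example, not from the gist.
# Starting with a flush makes 'nft -f' replace the ruleset atomically.
flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		# loopback and replies to connections this host started
		iif "lo" accept
		ct state established,related accept
		ct state invalid drop

		# ping and IPv6 neighbour discovery
		ip protocol icmp accept
		ip6 nexthdr icmpv6 accept

		# SSH (dropbear) only from the LAN subnet used in /etc/config/network
		ip saddr 192.168.1.0/24 tcp dport 22 ct state new accept

		# count what the drop policy is about to discard (see: nft list ruleset)
		counter
	}

	chain forward {
		# this host does not route between interfaces
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}
```

Check the syntax without touching the live ruleset first with `nft -c -f /etc/nftables.conf`.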
  10. Service to load nftables.conf at boot

10.a.

Set up a service /etc/init.d/nft-fw to take the place of /etc/init.d/firewall which was automatically removed when iptables was removed.

```sh
#!/bin/sh /etc/rc.common

# /etc/init.d/nft-fw - adapted from /etc/init.d/firewall (the fw3 calls are kept as comments)

START=19
USE_PROCD=1
QUIET=""

# validate_firewall_redirect()
# {
# 	uci_validate_section firewall redirect "${1}" \
# 		'proto:or(uinteger, string)' \
# 		'src:string' \
# 		'src_ip:cidr' \
# 		'src_dport:or(port, portrange)' \
# 		'dest:string' \
# 		'dest_ip:cidr' \
# 		'dest_port:or(port, portrange)' \
# 		'target:or("SNAT", "DNAT")'
# }

# validate_firewall_rule()
# {
# 	uci_validate_section firewall rule "${1}" \
# 		'proto:or(uinteger, string)' \
# 		'src:string' \
# 		'dest:string' \
# 		'src_port:or(port, portrange)' \
# 		'dest_port:or(port, portrange)' \
# 		'target:string'
# }

# service_triggers() {
# 	procd_add_reload_trigger firewall
#
# 	procd_open_validate
# 	validate_firewall_redirect
# 	validate_firewall_rule
# 	procd_close_validate
# }

restart() {
	# fw3 restart
	# Flush, then load the ruleset. Between the two commands the box has no
	# rules at all; if /etc/nftables.conf itself begins with 'flush ruleset',
	# the separate flush is unnecessary and 'nft -f' replaces the ruleset atomically.
	nft flush ruleset
	nft -f /etc/nftables.conf
}

start_service() {
	#fw3 ${QUIET} start
	restart
}

stop_service() {
	#fw3 flush
	# stopping the service leaves the box with no firewall, as 'fw3 flush' did
	nft flush ruleset
}

reload_service() {
	#fw3 reload
	restart
}

boot() {
	## Be silent on boot, firewall might be started by hotplug already,
	## so don't complain in syslog.
	#QUIET=-q
	#start
	restart
}

# start() didn't exist in the fw3 original
start() {
	restart
}
```

10.b.

```sh
ln -s /etc/init.d/nft-fw /etc/rc.d/S19nft-fw
```

10.c.

```sh
service nft-fw enable
```
  11. Check modules and packages for *ipt*

```console
root@OpenWrt:~# lsmod | grep -e ipt
ip_tables              24576  3 iptable_raw,iptable_mangle,iptable_filter
ipt_REJECT             16384  0 
iptable_filter         16384  0 
iptable_mangle         16384  0 
iptable_raw            16384  0 
nf_reject_ipv4         16384  4 nft_reject_ipv4,nft_reject_inet,nft_reject_bridge,ipt_REJECT
x_tables               24576 18 iptable_raw,iptable_mangle,iptable_filter,ipt_REJECT,ip6_tables,ip_tables,xt_time,xt_tcpudp,xt_state,xt_multiport,xt_mark,xt_mac,xt_limit,xt_conntrack,xt_comment,xt_TCPMSS,xt_LOG,xt_CT
root@OpenWrt:~# opkg list installed  | grep -e ipt

root@OpenWrt:~# rmmod iptable_raw
root@OpenWrt:~# rmmod iptable_mangle
root@OpenWrt:~# rmmod iptable_filter
root@OpenWrt:~# rmmod ip_tables
root@OpenWrt:~# for m in iptable_raw iptable_mangle iptable_filter ipt_REJECT ip6_tables ip_tables xt_time xt_tcpudp xt_state xt_multiport xt_mark xt_mac xt_limit xt_conntrack xt_comment xt_TCPMSS xt_LOG xt_CT ; do echo $m ; rmmod $m ; done
...
root@OpenWrt:~# rmmod x_tables
```