Chain input not showing traffic

I'm on an RPi4 and I don't understand why I'm not seeing traffic in the INPUT chain.

iptables -t nat -A INPUT -i wan -j ACCEPT -m comment --comment "stage 1"

Firewall shows no error.

root@OpenWrt:~# service firewall restart
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'ubus:https-dns-proxy[instance1] rule 1'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'ubus:https-dns-proxy[instance1] redirect 0'
   * Redirect 'DMZ'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'ubus:https-dns-proxy[instance1] redirect 0'
   * Redirect 'DMZ'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 raw table
   * Zone 'lan'
     - Using automatic conntrack helper attachment
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/usr/share/miniupnpd/firewall.include'

Was there any packet destined to the router itself?


I don't understand why you are interested in the nat table INPUT chain. It is used only in some special cases of SNAT.

To see any hits on your rule, there are two conditions:

  1. The interface name used in the rule must be the physical, not the logical interface name (of course both could be the same).
  2. The packets should successfully traverse the filter table input chain first (see this flowchart).

Whatever you do, do not apply this rule to the filter table INPUT chain!

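The two conditions in the reply above can be checked directly on the router. The script below is an added example, not code from the thread or from OpenWrt; it assumes the iptables-based fw3 firewall shown in the posted log, and the `ifstatus` JSON and `iptables -t nat -vnL INPUT` listing embedded in it are constructed samples (with the WAN device assumed to be `eth1`) so that the helpers also run off the router.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the two conditions from the reply:
#   1. is the rule keyed on the physical device, not the logical name "wan"?
#   2. did the rule ever match, according to its packet counter?

# Condition 1: resolve logical interface -> physical device.
# On the router:  ifstatus wan | jsonfilter -e '@.l3_device'
# Parsed with sed here so it runs without jsonfilter.
l3_device() {
  sed -n 's/.*"l3_device": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed fragment of `ifstatus wan` output (assumed device name eth1).
SAMPLE_IFSTATUS='{ "up": true, "l3_device": "eth1", "proto": "dhcp" }'

# Condition 2: packet counter of a rule, located by its comment, from
# `iptables -t <table> -vnL <chain>`.  Counters are reset by
# `service firewall restart`, so read them after some traffic has flowed.
# On the router:  iptables -t nat -vnL INPUT | rule_pkts "stage 1"
rule_pkts() {
  awk -v c="/* $1 */" 'index($0, c) { print $1; exit }'
}

# Constructed `iptables -t nat -vnL INPUT` listing: the rule keyed on the
# logical name "wan" never matches, the one keyed on the device does.
SAMPLE_NAT_INPUT='Chain INPUT (policy ACCEPT 1204 packets, 96K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  wan    *       0.0.0.0/0            0.0.0.0/0            /* stage 1 */
  812   61K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* stage 1 on eth1 */'

# Wrappers over the constructed samples.
wan_dev() { printf '%s\n' "$SAMPLE_IFSTATUS" | l3_device; }
hits()    { printf '%s\n' "$SAMPLE_NAT_INPUT" | rule_pkts "$1"; }

# Report: which device name the rule should use, and whether it matched.
report() {
  dev=$(wan_dev)
  echo "wan is device $dev"
  echo "rule on 'wan':  $(hits 'stage 1') packets"
  echo "rule on '$dev': $(hits "stage 1 on $dev") packets"
}
```

Two caveats when reading the counters: the nat table only sees the first packet of each connection (later packets are handled from the conntrack entry), and a packet reaches nat INPUT only if it was addressed to the router itself and was not dropped in filter INPUT first. A rule that shows zero hits in nat INPUT while filter INPUT is busy is therefore normal for forwarded traffic.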

I'm behind double NAT (dynamic IP, not static), so I'm trying a few things out. I'm new to this, so I'm still figuring things out. The code I mentioned is just a simple example to show I'm receiving zero traffic in the INPUT chain. First I thought it could be because of Flow Offloading. I disabled it and it's still the same. Maybe I'm missing a module? BTW, if someone knows another way to make NAT open rather than relying on miniupnp, please let me know.

The packets should successfully traverse the filter table input chain first

See, now here comes the interesting part. Filter INPUT shows traffic; the INPUT chain doesn't.
Also, may I ask why anyone shouldn't apply the rule(s) to the INPUT chain?

I'm not sure. But I tried eth0 (br-lan) instead of wan just to test; it captured the packets, but the whole network started freezing, lol. Thanks for that diagram.

Because you'll open up all access from the internet.

To test what exactly? What are you trying to achieve with that?


Ah, that would be terrible, TIL. Is there any benefit to adding rules in INPUT rather than PREROUTING?

Well, I have a closed NAT, so I'm trying methods like full cone and port mapping, etc. Just a few tests for a better gaming experience.

Unless the game is running on OpenWrt itself, what you are trying to do is pointless.
Use the port forwards in the OpenWrt firewall menu to open the ports you need.

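The port forward recommended in the last reply, done from the shell instead of the LuCI menu, as an added example that is not part of the thread or of OpenWrt's own scripts. It assumes the UCI firewall (fw3, as in the posted log), a LAN host at `192.168.1.50` and a game port `3074/udp`; all three are placeholders. The ACCEPT-everything rule the earlier reply warns about is shown in a comment for contrast.

```shell
#!/bin/sh
# Added example (not from the thread). A UCI redirect DNATs exactly one port
# to one LAN host and generates the matching filter rule, so nothing else on
# the router is exposed.  Compare with what the earlier reply warns against:
#   iptables -I INPUT -i eth1 -j ACCEPT   # every router service reachable from WAN

# valid_port N : 1..65535, digits only.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# private_ip A.B.C.D : RFC 1918 address (a forward target should be on the LAN).
private_ip() {
  case $1 in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# pf_uci NAME PROTO WAN_PORT DEST_IP DEST_PORT : print the uci commands for one
# port forward, or fail without printing anything if the arguments are unsafe.
pf_uci() {
  name=$1 proto=$2 sport=$3 dip=$4 dport=$5
  case $proto in tcp|udp|'tcp udp') ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
  valid_port "$sport" && valid_port "$dport" || { echo "bad port" >&2; return 1; }
  private_ip "$dip" || { echo "dest_ip $dip is not a LAN address" >&2; return 1; }
  cat <<EOF
uci add firewall redirect
uci set firewall.@redirect[-1].name='$name'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].proto='$proto'
uci set firewall.@redirect[-1].src_dport='$sport'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$dip'
uci set firewall.@redirect[-1].dest_port='$dport'
uci set firewall.@redirect[-1].target='DNAT'
EOF
}

# pf_uci_count ... : number of `uci set` lines produced (0 when rejected).
pf_uci_count() {
  pf_uci "$@" 2>/dev/null | grep -c '^uci set'
}

# To apply on the router (placeholder values):
#   pf_uci game-udp udp 3074 192.168.1.50 3074 | sh \
#     && uci commit firewall && service firewall restart
```

Because the original poster is behind double NAT, a forward on OpenWrt alone is not enough: the upstream router must forward the same port to OpenWrt's WAN address, or run UPnP for it, before the game's port is reachable from the Internet.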