Help please!
Version:
OpenWrt SNAPSHOT r6951-22c16c5 / LuCI Master (git-18.138.53073-828202e)
I previously had udp SIP+RTP forwarding (ports 5060,10000-10010) working using a snapshot version of OpenWrt from about a month ago, but after upgrading to the latest this week (more than once to see if things changed) it seems that port forwarding is broken. I have, just to make sure, started from scratch using Luci to just configure this one thing.
Some relevant info: I have a static IP address from my ISP, configured via DHCP from their residential gateway, and on the router I can successfully see the UDP packets arriving using the following:
tcpdump -i eth1.2 udp port 5060
However, on my server (which runs the target Asterisk endpoint), the equivalent tcpdump shows nothing being passed on. Oddly, TCP port forwarding (ssh) still works.
My config in /etc/config/firewall is:
# Port forward "sip0": UDP/5060 arriving on the wan zone -> 10.1.1.100:5060 on lan.
# fw3 turns this into a single nat PREROUTING rule (the "!fw3: sip0" line in the
# fw3 print output). That rule matches ONLY when the packet's source address is
# src_ip AND its destination address is src_dip. A packet that misses either
# condition is never DNATed; it is then treated as traffic for the router itself
# and presumably rejected on the INPUT path (zone_wan_src_REJECT), so it never
# reaches the lan host.
# The "rtp" rules in the fw3 print output come from a second redirect that is
# not shown here.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '5060'
option dest_ip '10.1.1.100'
option dest_port '5060'
# Only traffic FROM exactly this provider address is forwarded. If the provider
# signals from any other host, the rule does not match.
option src_ip 'voip.provider.ip.addr'
option name 'sip0'
# Only packets addressed TO exactly this external address are forwarded. If the
# address actually configured on eth1.2 differs from this value (e.g. the
# residential gateway hands the router a different one), nothing matches.
# Check with `tcpdump -ni eth1.2 udp port 5060` that the src/dst addresses
# on the wire are these two values.
option src_dip 'external.ip.addr'
I'm not enough of an iptables expert to debug this, but here is the filtered dump:
fw3 print
Warning: Unable to locate ipset utility, disabling ipset support
# --- filter table ---
# Default policies: FORWARD is DROP, so a forwarded packet passes only if a
# zone chain below explicitly ACCEPTs it (and a final catch-all reject exists).
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
# Reply traffic of known connections is accepted before any zone logic.
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
# SYN rate limiting applies to TCP only; UDP/SIP is not affected by it.
iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
iptables -t filter -A syn_flood -m comment --comment "!fw3" -j DROP
iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
iptables -t filter -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
# lan side: accept packets whose conntrack entry carries the DNAT state,
# i.e. a redirect rule in the nat table already matched them.
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
# Device-bound rules are emitted as a -D (delete) followed by the same -A,
# which appears to be how fw3 avoids accumulating duplicates on reload.
iptables -t filter -D zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
# wan side: the only general ACCEPT for inbound wan->lan traffic. It fires
# solely on the DNAT conntrack state, so a packet that the nat-table redirect
# rule did NOT match never gets here; it falls through to the REJECT chains
# below instead. The forwarding path itself is therefore intact -- if SIP
# packets are not reaching the lan host, the nat DNAT match is the thing to
# verify.
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
# NOTE(review): the eth1.2 block above is emitted a second time here, presumably
# because two wan interfaces (e.g. IPv4 and IPv6) are bound to the same device.
# Each -A is preceded by its -D, so this does not leave duplicate rules behind.
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
# Catch-all: anything a zone chain did not ACCEPT is rejected here (for UDP
# that is an ICMP port-unreachable, see the "reject" chain above).
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
# --- nat table ---
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
# sip0: the only DNAT for UDP/5060 from the wan zone. Both -s and -d are /32
# matches, so the packet is redirected ONLY if it comes from exactly
# voip.provider.ip.addr AND is addressed to exactly external.ip.addr. A packet
# from another provider host, or addressed to whatever address eth1.2 really
# carries if that differs, is not DNATed and therefore never gets the DNAT
# conntrack state the filter table's "Accept port forwards" rule requires.
# Confirm with `tcpdump -ni eth1.2 udp port 5060` which src/dst the packets
# actually carry before suspecting the forwarding chains.
iptables -t nat -A zone_wan_prerouting -p udp -s voip.provider.ip.addr/255.255.255.255 -d external.ip.addr/255.255.255.255 -m udp --dport 5060 -m comment --comment "!fw3: sip0" -j DNAT --to-destination 10.1.1.100:5060
# Reflection (hairpin) rules: let lan hosts reach the forward via the external
# address. They only apply to traffic entering from br-lan, not to wan->lan.
iptables -t nat -D zone_lan_prerouting -p udp -s 10.1.1.0/255.255.255.0 -d external.ip.addr/255.255.255.255 -m udp --dport 5060 -m comment --comment "!fw3: sip0 (reflection)" -j DNAT --to-destination 10.1.1.100:5060
iptables -t nat -A zone_lan_prerouting -p udp -s 10.1.1.0/255.255.255.0 -d external.ip.addr/255.255.255.255 -m udp --dport 5060 -m comment --comment "!fw3: sip0 (reflection)" -j DNAT --to-destination 10.1.1.100:5060
iptables -t nat -D zone_lan_postrouting -p udp -s 10.1.1.0/255.255.255.0 -d 10.1.1.100/255.255.255.255 -m udp --dport 5060 -m comment --comment "!fw3: sip0 (reflection)" -j SNAT --to-source 10.1.1.1
iptables -t nat -A zone_lan_postrouting -p udp -s 10.1.1.0/255.255.255.0 -d 10.1.1.100/255.255.255.255 -m udp --dport 5060 -m comment --comment "!fw3: sip0 (reflection)" -j SNAT --to-source 10.1.1.1
# rtp: UDP 10000-10010 from ANY source (no -s restriction, unlike sip0) but
# still only when addressed to external.ip.addr. The redirect stanza that
# produces this is not part of the config excerpt above.
iptables -t nat -A zone_wan_prerouting -p udp -d external.ip.addr/255.255.255.255 -m udp --dport 10000:10010 -m comment --comment "!fw3: rtp" -j DNAT --to-destination 10.1.1.100:10000-10010
iptables -t nat -D zone_lan_prerouting -p udp -s 10.1.1.0/255.255.255.0 -d external.ip.addr/255.255.255.255 -m udp --dport 10000:10010 -m comment --comment "!fw3: rtp (reflection)" -j DNAT --to-destination 10.1.1.100:10000-10010
iptables -t nat -A zone_lan_prerouting -p udp -s 10.1.1.0/255.255.255.0 -d external.ip.addr/255.255.255.255 -m udp --dport 10000:10010 -m comment --comment "!fw3: rtp (reflection)" -j DNAT --to-destination 10.1.1.100:10000-10010
iptables -t nat -D zone_lan_postrouting -p udp -s 10.1.1.0/255.255.255.0 -d 10.1.1.100/255.255.255.255 -m udp --dport 10000:10010 -m comment --comment "!fw3: rtp (reflection)" -j SNAT --to-source 10.1.1.1
iptables -t nat -A zone_lan_postrouting -p udp -s 10.1.1.0/255.255.255.0 -d 10.1.1.100/255.255.255.255 -m udp --dport 10000:10010 -m comment --comment "!fw3: rtp (reflection)" -j SNAT --to-source 10.1.1.1
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
# Everything leaving through the wan zone is masqueraded.
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
# Inbound packets on eth1.2 are handed to zone_wan_prerouting, where the sip0
# and rtp DNAT rules above live. The block is emitted twice (presumably two wan
# interfaces on the same device); the -D before each -A keeps it idempotent.
iptables -t nat -D PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
# --- mangle table ---
# TCP MSS clamping on outbound SYNs through eth1.2. TCP only; it has no effect
# on the UDP SIP/RTP path. Emitted twice for the same reason as the wan device
# rules above.
iptables -t mangle -D FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu