Firewall opens ports that are not defined

Hello,
I have two x86_64 routers on which I have installed keepalived and mwan3.
Today I configured postfix to receive emails if the ISP or one router fails.
When telnetting to port 25, it turned out that the master router responds. When scanning with nmap, I saw that other ports were open.

With ncat I opened any port that is not defined for external access. When trying to telnet to this port, the router responds.

The openwrt version is 19.07.7, r11306-c4a6851c72

Has anyone had a similar problem?

Regards,

A few questions:

  • Do you have upnp installed and enabled? If so, that may be the reason you're seeing additional ports open
  • How are you testing? nmap from inside or outside the network? If you test your WAN IP from a cellular connection or another location entirely, do you still see the same ports open?
  • Did you make any changes to the firewall or port forwarding?
  • please post the contents of /etc/config/firewall (be sure to paste it into the </> code block).

Hello,

  • Do you have upnp installed and enabled? If so, that may be the reason you're seeing additional ports open

I checked and I don't have upnp installed

  • How are you testing? nmap from inside or outside the network? If you test your WAN IP from a cellular connection or another location entirely, do you still see the same ports open?

I did the nmap tests on a server outside my network. That's how I realized I had open ports.

  • Did you make any changes to the firewall or port forwarding?

Yes, I have opened and redirected several ports.
For a test I stopped ports 22 and 80, since 22 was redirected to an IP in my internal network, and 80 to the web administration.
Port 25 is not defined.
All three ports are visible from the outside of my network. Also port 53

please post the contents of /etc/config/firewall

cat /etc/config/firewall 

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'
        option synflood_protect '1'
        option custom_chains '1'
        option synflood_burst '50'
        option tcp_ecn '1'
        option tcp_syncookies '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'netx'
        list network 'net1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        list proto 'tcp'
        option name '443'
        option src 'wan'
        option dest_port '443'

config rule
        option name '32400'
        option src 'wan'
        option target 'ACCEPT'

config rule
        option dest_port '22'
        option src 'wan'
        option name 'EnableSSH'
        option target 'ACCEPT'
        list proto 'tcp'
        option enabled '0'

config rule
        option dest_port '80'
        option src 'wan'
        option name '80'
        option target 'ACCEPT'
        list proto 'tcp'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config redirect
        option dest_port '21'
        option src 'wan'
        option name 'ftp 2121 -> ftp 21'
        option src_dport '2121'
        option target 'DNAT'
        option dest_ip '192.168.198.21'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '3389'
        option src 'wan'
        option name 'RDC Win10'
        option src_dport '3389'
        option target 'DNAT'
        option dest_ip '192.168.198.30'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option target 'DNAT'
        option name 'plex'
        list proto 'tcp'
        option src 'wan'
        option src_dport '32400'
        option dest 'lan'
        option dest_ip '192.168.198.21'
        option dest_port '32400'

config redirect
        option dest_port '49125-65534'
        option src 'wan'
        option name 'ftp:49125-65534'
        option src_dport '49125-65534'
        option target 'DNAT'
        option dest_ip '192.168.198.21'
        option dest 'lan'
        list proto 'tcp'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'node_pi'
        list proto 'tcp'
        option src 'wan'
        option src_dport '31400-31409'
        option dest 'lan'
        option dest_ip '192.168.198.30'
        option dest_port '31400-31409'
        option enabled '0'

config redirect
        option dest_port '22'
        option src 'wan'
        option name 'ssh'
        option src_dport '22'
        option target 'DNAT'
        option dest_ip '192.168.198.32'
        option dest 'lan'
        list proto 'tcp'
        option enabled '0'

Regards,

You have a TON of ports being forwarded to 192.168.192.21 (49125-65534). This is not directly the cause of your issue, but doesn't look right at all. No services should ever require 16K ports forwarded. And it is possible that your NAT layer is running out of ports causing the other (normally reserved) ports to be used for normal network functionality. (although this rule does appear to be disabled, but don't re-enable that one)

What is upstream of your router? Try unplugging the router and then running the same test. Sometimes the upstream device (modem/ONT, or modem+router) has some ports open.


Hello.

What is upstream of your router?

Both routers are virtual.
My network has the following configuration.
ISP1 and ISP2 are connected to the managed switch.
The VLAN reaches two hypervisors and from there the routers.
A third VLAN returns traffic to my network.
I do tests with nmap on both ISPs. I get a real IP address from both ISPs.

Regards,

Since your routers are virtual, have you been able to 100% confirm that the response is not coming from the host itself? You could shut down the OpenWrt VMs and then repeat your test. If you still see the issue, it is either your host or could be something on the switch. Next step would be to disconnect the host from the switch and run the test again.

Hello,
After stopping both routers there was no ping to them. To make sure that the IP addresses are not picked up elsewhere, I checked with nmap, and it reports that there are no live hosts.

The problem is in openwrt, but I don't understand where. I can close the ports manually, but this is not a solution. One router (Master) was configured 1 week ago (I updated).

Regards,

iptables-save -c ?


those statements are contradictory...

  • did your telnet -> 25 produce a response? ( like postfix ABC? )
  • lsof -i -nP || netstat -lnp ?
# Generated by iptables-save v1.8.3 on Sun Mar 28 01:10:25 2021
*nat
:PREROUTING ACCEPT [15171:2409276]
:INPUT ACCEPT [12033:1116680]
:OUTPUT ACCEPT [3046:233991]
:POSTROUTING ACCEPT [2362:123061]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[17521:2531492] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[3549:1311464] -A PREROUTING -i eth0.10 -m comment --comment "!fw3" -j zone_lan_prerouting
[6037:514104] -A PREROUTING -i eth0.270 -m comment --comment "!fw3" -j zone_wan_prerouting
[7935:705924] -A PREROUTING -i eth0.11 -m comment --comment "!fw3" -j zone_wan_prerouting
[6704:1236523] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2351:122280] -A POSTROUTING -o eth0.10 -m comment --comment "!fw3" -j zone_lan_postrouting
[2238:646447] -A POSTROUTING -o eth0.270 -m comment --comment "!fw3" -j zone_wan_postrouting
[2102:466895] -A POSTROUTING -o eth0.11 -m comment --comment "!fw3" -j zone_wan_postrouting
[2351:122280] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.198.0/23 -d 192.168.198.21/32 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: ftp 2121 -> ftp 21 (reflection)" -j SNAT --to-source 192.168.198.252
[0:0] -A zone_lan_postrouting -s 192.168.198.0/23 -d 192.168.198.30/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDC Win10 (reflection)" -j SNAT --to-source 192.168.198.252
[2:120] -A zone_lan_postrouting -s 192.168.198.0/23 -d 192.168.198.21/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: plex (reflection)" -j SNAT --to-source 192.168.198.252
[3549:1311464] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.198.0/23 -d ISP2/32 -p tcp -m tcp --dport 2121 -m comment --comment "!fw3: ftp 2121 -> ftp 21 (reflection)" -j DNAT --to-destination 192.168.198.21:21
[0:0] -A zone_lan_prerouting -s 192.168.198.0/23 -d ISP1/32 -p tcp -m tcp --dport 2121 -m comment --comment "!fw3: ftp 2121 -> ftp 21 (reflection)" -j DNAT --to-destination 192.168.198.21:21
[0:0] -A zone_lan_prerouting -s 192.168.198.0/23 -d ISP2/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDC Win10 (reflection)" -j DNAT --to-destination 192.168.198.30:3389
[0:0] -A zone_lan_prerouting -s 192.168.198.0/23 -d ISP1/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDC Win10 (reflection)" -j DNAT --to-destination 192.168.198.30:3389
[1:60] -A zone_lan_prerouting -s 192.168.198.0/23 -d ISP2/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: plex (reflection)" -j DNAT --to-destination 192.168.198.21:32400
[1:60] -A zone_lan_prerouting -s 192.168.198.0/23 -d ISP1/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: plex (reflection)" -j DNAT --to-destination 192.168.198.21:32400
[4340:1113342] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[4340:1113342] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[13972:1220028] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 2121 -m comment --comment "!fw3: ftp 2121 -> ftp 21" -j DNAT --to-destination 192.168.198.21:21
[2346:121976] -A zone_wan_prerouting -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDC Win10" -j DNAT --to-destination 192.168.198.30:3389
[2:120] -A zone_wan_prerouting -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: plex" -j DNAT --to-destination 192.168.198.21:32400
COMMIT
# Completed on Sun Mar 28 01:10:25 2021
# Generated by iptables-save v1.8.3 on Sun Mar 28 01:10:25 2021
*raw
:PREROUTING ACCEPT [243229:425584656]
:OUTPUT ACCEPT [62001:8760538]
COMMIT
# Completed on Sun Mar 28 01:10:25 2021
# Generated by iptables-save v1.8.3 on Sun Mar 28 01:10:25 2021
*mangle
:PREROUTING ACCEPT [241814:424053353]
:INPUT ACCEPT [30021:4835693]
:FORWARD ACCEPT [210533:418853108]
:OUTPUT ACCEPT [61206:8697092]
:POSTROUTING ACCEPT [271687:427547508]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_net1 - [0:0]
:mwan3_iface_in_netx - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_balanced - [0:0]
:mwan3_policy_net1_only - [0:0]
:mwan3_policy_netx_only - [0:0]
:mwan3_rules - [0:0]
[243080:425568582] -A PREROUTING -j mwan3_hook
[1142:62152] -A FORWARD -o eth0.270 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1412:77812] -A FORWARD -i eth0.270 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1890:100788] -A FORWARD -o eth0.11 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[2091:112096] -A FORWARD -i eth0.11 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[61939:8755196] -A OUTPUT -j mwan3_hook
[97194:93879533] -A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
[305019:434323778] -A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
[21132:2797771] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
[6779:1560529] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
[4285:955382] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
[305019:434323778] -A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
[179536:109750728] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
[11:3476] -A mwan3_iface_in_net1 -i eth0.11 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[8114:710450] -A mwan3_iface_in_net1 -i eth0.11 -m mark --mark 0x0/0x3f00 -m comment --comment net1 -j MARK --set-xmark 0x200/0x3f00
[72:8516] -A mwan3_iface_in_netx -i eth0.270 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[6156:514800] -A mwan3_iface_in_netx -i eth0.270 -m mark --mark 0x0/0x3f00 -m comment --comment netx -j MARK --set-xmark 0x100/0x3f00
[21132:2797771] -A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_netx
[14802:2263949] -A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_net1
[2110:464015] -A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m statistic --mode random --probability 0.50000000000 -m comment --comment "net1 1 2" -j MARK --set-xmark 0x200/0x3f00
[2083:481836] -A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -m comment --comment "netx 1 1" -j MARK --set-xmark 0x100/0x3f00
[0:0] -A mwan3_policy_net1_only -m mark --mark 0x0/0x3f00 -m comment --comment "net1 1 1" -j MARK --set-xmark 0x200/0x3f00
[0:0] -A mwan3_policy_netx_only -m mark --mark 0x0/0x3f00 -m comment --comment "netx 1 1" -j MARK --set-xmark 0x100/0x3f00
[4193:945851] -A mwan3_rules -m mark --mark 0x0/0x3f00 -j mwan3_policy_balanced
COMMIT
# Completed on Sun Mar 28 01:10:25 2021
# Generated by iptables-save v1.8.3 on Sun Mar 28 01:10:25 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[233:20659] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[29788:4815034] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[6842:2960042] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[351:14556] -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[8161:409700] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[8215:580423] -A INPUT -i eth0.10 -m comment --comment "!fw3" -j zone_lan_input
[6620:561234] -A INPUT -i eth0.270 -m comment --comment "!fw3" -j zone_wan_input
[7760:698779] -A INPUT -i eth0.11 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -m comment --comment "!fw3" -j reject
[210533:418853108] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[206602:417803483] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[50:2516] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[1533:925009] -A FORWARD -i eth0.10 -m comment --comment "!fw3" -j zone_lan_forward
[781:40612] -A FORWARD -i eth0.270 -m comment --comment "!fw3" -j zone_wan_forward
[1567:81488] -A FORWARD -i eth0.11 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[233:20659] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[60971:8676257] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[21926:5082672] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[35894:3352652] -A OUTPUT -o eth0.10 -m comment --comment "!fw3" -j zone_lan_output
[665:55812] -A OUTPUT -o eth0.270 -m comment --comment "!fw3" -j zone_wan_output
[2486:185121] -A OUTPUT -o eth0.11 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[570:47728] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[8161:409700] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[35894:3352652] -A zone_lan_dest_ACCEPT -o eth0.10 -m comment --comment "!fw3" -j ACCEPT
[1533:925009] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1533:925009] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[2:120] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[8215:580423] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[8215:580423] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[35894:3352652] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[35894:3352652] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[8215:580423] -A zone_lan_src_ACCEPT -i eth0.10 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.270 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1489:597994] -A zone_wan_dest_ACCEPT -o eth0.270 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.11 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[3193:567828] -A zone_wan_dest_ACCEPT -o eth0.11 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.270 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.11 -m comment --comment "!fw3" -j reject
[2348:122100] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[2348:122100] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[14380:1260013] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[66:20856] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[233:327608] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[383:15380] -A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443" -j ACCEPT
[7758:394577] -A zone_wan_input -p tcp -m comment --comment "!fw3: 32400" -j ACCEPT
[5370:453864] -A zone_wan_input -p udp -m comment --comment "!fw3: 32400" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[570:47728] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[3151:240933] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[3151:240933] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.270 -m comment --comment "!fw3" -j reject
[570:47728] -A zone_wan_src_REJECT -i eth0.11 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Mar 28 01:10:25 2021

COMMAND     PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
netserver  2155    root    3u  IPv6    304      0t0  TCP *:12865 (LISTEN)
sshd       2200    root    3u  IPv4    338      0t0  TCP *:22 (LISTEN)
sshd       2200    root    4u  IPv6    340      0t0  TCP *:22 (LISTEN)
master     2505    root   13u  IPv4    406      0t0  TCP *:25 (LISTEN)
nginx      2634    root   15u  IPv4   6595      0t0  TCP *:80 (LISTEN)
nginx      2634    root   16u  IPv4   6596      0t0  TCP *:443 (LISTEN)
nginx      2634    root   17u  IPv4   6597      0t0  TCP *:32400 (LISTEN)
nginx      2634    root   18u  IPv4   6598      0t0  TCP *:8080 (LISTEN)
conntrack  3612    root    6u  IPv4    946      0t0  UDP *:53901 
conntrack  3612    root    7u  IPv4    947      0t0  UDP 192.168.198.252:3780 
ntpd       3998    root    3u  IPv6   6302      0t0  UDP *:123 
mini_snmp  4372    root    3u  IPv4   4387      0t0  UDP *:161 
mini_snmp  4372    root    4u  IPv4   4388      0t0  TCP *:161 (LISTEN)
nginx      4717    root   15u  IPv4   6595      0t0  TCP *:80 (LISTEN)
nginx      4717    root   16u  IPv4   6596      0t0  TCP *:443 (LISTEN)
nginx      4717    root   17u  IPv4   6597      0t0  TCP *:32400 (LISTEN)
nginx      4717    root   18u  IPv4   6598      0t0  TCP *:8080 (LISTEN)
nginx      4718    root   15u  IPv4   6595      0t0  TCP *:80 (LISTEN)
nginx      4718    root   16u  IPv4   6596      0t0  TCP *:443 (LISTEN)
nginx      4718    root   17u  IPv4   6597      0t0  TCP *:32400 (LISTEN)
nginx      4718    root   18u  IPv4   6598      0t0  TCP *:8080 (LISTEN)
nginx      4719    root   15u  IPv4   6595      0t0  TCP *:80 (LISTEN)
nginx      4719    root   16u  IPv4   6596      0t0  TCP *:443 (LISTEN)
nginx      4719    root   17u  IPv4   6597      0t0  TCP *:32400 (LISTEN)
nginx      4719    root   18u  IPv4   6598      0t0  TCP *:8080 (LISTEN)
nginx      4720    root   15u  IPv4   6595      0t0  TCP *:80 (LISTEN)
nginx      4720    root   16u  IPv4   6596      0t0  TCP *:443 (LISTEN)
nginx      4720    root   17u  IPv4   6597      0t0  TCP *:32400 (LISTEN)
nginx      4720    root   18u  IPv4   6598      0t0  TCP *:8080 (LISTEN)
dnsmasq    8813 dnsmasq    4u  IPv4  40353      0t0  UDP *:67 
dnsmasq    8813 dnsmasq    6u  IPv4  40356      0t0  UDP ISP2:53 
dnsmasq    8813 dnsmasq    7u  IPv4  40357      0t0  TCP ISP2:53 (LISTEN)
dnsmasq    8813 dnsmasq    8u  IPv4  40358      0t0  UDP ISP1:53 
dnsmasq    8813 dnsmasq    9u  IPv4  40359      0t0  TCP ISP1:53 (LISTEN)
dnsmasq    8813 dnsmasq   10u  IPv4  40360      0t0  UDP 192.168.198.254:53 
dnsmasq    8813 dnsmasq   11u  IPv4  40361      0t0  TCP 192.168.198.254:53 (LISTEN)
dnsmasq    8813 dnsmasq   12u  IPv4  40362      0t0  UDP 192.168.198.252:53 
dnsmasq    8813 dnsmasq   13u  IPv4  40363      0t0  TCP 192.168.198.252:53 (LISTEN)
dnsmasq    8813 dnsmasq   14u  IPv4  40364      0t0  UDP 127.0.0.1:53 
dnsmasq    8813 dnsmasq   15u  IPv4  40365      0t0  TCP 127.0.0.1:53 (LISTEN)
dnsmasq    8813 dnsmasq   16u  IPv6  40366      0t0  UDP [fe80::848f:55ff:fe7e:6f7e]:53 
dnsmasq    8813 dnsmasq   17u  IPv6  40367      0t0  TCP [fe80::848f:55ff:fe7e:6f7e]:53 (LISTEN)
dnsmasq    8813 dnsmasq   18u  IPv6  40368      0t0  UDP [fe80::290:7fff:fe44:5a41]:53 
dnsmasq    8813 dnsmasq   19u  IPv6  40369      0t0  TCP [fe80::290:7fff:fe44:5a41]:53 (LISTEN)
dnsmasq    8813 dnsmasq   20u  IPv6  40370      0t0  UDP [fe80::848f:55ff:fe7e:6f7e]:53 
dnsmasq    8813 dnsmasq   21u  IPv6  40371      0t0  TCP [fe80::848f:55ff:fe7e:6f7e]:53 (LISTEN)
dnsmasq    8813 dnsmasq   22u  IPv6  40372      0t0  UDP [fe80::848f:55ff:fe7e:6f7e]:53 
dnsmasq    8813 dnsmasq   23u  IPv6  40373      0t0  TCP [fe80::848f:55ff:fe7e:6f7e]:53 (LISTEN)
dnsmasq    8813 dnsmasq   24u  IPv6  40374      0t0  UDP [::1]:53 
dnsmasq    8813 dnsmasq   25u  IPv6  40375      0t0  TCP [::1]:53 (LISTEN)
sshd      12294    root    4u  IPv4  41945      0t0  TCP 192.168.198.252:22->192.168.198.149:34504 (ESTABLISHED)
smtpd     20385 postfix    6u  IPv4    406      0t0  TCP *:25 (LISTEN)
smtpd     20385 postfix   14u  IPv4  52973      0t0  TCP ISP1:25->External_IP:52905 (ESTABLISHED)

Hello,
ports can be blocked manually, for example:
iptables -I INPUT -p tcp -m tcp --dport 25 -j DROP
But this is a temporary solution.

Any ideas what to look for?
Regards,

[7758:394577] -A zone_wan_input -p tcp -m comment --comment "!fw3: 32400" -j ACCEPT
[5370:453864] -A zone_wan_input -p udp -m comment --comment "!fw3: 32400" -j ACCEPT
config rule
        option name '32400'
        option src 'wan'
        option target 'ACCEPT'

Hello,
If I understand correctly,
it's about the fact that there are 2 lines in iptables, but there are none in the config.
I usually use the web interface to configure rules. There I noted tcp and udp, but today after restarting the firewall I noticed that there is an error that they do not exist.
This is a problem I thought I would solve later.
Regards,

The problem is that you have an incomplete rule which eventually allows everything.

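As an added illustration (not code from the thread, nor from OpenWrt or fw3): a small Python audit that parses a UCI firewall config and flags exactly the kind of rule discussed above, an enabled ACCEPT from wan with no dest_port, which fw3 expands to both a `-p tcp` and a `-p udp` accept in zone_wan_input. The sample config, the parser and all function names are constructed for this example; the rendering of fw3's iptables lines covers only proto and dest_port.

```python
"""Audit an OpenWrt /etc/config/firewall for 'config rule' sections that ACCEPT
from the wan zone without a dest_port, and show what fw3 expands them into.
Illustrative parser and audit; not part of fw3, uci or OpenWrt."""
import re, sys

# Constructed sample in UCI syntax, modelled on the rules posted in the thread.
SAMPLE_FIREWALL = """
config rule
        option target 'ACCEPT'
        list proto 'tcp'
        option name '443'
        option src 'wan'
        option dest_port '443'

config rule
        option name '32400'
        option src 'wan'
        option target 'ACCEPT'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option target 'ACCEPT'
"""

# config <type> [name] | option <key> <value> | list <key> <value>; value quoted or bare
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?\s*$")

def parse_uci(text):
    """Return sections as dicts: '_type' plus options (str) and lists (list of str)."""
    sections = []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:                                 # blank lines and comments
            continue
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else (bare or "")
        if kind == "config":
            sections.append({"_type": key})       # 'config rule' -> section type 'rule'
        elif kind == "option" and sections:
            sections[-1][key] = value
        elif kind == "list" and sections:
            cur = sections[-1].get(key)
            sections[-1][key] = (cur if isinstance(cur, list) else []) + [value]
    return sections

def protos(rule):
    """Protocols a rule matches. With no 'proto' fw3 defaults to tcp AND udp, which
    is exactly the '-p tcp' / '-p udp' pair seen in the thread's iptables-save."""
    raw = rule.get("proto", "tcp udp")
    if isinstance(raw, list):
        raw = " ".join(raw)
    return set(raw.replace("tcpudp", "tcp udp").split())

def fw3_input_rules(rule):
    """Render the zone_<src>_input lines fw3 generates for an input rule (models
    proto and dest_port only; icmp_type, src_ip, limit etc. are left out)."""
    lines = []
    for proto in sorted(protos(rule)):
        parts = ["-A zone_%s_input -p %s" % (rule["src"], proto)]
        if rule.get("dest_port") and proto in ("tcp", "udp"):
            parts.append("-m %s --dport %s" % (proto, rule["dest_port"]))
        parts.append('-m comment --comment "!fw3: %s" -j %s' % (rule.get("name", ""), rule["target"]))
        lines.append(" ".join(parts))
    return lines

def audit_wan_accept_rules(sections, wan_zones=("wan",)):
    """(name, reason) for each enabled ACCEPT rule from a wan zone that matches a
    port-carrying protocol but names no destination port: it admits every port."""
    findings = []
    for s in sections:
        if s.get("_type") != "rule" or s.get("enabled", "1") == "0":
            continue
        if s.get("src") not in wan_zones or s.get("target", "").upper() != "ACCEPT":
            continue
        if s.get("dest_port"):
            continue                              # narrowed to specific ports
        wide = protos(s) & {"tcp", "udp"}         # icmp/igmp/esp rules are not port-wide
        if wide:
            reason = "accepts every %s port from zone '%s'" % ("/".join(sorted(wide)), s["src"])
            findings.append((s.get("name", "<unnamed>"), reason))
    return findings

if __name__ == "__main__":   # pass a real /etc/config/firewall path to audit it instead
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FIREWALL
    for name, reason in audit_wan_accept_rules(parse_uci(text)):
        print("WARNING: rule '%s' %s" % (name, reason))
```

On the sample, only the '32400' rule is reported; the '443' rule is narrowed by dest_port and 'Allow-Ping' matches icmp only, so neither is port-wide.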

Hello
I understand, but the configuration file is generated by the system, not manually.
And I have no idea why it is generated this way, given that I have chosen TCP and UDP ports.

I temporarily closed the ports like this:
iptables -I zone_wan_input -p tcp -m tcp --dport 25 -j reject

It's already midnight for me and I will continue to investigate.
I've been looking for what's wrong for 7 hours now.

Regards,

You can delete this rule and all the problems will go away.


Good morning :),

Thanks a lot @trendy
Now I realized what nonsense I had done.
I fixed the problem.

Regards,
