Forwarding does not work?

Just wanna test.

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i br-lan -o tun0 -j ACCEPT
-A FORWARD -i br-lan -o tun0 -j LOG --log-prefix "vpn:" --log-level 7

and nothing:

root@OpenWrt:~# logread -fe vpn

Route:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
10.96.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tun1
10.98.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

Firewall:

cat /etc/config/firewall 

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'vpn1'
	list network 'vpn2'

config forwarding
	option src 'lan'
	option dest 'wan'

Should not FORWARD work here?

You won't log anything with the ACCEPT rule first.
Secondly you'll catch only traffic towards 10.98.0.0/16.
The firewall uci configuration is fine.


There is a log rule which you probably missed:

-A FORWARD -i br-lan -o tun0 -j LOG --log-prefix "vpn:" --log-level 7

As a workaround to forwarding I use:

echo "200 vpn" >> /etc/iproute2/rt_tables
ip rule add default dev tun0 table vpn

ip rule add fwmark 1 lookup vpn

iptables -t mangle -A PREROUTING -i br-lan -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br-lan -j LOG --log-level 7 --log-prefix "around:"

which works:

logread -fe  around
Tue Jun 11 10:27:45 2024 kern.debug kernel: [168068.846922] around:IN=br-lan OUT= MAC=c8:7f:54:b7:0d:78:54:ee:75:e4:12:15:08:00 SRC=192.168.2.230 DST=13.226.2.25 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=24308 DF PROTO=TCP SPT=51326 DPT=443 WINDOW=501 RES=0x00 ACK URGP=0 MARK=0x1
Tue Jun 11 10:27:45 2024 kern.debug kernel: [168068.867138] around:IN=br-lan OUT= MAC=c8:7f:54:b7:0d:78:54:ee:75:e4:12:15:08:00 SRC=192.168.2.230 DST=13.226.2.25 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=24303 DF PROTO=TCP SPT=51326 DPT=443 WINDOW=501 RES=0x00 ACK URGP=0 MARK=0x1
Tue Jun 11 10:27:45 2024 kern.debug kernel: [168068.887389] around:IN=br-lan OUT= MAC=c8:7f:54:b7:0d:78:54:ee:75:e4:12:15:08:00 SRC=192.168.2.230 DST=13.226.2.25 LEN=87 TOS=0x00 PREC=0x00 TTL=64 ID=24309 DF PROTO=TCP SPT=51326 DPT=443 WINDOW=501 RES=0x00 ACK PSH URGP=0 MARK=0x1

However, the question remains: why does FORWARD in the input chain not work?

I didn't miss it, I explained that the ACCEPT rule will stop processing any other rules.

It's either FORWARD or INPUT, cannot be both.

Thanks, my bad, ACCEPT is a terminating rule.

I meant why FORWARD does not work in the filter table.

I still don't get it. I define:

iptables -t filter -A FORWARD -i br-lan -p tcp -o tun0 -j ACCEPT

and then monitor:

tcpdump -i tun0

and nothing is forwarded.

Should not all traffic from br-lan go to tun0 with the forwarding rule?

I sense some confusion in regards to iptables FORWARD and routing forward.

This will allow all TCP traffic traversing the router from br-lan interface to tun0 interface.
Ping (which is ICMP) or DNS (which is UDP) will not be allowed, if the FORWARD policy in iptables is not ACCEPT. I mention that because you have an ACCEPT FORWARD policy in your previous posts, but this may have changed. And if you have an ACCEPT policy it is redundant to use another ACCEPT rule.

Back to routing, your routing table says that it sends to tun0 only the 10.98.0.0/16. So only the TCP flows from 192.168.2.0/24 -> 10.98.0.0/16 will be using the FORWARDING iptables rule.

Here you are marking only based on the ingress interface (-i br-lan), not ingress-egress as you did in the iptables rule (-i br-lan -o tun0).

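To make the two points above concrete, here is an added Python simulation (not from this thread or from OpenWrt): it does a longest-prefix lookup over the posted routing table and walks a FORWARD chain in rule order, treating LOG as non-terminating and ACCEPT as terminating. Interface names, prefixes and the 13.226.2.25 destination come from the thread; 10.98.1.1 is a constructed sample destination inside the tun0 route.

```python
import ipaddress

# Routing table as posted in the thread ("route -n"): (destination, iface).
ROUTES = [
    ("0.0.0.0/0", "eth1"),        # default route via 192.168.1.1
    ("10.96.0.0/16", "tun1"),
    ("10.98.0.0/16", "tun0"),
    ("192.168.1.0/24", "eth1"),
    ("192.168.2.0/24", "br-lan"),
]


def egress_iface(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching route picks the output interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def run_forward_chain(rules, policy, in_iface, out_iface):
    """Walk rules in order. LOG is non-terminating; ACCEPT/DROP/REJECT end the walk.
    A rule is (in_iface, out_iface, target); None in a match field means 'any'."""
    logged = []
    for rule_in, rule_out, target in rules:
        if rule_in not in (None, in_iface) or rule_out not in (None, out_iface):
            continue
        if target == "LOG":
            logged.append((in_iface, out_iface))
            continue               # keep walking after a LOG rule
        return target, logged      # terminating target reached
    return policy, logged          # no rule matched: chain policy applies


def forward_packet(rules, src_iface, dst_ip, policy="ACCEPT"):
    """Return (egress iface, verdict, was_logged) for a packet entering on src_iface."""
    out = egress_iface(dst_ip)
    verdict, logged = run_forward_chain(rules, policy, src_iface, out)
    return out, verdict, bool(logged)


# Rules exactly as posted: ACCEPT first, then LOG (the LOG rule can never fire).
RULES_AS_POSTED = [("br-lan", "tun0", "ACCEPT"), ("br-lan", "tun0", "LOG")]
# Same rules with LOG first: the packet is logged, then accepted.
RULES_LOG_FIRST = [("br-lan", "tun0", "LOG"), ("br-lan", "tun0", "ACCEPT")]
```

The 13.226.2.25 flow from the logread output never reaches tun0 at all; it follows the default route out eth1, so neither rule matches it regardless of order.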

We can help better if you start by explaining the problem you want to solve.

Furthermore, iptables is deprecated on most current builds and replaced by nftables.

Got it. Thanks a lot.

I'm experimenting, no special problem to solve.

Isn't iptables just a stub which interacts with nftables?

Yes and no: it does its best to translate things to nft. For simple things (like your rule) that works, but YMMV, so better use native nft commands.