GRE not working when drop_invalid is enabled on my OpenWrt-based edge router

Hello everyone!

I'd appreciate your advice and shared experience on the following:

I use a Cisco 4321 (and tried an Adtran NetVanta too) with an OpenWrt-based LTE router that provides the Cisco edge connectivity with a static IP address in IP passthrough mode.

So far so good: my Cisco gets the static public IP and is routed to the Internet, but when I add a GRE tunnel on the Cisco with a reachable endpoint destination, the tunnel cannot get established. Once I uncheck "Drop Invalid Packets" under the Network/Firewall settings, the tunnel works just fine. The funny thing is that the old LTE edge router that I'm trying to replace does not have that issue, but it's not OpenWrt and I don't know what kind of option its built-in firewall has for invalid packets...

Is there a way to modify iptables and add configuration so that Drop Invalid Packets stays enabled but doesn't break the GRE tunnel?

Appreciate your input!

A common reason for the drop-invalid rule to drop packets is an asymmetric path. But to troubleshoot any further, a network diagram and the device configuration are necessary.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;

Hi Trendy! Thank you very much for the prompt response.

The network diagram is really simple.

Cisco 4321 router > OpenWrt router with LTE module (static public IP) >>> The Internet <<< another Cisco 4321 with a public static IP.
The GRE tunnel is between the two Ciscos.

Redacted below are the public static IP xxx.xxx.176.69/32 of one GRE endpoint and the MAC address of the OpenWrt router.

{
        "kernel": "3.14.77",
        "hostname": "OpenWRT",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Qualcomm Technologies, Inc. IPQ40xx\/AP-DK04.1-C1",
        "release": {
                "distribution": "OpenWrt",
                "version": "Chaos Calmer",
                "revision": "r35193",
                "codename": "chaos_calmer",
                "target": "ipq806x\/generic",
                "description": "OpenWrt Chaos Calmer 15.05.1"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'auto'

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option macaddr 'XX:XX:XX:24:31:F0'
        option ieee1905managed '1'
        option mtu '1430'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option macaddr 'XX:XX:XX:24:31:F1'
        option provision_macaddr 'XX:XX:XX:24:31:F1'
        option mtu '1430'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '1'
        option mode 'dscp'
        option status 'enable'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '2'
        option mode 'dscp'
        option status 'enable'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '3'
        option mode 'dscp'
        option status 'enable'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '4'
        option mode 'dscp'
        option status 'enable'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '5'
        option mode 'dscp'
        option status 'enable'

config interface 'LTE'
        option ifname 'usb0'
        option proto 'dhcp'
        option mtu '1430'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option disabled '0'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 LTE'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

config rule
        option enabled '1'
        option src 'wan'
        option name 'wan_limit'
        option family 'ipv4'
        option proto 'tcp'
        option dest_port '80'
        option target 'DROP'

config zone
        option name 'SDWAN'
        option network 'SDWAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'SDWAN'
        option dest 'wan'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'Alg_pptp_pt_1'
        option family 'ipv4'
        option proto 'tcp'
        option dest_port '1723'
        option target 'DROP'
        option enabled '1'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'Alg_pptp_pt_2'
        option family 'ipv4'
        option proto '47'
        option target 'DROP'
        option enabled '1'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'Alg_l2tp_pt'
        option family 'ipv4'
        option proto 'tcp'
        option dest_port '1701'
        option target 'DROP'
        option enabled '1'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'Alg_ipsec_pt_1'
        option family 'ipv4'
        option proto 'tcp'
        option dest_port '500'
        option target 'DROP'
        option enabled '1'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'Alg_ipsec_pt_2'
        option family 'ipv4'
        option proto 'tcp'
        option dest_port '4500'
        option target 'DROP'
        option enabled '1'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'Alg_ipsec_pt_3'
        option family 'ipv4'
        option proto '50'
        option target 'DROP'
        option enabled '1'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'Alg_ipsec_pt_4'
        option family 'ipv4'
        option proto '51'
        option target 'DROP'
        option enabled '1'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'wan'
        option name 'web_manager_allow'
        option family 'ipv4'
        option proto 'tcp'
        option dest_port '443'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'wan'
        option name 'web_manager_allow'
        option family 'ipv4'
        option proto 'tcp'
        option dest_port '50080'

config rule
        option enabled '0'
        option target 'DROP'
        option src 'wan'
        option name 'http_limit'
        option family 'ipv4'
        option proto 'tcp'
        option dest_port '50080'

config rule
        option enabled '0'
        option target 'DROP'
        option src 'wan'
        option name 'http_limit_ssl'
        option family 'ipv4'
        option proto 'tcp'
        option dest_port '443'

config rule
        option enabled '1'
        option target 'DROP'
        option src 'wan'
        option name 'wan_telnet'
        option family 'ipv4'
        option proto 'tcp'
        option dest_port '23'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'wan'
        option name 'ssh_wan'
        option family 'ipv4'
        option proto 'tcp'
        option dest_port '22'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

. /lib/functions.sh
. /lib/functions/network.sh
. /sbin/common_lib.sh

# Read the drop_invalid flag from the firewall defaults section.
drop_invalid=$(uci get firewall.@defaults[0].drop_invalid)

# When invalid packets are dropped, accept GRE (IP protocol 47) in the
# router's own input and output user chains.
if [ "$drop_invalid" = "1" ]; then
        iptables -I input_rule  -p 47 -j ACCEPT
        iptables -I output_rule -p 47 -j ACCEPT
fi

# Generated by iptables-save v1.4.21 on Tue Sep  1 10:15:59 2020
*nat
:PREROUTING ACCEPT [856:53459]
:INPUT ACCEPT [90:5784]
:OUTPUT ACCEPT [106:8886]
:POSTROUTING ACCEPT [284:16788]
:MINIUPNPD - [0:0]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_SDWAN_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_SDWAN_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_SDWAN_postrouting - [0:0]
:zone_SDWAN_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[7619:380313] -A PREROUTING -j delegate_prerouting
[8143:474832] -A POSTROUTING -j delegate_postrouting
[8143:474832] -A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
[6559:342313] -A delegate_postrouting -o br-lan -j zone_lan_postrouting
[0:0] -A delegate_postrouting -o eth0 -j zone_wan_postrouting
[1343:117319] -A delegate_postrouting -o usb0 -j zone_wan_postrouting
[7619:380313] -A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
[589:39846] -A delegate_prerouting -i br-lan -j zone_lan_prerouting
[0:0] -A delegate_prerouting -i eth0 -j zone_wan_prerouting
[7030:340467] -A delegate_prerouting -i usb0 -j zone_wan_prerouting
[0:0] -A zone_SDWAN_postrouting -m comment --comment "user chain for postrouting" -j postrouting_SDWAN_rule
[0:0] -A zone_SDWAN_prerouting -m comment --comment "user chain for prerouting" -j prerouting_SDWAN_rule
[6559:342313] -A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
[589:39846] -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
[1343:117319] -A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
[1343:117319] -A zone_wan_postrouting -j MASQUERADE
[7030:340467] -A zone_wan_prerouting -j MINIUPNPD
[7030:340467] -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Tue Sep  1 10:15:59 2020
# Generated by iptables-save v1.4.21 on Tue Sep  1 10:15:59 2020
*raw
:PREROUTING ACCEPT [78921:7044608]
:OUTPUT ACCEPT [7079:765445]
:delegate_notrack - [0:0]
[4:190] -A PREROUTING -s xxx.xxx.176.69/32 -p udp -j CT --notrack
[4:190] -A PREROUTING -s xxx.xxx.176.69/32 -p udp -j CT --notrack
[112:5824] -A PREROUTING -i br-lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[22:1168] -A PREROUTING -i usb0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j ACCEPT
[7364:302668] -A PREROUTING -i usb0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[8640:381736] -A PREROUTING -i br-lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j ACCEPT
[21332:1703707] -A PREROUTING -s xxx.xxx.176.69/32 -i br-lan -p tcp -j CT --notrack
[23732:1321893] -A PREROUTING -i usb0 -p tcp -j CT --notrack
[0:0] -A PREROUTING -i br-lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A PREROUTING -i usb0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j ACCEPT
[0:0] -A PREROUTING -i usb0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
[0:0] -A PREROUTING -i br-lan -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN,ACK -j ACCEPT
[21332:1703707] -A PREROUTING -s xxx.xxx.176.69/32 -i br-lan -p tcp -j CT --notrack
[23732:1321893] -A PREROUTING -i usb0 -p tcp -j CT --notrack
[78921:7044608] -A PREROUTING -j delegate_notrack
COMMIT
# Completed on Tue Sep  1 10:15:59 2020
# Generated by iptables-save v1.4.21 on Tue Sep  1 10:15:59 2020
*mangle
:PREROUTING ACCEPT [94529:7711604]
:INPUT ACCEPT [8226:810589]
:FORWARD ACCEPT [85866:6875194]
:OUTPUT ACCEPT [7093:768289]
:POSTROUTING ACCEPT [93120:7709881]
:fwmark - [0:0]
:mssfix - [0:0]
:on - [0:0]
:pn - [0:0]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
:we - [0:0]
[100381:8285002] -A PREROUTING -j we
[100381:8285002] -A PREROUTING -j we
[94532:7711744] -A PREROUTING -j fwmark
[85868:6875282] -A FORWARD -j mssfix
[11188:2074728] -A OUTPUT -j on
[11188:2074728] -A OUTPUT -j on
[16548:715568] -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[16542:741800] -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[98930:9132358] -A POSTROUTING -j pn
[98930:9132358] -A POSTROUTING -j pn
[0:0] -A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
[8571:379532] -A mssfix -o usb0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
[16652:3402942] -A on -o usb0 -j CONNMARK --set-xmark 0x3/0xffffffff
[16652:3402942] -A on -o usb0 -m connmark --mark 0x3 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[16652:3402942] -A on -o usb0 -j CONNMARK --set-xmark 0x3/0xffffffff
[16652:3402942] -A on -o usb0 -m connmark --mark 0x3 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
[33082:1483480] -A pn -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[33082:1483480] -A pn -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
[0:0] -A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -j CONNMARK --save-mark --nfmask 0xf0 --ctmask 0xf0
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[4:1372] -A we -i br-lan -p udp -m udp --sport 68 --dport 67 -j RETURN
[0:0] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 50080 -j RETURN
[8312:896156] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 443 -j RETURN
[1090:86596] -A we -i usb0 -p icmp -m icmp --icmp-type 8 -j RETURN
[20:1020] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 7547 -j RETURN
[7008:607388] -A we -i usb0 -m connmark --mark 0x3 -j RETURN
[83900:6010426] -A we -d xxx.xxx.176.69/32 -i usb0 -j MARK --set-xmark 0xb/0xffffffff
[90942:7977578] -A we -s xxx.xxx.176.69/32 -i br-lan -j MARK --set-xmark 0x16/0xffffffff
[0:0] -A we -i br-lan -p udp -m udp --sport 68 --dport 67 -j RETURN
[0:0] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 50080 -j RETURN
[0:0] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 443 -j RETURN
[0:0] -A we -i usb0 -p icmp -m icmp --icmp-type 8 -j RETURN
[0:0] -A we -d xxx.xxx.176.69/32 -i usb0 -p tcp -m tcp --dport 7547 -j RETURN
[0:0] -A we -i usb0 -m connmark --mark 0x3 -j RETURN
[83900:6010426] -A we -d xxx.xxx.176.69/32 -i usb0 -j MARK --set-xmark 0xb/0xffffffff
[90942:7977578] -A we -s xxx.xxx.176.69/32 -i br-lan -j MARK --set-xmark 0x16/0xffffffff
COMMIT
# Completed on Tue Sep  1 10:15:59 2020
# Generated by iptables-save v1.4.21 on Tue Sep  1 10:15:59 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [5932:466843]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:error_forward_lteip_drop - [0:0]
:error_output_lteip_drop - [0:0]
:forwarding_SDWAN_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_SDWAN_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_SDWAN_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_SDWAN_dest_ACCEPT - [0:0]
:zone_SDWAN_forward - [0:0]
:zone_SDWAN_input - [0:0]
:zone_SDWAN_output - [0:0]
:zone_SDWAN_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[8239:811121] -A INPUT -j delegate_input
[12132:1094280] -A FORWARD -j error_forward_lteip_drop
[6887:509492] -A FORWARD -j error_forward_lteip_drop
[7596:541964] -A FORWARD -j error_forward_lteip_drop
[7890:554918] -A FORWARD -j error_forward_lteip_drop
[8354:573621] -A FORWARD -j error_forward_lteip_drop
[8928:601021] -A FORWARD -j error_forward_lteip_drop
[9671:634872] -A FORWARD -j error_forward_lteip_drop
[10621:675916] -A FORWARD -j error_forward_lteip_drop
[11490:713928] -A FORWARD -j error_forward_lteip_drop
[11375:709474] -A FORWARD -j error_forward_lteip_drop
[12040:737877] -A FORWARD -j error_forward_lteip_drop
[13337:828635] -A FORWARD -j error_forward_lteip_drop
[13930:837001] -A FORWARD -j error_forward_lteip_drop
[41366:3394909] -A FORWARD -j error_forward_lteip_drop
[50026:3930354] -A FORWARD -j error_forward_lteip_drop
[41765:3010468] -A FORWARD -j error_forward_lteip_drop
[40433:2895836] -A FORWARD -j error_forward_lteip_drop
[41091:2925317] -A FORWARD -j error_forward_lteip_drop
[13:572] -A FORWARD -s xxx.xxx.176.69/32 -p tcp -m conntrack --ctstate INVALID -m mark --mark 0x16 -j ACCEPT
[0:0] -A FORWARD -d xxx.xxx.176.69/32 -p tcp -m conntrack --ctstate INVALID -m mark --mark 0xb -j ACCEPT
[0:0] -A FORWARD -s xxx.xxx.176.69/32 -p tcp -m conntrack --ctstate INVALID -m mark --mark 0x16 -j ACCEPT
[0:0] -A FORWARD -d xxx.xxx.176.69/32 -p tcp -m conntrack --ctstate INVALID -m mark --mark 0xb -j ACCEPT
[42990:3063061] -A FORWARD -j error_forward_lteip_drop
[41869:2982474] -A FORWARD -j error_forward_lteip_drop
[41869:2982474] -A FORWARD -j error_forward_lteip_drop
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
[40930:2925296] -A FORWARD -j delegate_forward
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
[648:86075] -A OUTPUT -j error_output_lteip_drop
[1136:139696] -A OUTPUT -j error_output_lteip_drop
[1558:181248] -A OUTPUT -j error_output_lteip_drop
[1901:215424] -A OUTPUT -j error_output_lteip_drop
[2232:249325] -A OUTPUT -j error_output_lteip_drop
[2614:295654] -A OUTPUT -j error_output_lteip_drop
[2958:331160] -A OUTPUT -j error_output_lteip_drop
[3285:364937] -A OUTPUT -j error_output_lteip_drop
[3637:410792] -A OUTPUT -j error_output_lteip_drop
[4025:450646] -A OUTPUT -j error_output_lteip_drop
[4367:486400] -A OUTPUT -j error_output_lteip_drop
[4734:523362] -A OUTPUT -j error_output_lteip_drop
[5077:561299] -A OUTPUT -j error_output_lteip_drop
[5427:599595] -A OUTPUT -j error_output_lteip_drop
[5830:650446] -A OUTPUT -j error_output_lteip_drop
[6245:689508] -A OUTPUT -j error_output_lteip_drop
[6583:724880] -A OUTPUT -j error_output_lteip_drop
[7008:764842] -A OUTPUT -j error_output_lteip_drop
[11211:2081884] -A OUTPUT -j error_output_lteip_drop
[11340:2104131] -A OUTPUT -j error_output_lteip_drop
[11342:2104274] -A OUTPUT -j error_output_lteip_drop
[7115:775385] -A OUTPUT -j delegate_output
[40930:2925296] -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
[535:22756] -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[1:124] -A delegate_forward -i br-lan -j zone_lan_forward
[0:0] -A delegate_forward -i eth0 -j zone_wan_forward
[40394:2902416] -A delegate_forward -i usb0 -j zone_wan_forward
[2280:271242] -A delegate_input -i lo -j ACCEPT
[5959:539879] -A delegate_input -m comment --comment "user chain for input" -j input_rule
[3506:303950] -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[65:3128] -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
[1430:144170] -A delegate_input -i br-lan -j zone_lan_input
[0:0] -A delegate_input -i eth0 -j zone_wan_input
[1023:91759] -A delegate_input -i usb0 -j zone_wan_input
[2280:271242] -A delegate_output -o lo -j ACCEPT
[4835:504143] -A delegate_output -m comment --comment "user chain for output" -j output_rule
[3308:346461] -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[183:43205] -A delegate_output -o br-lan -j zone_lan_output
[0:0] -A delegate_output -o eth0 -j zone_wan_output
[1344:114477] -A delegate_output -o usb0 -j zone_wan_output
[5867:603684] -A error_forward_lteip_drop -s 107.125.176.0/24 -o usb0 -j ACCEPT
[249:19007] -A error_forward_lteip_drop -s 192.168.1.0/24 -o usb0 -j ACCEPT
[17:1542] -A error_forward_lteip_drop -o usb0 -j DROP
[0:0] -A error_output_lteip_drop ! -s 107.125.176.68/30 -o usb0 -j DROP
[0:0] -A input_rule -p gre -j ACCEPT
[0:0] -A input_rule -p gre -j ACCEPT
[0:0] -A output_rule -p gre -j ACCEPT
[0:0] -A output_rule -p gre -j ACCEPT
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A reject -j REJECT --reject-with icmp-port-unreachable
[65:3128] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
[0:0] -A syn_flood -j DROP
[0:0] -A zone_SDWAN_forward -m comment --comment "user chain for forwarding" -j forwarding_SDWAN_rule
[0:0] -A zone_SDWAN_forward -m comment --comment "forwarding SDWAN -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_SDWAN_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
[0:0] -A zone_SDWAN_forward -j zone_SDWAN_dest_ACCEPT
[0:0] -A zone_SDWAN_input -m comment --comment "user chain for input" -j input_SDWAN_rule
[0:0] -A zone_SDWAN_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
[0:0] -A zone_SDWAN_input -j zone_SDWAN_src_ACCEPT
[0:0] -A zone_SDWAN_output -m comment --comment "user chain for output" -j output_SDWAN_rule
[0:0] -A zone_SDWAN_output -j zone_SDWAN_dest_ACCEPT
[183:43205] -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
[1:124] -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 1723 -m comment --comment Alg_pptp_pt_1 -j zone_wan_dest_DROP
[1:124] -A zone_lan_forward -p gre -m comment --comment Alg_pptp_pt_2 -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 1701 -m comment --comment Alg_l2tp_pt -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 500 -m comment --comment Alg_ipsec_pt_1 -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 4500 -m comment --comment Alg_ipsec_pt_2 -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p esp -m comment --comment Alg_ipsec_pt_3 -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p ah -m comment --comment Alg_ipsec_pt_4 -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -j zone_lan_dest_ACCEPT
[1430:144170] -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
[1430:144170] -A zone_lan_input -j zone_lan_src_ACCEPT
[183:43205] -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
[183:43205] -A zone_lan_output -j zone_lan_dest_ACCEPT
[1430:144170] -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
[1344:114477] -A zone_wan_dest_ACCEPT -o usb0 -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o eth0 -j DROP
[1:124] -A zone_wan_dest_DROP -o usb0 -j DROP
[40394:2902416] -A zone_wan_forward -j MINIUPNPD
[40394:2902416] -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
[40394:2902416] -A zone_wan_forward -j zone_wan_dest_ACCEPT
[1023:91759] -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
[0:0] -A zone_wan_input -p tcp -m tcp --dport 80 -m comment --comment wan_limit -j DROP
[469:36945] -A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment web_manager_allow -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 50080 -m comment --comment web_manager_allow -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 23 -m comment --comment wan_telnet -j DROP
[0:0] -A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment ssh_wan -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
[554:54814] -A zone_wan_input -j zone_wan_src_ACCEPT
[1344:114477] -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
[1344:114477] -A zone_wan_output -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i eth0 -j ACCEPT
[554:54814] -A zone_wan_src_ACCEPT -i usb0 -j ACCEPT
COMMIT
# Completed on Tue Sep  1 10:15:59 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
15: usb0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1430 qdisc hyfi_pfifo_fast state UP group default qlen 1000
    inet xxx.xxx.176.69/24 brd 107.125.176.255 scope global usb0
       valid_lft forever preferred_lft forever
16: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1430 qdisc noqueue state UP group default
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 107.125.176.1 dev usb0  table rt-usb0
107.125.176.0/24 dev usb0  table rt-usb0  scope link
192.168.1.0/24 dev br-lan  table rt-br-lan  proto kernel  scope link  src 192.168.1.1
192.168.1.254 dev br-lan  table rt-static  scope link
xxx.xxx.176.69 via 192.168.1.254 dev br-lan  table rt-lan
default via 107.125.176.1 dev usb0  table rt-wan
107.125.176.0/24 dev usb0  table rt-wan  scope link
107.125.176.0/24 dev usb0  proto kernel  scope link  src xxx.xxx.176.69
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1
broadcast 107.125.176.0 dev usb0  table local  proto kernel  scope link  src xxx.xxx.176.69
local xxx.xxx.176.69 dev usb0  table local  proto kernel  scope host  src xxx.xxx.176.69
broadcast 107.125.176.255 dev usb0  table local  proto kernel  scope link  src xxx.xxx.176.69
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan  table local  proto kernel  scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan  table local  proto kernel  scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan  table local  proto kernel  scope link  src 192.168.1.1
0:      from all lookup 128
0:      from all fwmark 0xb lookup rt-lan
0:      from all fwmark 0x16 lookup rt-wan
1:      from all lookup local
1000:   from 192.168.1.254 lookup rt-static
10102:  from all to 107.77.79.57 lookup rt-usb0
10202:  from all to 107.77.79.58 lookup rt-usb0
10302:  from xxx.xxx.176.69 lookup rt-usb0
10350:  from all lookup rt-br-lan
30001:  from all lookup rt-usb0
30003:  from all lookup rt-usb0
32766:  from all lookup main
32767:  from all lookup default

That said, somehow enabling drop_invalid breaks the GRE. I found a line with "drop_invalid" in the /sbin/fw3 binary. Something must be going on there, but I'm not sure what exactly. I appreciate your help.

First of all, Chaos Calmer is old, vulnerable and unsupported. You need to upgrade to the current 19.07.3 version, especially since it is facing the internet.
I hope the allow-all on the wan interface is just for testing. Otherwise input and forward must be Reject/Drop.
The iptables are flooded with repeating rules, a sign that you are continuously applying the same rules without flushing them.
The custom rules you have added for GRE are pointless, as INPUT and OUTPUT concern the router itself, but the GRE is terminated on the Cisco. So you want FORWARD, which is allowed on lan->wan.
What is the error in the logs for the invalid packets?

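As an added example (not from the thread, and not OpenWrt's or fw3's own code), the POSIX shell script below does two things a practitioner would want after reading the reply above. First, it audits an `iptables-save -c` dump for rules that have been stacked more than once (the "flooded with repeating rules" symptom) and for any rule that matches GRE, flagging those whose target is not ACCEPT; run against the dump above, that listing would surface `-A zone_lan_forward -p gre -m comment --comment Alg_pptp_pt_2 -j zone_wan_dest_DROP`, which already shows a non-zero counter. Second, it renders rules for the `forwarding_rule` user chain, i.e. the FORWARD path where the Cisco-to-Cisco tunnel traffic actually flows, that log what conntrack classifies as INVALID and accept GRE between the two tunnel endpoints, and applies them idempotently so a firewall reload cannot add a second copy. The sample dump is constructed (RFC 5737 addresses), the endpoint addresses are placeholders, and the claim that `forwarding_rule` is consulted before the INVALID drop once `drop_invalid` is on is an assumption to verify on the box: the dump above only shows the jump to `forwarding_rule` preceding the RELATED,ESTABLISHED accept.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenWrt's or fw3's own code).
# Part 1 audits an `iptables-save -c` dump for stacked duplicate rules and for
# rules touching GRE. Part 2 renders firewall.user rules for the FORWARD path,
# where Cisco-to-Cisco GRE actually flows, and applies them idempotently.

# Constructed sample in the shape of the dump posted above. Addresses are
# RFC 5737 documentation ranges, not the poster's.
SAMPLE_DUMP='*filter
:FORWARD ACCEPT [0:0]
:forwarding_rule - [0:0]
:input_rule - [0:0]
[13:572] -A FORWARD -s 203.0.113.69/32 -p tcp -m conntrack --ctstate INVALID -m mark --mark 0x16 -j ACCEPT
[0:0] -A FORWARD -d 203.0.113.69/32 -p tcp -m conntrack --ctstate INVALID -m mark --mark 0xb -j ACCEPT
[0:0] -A FORWARD -s 203.0.113.69/32 -p tcp -m conntrack --ctstate INVALID -m mark --mark 0x16 -j ACCEPT
[0:0] -A input_rule -p gre -j ACCEPT
[0:0] -A input_rule -p gre -j ACCEPT
[1:124] -A zone_lan_forward -p gre -m comment --comment Alg_pptp_pt_2 -j zone_wan_dest_DROP
COMMIT'

# Drop the leading "[pkts:bytes] " counter so identical rules compare equal.
strip_counters() { sed 's/^\[[0-9]*:[0-9]*\] //'; }

# Rules present more than once in the dump, printed as "<count> <rule>".
# A count that grows across reloads means rules are re-added without a flush.
dup_rules() {
    printf '%s\n' "$1" | grep '^\[' | strip_counters | sort | uniq -c | awk '$1 > 1'
}

# Every rule matching GRE (iptables-save prints "-p gre"; "-p 47" is the same).
gre_rules() {
    printf '%s\n' "$1" | grep -E -- '-p (gre|47)( |$)' || true
}

# GRE rules whose target is not ACCEPT: each is a place where tunnel packets
# can die no matter what drop_invalid is set to. Check their counters.
gre_non_accept_rules() {
    gre_rules "$1" | grep -v -- '-j ACCEPT$' || true
}

# Hypothetical endpoint addresses (assumption): the Cisco behind the router
# and the far-end Cisco. Override from the environment before applying.
LOCAL_GRE_EP="${LOCAL_GRE_EP:-192.168.1.254}"
REMOTE_GRE_EP="${REMOTE_GRE_EP:-198.51.100.10}"

# Rule specs (chain + match + target, without the iptables binary) for the
# fw3 user chain forwarding_rule. In the dump above delegate_forward jumps to
# forwarding_rule before its RELATED,ESTABLISHED accept; whether the INVALID
# drop also lands after that jump once drop_invalid is on must be confirmed
# with `iptables -S delegate_forward` on the box (assumption). The LOG rule
# records what would otherwise be dropped as INVALID; read it with logread.
gre_forward_rulespecs() {
    cat <<EOF
forwarding_rule -m conntrack --ctstate INVALID -m limit --limit 10/min -j LOG --log-prefix "fw-inv-fwd: "
forwarding_rule -p gre -s $LOCAL_GRE_EP -d $REMOTE_GRE_EP -j ACCEPT
forwarding_rule -p gre -s $REMOTE_GRE_EP -d $LOCAL_GRE_EP -j ACCEPT
EOF
}

# Apply each spec idempotently: -C (check) first, -A (append) only when the
# rule is absent, so a firewall reload cannot stack another copy. Appending
# keeps the spec order. Pass "echo" as the binary for a dry run.
apply_rulespecs() {
    ipt="${1:-iptables}"
    gre_forward_rulespecs | while IFS= read -r spec; do
        if ! eval "$ipt -C $spec" 2>/dev/null; then
            eval "$ipt -A $spec"
        fi
    done
}

# Stand-alone run: audit the sample and show the dry-run rules.
echo '== duplicated rules =='; dup_rules "$SAMPLE_DUMP"
echo '== GRE rules with a non-ACCEPT target =='; gre_non_accept_rules "$SAMPLE_DUMP"
echo '== firewall.user rules (dry run) =='; apply_rulespecs echo
```

To audit the real router, feed it the live dump (`dup_rules "$(iptables-save -c)"`); the `fw-inv-fwd:` lines then show up in `logread` and answer the question of what the invalid packets actually are before anything is whitelisted. Keep the GRE accept scoped to both endpoint addresses, since an ACCEPT in `forwarding_rule` bypasses the conntrack INVALID check for whatever it matches, and check the non-ACCEPT GRE listing first: a lan->wan GRE DROP with a rising counter needs fixing regardless of the drop_invalid setting.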

I'm lost; wouldn't you want to make an ACCEPT firewall rule for the GRE traffic?
