Hairpinning - doesn't work

What's the connection with DNS?
Is it a joke or is it not working? I dunno.

Let the community see this output. Perhaps others can chime in on this issue of yours.


@bill sure,

but it's quite a long list

# Generated by iptables-save v1.8.7 on Mon Jul 11 20:12:24 2022
*nat
:PREROUTING ACCEPT [94850:13337079]
:INPUT ACCEPT [6228:461254]
:OUTPUT ACCEPT [7895:550486]
:POSTROUTING ACCEPT [78:5477]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1921044:269860294] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1920774:269833172] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i vpn -m comment --comment "!fw3" -j zone_lan_prerouting
[270:27122] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[311547:31231738] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[365:34477] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o vpn -m comment --comment "!fw3" -j zone_lan_postrouting
[308641:31029795] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A postrouting_rule -s 10.0.1.0/24 -d 10.0.1.104/32 -o br-lan -p tcp -m tcp --dport 8123 -j SNAT --to-source 10.0.1.1
[0:0] -A prerouting_rule -s 10.0.1.0/24 -d 78.12.7.9/32 -i br-lan -p tcp -m tcp --dport 8123 -j DNAT --to-destination 10.0.1.104:8123
[365:34477] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.156/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.156/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.39/32 -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.39/32 -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.39/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.39/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.39/32 -p tcp -m tcp --dport 554 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.39/32 -p tcp -m tcp --dport 554 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.44/32 -p udp -m udp --dport 1195 -m comment --comment "!fw3: x-tap (reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.44/32 -p udp -m udp --dport 1195 -m comment --comment "!fw3: x-tap (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.44/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.44/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: xc (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.44/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.44/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: x (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.44/32 -p udp -m udp --dport 1196 -m comment --comment "!fw3: x-tun (reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.44/32 -p udp -m udp --dport 1196 -m comment --comment "!fw3: x-tun (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.22/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.22/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.37/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.37/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: nx (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.129/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: x (reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.129/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: x (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.11/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: x (reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.11/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: x (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.11/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: x (reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.128/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: x (reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.128/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.37/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: x (reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.37/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: x (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.11/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3:x(reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.11/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: odx (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.104/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.104/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.128/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: x (reflection)" -j SNAT --to-source 10.0.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 10.0.1.128/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: x (reflection)" -j SNAT --to-source 192.168.9.1
[1920774:269833172] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 1122 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.156:80
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 1122 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.156:80
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.39:8000
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.39:8000
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 8001 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.39:80
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 8001 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.39:80
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 554 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.39:554
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 554 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.39:554
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p udp -m udp --dport 1195 -m comment --comment "!fw3: x-tap (reflection)" -j DNAT --to-destination 10.0.1.44:1195
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p udp -m udp --dport 1195 -m comment --comment "!fw3: x-tap (reflection)" -j DNAT --to-destination 10.0.1.44:1195
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.44:500
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.44:500
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.44:4500
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: ipsec2 (reflection)" -j DNAT --to-destination 10.0.1.44:4500
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p udp -m udp --dport 1196 -m comment --comment "!fw3: x-tun (reflection)" -j DNAT --to-destination 10.0.1.44:1196
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p udp -m udp --dport 1196 -m comment --comment "!fw3: x-tun (reflection)" -j DNAT --to-destination 10.0.1.44:1196
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.22:3389
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: c(reflection)" -j DNAT --to-destination 10.0.1.22:3389
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 2223 -m comment --comment "!fw3: c (reflection)" -j DNAT --to-destination 10.0.1.37:22
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 2223 -m comment --comment "!fw3: x (reflection)" -j DNAT --to-destination 10.0.1.37:22
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 2225 -m comment --comment "!fw3: x (reflection)" -j DNAT --to-destination 10.0.1.129:22
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 2225 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.129:22
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 5511 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.11:2222
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 5511 -m comment --comment "!fw3: xp (reflection)" -j DNAT --to-destination 10.0.1.11:2222
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 5511 -m comment --comment "!fw3: x (reflection)" -j DNAT --to-destination 10.0.1.11:2222
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 5511 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.11:2222
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: xo (reflection)" -j DNAT --to-destination 10.0.1.128:22
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.128:22
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 2223 -m comment --comment "!fw3: x (reflection)" -j DNAT --to-destination 10.0.1.37:22
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 2224 -m comment --comment "!fw3: x (reflection)" -j DNAT --to-destination 10.0.1.11:22
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 2224 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.11:22
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.104:8123
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: x (reflection)" -j DNAT --to-destination 10.0.1.104:8123
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: x (reflection)" -j DNAT --to-destination 10.0.1.128:22
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: x (reflection)" -j DNAT --to-destination 10.0.1.128:22
[308641:31029795] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[308641:31029795] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[270:27122] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 1122 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.156:80
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.39:8000
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8001 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.39:80
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 554 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.39:554
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 1195 -m comment --comment "!fw3: x-tap" -j DNAT --to-destination 10.0.1.44:1195
[33:4645] -A zone_wan_prerouting -p udp -m udp --dport 500 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.44:500
[7:710] -A zone_wan_prerouting -p udp -m udp --dport 4500 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.44:4500
[146:11972] -A zone_wan_prerouting -p udp -m udp --dport 1196 -m comment --comment "!fw3: x-tun" -j DNAT --to-destination 10.0.1.44:1196
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.22:3389
[0:0] -A zone_wan_prerouting -s 95.105.x.x/32 -p tcp -m tcp --dport 2223 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.37:22
[0:0] -A zone_wan_prerouting -s 95.105.x.x/32 -p tcp -m tcp --dport 2225 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.129:22
[0:0] -A zone_wan_prerouting -s 95.105.x.x/32 -p tcp -m tcp --dport 5511 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.11:2222
[0:0] -A zone_wan_prerouting -s 86.107.x.x/32 -p tcp -m tcp --dport 5511 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.11:2222
[0:0] -A zone_wan_prerouting -s 185.111.x.x/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.128:22
[0:0] -A zone_wan_prerouting -s 185.111.x.x/32 -p tcp -m tcp --dport 2223 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.37:22
[0:0] -A zone_wan_prerouting -s 95.105.x.x/32 -p tcp -m tcp --dport 2224 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.11:22
[27:1504] -A zone_wan_prerouting -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.104:8123
[0:0] -A zone_wan_prerouting -s 95.105.x.x/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.128:22
COMMIT
# Completed on Mon Jul 11 20:12:24 2022
# Generated by iptables-save v1.8.7 on Mon Jul 11 20:12:24 2022
*mangle
:PREROUTING ACCEPT [44946806:37599679684]
:INPUT ACCEPT [706511:71224334]
:FORWARD ACCEPT [43740668:37359852398]
:OUTPUT ACCEPT [938447:88461226]
:POSTROUTING ACCEPT [43520234:37375343591]
[142209:8143236] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[137166:7738252] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jul 11 20:12:24 2022
# Generated by iptables-save v1.8.7 on Mon Jul 11 20:12:24 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:banIP - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[6808:531741] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[699707:70692844] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[459492:45110666] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[14:740] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[238480:25510897] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i vpn -m comment --comment "!fw3" -j zone_lan_input
[1735:71281] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[43740671:37359852663] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[40235259:35712395773] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3505198:1647437994] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i vpn -m comment --comment "!fw3" -j zone_lan_forward
[214:18896] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[6808:531741] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[931531:87918976] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[740914:75196976] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[20:6560] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o vpn -m comment --comment "!fw3" -j zone_lan_output
[190597:12715440] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[291:96959] -A banIP -p udp -m udp --sport 67:68 --dport 67:68 -j RETURN
[14981:768429] -A banIP -m conntrack ! --ctstate NEW -j RETURN
[1292:46608] -A banIP -i wan -m set --match-set whitelist_4 src -j RETURN
[0:0] -A banIP -o wan -m set --match-set whitelist_4 dst -j RETURN
[0:0] -A banIP -i wan -m set --match-set blacklist_4 src -j DROP
[1144133:72206915] -A banIP -o wan -m set --match-set blacklist_4 dst -j REJECT --reject-with icmp-port-unreachable
[3505239:1647442817] -A forwarding_lan_rule -j banIP
[215:19016] -A forwarding_wan_rule -j banIP
[238499:25512377] -A input_lan_rule -j banIP
[1741:71819] -A input_wan_rule -j banIP
[433:24262] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[10:411] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[14:740] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1781620:1509638313] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o vpn -m comment --comment "!fw3" -j ACCEPT
[3505198:1647437994] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[2361051:1575230169] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[1781566:1509627063] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[238480:25510897] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[238480:25510897] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[20:6560] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[20:6560] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[238480:25510897] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i vpn -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[14627:752976] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[755455:77565570] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[214:18896] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[34:4690] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[180:14206] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[1735:71281] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[2:168] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[1290:46440] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard-LAN" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[443:24673] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[190597:12715440] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[190597:12715440] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[443:24673] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Mon Jul 11 20:12:24 2022


There are few that will understand the context of your iptables-save -c

With that said, try not to bite the hand of the one, @trendy, that was willing to assist.


The rules are there but have no hits. And it is obvious that you are trying again to hairpin through the ISP router?
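The check the reply above points at, written out as an added example that is not part of this thread: run `iptables-save -c -t nat` through a small awk filter that lists every DNAT/SNAT rule whose packet counter is still zero, so "the rule exists but nothing ever matched it" is visible at a glance. The sample rules embedded below are constructed for this example (the public address 203.0.113.9 is a placeholder); `zero_hit_nat_rules` reads from stdin so the same filter works on live output.

```shell
#!/bin/sh
# Added example, not code from the thread: find hairpin/reflection NAT rules
# that have never matched a packet in `iptables-save -c` output.

# Constructed sample in iptables-save -c format (two rules with zero hits,
# two with traffic). 203.0.113.9 stands in for a public IP.
SAMPLE_RULES='[0:0] -A prerouting_rule -s 10.0.1.0/24 -d 203.0.113.9/32 -i br-lan -p tcp -m tcp --dport 8123 -j DNAT --to-destination 10.0.1.104:8123
[0:0] -A zone_lan_prerouting -s 10.0.1.0/24 -d 192.168.0.4/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: x(reflection)" -j DNAT --to-destination 10.0.1.104:8123
[27:1504] -A zone_wan_prerouting -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: x" -j DNAT --to-destination 10.0.1.104:8123
[12:960] -A zone_lan_postrouting -s 10.0.1.0/24 -d 10.0.1.104/32 -p tcp -m tcp --dport 8123 -m comment --comment "!fw3: x(reflection)" -j SNAT --to-source 10.0.1.1'

# Print every DNAT/SNAT rule whose packet counter is zero.
# The counters are the leading "[packets:bytes]" token of each rule line.
zero_hit_nat_rules() {
    awk '
        /-j (DNAT|SNAT)/ {
            split(substr($1, 2, length($1) - 2), c, ":")
            if (c[1] + 0 == 0) print
        }'
}

# Count the zero-hit rules in the constructed sample (prints 2).
count_sample_zero_hits() {
    printf '%s\n' "$SAMPLE_RULES" | zero_hit_nat_rules | wc -l | tr -d ' '
}

# Same filter against the live ruleset (needs root on the router).
check_live() {
    iptables-save -c -t nat | zero_hit_nat_rules
}

count_sample_zero_hits
```

Run `check_live` while a LAN client connects to the forwarded port; a rule that stays at `[0:0]` is not seeing the traffic at all, which is a different problem from a rule that matches but whose reply path is wrong.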

@trendy,
thanks for the check.

I have the following topology

public ip [:wan ISP (+nat) router lan:] -> [:wan openwrt router (+nat) :lan] => 10.0.1.104 (connected to lan)

So I have one rule that forwards publicip:port via the ISP router to OpenWrt,
then on OpenWrt to 10.0.1.104

and on top of that I wanted to add hairpinning to 10.0.1.104 so it can also be accessed from devices connected locally to the OpenWrt LAN port/local Wi-Fi

thanks

yeah, I tried to fix it as was mentioned in the link Hairpin nat broken not working properly
using
In your Openwrt router all you have to do is to edit the dnsmasq.conf file and add a line at the very bottom of the file address=/yourdomain/your_lan_address like this: address=/awesomenetworks.com/192.168.1.121.
Then restart the dnsmasq with /etc/init.d/dnsmasq restart

but the issue is that Android is not using the local DNS, so that's why I wanted to do hairpinning on OpenWrt, not on the ISP router.

Hairpin doesn't work on your ISP router as we established in the previous topic. So your only solution is the static dns entry. If the Android is using another nameserver, then your only hope is hijacking.

@trendy
I thought the ISP router is not "required" for such a case, as all the packets stay within the OpenWrt router; I mean local clients trying to access a local IP (via hairpinning) ... maybe I am wrong?

In case hairpin doesn't work on the ISP router... that means it's a firmware issue, correct?

but for my scenario isn't the OpenWrt router enough?
thanks

Clients try to access the wan IP of the ISP router. Even if you create a rule to hairpin that IP on the OpenWrt, it will be rendered useless next time the IP changes, so it is not a permanent solution.

I suppose so.

That's where I thought it could somehow be done via iptables, so that packets won't leave OpenWrt.
What IP changes? What IP are you referring to?
thx

The wan IP of the ISP router.

Well, we can assume it won't change ... as it's fixed.

Very good, then run a tcpdump -i br-lan -vn tcp port 8123 to verify that it is working.

The OpenWrt in its default iptables configuration supports hairpin. Some ISP routers, e.g. Mikrotik does not support it from the default. I have an ISP Mikrotik router where I had to add hairpin rule to the underlying local network on top of the forwarding rule on the Mikrotik router. On the OpenWrt router I just did set up simple forwarding rule to the required service IP address. For the requests to the public IP ISP router coming from the local network, your ISP router requires a hairpin NAT rule in the very beginning of the firewall chain. Chain srcnat source address 192.168.xx.0/24 destination address 192.168.xx.0/24 action masquerade. This is how this rule looks like on Mikrotik routers. Your ISP router might have similar firewall. You will need to add this rule to NAT srcnat chain. Should be the second rule after srcnat for WAN. XX is your local subnet of the OpenWrt router.
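For reference, the OpenWrt side of what the reply above describes, as an added example that is not code from this thread or from the OpenWrt project: the fw3 `redirect` section that generates the "(reflection)" DNAT/SNAT pairs visible in the posted `iptables-save` output. The port and host values follow the thread (8123 to 10.0.1.104); the section name `hairpin_8123` is an assumption.

```text
# /etc/config/firewall (fw3) -- added example, not from the thread
config redirect 'hairpin_8123'
	option name 'hairpin_8123'
	option src 'wan'
	option src_dport '8123'
	option dest 'lan'
	option dest_ip '10.0.1.104'
	option dest_port '8123'
	option proto 'tcp'
	option target 'DNAT'
	# reflection '1' adds the LAN-side DNAT and the matching SNAT so replies
	# return through the router; reflection_src 'internal' SNATs the hairpinned
	# connection to the router's LAN address (10.0.1.1 in the posted output)
	option reflection '1'
	option reflection_src 'internal'
```

Apply with `/etc/init.d/firewall restart` and confirm the pair with `iptables-save -c -t nat | grep reflection`. The caveat that matters for this topology: fw3 reflection matches traffic addressed to the OpenWrt wan interface's own address (the `-d 192.168.0.4/32` in the posted rules), not the ISP router's public address, so a LAN client that connects to the public IP never reaches these rules; that is the double-NAT case @trendy describes, which only the ISP router or a DNS override can resolve.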

@kukulo but my ISP router doesn't have terminal/iptables, so it won't be possible then?

OS on your ISP router needs to support the hairpin in its firewall. Look into your ISP router documentation.

@kukulo
it's not ... apparently, and you can't touch the router internals.

IP address based connection forwarding or hairpin from the ISP is then ruled out. You can still do domain-based redirection via dnsmasq.conf, redirecting the outgoing requests back to your local network. This can be done on the underlying OpenWrt router then.

In dnsmasq.conf add a line like:

address=/yourdomain.com/192.168.5.62

Change yourdomain.com to your actual domain and IP address 192.168.5.62 to the IP address serving the service.

The requests for yourdomain.com from your local network will land on the 192.168.5.62 IP address then.

hello,
that's practically what I did; the issue is that Android devices are not using the local DNS server, so it doesn't work on Android devices :frowning: