I'm pretty new at this, I hope I'm in the right place.
I'm running an ovpn router with LEDE Reboot 17.01-SNAPSHOT r4020-c476954633 / LuCI lede-17.01 branch (git-19.271.72080-7b230b0)
and I'm having issues with an IP that's outside the firewall's port forward IP range that I've specified in the system.
This is the setting I have:
vilfo-port-00:00:00:00:01:13-443-tcp
IPv4-tcp
From IP range 90.129.192.0/19 in vilfo0
Via any router IP at port 443
When I'm monitoring port 443 I'm getting this info: 07:49:28.088985 IP 82.94.168.22.https > server-h.52958: Flags [P.], seq 2864553083:2864553117, ack 2189864738, win 19, options [nop,nop,TS val 4085929821 ecr 1486368408], length 34
If I now have an IP range specified on port forward 443, why then is this 82.94.168.22 constantly accessing my 443 port?
Is vilfo0 your WAN facing interface? Do you have a port forward active for 443 by any chance alongside that FW rule? Is the firewall rule in question getting any hits at all? Was the firewall or device restarted after you added the rule?
Have you tried port scanning your IP from an outside device, that isn't in that IP range?
Is the WAN zone set to DROP/REJECT input/forward?
PS. Try to post the rule itself from the firewall config (/etc/config/firewall), like:
config rule
	option dest_port '123'
	option src 'lan'
	option name 'Allow-Hikvision-IP-Camera-NTP'
	list src_ip '192.168.1.100'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest 'wan'
	list proto 'udp'
Vilfo0 is an incoming vpn, so yes, it's from the outside
config redirect
	option target 'DNAT'
	option dest 'lan'
	option src_dport '443'
	option dest_port '443'
	option proto 'tcp'
	option dest_ip '192.168.0.11'
	option name 'vilfo-port-00:00:00:00:01:13-443-tcp'
	option src 'vilfo0'
	option src_ip '90.129.192.0/19'
If the rule was triggered, I have no idea; is there a log for that?
I've tested from an outside computer, and I couldn't connect to 443 when I was outside the range.
I also did an nmap scan from outside of the range, and didn't find anything, and the server didn't record any hits from me, but I found a new access attempt from livepatch.canonical.com.
Is it possible that some program on the server is transmitting something OUT on port 443? Maybe I'm intercepting outgoing calls, and there's no fault in the firewall since I can't get in.
You don't need to reply twice (unless you have a crush on @vgaetera and you wanted to wink).
This will match any src or dst port 443, TCP or UDP. And since almost every page served now is encrypted, this will capture a lot of traffic. Use host 192.168.0.11 and tcp port 443 and ...
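The point of the last reply is that a capture filter of just "port 443" shows both directions: the quoted line has the *remote* host on port https and the LAN server on an ephemeral port 52958, which is the reply to a connection the server itself opened, not a hit on the forwarded port. The DNAT rule with src_ip only governs packets whose destination is the LAN host on TCP 443. The script below is an added example (not code from the thread or from LEDE) that parses tcpdump lines in the format shown above and labels each packet by direction relative to the forwarded port, then checks whether any inbound packet comes from outside 90.129.192.0/19. It assumes the LAN host 192.168.0.11 appears in the capture under the resolved name "server-h", as in the quoted line; the extra capture lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumptions for this example: tcpdump (run without -n) shows the LAN host
# 192.168.0.11 as "server-h", the forwarded port is TCP 443, and the redirect
# rule admits only sources in 90.129.192.0/19.
LOCAL_HOST = {"server-h", "192.168.0.11"}
FORWARDED_PORT = 443
ALLOWED_SRC = ipaddress.ip_network("90.129.192.0/19")

# tcpdump without -n prints service names instead of port numbers.
SERVICE_PORTS = {"https": 443, "http": 80, "ssh": 22, "domain": 53}

# "<timestamp> IP <src>.<port> > <dst>.<port>: Flags [...] ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+?)\.(?P<sport>[\w-]+) > (?P<dst>.+?)\.(?P<dport>[\w-]+): "
)


def port_number(token):
    """Turn '52958' or 'https' into an integer port."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown port token {token!r}")


def in_allowed_range(host):
    """True/False for a literal IP, None when tcpdump resolved it to a name."""
    try:
        return ipaddress.ip_address(host) in ALLOWED_SRC
    except ValueError:
        return None


def classify(line):
    """Label one tcpdump line by its direction relative to the forwarded port."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    src, dst = m["src"], m["dst"]
    sport, dport = port_number(m["sport"]), port_number(m["dport"])

    if dst in LOCAL_HOST and dport == FORWARDED_PORT:
        # A packet arriving at the forwarded port: the only case the DNAT
        # rule with src_ip actually decides.
        allowed = in_allowed_range(src)
        if allowed is None:
            return "inbound-unknown-src"
        return "inbound-allowed" if allowed else "inbound-outside-range"
    if src in LOCAL_HOST and sport == FORWARDED_PORT:
        return "reply-from-local-service"
    if src in LOCAL_HOST and dport == FORWARDED_PORT:
        return "outbound-from-server"
    if dst in LOCAL_HOST and sport == FORWARDED_PORT:
        # Remote *source* port 443 and a high local port: the server opened
        # this connection itself, so the redirect rule never sees it.
        return "reply-to-outbound"
    return "other"


def summarize(lines):
    """Count packets per label; a nonzero inbound-outside-range is the real alarm."""
    return Counter(classify(line) for line in lines)


# Sample capture: the first line is the one quoted in the thread, the rest
# are constructed for this example.
CAPTURE = [
    "07:49:28.088985 IP 82.94.168.22.https > server-h.52958: Flags [P.], seq 2864553083:2864553117, ack 2189864738, win 19, options [nop,nop,TS val 4085929821 ecr 1486368408], length 34",
    # constructed: the server's side of that same outbound connection
    "07:49:28.089100 IP server-h.52958 > 82.94.168.22.https: Flags [.], ack 34, win 501, length 0",
    # constructed: a SYN to the forwarded port from inside the allowed range
    "07:50:00.000000 IP 90.129.200.5.40000 > server-h.https: Flags [S], seq 1, win 64240, length 0",
    # constructed: a SYN to the forwarded port from outside the range; seeing
    # this on the LAN side would mean the src_ip restriction is not applied
    "07:50:01.000000 IP 198.51.100.7.51000 > server-h.https: Flags [S], seq 1, win 64240, length 0",
]

if __name__ == "__main__":
    for line in CAPTURE:
        print(f"{classify(line):24} {line[:60]}")
    print(dict(summarize(CAPTURE)))
```

Only the "inbound-*" labels are relevant to the port forward; the quoted line lands in "reply-to-outbound", which is why it shows up regardless of the src_ip restriction. The narrower filter from the reply, host 192.168.0.11 and tcp dst port 443, would have excluded it from the capture in the first place.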