Iptables reports no WAN traffic

This morning I did a clean install of a fresh build of trunk for the bthh5a, a Lantiq xrx200 SoC. I changed only the network WAN zone definition to an NCM wireless internet setup for a Huawei USB LTE modem. Then I enable wireless and reboot, ssh in and I have internet. LAN clients too.

When I query iptables I see this:

    1    83 zone_wan_input  all  --  wwan0  any     anywhere             anywhere             /* !fw3 */
Chain zone_wan_input (1 references)
root@OpenWrt:~#

Nothing unusual. As devices connect to the device, the number of chains and the count increase. All fine.

Most of the time when I boot, zone_wan_input shows zeros. When it does not, as described above, it soon reverts to zero. Any ifup of wan, or network restart, zeros zone_wan_input and it stays that way. The highest number of chains I have seen is 3 and count 160.

If I use eth0.2 as WAN device, zone_wan_input is much more heavily populated even directly after boot, dozens of chains and the count in the thousands.

This behaviour prohibits applying a blocklist to the WAN NCM device using iptables, the excellent banip app for OpenWrt, and thus represents a serious security threat to those of us in rural communities that get their internet wirelessly.

Is this behaviour a feature of an NCM network or is it a bug? I'm hoping it is the latter.

In any case it is easy to reproduce. All thoughts or insights are most welcome.

I have flushed iptables before reboot with

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

but I do not see consistent behaviour when it comes back up; sometimes it's zero, sometimes not.

Sounds normal. After boot all counters start from zero.

Just a guess, the eth0.2 has a public IP which is being scanned from the internet. The 3G/LTE usually is behind CGNAT so you won't have any ingress traffic, unless there is some port forwarding from your ISP.

There is no need to do that, iptables are not preserved after reboot.

2 Likes

@trendy,

Good to see you again and thank you for your expertise, I greatly appreciate it.

To test further, I route my ethernet WAN through the USB-Net subsystem using a USB to ethernet adaptor using kmod-usb-net-dm960-ether. The WAN source is on the LAN side of a pfsense router with a serious firewall. I do a clean install and immediately after boot I see this:

root@OpenWrt:~# iptables -vL | grep zone_wan_
  181 13820 zone_wan_input  all  --  eth1   any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_forward  all  --  eth1   any     anywhere             anywhere             /* !fw3 */
   57  3766 zone_wan_output  all  --  any    eth1    anywhere             anywhere             /* !fw3 */
   24  1730 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
Chain zone_wan_dest_ACCEPT (2 references)
Chain zone_wan_dest_REJECT (1 references)
Chain zone_wan_forward (1 references)
    0     0 zone_wan_dest_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */
Chain zone_wan_input (1 references)
  181 13820 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */
Chain zone_wan_output (1 references)
   57  3766 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* !fw3 */
Chain zone_wan_src_REJECT (1 references)
root@OpenWrt:~#

This behaviour looks the same as if I use the dedicated WAN ethernet port. zone_wan_input always shows significant traffic, even when I ssh in right after boot.

If I change to use the NCM USB interface, I do not see consistent behaviour. Usually zone_wan_input is zero when I ssh in and it stays that way; once in a while it shows some traffic, never much, and soon it is showing zero again.

Do you think this behaviour is a feature of an NCM network, meaning I will never be able to secure my WAN interface?

Thanks again.

You didn't confirm though if the NCM has a public IP or private CGNAT.
As long as the wwan0 belongs to the wan zone it has the same policies as eth0.2.
Furthermore, when you connect it to your LAN there might be some more traffic, not coming from the internet, that can hit the firewall.

Thank you.

You didn't confirm though if the NCM has public IP or private cgnat.

My current WAN public IP address over NCM is 10.241.71.13, which is outside the CGNAT Shared Address Space range, 100.64.0.0/10, according to RFC 6598.

The LAN public IP address is 213.233.150.120 right now.

Just to add that I flashed 19.07.05 and tried it with NCM and banip. Behaviour is identical to trunk afaics.

Still very private IP.

1 Like
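As an added example (my own code, not part of the thread), here is a small Python script for the two checks this discussion turns on: it classifies a WAN address as RFC 1918 private, RFC 6598 CGNAT, or globally routable, and it totals the packet and byte counters of the zone_wan_* rules from `iptables -vL` output. The sample listing is constructed from the output posted above; the function names are my own.

```python
import ipaddress
import re

# Address blocks that a packet from the public internet can never be addressed to directly
# (assumption: IPv4 only, which is all the thread discusses).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 Shared Address Space

def classify_wan_address(addr: str) -> str:
    """Return why (or whether) unsolicited inbound packets can reach this WAN address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"      # ISP NAT in front of you; no ingress, nothing to block
    if ip in CGNAT:
        return "rfc6598-cgnat"        # same effect, just the dedicated carrier-NAT block
    if ip.is_global:
        return "global"               # directly reachable; expect zone_wan_input to climb
    return "other-special"            # loopback, link-local, documentation ranges, ...

# One rule line of `iptables -vL`: pkts, bytes (optional K/M/G suffix, 1000-based), then target.
_RULE = re.compile(r"^\s*(\d+)([KMG]?)\s+(\d+)([KMG]?)\s+(zone_wan_\w+)\s")
_MULT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

def wan_zone_counters(listing: str) -> dict:
    """Sum packet/byte counters of every rule that jumps into a zone_wan_* chain."""
    totals = {}
    for line in listing.splitlines():
        m = _RULE.match(line)
        if not m:
            continue  # "Chain ..." headers, column headers and non-WAN rules
        pkts = int(m.group(1)) * _MULT[m.group(2)]
        byts = int(m.group(3)) * _MULT[m.group(4)]
        p, b = totals.get(m.group(5), (0, 0))
        totals[m.group(5)] = (p + pkts, b + byts)
    return totals

# Constructed sample, copied from the listing posted earlier in this thread.
SAMPLE_LISTING = """\
  181 13820 zone_wan_input  all  --  eth1   any     anywhere             anywhere             /* !fw3 */
    0     0 zone_wan_forward  all  --  eth1   any     anywhere             anywhere             /* !fw3 */
   57  3766 zone_wan_output  all  --  any    eth1    anywhere             anywhere             /* !fw3 */
Chain zone_wan_input (1 references)
  181 13820 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere             /* !fw3 */
"""

if __name__ == "__main__":
    for a in ("10.241.71.13", "100.64.0.1", "213.233.150.120"):
        print(a, classify_wan_address(a))
    print(wan_zone_counters(SAMPLE_LISTING))
```

On a router, `iptables -vL | python3 thisscript.py`-style piping is not needed: read `iptables -vxL` output with `subprocess` if you want exact (unsuffixed) counters.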

@trendy,

Yes indeed, you are of course spot on. I spoke with mobile ISPs here today and they all use CGNAT, some exclusively, with others it depends on contract. Of course, none offer IPv6 now. They expect rollout of IPv6 in a year or so. It's all rather frustrating.

You have been most helpful, continue the good work.

1 Like
