Where in LuCI's GUI is the option to enable/disable the "NAT leakage Prevention" ?
You may ask - What is a "NAT Leakage Prevention" ?
It is a rule in the OUTPUT chain of the filter table, that drops packets which are incapable of initiating a new connection OR which are not a part of an existing connection (in conntrack's terms).
Specifically, it is a rule added by LuCI in the user-defined chain zone_wan_dest_ACCEPT, which is a descendant of the OUTPUT chain in the filter table. Its definition is listed below:
iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
The following command lets you see this rule on your system:
I'm curious as to the use case, as dropping of out-of-sequence packets has always been a part of my firewall rules. The question for me tends to be not if to drop them, but if to differentially log them (such as packets from a remote web server's keep-alive after the connection has been closed, or timed out at the firewall).
In my case this rule interferes with debugging / testing of other routers connected to the WAN interface (eth0.2). It also interferes with the solution to the problem described here.
Near the bottom, there are a couple of steps done to prevent leakage - works for me! Here it is in a nutshell:
(Optional) To prevent traffic leakage in case VPN-tunnel drops you can edit the file /etc/firewall.user with the following content:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# If tun0 is not up and the REJECT rule is not already in forwarding_rule,
# insert it so that no forwarded traffic bypasses the tunnel.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi
You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with following content:
#!/bin/sh
# When the tunnel comes up, remove the REJECT rule from forwarding_rule.
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
    iptables -D forwarding_rule -j REJECT
fi
# When the tunnel goes down, reinsert the REJECT rule (unless it is already present).
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi
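An added example (not one of the scripts from this thread) that folds the firewall.user snippet and the hotplug script above into one idempotent helper. It assumes the tunnel interface is tun0 and that fw3's forwarding_rule chain exists, and it reads the UP flag from `ip link show` output instead of relying on `ip a s tun0 up`, which exits 0 whenever the device exists, even when it is down:

```shell
#!/bin/sh
# Added example (not the thread's own scripts): one idempotent kill-switch helper
# that replaces both the firewall.user snippet and the hotplug script.
# Assumptions: the tunnel is tun0 and fw3's forwarding_rule chain exists.
VPN_IF="${VPN_IF:-tun0}"

# Return 0 only if the given `ip link show <if>` output carries the UP flag.
# Taking the text as an argument lets the check run on captured output.
link_is_up() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^[0-9]*: [^:]*: <\([^>]*\)>.*/,\1,/p')
    case "$flags" in
        *,UP,*) return 0 ;;
    esac
    return 1
}

# Decide what to do with the REJECT rule: $1 = up|down, $2 = present|absent.
# Prints insert, delete or none; never inserts twice, never deletes a missing rule.
kill_switch_action() {
    case "$1:$2" in
        down:absent) echo insert ;;
        up:present)  echo delete ;;
        *)           echo none ;;
    esac
}

# Query the live system and apply the decision (needs root, ip and iptables).
apply_kill_switch() {
    if link_is_up "$(ip link show "$VPN_IF" 2>/dev/null)"; then st=up; else st=down; fi
    if iptables -C forwarding_rule -j REJECT 2>/dev/null; then rl=present; else rl=absent; fi
    case "$(kill_switch_action "$st" "$rl")" in
        insert) iptables -I forwarding_rule -j REJECT ;;
        delete) iptables -D forwarding_rule -j REJECT ;;
    esac
}

# Constructed sample output of `ip link show tun0` for an up and a down tunnel.
SAMPLE_UP='5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500
    link/none'
SAMPLE_DOWN='5: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 500
    link/none'

# Run as `sh kill-switch.sh apply` from firewall.user or from any hotplug event;
# without the argument the live system is left untouched.
if [ "${1:-}" = apply ]; then apply_kill_switch; fi
```

Because the decision is a pure function of tunnel state and rule presence, the same call is safe on every firewall restart and on every ifup/ifdown event, so the hotplug script no longer needs separate branches per $ACTION.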
Is this the exposed option "masq_allow_invalid"?
o = s.taboption('conntrack', form.Flag, 'masq_allow_invalid', _('Allow "invalid" traffic'), _('Do not install extra rules to reject forwarded traffic with conntrack state <em>invalid</em>. This may be required for complex asymmetric route setups.'));
This rule is only generated for firewall zones with masquerading, it would be nice to be able to manually/forcefully enable it. As an example (from firewall.user), I have this setup, with both eth1 and eth2 interfaces in the WAN zone…
… Come to think of it, how in blazes would non-NATted/martian packets leak to the WAN? (I'm assuming that's what's implied by "NAT leakage", right?) I've never seen the rule hit counter higher than zero on my setups. Wouldn't that qualify as a kernel bug in routing/NAT/conntrack?