LuCI option to enable/disable "NAT Leakage Prevention"

Where in LuCI's GUI is the option to enable/disable the "NAT Leakage Prevention"?

  • You may ask - What is a "NAT Leakage Prevention" ?
  • It is a rule in the OUTPUT chain of the filter table, that drops packets which are incapable of initiating a new connection OR which are not a part of an existing connection (in conntrack's terms).

Specifically, it is a rule added by LuCI in the user-defined chain zone_wan_dest_ACCEPT, which is a descendant of the OUTPUT chain in the filter table. Its definition is listed below:

iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP

The following command lets you see this rule on your system:

iptables -t filter -L zone_wan_dest_ACCEPT --line-numbers -v

I'm curious as to the use case, as dropping of out-of-sequence packets has always been a part of my firewall rules. The question for me tends to be not if to drop them, but if to differentially log them (such as packets from a remote web server's keep-alive after the connection has been closed, or timed out at the firewall).

In my case this rule interferes with debugging / testing of other routers connected to the WAN interface (eth0.2). It also interferes with the solution to the problem described here.

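The thread's suggested check (iptables -L zone_wan_dest_ACCEPT --line-numbers -v) prints the rule with its hit counters; the snippet below, added here as an example and not taken from the thread or from OpenWrt, pulls the "Prevent NAT leakage" rule out of such a listing and reports whether it has ever dropped anything. It assumes the comment text shown in the thread and a listing produced with -nvx so that counters are exact rather than abbreviated; the listing in the block is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): locate the
# "!fw3: Prevent NAT leakage" rule in a chain listing and summarise its counters.
# Assumption: the listing comes from `iptables -t filter -L <chain> -nvx --line-numbers`,
# whose columns are: num pkts bytes target prot opt in out source destination [matches]
CHAIN=zone_wan_dest_ACCEPT

# leak_rule_status: reads a chain listing on stdin and prints
# "<rule number> <packets> <bytes> <out interface>" for every matching rule.
leak_rule_status() {
  awk '/Prevent NAT leakage/ { print $1, $2, $3, $8 }'
}

# leak_rule_hits: reads a chain listing on stdin and prints
#   absent  - no NAT-leakage rule in the chain (e.g. zone without masquerading)
#   clean   - rule present, packet counter zero on every instance
#   hits    - at least one instance has dropped packets (worth looking at)
leak_rule_hits() {
  leak_rule_status | awk '
    { n++; if ($2 > 0) hit = 1 }
    END { if (n == 0) print "absent"; else if (hit) print "hits"; else print "clean" }'
}

# check_live: run the check against the real firewall on the router.
check_live() {
  iptables -t filter -L "$CHAIN" -nvx --line-numbers | leak_rule_hits
}

# Constructed listing (not captured from a real router) in the shape of
# `iptables -t filter -L zone_wan_dest_ACCEPT -nvx --line-numbers`.
SAMPLE_LISTING='Chain zone_wan_dest_ACCEPT (2 references)
num      pkts      bytes target     prot opt in     out     source               destination
1           0          0 DROP       all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
2       48213   17225981 ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */'

# Offline demonstration on the constructed listing; use check_live on the router.
printf '%s\n' "$SAMPLE_LISTING" | leak_rule_status
printf '%s\n' "$SAMPLE_LISTING" | leak_rule_hits
```

A counter that stays at zero, as one poster reports later in the thread, means the rule has never had to drop anything on that box; a climbing counter while testing other routers behind eth0.2 is the symptom the opening post describes.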

I set up my VPN following this guide: https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWRT-setup-with-NordVPN.htm

Near the bottom, there's a couple of steps done to prevent leakage - works for me! Here it is in a nutshell:

(Optional) To prevent traffic leakage in case VPN-tunnel drops you can edit the file /etc/firewall.user with the following content:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
 
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
       iptables -I forwarding_rule -j REJECT
fi

You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with following content:

#!/bin/sh
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
       iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
       iptables -I forwarding_rule -j REJECT
fi
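The two scripts above encode one rule: the REJECT in forwarding_rule should be present exactly when tun0 is down. The script below is an added example, not the NordVPN guide's code or the poster's, that separates that decision from the iptables calls so the logic can be exercised without a tunnel; it assumes the forwarding_rule chain from the post and a tunnel interface named by TUN_IF (tun0 by default). Because it reconciles to the desired state rather than switching on $ACTION, the same file can be called from /etc/firewall.user and from /etc/hotplug.d/iface/.

```shell
#!/bin/sh
# Added example (not from the guide or the thread): VPN kill switch as a
# reconcile loop. Assumed names: TUN_IF (tunnel interface, default tun0) and
# the forwarding_rule chain used in the post.
TUN_IF="${TUN_IF:-tun0}"

# tunnel_up: exit 0 if the tunnel interface exists and is up.
tunnel_up() { ip a s "$TUN_IF" up >/dev/null 2>&1; }

# block_present: exit 0 if the REJECT rule is already installed.
block_present() { iptables -C forwarding_rule -j REJECT 2>/dev/null; }

# decide <tunnel up 0|1> <rule present 0|1> -> prints insert, delete or none.
# Desired state: the REJECT rule is present exactly when the tunnel is down.
decide() {
  tun_up=$1
  present=$2
  if [ "$tun_up" = 1 ] && [ "$present" = 1 ]; then
    echo delete
  elif [ "$tun_up" = 0 ] && [ "$present" = 0 ]; then
    echo insert
  else
    echo none
  fi
}

# apply <tunnel up> <rule present>: carry out the decision with iptables.
apply() {
  case "$(decide "$1" "$2")" in
    insert) iptables -I forwarding_rule -j REJECT ;;
    delete) iptables -D forwarding_rule -j REJECT ;;
  esac
}

# reconcile: observe the live state and bring the rule in line with it.
reconcile() {
  if tunnel_up; then u=1; else u=0; fi
  if block_present; then p=1; else p=0; fi
  apply "$u" "$p"
}

# Run when invoked by hotplug (ACTION is set by netifd) or explicitly with "run"
# from /etc/firewall.user; sourcing the file for tests leaves the firewall alone.
if [ -n "${ACTION:-}" ] || [ "${1:-}" = run ]; then
  reconcile
fi
```

Install it as /etc/hotplug.d/iface/99-prevent-leak (chmod +x) and add `sh /etc/hotplug.d/iface/99-prevent-leak run` to /etc/firewall.user; each call is idempotent, so a spurious ifup or a firewall reload cannot leave a duplicate REJECT rule behind.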

Bugs,

...am I to understand your answer, that "LuCI does not contain an option", to e.g. disable the "NAT Leakage Prevention" option?

Note that I was not asking "how to prevent the leakage" - I was asking "how to enable/disable this prevention through LuCI's GUI".

Any experience with client-side JavaScript or Lua?

Yes, only JS, ...no Lua.

You can control this rule through the per-zone option masq_allow_invalid but I am unsure right now if it is exposed in LuCI.

Edit:
It is exposed: https://github.com/openwrt/luci/blob/master/applications/luci-app-firewall/htdocs/luci-static/resources/view/firewall/zones.js#L208

Is this the exposed option "masq_allow_invalid"?

o = s.taboption('conntrack', form.Flag, 'masq_allow_invalid', _('Allow "invalid" traffic'), _('Do not install extra rules to reject forwarded traffic with conntrack state <em>invalid</em>. This may be required for complex asymmetric route setups.'));

...because if it is, then it does not affect the generation of the rule:

iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP

No it is not. It is a per-zone setting. But I see you're using 18.06, the option is not present there, yet.

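Since masq_allow_invalid is a per-zone option, it lives on the zone section of /etc/config/firewall rather than on a global setting, and on a release that ships it (19.07 or master, per the thread) it can be flipped from the shell as well as from the LuCI zone dialog. The script below is an added example, not code from the thread or from OpenWrt: it finds the zone section by its `option name` in `uci show firewall` output and prints or applies the uci commands. It assumes the `firewall.@zone[N].name='wan'` output shape of `uci show`; the excerpt in the block is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): set the per-zone
# masq_allow_invalid option from the shell. Assumption: `uci show firewall`
# prints lines of the form firewall.@zone[N].name='wan'.

# zone_section <name>: reads `uci show firewall` output on stdin and prints the
# section path of the zone with that name (e.g. firewall.@zone[1]); prints
# nothing if no such zone exists.
zone_section() {
  want=$1
  sed -n "s/^\(firewall\.@zone\[[0-9]*\]\)\.name='$want'\$/\1/p" | head -n 1
}

# masq_allow_invalid_cmds <zone> <0|1>: reads `uci show firewall` output on
# stdin and prints the commands that set the option on that zone; returns 1
# and prints nothing when the zone is not found, so nothing is applied blindly.
masq_allow_invalid_cmds() {
  sect=$(zone_section "$1")
  [ -n "$sect" ] || return 1
  printf 'uci set %s.masq_allow_invalid=%s\n' "$sect" "$2"
  printf 'uci commit firewall\n'
  printf '/etc/init.d/firewall reload\n'
}

# set_masq_allow_invalid <zone> <0|1>: apply for real on the router.
set_masq_allow_invalid() {
  uci show firewall | masq_allow_invalid_cmds "$1" "$2" | sh -e
}

# Constructed `uci show firewall` excerpt (not from a real router) for the
# offline demonstration below.
SAMPLE_UCI="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].masq='1'"

# Dry run: show what would be executed for the wan zone.
printf '%s\n' "$SAMPLE_UCI" | masq_allow_invalid_cmds wan 1
```

Setting the option to 1 tells fw3 not to install the extra INVALID-state rules for that zone, which is the behaviour the LuCI flag "Allow invalid traffic" quoted above describes; on 18.06 the option is not known to fw3, so the uci set succeeds but has no effect on the generated rules.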

This rule is only generated for firewall zones with masquerading; it would be nice to be able to manually/forcefully enable it. As an example (from firewall.user), I have this setup, with both eth1 and eth2 interfaces in the WAN zone…

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source ip1
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source ip2

… and since I'm doing SNAT, not MASQUERADE, I also have to add…

iptables -t filter -A output_wan_rule -m conntrack --ctstate INVALID -j DROP

… but it's not really a big deal, though.

… Come to think of it, how in blazes would non-NATted/martian packets leak to the WAN? :confused: (I'm assuming that's what's implied by "NAT leakage", right?) I've never seen the rule hit counter higher than zero on my setups. Wouldn't that qualify as a kernel bug in routing/NAT/conntrack?

From what version is it exposed in LuCI?

The ones shipped with 19.07.0-rc1 or master.

