Masquerading all output ports except 80,443

Hi,
I added a "lanp" interface, isolated from the main "lan", in order to block its output to the net; the devices connected to this interface are forced to go through Tinyproxy (installed on the router). It works well, maybe with a little slowdown at the DNS level.
Today my son, whose computer passes through this interface, asked me to open several ports so that he can play Minetest, Minecraft, OBS YouTube…

To avoid adding several rules to the firewall, I decided to authorize all ports in MASQ except 80 and 443.

Here's the firewall config:

config zone
        option name 'lanp'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'lanp'
        option forward 'ACCEPT'

config nat
        option name 'Out from Proxy'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option src 'wan'
        option src_ip '192.168.5.0/24'
        option dest_port '!80-443'
        option target 'MASQUERADE'

But it is not working for gaming and OBS....
Do I need forwarding rules?
Any help from you would be much appreciated.

Thanks.
Hardware: ASUS RT-AX53U
OpenWrt 22.03.3 r20028-43d71ad93e

In order to set this up, your son's gaming device(s) will need to bypass the proxy you set up. You cannot simply tell the router to somehow forward packets "around" it, as you seem to be attempting.

Once that device uses normal internet connectivity, you can set up rules as you desire - but your son may find it works again after you take him off the proxy.

This stanza seems completely incorrect, even for a normal port forward.

This section is a valid "nat" rule definition, it will translate into the following nftables masquerade rules:

ip saddr 192.168.5.0/24 tcp dport != 80-443 counter masquerade comment "!fw4: Out from Proxy"
ip saddr 192.168.5.0/24 udp dport != 80-443 counter masquerade comment "!fw4: Out from Proxy"
meta l4proto icmp ip saddr 192.168.5.0/24 counter masquerade comment "!fw4: Out from Proxy"

Whether it semantically makes sense in a wider context is another matter, but it is a valid firewall configuration section.

I never said it was invalid in the sense of not producing a rule in nft. It just won't open some port for a gaming device on a LAN with a WAN SRC network, but an internal IP as SRC - that's using a proxy.

Your remark

made it sound so.

Because of the OPs desire:

Unless there's something about NAT I'm missing?

The OP will need to make a valid rule to open the ports for his son's device, after he removes it from the proxy.

:bulb: Or set this up thru the proxy itself.

Without knowing your tinyproxy setup in detail, I would say a proper solution would entail two things:

  1. change the rule that forcibly redirects forwarded traffic to tinyproxy to exempt the ip/port combination you want to whitelist
  2. add one or more port forwards from src zone wan towards dest zone lanp where you redirect the desired ports
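The two steps above written out as an OpenWrt `/etc/config/firewall` fragment. This is an added example for this thread, not the OP's configuration and not text from the OpenWrt documentation. It assumes the gaming host is 192.168.5.20 (the address seen in the OP's tcpdump), that tinyproxy listens on 192.168.5.1:8888 (as the OP states later), that the zone names are 'lanp' and 'wan' as in the OP's config, and that lanp currently has no `config forwarding` to wan, which the posted zone stanza does not show. Two caveats worth knowing before copying anything: a `config nat` section with `MASQUERADE` only rewrites the source address of traffic fw4 has already decided to forward, so it cannot by itself let lanp reach wan; and `'!80-443'` in UCI is the negated port *range* 80 through 443, so the OP's stanza also exempts ports 81 to 442 from masquerading. Two separate ports are written `'80 443'`.

```uci
# Added example (not from the thread). Assumed values: gaming host
# 192.168.5.20, tinyproxy on 192.168.5.1:8888, zones 'lanp' and 'wan'.

# 1. Let lanp reach the Internet at all. Source NAT is done on the wan side
#    (the OP's 'config nat' stanza, or 'option masq' on the wan zone), but
#    without a forwarding section fw4 never forwards lanp traffic to wan.
config forwarding
        option src 'lanp'
        option dest 'wan'

# 2. Keep web traffic on the proxy: reject direct 80/443 from lanp to wan.
#    Everything else (TCP 25565 for Minecraft, game UDP ports, RTMP for OBS)
#    is forwarded by the section above. Note the space-separated port list;
#    '80-443' would be a range. fw4 answers rejected TCP with a tcp reset, so
#    a blocked client sees an immediate RST rather than a timeout.
config rule
        option name 'lanp-web-via-proxy-only'
        option src 'lanp'
        option dest 'wan'
        option proto 'tcp'
        option dest_port '80 443'
        option target 'REJECT'

# 3. Only needed if the son hosts a server himself: inbound port forward from
#    wan to his machine for Minecraft's default port. Add one section per
#    port instead of forwarding everything from wan to the host.
config redirect
        option name 'mc-server-to-son'
        option src 'wan'
        option src_dport '25565'
        option dest 'lanp'
        option dest_ip '192.168.5.20'
        option dest_port '25565'
        option proto 'tcp'
        option target 'DNAT'
```

Reload with `/etc/init.d/firewall restart` (or `fw4 reload`) and check the result with `fw4 print`, which shows the nftables rules fw4 generated from the sections. Outbound connections the son makes to other people's game servers (the 25565 SYNs in the OP's capture) need only sections 1 and 2; section 3 is for inbound connections to a server he runs.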

Here are some logs

09:41:41.553133 ARP, Request who-has 192.168.5.20 tell 192.168.5.20, length 28
09:41:42.381350 ARP, Request who-has 192.168.5.1 tell 192.168.5.20, length 28
09:41:42.381591 ARP, Reply 192.168.5.1 is-at c8:7f:54:af:xx:xx, length 28
09:41:42.385127 IP 192.168.5.20.47894 > 192.168.5.1.53: 12883+ A? servers.minetest.net. (38)
09:41:42.385425 IP 192.168.5.20.47894 > 192.168.5.1.53: 9052+ AAAA? servers.minetest.net. (38)
09:41:42.395371 IP 192.168.5.1.53 > 192.168.5.20.47894: 12883 2/0/0 CNAME kitsunemimi.pw., A 93.190.143.88 (82)
09:41:42.396322 IP 192.168.5.1.53 > 192.168.5.20.47894: 9052 2/0/0 CNAME kitsunemimi.pw., AAAA 2a00:7c80:0:1e8::f (94)
09:41:42.478205 IP 192.168.5.20.34290 > 93.190.143.88.80: Flags [S], seq 1791469177, win 64240, options [mss 1460,sackOK,TS val 3759803530 ecr 0,nop,wscale 7], length 0
09:41:42.478593 IP 93.190.143.88.80 > 192.168.5.20.34290: Flags [R.], seq 0, ack 1791469178, win 0, length 0
09:41:43.397997 IP 192.168.5.20.5353 > 224.0.0.251.5353: 0*- [0q] 4/0/0 (Cache flush) PTR Device.local., (Cache flush) A 192.168.5.20,

What are the logs showing?

How will they help us assist you with your son's gaming device?

Does he need to reach that DST IP?

If so, see @jow's suggestion:

This log is for accessing the main server list of Minetest on port 80, which should pass through the proxy.
But the problem is not in this log, sorry.

I assume you mean these are the DST IPs of your son's gaming server?

OK.

:spiral_notepad: I'm sure it's more than port 80, but start with creating the rule for port 80, you can add more later.

?

The same suggestion applies for the correct IPs and ports.

Otherwise, an alternative:

Then:

Tinyproxy's port is 8888; Minecraft reaches the internet through the proxy, but not the game server port 25565.

09:55:01.679975 IP 192.168.5.20 > 224.0.0.22: igmp v3 report, 1 group record(s)
09:55:03.922194 IP 192.168.5.20.41650 > 192.168.5.1.53: 37910+ SRV? _minecraft._tcp.mc.hypixel.net. (48)
09:55:03.922976 IP 192.168.5.1.53 > 192.168.5.20.41650: 37910 NXDomain 0/0/0 (48)
09:55:03.936477 IP 192.168.5.20.52498 > 209.222.114.109.25565: Flags [S], seq 1504213918, win 64240, options [mss 1460,sackOK,TS val 320075855 ecr 0,nop,wscale 7], length 0
09:55:03.936799 IP 209.222.114.109.25565 > 192.168.5.20.52498: Flags [R.], seq 0, ack 1504213919, win 0, length 0
09:55:04.750597 IP 192.168.5.1.8888 > 192.168.5.20.56216: Flags [F.], seq 3178235148, ack 1574920881, win 2003, options [nop,nop,TS val 203763869 ecr 1430035834], length 0
09:55:04.796070 IP 192.168.5.20.56216 > 192.168.5.1.8888: Flags [.], ack 1, win 501, options [nop,nop,TS val 1430101606 ecr 203763869], length 0
09:55:06.124099 IP 192.168.5.20 > 224.0.0.22: igmp v3 report, 1 group record(s)
09:55:06.336348 IP 192.168.5.20 > 224.0.0.22: igmp v3 report, 1 group record(s)
09:55:11.088982 IP 192.168.5.20.57866 > 192.168.5.1.53: 56207+ SRV? _minecraft._tcp.mc.hypixel.net. (48)
09:55:11.089705 IP 192.168.5.1.53 > 192.168.5.20.57866: 56207 NXDomain 0/0/0 (48)
09:55:11.093408 IP 192.168.5.20.38064 > 209.222.114.109.25565: Flags [S], seq 1181500727, win 64240, options [mss 1460,sackOK,TS val 320083012 ecr 0,nop,wscale 7], length 0
09:55:11.093724 IP 209.222.114.109.25565 > 192.168.5.20.38064: Flags [R.], seq 0, ack 1181500728, win 0, length 0

I need to allow all ports except 80, 443
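A quick check worth running over captures like the ones above before touching the firewall: every SYN in them is answered by a RST about 0.3 ms later. No packet reaches a public game server and comes back in that time, so those resets were generated on the local segment, which is what fw4 does when a forward is rejected. The script below is an added example for this thread, not code from the OP or from OpenWrt; it parses tcpdump's default text output, pairs each outbound SYN with the RST that answers it and classifies the round-trip time. The 2 ms threshold is an assumption, and the third SYN/RST pair in the sample (to 198.51.100.7) is invented to show what a reset that really comes from a remote host looks like.

```python
"""Pair each outbound TCP SYN with the RST that answers it and report the RTT.

Added example for this thread (not the OP's or OpenWrt's code).
"""
import re
from datetime import datetime

# Constructed sample in the shape of tcpdump's default text output. The first
# two SYN/RST pairs copy the timings seen in the thread; the third pair, to
# 198.51.100.7 (a documentation address), is invented as a contrast case.
SAMPLE = """\
09:55:03.936477 IP 192.168.5.20.52498 > 209.222.114.109.25565: Flags [S], seq 1504213918, win 64240, options [mss 1460,sackOK,TS val 320075855 ecr 0,nop,wscale 7], length 0
09:55:03.936799 IP 209.222.114.109.25565 > 192.168.5.20.52498: Flags [R.], seq 0, ack 1504213919, win 0, length 0
09:55:06.124099 IP 192.168.5.20 > 224.0.0.22: igmp v3 report, 1 group record(s)
09:55:11.093408 IP 192.168.5.20.38064 > 209.222.114.109.25565: Flags [S], seq 1181500727, win 64240, options [mss 1460,sackOK,TS val 320083012 ecr 0,nop,wscale 7], length 0
09:55:11.093724 IP 209.222.114.109.25565 > 192.168.5.20.38064: Flags [R.], seq 0, ack 1181500728, win 0, length 0
09:55:20.100000 IP 192.168.5.20.40000 > 198.51.100.7.25565: Flags [S], seq 1, win 64240, options [mss 1460], length 0
09:55:20.141000 IP 198.51.100.7.25565 > 192.168.5.20.40000: Flags [R.], seq 0, ack 2, win 0, length 0
"""

# Only TCP lines carry a "Flags [...]" field; ARP, IGMP and DNS lines don't match.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Assumption: a reply faster than this came from the local segment (the
# router), not from the Internet, where a round trip takes tens of ms.
LOCAL_THRESHOLD_MS = 2.0


def classify_resets(capture, local_threshold_ms=LOCAL_THRESHOLD_MS):
    """Return one finding per SYN that was answered with a RST."""
    pending = {}   # (src, sport, dst, dport) -> time the SYN was seen
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        ts = datetime.strptime(f["ts"], "%H:%M:%S.%f")
        if f["flags"] == "S":           # bare SYN; "S." would be a SYN-ACK
            pending[(f["src"], f["sport"], f["dst"], f["dport"])] = ts
        elif "R" in f["flags"]:
            # The RST travels the other way, so look up the reversed 4-tuple.
            syn_ts = pending.pop((f["dst"], f["dport"], f["src"], f["sport"]), None)
            if syn_ts is None:
                continue
            rtt_ms = (ts - syn_ts).total_seconds() * 1000.0
            findings.append({
                "target": f"{f['src']}:{f['sport']}",
                "rtt_ms": round(rtt_ms, 3),
                "verdict": "local-reject" if rtt_ms < local_threshold_ms else "remote-reset",
            })
    return findings


if __name__ == "__main__":
    for hit in classify_resets(SAMPLE):
        print(f"{hit['target']:<22} rtt={hit['rtt_ms']:>7.3f} ms  {hit['verdict']}")
```

Run it on a capture taken on the router with `tcpdump -ni br-lanp tcp` (interface name assumed). If every reset is classified as `local-reject`, the router itself is refusing the forward and no amount of NAT or port-forward sections will change that; look at the zone forwarding first.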

  • I would simply remove his device from the proxy and then block it from accessing 80 and 443
  • Since you haven't explained to us how clients use the proxy, it's difficult for us to explain in detail how to configure bypassing it

His (Debian) computer is configured to use the proxy.

  • So when he needs to game, turn the proxy off. :person_shrugging:
  • Set up rules as needed
  • Block 80 and 443

I don't have to give him permission for that

Can you give me an example, please?

Ummm no... you haven't explained anything that says you prevented your son from simply bypassing the proxy by turning it off. You haven't even explained why the people on this second LAN use the proxy.

I assume they could simply disable it.

To forward all ports except 80 and 443 to your son's gaming device?

Yes, please :slightly_smiling_face:

  • rule blocking 80 and 443 SRC port in wan to <sons_ip> in lanp

Then:

  • forward all from wan to <sons_ip> in lanp

:warning: this usually isn't needed btw and is unsafe

If you need full UCI syntax, please let me know.

:spiral_notepad: you may need to use sons_mac instead of IP to encompass IPv6 too.