nokoru
February 24, 2022, 1:20am
root@GL-MV1000:~# ubus call system board; uci export network; uci export dhcp; uci export firewall; head -n -0 /etc/firewall.user; iptables-save -c; ip -4 addr; ip -4 ro li tab all; ip -4 ru
{
"kernel": "4.14.221",
"hostname": "GL-MV1000",
"model": "GL.inet GL-MV1000",
"board_name": "gl-mv1000",
"release": {
"distribution": "OpenWrt",
"version": "19.07.7",
"revision": "r11306-c4a6851c72",
"target": "mvebu/cortexa53",
"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7f:467c:2b5f::/48'
config interface 'lan0'
option ifname 'lan0'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
config interface 'lan1'
option ifname 'lan1'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
config interface 'wan'
option ifname 'wan'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option force '1'
option dhcpv6 'disabled'
option ra 'disabled'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain 'localhost'
option name 'console.gl-inet.com'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan0'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
list network 'lan0'
config zone
option name 'lan1'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
list network 'lan1'
config zone
option name 'wan'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
list network 'wan'
config forwarding
option src 'lan0'
option dest 'lan1'
config forwarding
option src 'lan1'
option dest 'lan0'
config redirect
option src 'lan1'
option src_dip '192.168.9.1'
option src_port '25000'
option src_dport '25000'
option dest_ip '224.10.10.11'
option target 'DNAT'
config redirect
option src 'lan0'
option src_dip '224.10.10.10'
option src_port '25000'
option src_dport '25000'
option dest_ip '192.168.9.123'
option target 'DNAT'
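# Force all LAN DNS traffic through the router's resolver (GL.iNet "force DNS").
#
# Usage: force_dns add|remove
#
#   add    - DNAT every TCP/UDP destination-port-53 packet arriving on a br-*
#            interface to the LAN address, and remember that address in
#            glconfig.general.ipaddr so a later call can delete the rule that
#            was actually installed (the LAN address may change in between).
#            If tor is running, additionally REDIRECT br-lan DNS to tor's
#            DNSPort (9053).
#   remove - delete the rules installed by "add".
#
# Returns 0 on success, 1 when no LAN address is available, 2 on a bad action.
#
# Fix: the original derived the DNAT target from network.lan.ipaddr and, when
# that key was unset (this device has lan0/lan1 and no "lan" interface, see
# the network export), still ran "iptables ... -j DNAT --to" with an empty
# target and committed an empty glconfig.general.ipaddr. We now refuse to
# install anything without an address. Probes that are expected to fail
# (-C / -D) are silenced so a normal run does not spam the log.
#
# NOTE(review): the "-i br-+" match only fits interfaces named br-*; on a
# lan0/lan1 layout without a bridge these rules would never match even with a
# valid address — confirm before relying on this for DNS enforcement.
force_dns() {
    local action="$1"
    local lanip saved_ip tor_running proto

    # Address to redirect DNS to (empty on networks with no "lan" interface).
    lanip=$(uci -q get network.lan.ipaddr)
    # Address recorded by the previous "add"; falls back to the current one.
    saved_ip=$(uci -q get glconfig.general.ipaddr)
    [ -n "$saved_ip" ] || saved_ip="$lanip"
    # Non-empty iff the tor daemon is running. The [/] bracket keeps grep from
    # matching its own command line, replacing the original "grep -v grep".
    tor_running=$(ps | grep '[/]usr/sbin/tor')

    case "$action" in
    add)
        if [ -z "$lanip" ]; then
            echo "force_dns: network.lan.ipaddr is unset, not installing DNS redirect" >&2
            return 1
        fi
        # Drop rules pointing at the previously recorded address, then record
        # the current one so "remove" can find these rules later.
        for proto in udp tcp; do
            iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p "$proto" --dport 53 -j DNAT --to "$saved_ip" 2>/dev/null
        done
        uci set glconfig.general.ipaddr="$lanip"
        uci commit glconfig
        # Insert the DNAT rules for the current address, idempotently.
        for proto in udp tcp; do
            iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p "$proto" --dport 53 -j DNAT --to "$lanip" 2>/dev/null ||
                iptables -t nat -I PREROUTING -i br-+ -s 0/0 -p "$proto" --dport 53 -j DNAT --to "$lanip"
        done
        if [ -n "$tor_running" ]; then
            # With tor up, br-lan DNS is redirected to tor's DNSPort instead.
            for proto in tcp udp; do
                iptables -t nat -C PREROUTING -i br-lan -p "$proto" -m "$proto" --dport 53 -j REDIRECT --to-ports 9053 2>/dev/null ||
                    iptables -t nat -I PREROUTING -i br-lan -p "$proto" -m "$proto" --dport 53 -j REDIRECT --to-ports 9053
            done
        fi
        ;;
    remove)
        # Only rules with a known target can be matched for deletion.
        if [ -n "$saved_ip" ]; then
            for proto in udp tcp; do
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p "$proto" --dport 53 -j DNAT --to "$saved_ip" 2>/dev/null &&
                    iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p "$proto" --dport 53 -j DNAT --to "$saved_ip"
            done
        fi
        if [ -n "$tor_running" ]; then
            for proto in tcp udp; do
                iptables -t nat -D PREROUTING -i br-lan -p "$proto" -m "$proto" --dport 53 -j REDIRECT --to-ports 9053 2>/dev/null
            done
        fi
        ;;
    *)
        echo "usage: force_dns add|remove" >&2
        return 2
        ;;
    esac
    return 0
}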
# Apply the "force DNS" setting: any non-empty value of
# glconfig.general.force_dns enables the redirect, an unset or empty value
# removes it. (Reading without -q is deliberate and matches the original:
# an unset key logs "Entry not found" on stderr.)
force=$(uci get glconfig.general.force_dns)
case "$force" in
    "") force_dns remove ;;
    *)  force_dns add ;;
esac
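# GL.iNet's vendor firewall script (not shown here; presumably what populates
# the GL_SPEC_* chains seen in the iptables dump — verify on the device).
gl-firewall
# PPTP passthrough for connections the router itself originates: attach the
# pptp conntrack helper to outbound TCP/1723 so the related GRE channel is
# tracked. "-C || -A" keeps this idempotent across firewall reloads without
# the original's momentary rule removal and without a failing -D on first run.
# NOTE(review): conntrack helpers widen the kernel's attack surface; fw3
# already assigns them per ingress zone in the raw table, so keep this rule
# only if the router's own PPTP client is actually used.
iptables -t raw -C OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp 2>/dev/null ||
    iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp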
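# Increase TTL by 1 on multicast 224.10.10.10:25000 traffic entering lan0
# (presumably because the sender emits it with TTL 1 and the router would
# otherwise not forward it to lan1 — confirm with a capture). This lives in
# mangle PREROUTING, which runs before the nat PREROUTING DNAT, so matching
# on the multicast destination is still correct here.
# Keep the match this narrow: the TTL bump overrides the sender's scope
# limit, so a broader rule would let any TTL-1 traffic cross the zones.
# "-C || -A" makes the block idempotent across firewall reloads and avoids
# the error from an unconditional -D on first run.
for proto in tcp udp; do
    iptables -t mangle -C PREROUTING -i lan0 -p "$proto" -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1 2>/dev/null ||
        iptables -t mangle -A PREROUTING -i lan0 -p "$proto" -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1
done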
# Generated by iptables-save v1.8.3 on Wed Feb 23 09:48:42 2022
*nat
:PREROUTING ACCEPT [22:1229]
:INPUT ACCEPT [3:200]
:OUTPUT ACCEPT [23:1776]
:POSTROUTING ACCEPT [34:2216]
:GL_SPEC_DMZ - [0:0]
:postrouting_lan0_rule - [0:0]
:postrouting_lan1_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan0_rule - [0:0]
:prerouting_lan1_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan0_postrouting - [0:0]
:zone_lan0_prerouting - [0:0]
:zone_lan1_postrouting - [0:0]
:zone_lan1_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[81:45022] -A PREROUTING -j GL_SPEC_DMZ
[71:42095] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[51:40970] -A PREROUTING -i lan0 -m comment --comment "!fw3" -j zone_lan0_prerouting
[20:1125] -A PREROUTING -i lan1 -m comment --comment "!fw3" -j zone_lan1_prerouting
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[34:2216] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o lan0 -m comment --comment "!fw3" -j zone_lan0_postrouting
[12:480] -A POSTROUTING -o lan1 -m comment --comment "!fw3" -j zone_lan1_postrouting
[15:1260] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan0_postrouting -m comment --comment "!fw3: Custom lan0 postrouting rule chain" -j postrouting_lan0_rule
[51:40970] -A zone_lan0_prerouting -m comment --comment "!fw3: Custom lan0 prerouting rule chain" -j prerouting_lan0_rule
[0:0] -A zone_lan0_prerouting -d 224.10.10.10/32 -p tcp -m tcp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.9.123:25000
[49:40866] -A zone_lan0_prerouting -d 224.10.10.10/32 -p udp -m udp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.9.123:25000
[12:480] -A zone_lan1_postrouting -m comment --comment "!fw3: Custom lan1 postrouting rule chain" -j postrouting_lan1_rule
[20:1125] -A zone_lan1_prerouting -m comment --comment "!fw3: Custom lan1 prerouting rule chain" -j prerouting_lan1_rule
[0:0] -A zone_lan1_prerouting -d 192.168.9.1/32 -p tcp -m tcp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 224.10.10.11:25000
[0:0] -A zone_lan1_prerouting -d 192.168.9.1/32 -p udp -m udp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 224.10.10.11:25000
[15:1260] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Feb 23 09:48:42 2022
# Generated by iptables-save v1.8.3 on Wed Feb 23 09:48:42 2022
*raw
:PREROUTING ACCEPT [281:61751]
:OUTPUT ACCEPT [264:38216]
:zone_lan0_helper - [0:0]
:zone_lan1_helper - [0:0]
:zone_wan_helper - [0:0]
[179:54082] -A PREROUTING -i lan0 -m comment --comment "!fw3: lan0 CT helper assignment" -j zone_lan0_helper
[31:2181] -A PREROUTING -i lan1 -m comment --comment "!fw3: lan1 CT helper assignment" -j zone_lan1_helper
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3: wan CT helper assignment" -j zone_wan_helper
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Wed Feb 23 09:48:42 2022
# Generated by iptables-save v1.8.3 on Wed Feb 23 09:48:42 2022
*mangle
:PREROUTING ACCEPT [54:13852]
:INPUT ACCEPT [40:2176]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:20456]
:POSTROUTING ACCEPT [77:20456]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_rules - [0:0]
[286:62761] -A PREROUTING -j mwan3_hook
[271:42844] -A OUTPUT -j mwan3_hook
[107:46137] -A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
[557:105605] -A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
[99:44925] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
[99:44925] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
[27:1916] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
[557:105605] -A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
[58:4708] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
[4:336] -A mwan3_policy_default_poli -o wan -m mark --mark 0x0/0x3f00 -m comment --comment "out wan wan" -j MARK --set-xmark 0x3f00/0x3f00
[0:0] -A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[4:336] -A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT
# Completed on Wed Feb 23 09:48:42 2022
# Generated by iptables-save v1.8.3 on Wed Feb 23 09:48:42 2022
*filter
:INPUT ACCEPT [1:40]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:forwarding_lan0_rule - [0:0]
:forwarding_lan1_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan0_rule - [0:0]
:input_lan1_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan0_rule - [0:0]
:output_lan1_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan0_dest_ACCEPT - [0:0]
:zone_lan0_forward - [0:0]
:zone_lan0_input - [0:0]
:zone_lan0_output - [0:0]
:zone_lan0_src_ACCEPT - [0:0]
:zone_lan1_dest_ACCEPT - [0:0]
:zone_lan1_forward - [0:0]
:zone_lan1_input - [0:0]
:zone_lan1_output - [0:0]
:zone_lan1_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[229:20832] -A INPUT -j GL_SPEC_OPENING
[71:5488] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[150:14688] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[135:13392] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:104] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[3:144] -A INPUT -i lan0 -m comment --comment "!fw3" -j zone_lan0_input
[12:1152] -A INPUT -i lan1 -m comment --comment "!fw3" -j zone_lan1_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[11:572] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i lan0 -m comment --comment "!fw3" -j zone_lan0_forward
[11:572] -A FORWARD -i lan1 -m comment --comment "!fw3" -j zone_lan1_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[11:572] -A FORWARD -m comment --comment "!fw3" -j reject
[71:5488] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[208:40112] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[190:38732] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:40] -A OUTPUT -o lan0 -m comment --comment "!fw3" -j zone_lan0_output
[2:80] -A OUTPUT -o lan1 -m comment --comment "!fw3" -j zone_lan1_output
[15:1260] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[11:572] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2:104] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:40] -A zone_lan0_dest_ACCEPT -o lan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan0_forward -m comment --comment "!fw3: Custom lan0 forwarding rule chain" -j forwarding_lan0_rule
[0:0] -A zone_lan0_forward -m comment --comment "!fw3: Zone lan0 to lan1 forwarding policy" -j zone_lan1_dest_ACCEPT
[0:0] -A zone_lan0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan0_forward -m comment --comment "!fw3" -j zone_lan0_dest_ACCEPT
[3:144] -A zone_lan0_input -m comment --comment "!fw3: Custom lan0 input rule chain" -j input_lan0_rule
[0:0] -A zone_lan0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3:144] -A zone_lan0_input -m comment --comment "!fw3" -j zone_lan0_src_ACCEPT
[1:40] -A zone_lan0_output -m comment --comment "!fw3: Custom lan0 output rule chain" -j output_lan0_rule
[1:40] -A zone_lan0_output -m comment --comment "!fw3" -j zone_lan0_dest_ACCEPT
[2:104] -A zone_lan0_src_ACCEPT -i lan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2:80] -A zone_lan1_dest_ACCEPT -o lan1 -m comment --comment "!fw3" -j ACCEPT
[11:572] -A zone_lan1_forward -m comment --comment "!fw3: Custom lan1 forwarding rule chain" -j forwarding_lan1_rule
[11:572] -A zone_lan1_forward -m comment --comment "!fw3: Zone lan1 to lan0 forwarding policy" -j zone_lan0_dest_ACCEPT
[0:0] -A zone_lan1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[11:572] -A zone_lan1_forward -m comment --comment "!fw3" -j zone_lan1_dest_ACCEPT
[12:1152] -A zone_lan1_input -m comment --comment "!fw3: Custom lan1 input rule chain" -j input_lan1_rule
[0:0] -A zone_lan1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[12:1152] -A zone_lan1_input -m comment --comment "!fw3" -j zone_lan1_src_ACCEPT
[2:80] -A zone_lan1_output -m comment --comment "!fw3: Custom lan1 output rule chain" -j output_lan1_rule
[2:80] -A zone_lan1_output -m comment --comment "!fw3" -j zone_lan1_dest_ACCEPT
[12:1152] -A zone_lan1_src_ACCEPT -i lan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[15:1260] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[15:1260] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[15:1260] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Wed Feb 23 09:48:42 2022
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: wan@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
inet 192.168.10.1/24 brd 192.168.10.255 scope global wan
valid_lft forever preferred_lft forever
4: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.8.1/24 brd 192.168.8.255 scope global lan0
valid_lft forever preferred_lft forever
5: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.9.1/24 brd 192.168.9.255 scope global lan1
valid_lft forever preferred_lft forever
192.168.8.0/24 dev lan0 proto kernel scope link src 192.168.8.1
192.168.9.0/24 dev lan1 proto kernel scope link src 192.168.9.1
192.168.10.0/24 dev wan proto kernel scope link src 192.168.10.1 linkdown
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.8.0 dev lan0 table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev lan0 table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev lan0 table local proto kernel scope link src 192.168.8.1
broadcast 192.168.9.0 dev lan1 table local proto kernel scope link src 192.168.9.1
local 192.168.9.1 dev lan1 table local proto kernel scope host src 192.168.9.1
broadcast 192.168.9.255 dev lan1 table local proto kernel scope link src 192.168.9.1
broadcast 192.168.10.0 dev wan table local proto kernel scope link src 192.168.10.1 linkdown
local 192.168.10.1 dev wan table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev wan table local proto kernel scope link src 192.168.10.1 linkdown
0: from all lookup local
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
I added the commands used to increment TTL in /etc/firewall.user
nokoru
February 25, 2022, 1:26am
Strange the initscript for mwan3 is shown to be disabled on luci.
I checked using ps | grep mwan3
and it seems that mwan3rtmon and mwan3track are still running. How do I disable them? They are not listed by LuCI, and I could not find anything for them in /etc/init.d.
In order to work around the issue with mwan3 running processes, I did the following steps, including the actions you listed:
removed every line except the TTL incrementing commands in firewall.user
added mroute from lan0 group 224.10.10.10 to lan1
reboot
ps | grep mwan3
and killed both mwan3rtmon and mwan3track
fw3 flush
(in hindsight, this makes step 1 somewhat pointless)
service firewall restart
to get back rules added in /etc/config/firewall
manually issued the TTL incrementing commands to get back rules added in /etc/firewall.user
Still does not seem to get me any closer to my objective.
There are hits to the TTL chain, hits to the DNAT chain, no hit to forward chain, tcpdump shows no packet outputting on lan1 and Wireshark on receiving device shows the same.
trendy
February 25, 2022, 9:58am
There should be an init script under /etc/init.d/
which you can use to stop the service and disable it from running in the next boot.
nokoru:
Still does not seem to get me any closer to my objective.
There are hits to the TTL chain, hits to the DNAT chain, no hit to forward chain, tcpdump shows no packet outputting on lan1 and Wireshark on receiving device shows the same.
I suspect that the DNAT is applied too early, so smcroute can no longer match the packet on its multicast address. Run a tcpdump on all interfaces (e.g. `tcpdump -i any -vv`) to see where it is sent, and make it verbose to check whether there is something odd in the packet contents.
nokoru
February 25, 2022, 10:32am
I do not see a file called "init script". I did, however, find /etc/init.d/mwan3 — but is using that any different from what I already did, which was `/etc/init.d/mwan3 disable`? Do I need to delete the file instead?
I had in fact tried the same thing a week ago, the "same thing" being adding a multicast route with smcroute to route packets with destination 224.10.10.10 from lan0 to lan1. The reason the multicast packet is not sent may be that the receiving device does not subscribe to the group 224.10.10.10. In combination with the added route, setting multicast_to_unicast to '1' on lan1 does result in the multicast packet being sent out. However, this is not what I want, as the destination address then still remains multicast.
trendy
February 25, 2022, 11:58am
I meant the mwan3 init script. If you ran `/etc/init.d/mwan3 stop` and then `/etc/init.d/mwan3 disable`, the processes should be killed and not started again on the next boot. If not, something else is wrong in your installation.
The problem is that you cannot apply the DNAT at that stage. Check where the packet goes, or whether it is dropped by the firewall, and post a packet capture here.
nokoru
February 28, 2022, 8:24am
You mean with option multicast_to_unicast '1'
or without?
Here are the outputs for the changes suggested 4days ago (without option multicast_to_unicast '1'
):
root@GL-MV1000:~# ubus call system board; uci export network; uci export dhcp; uci export firewall; head -n -0 /etc/firewall.user; iptables-save -c; ip -4 addr; ip -4 ro li tab all; ip -4 ru
{
"kernel": "4.14.221",
"hostname": "GL-MV1000",
"model": "GL.inet GL-MV1000",
"board_name": "gl-mv1000",
"release": {
"distribution": "OpenWrt",
"version": "19.07.7",
"revision": "r11306-c4a6851c72",
"target": "mvebu/cortexa53",
"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7f:467c:2b5f::/48'
config interface 'lan0'
option ifname 'lan0'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
config interface 'lan1'
option ifname 'lan1'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
config interface 'wan'
option ifname 'wan'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option force '1'
option dhcpv6 'disabled'
option ra 'disabled'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain 'localhost'
option name 'console.gl-inet.com'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan0'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
list network 'lan0'
config zone
option name 'lan1'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
list network 'lan1'
config zone
option name 'wan'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
list network 'wan'
config forwarding
option src 'lan0'
option dest 'lan1'
config forwarding
option src 'lan1'
option dest 'lan0'
config redirect
option src 'lan1'
option src_dip '192.168.9.1'
option src_port '25000'
option src_dport '25000'
option dest_ip '224.10.10.11'
option target 'DNAT'
config redirect
option src 'lan0'
option src_dip '224.10.10.10'
option src_port '25000'
option src_dport '25000'
option dest_ip '192.168.9.123'
option target 'DNAT'
# Bump the TTL by one on traffic for 224.10.10.10 port 25000 that enters on
# lan0, for both TCP and UDP, before the routing decision (mangle PREROUTING).
# Each rule is deleted before it is appended so that re-running this file
# does not stack duplicate copies; the -D simply fails on the very first run,
# which is harmless here.
for proto in tcp udp; do
  iptables -t mangle -D PREROUTING -i lan0 -p "$proto" -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1
  iptables -t mangle -A PREROUTING -i lan0 -p "$proto" -d 224.10.10.10 --sport 25000 --dport 25000 -j TTL --ttl-inc 1
done
# Generated by iptables-save v1.8.3 on Fri Feb 25 03:22:05 2022
*nat
:PREROUTING ACCEPT [30:1752]
:INPUT ACCEPT [13:684]
:OUTPUT ACCEPT [6:512]
:POSTROUTING ACCEPT [6:512]
:postrouting_lan0_rule - [0:0]
:postrouting_lan1_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan0_rule - [0:0]
:prerouting_lan1_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan0_postrouting - [0:0]
:zone_lan0_prerouting - [0:0]
:zone_lan1_postrouting - [0:0]
:zone_lan1_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[302:228600] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[292:228080] -A PREROUTING -i lan0 -m comment --comment "!fw3" -j zone_lan0_prerouting
[10:520] -A PREROUTING -i lan1 -m comment --comment "!fw3" -j zone_lan1_prerouting
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[5:392] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:120] -A POSTROUTING -o lan0 -m comment --comment "!fw3" -j zone_lan0_postrouting
[0:0] -A POSTROUTING -o lan1 -m comment --comment "!fw3" -j zone_lan1_postrouting
[0:0] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[1:120] -A zone_lan0_postrouting -m comment --comment "!fw3: Custom lan0 postrouting rule chain" -j postrouting_lan0_rule
[292:228080] -A zone_lan0_prerouting -m comment --comment "!fw3: Custom lan0 prerouting rule chain" -j prerouting_lan0_rule
[0:0] -A zone_lan0_prerouting -d 224.10.10.10/32 -p tcp -m tcp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.9.123:25000
[272:226848] -A zone_lan0_prerouting -d 224.10.10.10/32 -p udp -m udp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.168.9.123:25000
[0:0] -A zone_lan1_postrouting -m comment --comment "!fw3: Custom lan1 postrouting rule chain" -j postrouting_lan1_rule
[10:520] -A zone_lan1_prerouting -m comment --comment "!fw3: Custom lan1 prerouting rule chain" -j prerouting_lan1_rule
[0:0] -A zone_lan1_prerouting -d 192.168.9.1/32 -p tcp -m tcp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 224.10.10.11:25000
[0:0] -A zone_lan1_prerouting -d 192.168.9.1/32 -p udp -m udp --sport 25000 --dport 25000 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 224.10.10.11:25000
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Feb 25 03:22:05 2022
# Generated by iptables-save v1.8.3 on Fri Feb 25 03:22:05 2022
*raw
:PREROUTING ACCEPT [1681:502130]
:OUTPUT ACCEPT [2332:1554944]
:zone_lan0_helper - [0:0]
:zone_lan1_helper - [0:0]
:zone_wan_helper - [0:0]
[1637:499354] -A PREROUTING -i lan0 -m comment --comment "!fw3: lan0 CT helper assignment" -j zone_lan0_helper
[10:520] -A PREROUTING -i lan1 -m comment --comment "!fw3: lan1 CT helper assignment" -j zone_lan1_helper
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3: wan CT helper assignment" -j zone_wan_helper
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan0_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan0_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan1_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan1_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_wan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_wan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Fri Feb 25 03:22:05 2022
# Generated by iptables-save v1.8.3 on Fri Feb 25 03:22:05 2022
*mangle
:PREROUTING ACCEPT [1643:492644]
:INPUT ACCEPT [1363:272234]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2311:1555444]
:POSTROUTING ACCEPT [2311:1555444]
[0:0] -A PREROUTING -d 224.10.10.10/32 -i lan0 -p tcp -m tcp --sport 25000 --dport 25000 -j TTL --ttl-inc 1
[263:219342] -A PREROUTING -d 224.10.10.10/32 -i lan0 -p udp -m udp --sport 25000 --dport 25000 -j TTL --ttl-inc 1
COMMIT
# Completed on Fri Feb 25 03:22:05 2022
# Generated by iptables-save v1.8.3 on Fri Feb 25 03:22:05 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan0_rule - [0:0]
:forwarding_lan1_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan0_rule - [0:0]
:input_lan1_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan0_rule - [0:0]
:output_lan1_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan0_dest_ACCEPT - [0:0]
:zone_lan0_forward - [0:0]
:zone_lan0_input - [0:0]
:zone_lan0_output - [0:0]
:zone_lan0_src_ACCEPT - [0:0]
:zone_lan1_dest_ACCEPT - [0:0]
:zone_lan1_forward - [0:0]
:zone_lan1_input - [0:0]
:zone_lan1_output - [0:0]
:zone_lan1_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[32:2176] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1375:272638] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1362:271954] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[12:624] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[13:684] -A INPUT -i lan0 -m comment --comment "!fw3" -j zone_lan0_input
[0:0] -A INPUT -i lan1 -m comment --comment "!fw3" -j zone_lan1_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i lan0 -m comment --comment "!fw3" -j zone_lan0_forward
[0:0] -A FORWARD -i lan1 -m comment --comment "!fw3" -j zone_lan1_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[32:2176] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2331:1560952] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2328:1560592] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:360] -A OUTPUT -o lan0 -m comment --comment "!fw3" -j zone_lan0_output
[0:0] -A OUTPUT -o lan1 -m comment --comment "!fw3" -j zone_lan1_output
[0:0] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[12:624] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[3:360] -A zone_lan0_dest_ACCEPT -o lan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan0_forward -m comment --comment "!fw3: Custom lan0 forwarding rule chain" -j forwarding_lan0_rule
[0:0] -A zone_lan0_forward -m comment --comment "!fw3: Zone lan0 to lan1 forwarding policy" -j zone_lan1_dest_ACCEPT
[0:0] -A zone_lan0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan0_forward -m comment --comment "!fw3" -j zone_lan0_dest_ACCEPT
[13:684] -A zone_lan0_input -m comment --comment "!fw3: Custom lan0 input rule chain" -j input_lan0_rule
[0:0] -A zone_lan0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[13:684] -A zone_lan0_input -m comment --comment "!fw3" -j zone_lan0_src_ACCEPT
[3:360] -A zone_lan0_output -m comment --comment "!fw3: Custom lan0 output rule chain" -j output_lan0_rule
[3:360] -A zone_lan0_output -m comment --comment "!fw3" -j zone_lan0_dest_ACCEPT
[13:684] -A zone_lan0_src_ACCEPT -i lan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan1_dest_ACCEPT -o lan1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan1_forward -m comment --comment "!fw3: Custom lan1 forwarding rule chain" -j forwarding_lan1_rule
[0:0] -A zone_lan1_forward -m comment --comment "!fw3: Zone lan1 to lan0 forwarding policy" -j zone_lan0_dest_ACCEPT
[0:0] -A zone_lan1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan1_forward -m comment --comment "!fw3" -j zone_lan1_dest_ACCEPT
[0:0] -A zone_lan1_input -m comment --comment "!fw3: Custom lan1 input rule chain" -j input_lan1_rule
[0:0] -A zone_lan1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan1_input -m comment --comment "!fw3" -j zone_lan1_src_ACCEPT
[0:0] -A zone_lan1_output -m comment --comment "!fw3: Custom lan1 output rule chain" -j output_lan1_rule
[0:0] -A zone_lan1_output -m comment --comment "!fw3" -j zone_lan1_dest_ACCEPT
[0:0] -A zone_lan1_src_ACCEPT -i lan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Fri Feb 25 03:22:05 2022
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: wan@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
inet 192.168.10.1/24 brd 192.168.10.255 scope global wan
valid_lft forever preferred_lft forever
4: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.8.1/24 brd 192.168.8.255 scope global lan0
valid_lft forever preferred_lft forever
5: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.9.1/24 brd 192.168.9.255 scope global lan1
valid_lft forever preferred_lft forever
192.168.8.0/24 dev lan0 proto kernel scope link src 192.168.8.1
192.168.9.0/24 dev lan1 proto kernel scope link src 192.168.9.1
192.168.10.0/24 dev wan proto kernel scope link src 192.168.10.1 linkdown
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.8.0 dev lan0 table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev lan0 table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev lan0 table local proto kernel scope link src 192.168.8.1
broadcast 192.168.9.0 dev lan1 table local proto kernel scope link src 192.168.9.1
local 192.168.9.1 dev lan1 table local proto kernel scope host src 192.168.9.1
broadcast 192.168.9.255 dev lan1 table local proto kernel scope link src 192.168.9.1
broadcast 192.168.10.0 dev wan table local proto kernel scope link src 192.168.10.1 linkdown
local 192.168.10.1 dev wan table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev wan table local proto kernel scope link src 192.168.10.1 linkdown
0: from all lookup local
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
root@GL-MV1000:~# tcpdump -i lan1 -evn udp port 25000
tcpdump: listening on lan1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
mgroup from lan1 group 224.10.10.11
mroute from lan1 group 224.10.10.11 to lan0
mroute from lan0 group 224.10.10.10 to lan1
Note that the tcpdump command was left running for a few minutes while the packets were being sent out once every second.
trendy
February 28, 2022, 3:07pm
30
You can try both.
Okay it doesn't seem to go out of lan1. What about lan0 or wan?
Then enable logging on the firewall to verify whether it is dropped at some point. We can see that packets hit the DNAT rule in prerouting, but that counter is incremented before the rule rewrites the packet; afterwards the destination address is no longer 224.10.10.10, so smcroute will not catch it.
nokoru
March 8, 2022, 7:47am
31
According to the various iptables flow charts I found using Google, the next chain entered after nat PREROUTING and the routing process is either mangle INPUT or mangle FORWARD. Hence, I added logging in those chains.
# Append a LOG rule to the given mangle-table chain.
#   $1 - chain (INPUT or FORWARD)
#   $2 - address match flag (-s or -d)
#   $3 - IPv4 address to match
log_rule() {
  iptables -t mangle -A "$1" "$2" "$3" -j LOG
}

# Log every packet reaching INPUT or FORWARD that involves the sending host,
# the unicast target, or the multicast group under test.
for chain in INPUT FORWARD; do
  log_rule "$chain" -s 192.168.8.123
  log_rule "$chain" -d 192.168.9.123
  log_rule "$chain" -d 224.10.10.10
done
All of them had 0 hits. Does this mean that the routing process somehow failed? logread is empty as well.
trendy
March 8, 2022, 9:17am
32
Use `-I` instead of `-A` to make sure that the logging rule is first in the chain.
nokoru
March 8, 2022, 9:18am
33
There is no other entry in the chains. The chains were empty before I added the logs.
trendy
March 8, 2022, 11:06am
34
Are other unicast packets flowing without problems, and do you see hits on the mangle log rules you added?
nokoru
March 9, 2022, 1:16am
35
I believe the 4 rules with unicast source/destination addresses should be able to pick it up. However, as I mentioned, there were 0 hits and logread shows an empty log.
Is there any reason packets would be dropped during the routing decision?
trendy
March 9, 2022, 7:47am
36
Not by the firewall. Firewall is dropping packets during the filter table rule evaluation.
nokoru
March 9, 2022, 8:19am
37
I do not quite understand what you mean.
Did you mean to say "The packets are not dropped by the firewall; the firewall only drops packets during the filter table rule evaluation"? If so, I agree, as I suspect they were dropped during routing instead, as mentioned in my previous reply.
Or is there a mistake in your reply, and you actually meant to say "No, it is dropped by the firewall; the firewall is dropping packets during the filter table rule evaluation"?
trendy
March 9, 2022, 8:22am
38
Number one is closer to what I wanted to say.
If you don't see anything in the logs or any hits on the firewall log rules, then it is most likely dropped somewhere else, not by the firewall, because the firewall drops packets when it evaluates the rules in the filter table.
nokoru
March 10, 2022, 2:10am
39
If anyone has any idea please feel free to share.
Currently, the implemented solution is a custom application, residing in the router, that receives specific packets and sends them out as multicast or unicast depending on the packet received.
Despite having a working solution, I am trying to find a more efficient solution that uses the kernel firewall and routing instead.
sxd
November 26, 2022, 6:53am
40
A multicast packet's pkt_type is PACKET_MULTICAST, and ip_forward only forwards packets whose pkt_type is PACKET_HOST. iptables (at layer 3) cannot change the pkt_type (a layer-2 attribute), so you first need ebtables, or iptables together with br_netfilter, to change the multicast packet's pkt_type to PACKET_HOST; only then can the iptables DNAT rule work for multicast-to-unicast.
ebtables' BROUTING and PREROUTING chains both change a multicast packet's pkt_type to PACKET_HOST automatically.