I am having trouble connecting to my openvpn server.
firewall
config rule
option name 'Allow-OpenVPN-Server'
option src 'wan'
option target 'ACCEPT'
option proto 'udp'
option dest_port '1194'
Server Log
Thu Mar 14 11:39:58 2019 us=815037 OpenVPN 2.4.5 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Mar 14 11:39:58 2019 us=815251 library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.10
Thu Mar 14 11:39:58 2019 us=817700 Diffie-Hellman initialized with 4096 bit key
Thu Mar 14 11:39:58 2019 us=819692 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Mar 14 11:39:58 2019 us=819764 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 14 11:39:58 2019 us=819805 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Mar 14 11:39:58 2019 us=819849 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Mar 14 11:39:58 2019 us=819895 TLS-Auth MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Thu Mar 14 11:39:58 2019 us=820427 TUN/TAP device tun_server opened
Thu Mar 14 11:39:58 2019 us=820549 TUN/TAP TX queue length set to 100
Thu Mar 14 11:39:58 2019 us=820600 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar 14 11:39:58 2019 us=820672 /sbin/ifconfig tun_server 10.6.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.6.0.255
Thu Mar 14 11:39:58 2019 us=824922 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Mar 14 11:39:58 2019 us=825037 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Mar 14 11:39:58 2019 us=825097 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Mar 14 11:39:58 2019 us=825152 UDPv4 link local (bound): [AF_INET][undef]:1194
Thu Mar 14 11:39:58 2019 us=825189 UDPv4 link remote: [AF_UNSPEC]
Thu Mar 14 11:39:58 2019 us=825239 GID set to nogroup
Thu Mar 14 11:39:58 2019 us=825287 UID set to nobody
Thu Mar 14 11:39:58 2019 us=825332 MULTI: multi_init called, r=256 v=256
Thu Mar 14 11:39:58 2019 us=825410 IFCONFIG POOL: base=10.6.0.2 size=252, ipv6=0
Thu Mar 14 11:39:58 2019 us=825501 Initialization Sequence Completed
Client Log
2019-49-14 11:49:30 1
2019-49-14 11:49:30 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct 3 2018 06:35:04
2019-49-14 11:49:30 Frame=512/2048/512 mssfix-ctrl=1250
2019-49-14 11:49:30 UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-tun]
7 [persist-key]
8 [auth-nocache]
12 [verb] [5]
2019-49-14 11:49:30 EVENT: RESOLVE
2019-49-14 11:49:31 Contacting [server_ip]:1194/UDP via UDP
2019-49-14 11:49:31 EVENT: WAIT
2019-49-14 11:49:31 Connecting to [server_hostname]:1194 (server_ip) via UDPv4
2019-49-14 11:49:41 Server poll timeout, trying next remote entry...
2019-49-14 11:49:41 EVENT: RECONNECTING
2019-49-14 11:49:41 EVENT: RESOLVE
2019-49-14 11:49:41 Contacting [server_ip]:1194/UDP via UDP
2019-49-14 11:49:41 EVENT: WAIT
2019-49-14 11:49:41 Connecting to [server_hostname]:1194 (server_ip) via UDPv4
2019-49-14 11:49:51 Server poll timeout, trying next remote entry...
2019-49-14 11:49:51 EVENT: RECONNECTING
2019-49-14 11:49:51 EVENT: RESOLVE
2019-49-14 11:49:51 Contacting [server_ip]:1194/UDP via UDP
2019-49-14 11:49:51 EVENT: WAIT
2019-49-14 11:49:51 Connecting to [server_hostname]:1194 (server_ip) via UDPv4
2019-50-14 11:50:01 EVENT: CONNECTION_TIMEOUT [ERR]
2019-50-14 11:50:01 Raw stats on disconnect:
BYTES_OUT : 1620
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 2
2019-50-14 11:50:01 Performance stats on disconnect:
CPU usage (microseconds): 69393
Network bytes per CPU second: 23345
Tunnel bytes per CPU second: 0
2019-50-14 11:50:01 EVENT: DISCONNECTED
2019-50-14 11:50:01 Raw stats on disconnect:
BYTES_OUT : 1620
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 2
2019-50-14 11:50:01 Performance stats on disconnect:
CPU usage (microseconds): 69960
Network bytes per CPU second: 23156
Tunnel bytes per CPU second: 0
Server Config
config openvpn 'OpenVPN_Server'
option dev_type 'tun'
option dev 'tun_server'
option proto 'udp'
option port '1194'
option server '10.6.0.0 255.255.255.0'
option topology 'subnet'
option ifconfig '10.6.0.1 255.255.255.0'
list push 'route 192.168.1.0 255.255.255.0'
option ca '/etc/openvpn/server/ca.crt'
option dh '/etc/openvpn/server/dh.pem'
option tls_crypt '/etc/openvpn/server/tc.pem'
option cert '/etc/openvpn/server/vpnserver.crt'
option key '/etc/openvpn/server/vpnserver.key'
option cipher 'AES-256-CBC'
option auth 'SHA512'
option tls_server '1'
option tls_version_min '1.2'
option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'
option reneg_sec '1800'
option reneg_bytes '64000000'
option remote_cert_tls 'client'
option log '/tmp/openvpn.log'
option verb '5'
option keepalive '10 60'
option compress 'lzo'
option script_security '1'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option group 'nogroup'
option enabled '1'
Client Config
client
dev tun
proto udp
remote hostname 1194
resolv-retry infinite
nobind
persist-tun
persist-key
auth-nocache
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
verb 5
ca
cert
key
tls-crypt
I have configured everything using the OpenWrt wiki and this guide for security.
OpenVPN Server Hardening – OpenWRT TUN device | cave's tinker pit
vgaetera:
Verify your server domain name is resolved correctly.
Try to change port/protocol to 443/TCP.
Run tcpdump to monitor connection attempts.
It is resolved correctly.
Already did this, same results.
No activity on my tun_server interface.
vgaetera:
Verify your server has globally routed IP-address.
What exactly do you mean by that?
You need to capture connection requests on WAN-interface.
IP-address routing scope can be limited, so you won't be able to access it from the internet:
https://en.wikipedia.org/wiki/Reserved_IP_addresses
14:49:59.737041 IP CLIENT.dyn.telefonica.de.26957 > OVPNSERVER.1194: UDP, length 54
14:50:00.736085 IP CLIENT.dyn.telefonica.de.26957 > OVPNSERVER.1194: UDP, length 54
14:50:01.743656 IP CLIENT.dyn.telefonica.de.26957 > OVPNSERVER.1194: UDP, length 54
14:50:02.861802 IP CLIENT.dyn.telefonica.de.26957 > OVPNSERVER.1194: UDP, length 54
14:50:02.877199 IP OVPNSERVER > CLIENT.dyn.telefonica.de: ICMP host OVPNSERVER unreachable, length 90
14:50:02.877333 IP OVPNSERVER > CLIENT.dyn.telefonica.de: ICMP host OVPNSERVER unreachable, length 90
14:50:02.877420 IP OVPNSERVER > CLIENT.dyn.telefonica.de: ICMP host OVPNSERVER unreachable, length 90
14:50:02.877500 IP OVPNSERVER > CLIENT.dyn.telefonica.de: ICMP host OVPNSERVER unreachable, length 90
netstat -l -n -p | grep 1194
iptables-save | grep 1194
root@OPENWRT-ROUTER:~# netstat -l -n -p | grep 1194
udp 0 0 0.0.0.0:1194 0.0.0.0:* 2877/openvpn
root@OPENWRT-ROUTER:~# iptables-save | grep 1194
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Server" -j ACCEPT
Looks like your WAN-interface is not bound to WAN-zone properly.
uci show network; uci show firewall
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdda:450e:acb6::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ifname='eth2 eth3'
network.wan=interface
network.wan.proto='pppoe'
network.wan.username='@t-online.de'
network.wan.password=''
network.wan.ipv6='0'
network.wan.peerdns='0'
network.wan.dns='185.121.177.177 169.239.202.202'
network.wan.ifname='eth0.7'
network.modem=interface
network.modem.proto='static'
network.modem.ipaddr='192.168.0.2'
network.modem.netmask='255.255.255.0'
network.modem.ifname='eth1'
network.ovpn_server=interface
network.ovpn_server.proto='none'
network.ovpn_server.ifname='tun_server'
network.airvpn=interface
network.airvpn.proto='none'
network.airvpn.ifname='tun_airvpn'
network.ibvpn=interface
network.ibvpn.proto='none'
network.ibvpn.ifname='tap_ibvpn'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.1.5'
firewall.@redirect[0].name='VoIP FB-7412'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src_dport='5060'
firewall.@redirect[0].dest_port='5060'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_ip='192.168.1.5'
firewall.@redirect[1].name='VoIP FB-7412'
firewall.@redirect[1].proto='udp'
firewall.@redirect[1].src_dport='7078-7085'
firewall.@redirect[1].dest_port='7078-7085'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].name='DMZ Xbox One'
firewall.@redirect[2].dest_ip='192.168.1.31'
firewall.@redirect[2].proto='tcp udp'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan modem'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-OpenVPN-Server'
firewall.@rule[9].src='wan'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='1194'
firewall.@zone[2]=zone
firewall.@zone[2].name='airvpn'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='airvpn'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='airvpn'
firewall.@zone[3]=zone
firewall.@zone[3].name='ibvpn'
firewall.@zone[3].input='REJECT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].masq='1'
firewall.@zone[3].mtu_fix='1'
firewall.@zone[3].network='ibvpn'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='ibvpn'
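The reply above asks whether the WAN interface is really attached to the wan zone. The check can be done mechanically against the `uci show network; uci show firewall` output. The following Python script is an added example and not code from the thread or from OpenWrt; it parses the dump, resolves each zone's logical networks to kernel device names using OpenWrt's naming convention (an assumption stated in the code: `pppoe-<name>` for PPPoE interfaces, `br-<name>` for bridges, otherwise the configured `ifname`), and lists the ACCEPT rules that admit a given protocol and port from that zone. The sample input is a trimmed copy of the dump posted above.

```python
"""Cross-check an OpenWrt `uci show network; uci show firewall` dump.

Added example, not code from the thread or from OpenWrt: it mechanises the
question asked above (is the WAN interface really attached to the 'wan'
zone, and is there an ACCEPT rule for the OpenVPN port from that zone?).
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the dump posted above.
SAMPLE_UCI = """\
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth2 eth3'
network.wan=interface
network.wan.proto='pppoe'
network.wan.ifname='eth0.7'
network.modem=interface
network.modem.proto='static'
network.modem.ifname='eth1'
network.ovpn_server=interface
network.ovpn_server.proto='none'
network.ovpn_server.ifname='tun_server'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].network='wan modem'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-OpenVPN-Server'
firewall.@rule[9].src='wan'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='1194'
"""

# config.section[.option]=value ; the bare "section=type" line has no option part
LINE_RE = re.compile(r"^(?P<cfg>\w+)\.(?P<sec>[^.=]+)(?:\.(?P<opt>\w+))?=(?P<raw>.*)$")


def parse_value(raw):
    """uci quotes scalars as 'x' and prints list options as 'a' 'b' 'c'."""
    parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", raw.strip())]
    return parts[0] if len(parts) == 1 else parts


def as_list(value):
    """Normalise scalars like 'wan modem' and real lists to a Python list."""
    return value if isinstance(value, list) else str(value).split()


def parse_uci(text):
    """Return {config: {section: {option: value}}}; the section type from
    the 'config.section=type' line is stored under the key '.type'."""
    tree = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            tree[m["cfg"]][m["sec"]][m["opt"] or ".type"] = parse_value(m["raw"])
    return tree


def sections(tree, cfg, type_):
    return [s for s in tree[cfg].values() if s.get(".type") == type_]


def runtime_devices(tree, zone):
    """Kernel device names the zone's networks resolve to, following
    OpenWrt's naming convention (assumption): pppoe-<name> for PPPoE,
    br-<name> for bridges, otherwise the configured ifname(s)."""
    devices = []
    for name in as_list(zone.get("network", "")):
        net = tree["network"].get(name, {})
        if net.get("proto") == "pppoe":
            devices.append("pppoe-" + name)
        elif net.get("type") == "bridge":
            devices.append("br-" + name)
        else:
            devices.extend(as_list(net.get("ifname", "")))
    return devices


def check_exposure(tree, zone_name="wan", proto="udp", port="1194"):
    """Which devices feed the zone, what its input policy is, and which
    ACCEPT rules admit proto/port from it (exact ports only, no ranges)."""
    zone = next((z for z in sections(tree, "firewall", "zone")
                 if z.get("name") == zone_name), None)
    if zone is None:
        return {"zone_found": False}
    rules = [r.get("name") for r in sections(tree, "firewall", "rule")
             if r.get("src") == zone_name and r.get("target") == "ACCEPT"
             and proto in as_list(r.get("proto", ""))
             and port in as_list(r.get("dest_port", ""))]
    return {"zone_found": True,
            "networks": as_list(zone.get("network", "")),
            "devices": runtime_devices(tree, zone),
            "input_policy": zone.get("input"),
            "accept_rules": rules}


if __name__ == "__main__":
    print(check_exposure(parse_uci(SAMPLE_UCI)))
```

On the dump above the report confirms the wan zone covers `pppoe-wan` and `eth1` with an input policy of REJECT and exactly one accepting rule for udp/1194, which matches the `zone_wan_input` lines in the iptables-save output; run against the real router the script takes `uci show network; uci show firewall` on stdin in place of the sample.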
Wait, that's strange.
OpenWrt firewall shouldn't reject with that ICMP-type.
It should be icmp-port-unreachable for UDP:
# iptables-save | grep "j REJECT"
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
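The observation above (fw3's reject chain answers UDP with icmp-port-unreachable, so a "host unreachable" reply is not that chain speaking) is easy to check systematically over a capture. The script below is an added example and not code from the thread; it parses tcpdump lines in the format of the two captures posted in this thread, counts client attempts to the OpenVPN port and server replies from it, and classifies any ICMP errors by kind. The sample inputs are the two captures from the thread with the hostnames as posted; the port number and the ICMP classification rules are assumptions stated in the code.

```python
"""Classify a tcpdump capture of OpenVPN connection attempts.

Added example, not code from the thread. For lines like the captures above it
reports whether the server answered on the OpenVPN port, stayed silent, or
replied with ICMP errors, and of which kind. fw3's REJECT target answers UDP
with icmp-port-unreachable, so a "host unreachable" reply points away from
the fw3 reject chain.
"""
import re
from collections import Counter

# Constructed samples: the two captures from the thread, hostnames as posted.
CAPTURE_BLOCKED = """\
14:49:59.737041 IP CLIENT.dyn.telefonica.de.26957 > OVPNSERVER.1194: UDP, length 54
14:50:00.736085 IP CLIENT.dyn.telefonica.de.26957 > OVPNSERVER.1194: UDP, length 54
14:50:01.743656 IP CLIENT.dyn.telefonica.de.26957 > OVPNSERVER.1194: UDP, length 54
14:50:02.861802 IP CLIENT.dyn.telefonica.de.26957 > OVPNSERVER.1194: UDP, length 54
14:50:02.877199 IP OVPNSERVER > CLIENT.dyn.telefonica.de: ICMP host OVPNSERVER unreachable, length 90
14:50:02.877333 IP OVPNSERVER > CLIENT.dyn.telefonica.de: ICMP host OVPNSERVER unreachable, length 90
14:50:02.877420 IP OVPNSERVER > CLIENT.dyn.telefonica.de: ICMP host OVPNSERVER unreachable, length 90
14:50:02.877500 IP OVPNSERVER > CLIENT.dyn.telefonica.de: ICMP host OVPNSERVER unreachable, length 90
"""
CAPTURE_WORKING = """\
16:44:05.032437 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 62
16:44:05.032503 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 1116
16:44:05.032559 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 1116
16:44:05.032622 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 1116
16:44:05.032678 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 1116
16:44:05.137384 IP CLIENT.dyn.telefonica.de.28044 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 62
16:44:05.138068 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 269
16:44:05.141216 IP CLIENT.dyn.telefonica.de.28044 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 62
16:44:05.149380 IP CLIENT.dyn.telefonica.de.28044 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 62
16:44:05.153387 IP CLIENT.dyn.telefonica.de.28044 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 62
"""

TS = r"(?P<ts>\d\d:\d\d:\d\d\.\d+)"
# host.port > host.port: UDP, length N   (hostnames contain dots, so the port
# is the last dot-separated field before ' >' or ':')
UDP_RE = re.compile(TS + r" IP (?P<src>\S+)\.(?P<sport>\d+) > "
                    r"(?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$")
ICMP_RE = re.compile(TS + r" IP (?P<src>\S+) > (?P<dst>\S+): ICMP (?P<msg>.*), "
                     r"length (?P<len>\d+)$")


def classify_icmp(msg):
    """Map tcpdump's ICMP text to a reject kind (assumed keyword rules;
    'admin' is tested before 'host' because tcpdump prints
    'host X unreachable - admin prohibited')."""
    m = msg.lower()
    if "unreachable" not in m:
        return "other"
    if "port" in m:
        return "port-unreachable"      # what fw3's REJECT produces for UDP
    if "admin" in m:
        return "admin-prohibited"
    if "host" in m:
        return "host-unreachable"      # routing-level rejection, not fw3's chain
    if "net" in m:
        return "net-unreachable"
    return "unreachable"


def analyze(lines, port=1194):
    """Count attempts to `port`, replies from it, and ICMP errors by kind."""
    attempts = replies = 0
    icmp = Counter()
    for line in lines:
        m = UDP_RE.match(line.strip())
        if m:
            if int(m["dport"]) == port:
                attempts += 1
            elif int(m["sport"]) == port:
                replies += 1
            continue
        m = ICMP_RE.match(line.strip())
        if m:
            icmp[classify_icmp(m["msg"])] += 1
    if replies:
        verdict = "answered"
    elif icmp:
        verdict = "rejected: " + ", ".join(sorted(icmp))
    elif attempts:
        verdict = "silent"
    else:
        verdict = "no traffic"
    return {"attempts": attempts, "server_replies": replies,
            "icmp": dict(icmp), "verdict": verdict}


if __name__ == "__main__":
    for name, cap in (("blocked", CAPTURE_BLOCKED), ("working", CAPTURE_WORKING)):
        print(name, analyze(cap.splitlines()))
```

For the first capture the verdict is `rejected: host-unreachable` with four attempts and no server reply; for the capture taken with the firewall stopped it is `answered`, with six server datagrams to the client. A capture that yields `port-unreachable` instead would be consistent with the fw3 reject chain shown above.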
I never touched any of the default firewall settings.
What would I have to change?
trendy
March 14, 2019, 3:11pm
Stop the firewall
/etc/init.d/firewall stop
Try to connect and check the tcpdump.
Did you add any custom firewall rules?
With the firewall turned off I can connect successfully.
tcpdump
16:44:05.032437 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 62
16:44:05.032503 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 1116
16:44:05.032559 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 1116
16:44:05.032622 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 1116
16:44:05.032678 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 1116
16:44:05.137384 IP CLIENT.dyn.telefonica.de.28044 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 62
16:44:05.138068 IP SERVER.dip0.t-ipconnect.de.1194 > CLIENT.dyn.telefonica.de.28044: UDP, length 269
16:44:05.141216 IP CLIENT.dyn.telefonica.de.28044 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 62
16:44:05.149380 IP CLIENT.dyn.telefonica.de.28044 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 62
16:44:05.153387 IP CLIENT.dyn.telefonica.de.28044 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 62
Nothing, except for some port forwards and the OpenVPN client firewall zones.
And of course the one for the server, see the OP.
I only added the things after "option path '/etc/firewall.user'" and the 2 DMZs at the beginning.
firewall
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.1.5'
option name 'VoIP FB-7412'
option proto 'udp'
option src_dport '5060'
option dest_port '5060'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option dest_ip '192.168.1.5'
option name 'VoIP FB-7412'
option proto 'udp'
option src_dport '7078-7085'
option dest_port '7078-7085'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option dest_ip '192.168.1.5'
option name 'DMZ FB-7412'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option name 'DMZ Xbox One'
option dest_ip '192.168.1.31'
option proto 'tcp udp'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan modem'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option name 'Allow-OpenVPN-Server'
option src 'wan'
option target 'ACCEPT'
option proto 'udp'
option dest_port '1194'
config zone
option name 'airvpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'airvpn'
config forwarding
option src 'lan'
option dest 'airvpn'
config zone
option name 'ibvpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'ibvpn'
config forwarding
option src 'lan'
option dest 'ibvpn'
trendy
March 14, 2019, 4:15pm
TheHellSite:
/etc/firewall.user
I was referring to this file.
At least we have narrowed it down to a firewall issue.
Post the whole firewall configuration please, after you start it.
iptables -L -vn ; iptables -t nat -L -vn ; iptables -t mangle -L -vn
/etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
iptables -L -vn ; iptables -t nat -L -vn ; iptables -t mangle -L -vn
root@OPENWRT-ROUTER:~# iptables -L -vn ; iptables -t nat -L -vn ; iptables -t mangle -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 284 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
117 10384 input_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom input rule chain */
116 10219 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
0 0 syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 /* !fw3 */
1 165 zone_lan_input all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_input all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_input all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_airvpn_input all -- tun_airvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_ibvpn_input all -- tap_ibvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
286 64514 forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom forwarding rule chain */
25 6432 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
36 4380 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
225 53702 zone_wan_forward all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_forward all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_airvpn_forward all -- tun_airvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_ibvpn_forward all -- tap_ibvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 284 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
112 15756 output_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom output rule chain */
109 15492 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
3 264 zone_lan_output all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_output all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_output all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_airvpn_output all -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_ibvpn_output all -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain forwarding_airvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_ibvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_airvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_ibvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_airvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_ibvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (9 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
0 0 ACCEPT all -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_airvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom airvpn forwarding rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_airvpn_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_input (1 references)
pkts bytes target prot opt in out source destination
0 0 input_airvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom airvpn input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
0 0 zone_airvpn_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_output (1 references)
pkts bytes target prot opt in out source destination
0 0 output_airvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom airvpn output rule chain */
0 0 zone_airvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- tun_airvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
0 0 ACCEPT all -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_ibvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ibvpn forwarding rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_ibvpn_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_input (1 references)
pkts bytes target prot opt in out source destination
0 0 input_ibvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ibvpn input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
0 0 zone_ibvpn_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_output (1 references)
pkts bytes target prot opt in out source destination
0 0 output_ibvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ibvpn output rule chain */
0 0 zone_ibvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- tap_ibvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_dest_ACCEPT (4 references)
pkts bytes target prot opt in out source destination
3 264 ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
36 4380 forwarding_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan forwarding rule chain */
36 4380 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to wan forwarding policy */
0 0 zone_airvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to airvpn forwarding policy */
0 0 zone_ibvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to ibvpn forwarding policy */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
1 165 input_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
1 165 zone_lan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_output (1 references)
pkts bytes target prot opt in out source destination
3 264 output_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan output rule chain */
3 264 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
1 165 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_wan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
4 160 DROP all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
32 4220 ACCEPT all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 DROP all -- * eth1 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_forward (2 references)
pkts bytes target prot opt in out source destination
225 53702 forwarding_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan forwarding rule chain */
0 0 zone_lan_dest_ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IPSec-ESP */
0 0 zone_lan_dest_ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 /* !fw3: Allow-ISAKMP */
225 53702 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_wan_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_input (2 references)
pkts bytes target prot opt in out source destination
0 0 input_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan input rule chain */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 /* !fw3: Allow-DHCP-Renew */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* !fw3: Allow-Ping */
0 0 ACCEPT 2 -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IGMP */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 /* !fw3: Allow-OpenVPN-Server */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
0 0 zone_wan_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_output (2 references)
pkts bytes target prot opt in out source destination
0 0 output_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan output rule chain */
0 0 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain PREROUTING (policy ACCEPT 19 packets, 1126 bytes)
pkts bytes target prot opt in out source destination
26 2700 prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
19 1126 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
7 1574 zone_wan_prerouting all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_prerouting all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_airvpn_prerouting all -- tun_airvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_ibvpn_prerouting all -- tap_ibvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain INPUT (policy ACCEPT 1 packets, 165 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 230 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 10 packets, 1804 bytes)
pkts bytes target prot opt in out source destination
14 2040 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom postrouting rule chain */
8 1614 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
5 356 zone_wan_postrouting all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_postrouting all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_airvpn_postrouting all -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_ibvpn_postrouting all -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain postrouting_airvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_ibvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_airvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_ibvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain zone_airvpn_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_airvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom airvpn postrouting rule chain */
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_prerouting (1 references)
pkts bytes target prot opt in out source destination
0 0 prerouting_airvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom airvpn prerouting rule chain */
Chain zone_ibvpn_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_ibvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ibvpn postrouting rule chain */
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_prerouting (1 references)
pkts bytes target prot opt in out source destination
0 0 prerouting_ibvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ibvpn prerouting rule chain */
Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
8 1614 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.5 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.1
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.5 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.1
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.31 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.1
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.31 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.1
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
19 1126 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */
0 0 DNAT tcp -- * * 192.168.1.0/24 80.134.95.252 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.5
0 0 DNAT udp -- * * 192.168.1.0/24 80.134.95.252 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.5
0 0 DNAT tcp -- * * 192.168.1.0/24 192.168.0.2 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.5
0 0 DNAT udp -- * * 192.168.1.0/24 192.168.0.2 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.5
0 0 DNAT tcp -- * * 192.168.1.0/24 80.134.95.252 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.31
0 0 DNAT udp -- * * 192.168.1.0/24 80.134.95.252 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.31
0 0 DNAT tcp -- * * 192.168.1.0/24 192.168.0.2 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.31
0 0 DNAT udp -- * * 192.168.1.0/24 192.168.0.2 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.31
Chain zone_wan_postrouting (2 references)
pkts bytes target prot opt in out source destination
5 356 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */
5 356 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_prerouting (2 references)
pkts bytes target prot opt in out source destination
7 1574 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */
3 213 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: DMZ FB-7412 */ to:192.168.1.5
4 1361 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: DMZ FB-7412 */ to:192.168.1.5
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: DMZ Xbox One */ to:192.168.1.31
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: DMZ Xbox One */ to:192.168.1.31
Chain PREROUTING (policy ACCEPT 443 packets, 76931 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 141 packets, 11468 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 289 packets, 64858 bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
0 0 TCPMSS tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
0 0 TCPMSS tcp -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone airvpn MTU fixing */ TCPMSS clamp to PMTU
0 0 TCPMSS tcp -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone ibvpn MTU fixing */ TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 155 packets, 44320 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 438 packets, 109K bytes)
pkts bytes target prot opt in out source destination
trendy
March 14, 2019, 7:15pm
17
iptables looks good, but I didn't see any hits on the firewall rules. With the firewall restarted (to reset the counters), let the client try to connect a few times to increase the hits on the guilty line.
Also, as a test, temporarily remove the eth1 interface from the wan firewall zone. I suppose you have it just to manage the modem.
firewall hits
root@OPENWRT-ROUTER:~# iptables -L -vn ; iptables -t nat -L -vn ; iptables -t mangle -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
418 45604 input_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom input rule chain */
273 26953 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
0 0 syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 /* !fw3 */
57 14183 zone_lan_input all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
88 4468 zone_wan_input all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_input all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_airvpn_input all -- tun_airvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_ibvpn_input all -- tap_ibvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
881 197K forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom forwarding rule chain */
683 181K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
91 5025 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
107 10518 zone_wan_forward all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_forward all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_airvpn_forward all -- tun_airvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_ibvpn_forward all -- tap_ibvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
380 88433 output_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom output rule chain */
277 83619 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
5 504 zone_lan_output all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
98 4310 zone_wan_output all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_output all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_airvpn_output all -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_ibvpn_output all -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain forwarding_airvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_ibvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_airvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_ibvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_airvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_ibvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (9 references)
pkts bytes target prot opt in out source destination
88 4468 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
0 0 ACCEPT all -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_airvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom airvpn forwarding rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_airvpn_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_input (1 references)
pkts bytes target prot opt in out source destination
0 0 input_airvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom airvpn input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
0 0 zone_airvpn_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_output (1 references)
pkts bytes target prot opt in out source destination
0 0 output_airvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom airvpn output rule chain */
0 0 zone_airvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- tun_airvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
0 0 ACCEPT all -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_ibvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ibvpn forwarding rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_ibvpn_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_input (1 references)
pkts bytes target prot opt in out source destination
0 0 input_ibvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ibvpn input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
0 0 zone_ibvpn_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_output (1 references)
pkts bytes target prot opt in out source destination
0 0 output_ibvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ibvpn output rule chain */
0 0 zone_ibvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- tap_ibvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_dest_ACCEPT (4 references)
pkts bytes target prot opt in out source destination
5 504 ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
91 5025 forwarding_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan forwarding rule chain */
91 5025 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to wan forwarding policy */
0 0 zone_airvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to airvpn forwarding policy */
0 0 zone_ibvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to ibvpn forwarding policy */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
57 14183 input_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
57 14183 zone_lan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_output (1 references)
pkts bytes target prot opt in out source destination
5 504 output_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan output rule chain */
5 504 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
57 14183 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_wan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
116 4868 DROP all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
67 4221 ACCEPT all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 DROP all -- * eth1 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
6 246 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_forward (2 references)
pkts bytes target prot opt in out source destination
107 10518 forwarding_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan forwarding rule chain */
0 0 zone_lan_dest_ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IPSec-ESP */
0 0 zone_lan_dest_ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 /* !fw3: Allow-ISAKMP */
107 10518 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_wan_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_input (2 references)
pkts bytes target prot opt in out source destination
88 4468 input_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan input rule chain */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 /* !fw3: Allow-DHCP-Renew */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* !fw3: Allow-Ping */
0 0 ACCEPT 2 -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IGMP */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 /* !fw3: Allow-OpenVPN-Server */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
88 4468 zone_wan_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_output (2 references)
pkts bytes target prot opt in out source destination
98 4310 output_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan output rule chain */
98 4310 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
88 4468 reject all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain PREROUTING (policy ACCEPT 80 packets, 6640 bytes)
pkts bytes target prot opt in out source destination
179 16712 prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
80 6640 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
99 10072 zone_wan_prerouting all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_prerouting all -- eth1 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_airvpn_prerouting all -- tun_airvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_ibvpn_prerouting all -- tap_ibvpn * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain INPUT (policy ACCEPT 22 packets, 2454 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16 packets, 1079 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 102 packets, 10272 bytes)
pkts bytes target prot opt in out source destination
152 13840 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom postrouting rule chain */
101 10152 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
45 3442 zone_wan_postrouting all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
6 246 zone_wan_postrouting all -- * eth1 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_airvpn_postrouting all -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_ibvpn_postrouting all -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain postrouting_airvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_ibvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_airvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_ibvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain zone_airvpn_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_airvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom airvpn postrouting rule chain */
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_airvpn_prerouting (1 references)
pkts bytes target prot opt in out source destination
0 0 prerouting_airvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom airvpn prerouting rule chain */
Chain zone_ibvpn_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_ibvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ibvpn postrouting rule chain */
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ibvpn_prerouting (1 references)
pkts bytes target prot opt in out source destination
0 0 prerouting_ibvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ibvpn prerouting rule chain */
Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
101 10152 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.5 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.1
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.5 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.1
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.31 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.1
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.31 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.1
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
80 6640 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */
0 0 DNAT tcp -- * * 192.168.1.0/24 80.134.95.252 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.5
0 0 DNAT udp -- * * 192.168.1.0/24 80.134.95.252 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.5
0 0 DNAT tcp -- * * 192.168.1.0/24 192.168.0.2 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.5
0 0 DNAT udp -- * * 192.168.1.0/24 192.168.0.2 /* !fw3: DMZ FB-7412 (reflection) */ to:192.168.1.5
0 0 DNAT tcp -- * * 192.168.1.0/24 80.134.95.252 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.31
0 0 DNAT udp -- * * 192.168.1.0/24 80.134.95.252 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.31
0 0 DNAT tcp -- * * 192.168.1.0/24 192.168.0.2 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.31
0 0 DNAT udp -- * * 192.168.1.0/24 192.168.0.2 /* !fw3: DMZ Xbox One (reflection) */ to:192.168.1.31
Chain zone_wan_postrouting (2 references)
pkts bytes target prot opt in out source destination
51 3688 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */
51 3688 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_prerouting (2 references)
pkts bytes target prot opt in out source destination
99 10072 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */
12 2938 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: DMZ FB-7412 */ to:192.168.1.5
87 7134 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: DMZ FB-7412 */ to:192.168.1.5
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: DMZ Xbox One */ to:192.168.1.31
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: DMZ Xbox One */ to:192.168.1.31
Chain PREROUTING (policy ACCEPT 1335 packets, 244K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 434 packets, 46244 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 881 packets, 197K bytes)
pkts bytes target prot opt in out source destination
14 808 TCPMSS tcp -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
0 0 TCPMSS tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
0 0 TCPMSS tcp -- * tun_airvpn 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone airvpn MTU fixing */ TCPMSS clamp to PMTU
0 0 TCPMSS tcp -- * tap_ibvpn 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone ibvpn MTU fixing */ TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 402 packets, 116K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1167 packets, 308K bytes)
pkts bytes target prot opt in out source destination
Did this before testing the hits, but it didn't solve the problem, so I added it back before running the test.
vgaetera:
Try to stop the OpenVPN server and check the reject message type via tcpdump.
If it changes to icmp-port-unreachable,
then the root of the issue is the OpenVPN server.
21:43:21.646348 IP CLIENT.dyn.telefonica.de.20902 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 54
21:43:21.647130 IP SERVER.dip0.t-ipconnect.de > CLIENT.dyn.telefonica.de: ICMP SERVER.dip0.t-ipconnect.de udp port 1194 unreachable, length 90
21:43:22.836291 IP CLIENT.dyn.telefonica.de.7766 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 54
21:43:22.837170 IP SERVER.dip0.t-ipconnect.de > CLIENT.dyn.telefonica.de: ICMP SERVER.dip0.t-ipconnect.de udp port 1194 unreachable, length 90
21:43:23.874847 IP CLIENT.dyn.telefonica.de.19760 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 54
21:43:23.875663 IP SERVER.dip0.t-ipconnect.de > CLIENT.dyn.telefonica.de: ICMP SERVER.dip0.t-ipconnect.de udp port 1194 unreachable, length 90
21:43:24.913162 IP CLIENT.dyn.telefonica.de.8682 > SERVER.dip0.t-ipconnect.de.1194: UDP, length 54
21:43:24.913798 IP SERVER.dip0.t-ipconnect.de > CLIENT.dyn.telefonica.de: ICMP SERVER.dip0.t-ipconnect.de udp port 1194 unreachable, length 90
trendy
March 14, 2019, 10:09pm
20
Pretty weird problem indeed.
In the INPUT chain we have hits in zone_wan_input, as expected.
However, in the zone_wan_input chain there are ZERO hits for OpenVPN:
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 /* !fw3: Allow-OpenVPN-Server */
Which means that the packet is captured somewhere else. Before INPUT we have NAT and MANGLE PREROUTING and MANGLE INPUT. MANGLE is clean, and the culprit is found in NAT PREROUTING:
12 2938 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: DMZ FB-7412 */ to:192.168.1.5
87 7134 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: DMZ FB-7412 */ to:192.168.1.5
You are forwarding everything to 192.168.1.5, which is not the same as what you posted earlier:
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.1.5'
firewall.@redirect[0].name='VoIP FB-7412'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src_dport='5060'
firewall.@redirect[0].dest_port='5060'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_ip='192.168.1.5'
firewall.@redirect[1].name='VoIP FB-7412'
firewall.@redirect[1].proto='udp'
firewall.@redirect[1].src_dport='7078-7085'
firewall.@redirect[1].dest_port='7078-7085'
So can you tell us what the actual firewall configuration is?
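The reasoning in the post above (a port-less DNAT in nat PREROUTING diverts every UDP packet before the filter INPUT accept for dpt:1194 can see it) can be checked mechanically. The following is an added example, not code from this thread or from OpenWrt/fw3: it parses `iptables -L -vn` style output and reports zero-hit, port-specific ACCEPT rules whose protocol a catch-all DNAT grabs first. The sample dumps are constructed, trimmed copies of the chains quoted in the thread, plus one port-restricted redirect (dpt:5060) that the check must not flag.

```python
"""Find catch-all DNAT redirects that shadow port-specific ACCEPT rules.

Added example (not code from the thread or from OpenWrt/fw3). A nat
PREROUTING DNAT rule without a dpt: match rewrites every packet of its
protocol before the filter INPUT chain runs, so an ACCEPT rule such as
Allow-OpenVPN-Server stays at zero hits while the DNAT counter climbs.
"""
import re
from dataclasses import dataclass

# Constructed sample: trimmed copies of the chains quoted in the thread, plus one
# port-restricted redirect (dpt:5060, not on the page) that must NOT be flagged.
SAMPLE_FILTER = """\
Chain zone_wan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination
   88  4468 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* !fw3: Allow-OpenVPN-Server */
   88  4468 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
"""
SAMPLE_NAT = """\
Chain zone_wan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
   99 10072 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
   12  2938 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: DMZ FB-7412 */ to:192.168.1.5
   87  7134 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: DMZ FB-7412 */ to:192.168.1.5
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 /* !fw3: VoIP FB-7412 */ to:192.168.1.5
"""

# pkts bytes target prot opt in out source destination [match extensions / comment]
RULE_RE = re.compile(
    r"^\s*([\d.]+[KMG]?)\s+([\d.]+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)(?:\s+(.*))?$"
)


def _count(tok: str) -> int:
    """Turn an iptables -v counter such as '197K' into an integer (approximate)."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    if tok[-1] in mult:
        return int(float(tok[:-1]) * mult[tok[-1]])
    return int(tok)


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    proto: str
    source: str
    destination: str
    extra: str  # match extensions and the /* comment */ after the destination

    @property
    def dport(self):
        m = re.search(r"dpts?:(\S+)", self.extra)
        return m.group(1) if m else None

    @property
    def comment(self) -> str:
        m = re.search(r"/\*\s*(.*?)\s*\*/", self.extra)
        return m.group(1) if m else ""


def parse_dump(text: str) -> list:
    """Parse one or more 'Chain ...' sections of iptables -L -vn output."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if m and chain:
            pkts, _bytes, target, proto, _opt, _in, _out, src, dst, extra = m.groups()
            rules.append(Rule(chain, _count(pkts), target, proto, src, dst, extra or ""))
    return rules


def is_catch_all_dnat(rule: Rule) -> bool:
    """A DNAT that matches every packet of its protocol, from anywhere to anywhere."""
    return (rule.target == "DNAT" and rule.dport is None
            and rule.source == "0.0.0.0/0" and rule.destination == "0.0.0.0/0")


def find_shadowed(filter_rules, nat_rules):
    """Zero-hit port-specific ACCEPTs whose protocol a catch-all DNAT diverts first.

    Returns (accept comment, dport, dnat comment, dnat packet count) tuples.
    """
    catch_all = [r for r in nat_rules if is_catch_all_dnat(r)]
    findings = []
    for acc in filter_rules:
        if acc.target != "ACCEPT" or acc.dport is None or acc.pkts != 0:
            continue
        for dnat in catch_all:
            if dnat.proto in ("all", acc.proto):
                findings.append((acc.comment, acc.dport, dnat.comment, dnat.pkts))
    return findings


if __name__ == "__main__":
    for acc, port, dnat, pkts in find_shadowed(parse_dump(SAMPLE_FILTER), parse_dump(SAMPLE_NAT)):
        print(f"{acc} (dpt:{port}) never matches: '{dnat}' DNAT took {pkts} packets first")
```

On a live router the same check runs over `iptables -L -vn` and `iptables -t nat -L -vn` captured after a firewall restart, as trendy suggested, so that the counters reflect only the failed connection attempts.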