Thanks for this forum to help me troubleshoot my new install of OpenWrt, but my port forwarding for SSH is not working. Previous posts helped me get ports 80 and 443 redirected. This redirect is one of many I need help to get working, and I've included only one that I need help with.
TP-Link TL-WR1043N/ND v2
OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch
Zoom 5341j cable modem. Not acting as a router.
I have not enabled wireless yet so as to reduce the variables in this install.
My goal is to mimic my port forwarding in factory software of this TP-Link to accept an arbitrary port and then redirect it to a LAN client.
I can ssh to this client from any other client inside this LAN which suggests that this client has the SSH daemon running.
Starting from advice found in "[SOLVED] Port forwarding not working", I can provide this info.
/etc/config/firewall
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config redirect
    option name 'ssh colorful'
    option src 'wan'
    option proto 'tcpudp'
    option src_port '8521'
    option dest_port '22'
    option dest_ip '192.168.1.105'
    option target 'DNAT'
    option dest 'lan'
    option family 'ipv4'

I have moved the redirects near the top of this file.
I have added this in /etc/firewall.user
iptables -N Trace
iptables -N LOG_Trace
iptables -I INPUT -p tcp --dport 8521 -m conntrack --ctstate NEW -j Trace
iptables -A Trace -p tcp --dport 8521 -j LOG_Trace
iptables -A LOG_Trace -p tcp --dport 8521 -j LOG --log-prefix "<[[--- Trace 8521 --]]> : " --log-l
Output of /etc/init.d/firewall restart && logread -f
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Redirect 'http traffic'
* Redirect 'https traffic'
* Redirect 'ssh colorful'
* Redirect 'ssh rocky'
* Redirect 'ssh happenstances'
* Redirect 'rsyslog happenstances'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 nat table
* Redirect 'ssh colorful'
* Redirect 'http traffic'
* Redirect 'https traffic'
* Redirect 'ssh rocky'
* Redirect 'ssh happenstances'
* Redirect 'rsyslog happenstances'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
Mon Apr 8 12:33:15 2019 kern.warn kernel: [ 2314.592670] <[[--- Trace 8521 --]]> : IN=br-wan OUT= MAC=e8:de:27:b3:65:6f:00:01:5c:a5:a6:46:08:00 SRC=outsideserverIP DST=ComcastIPaddy LEN=60 TOS=0x00 PREC=0x20 TTL=55 ID=13015 DF PROTO=TCP SPT=40572 DPT=8521 WINDOW=14600 RES=0x00 SYN URGP=0
This appears to show that this port is being blocked by OpenWrt?
/etc/config/network
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd45:eb64:df5b::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth1.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'
    option type 'bridge'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 0t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '5 6t'

The output of tcpdump -vv -ni eth0 tcp port 8521
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:31:01.306787 IP (tos 0x20, ttl 55, id 17808, offset 0, flags [DF], proto TCP (6), length 60)
outsideserverIP.36558 > ComcastIPaddy.8521: Flags [S], cksum 0x6e23 (correct), seq 2381972926, win 14600, options [mss 1460,sackOK,TS val 1328365614 ecr 0,nop,wscale 9], length 0
The Zones in LuCI Firewall - Zone settings show
General Settings: Input: Accept, Output: Accept, Forward: Reject.
LAN forwards to WAN, accept for all three.
WAN: no forwards (i.e. reject), Input: Reject, Output: Accept, Forward: Reject.
iptables -L -vn; iptables -t nat -L -vn; iptables -t mangle -L -vn
reveals this output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 60 Trace tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8521 ctstate NEW
15831 1262K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
11628 1245K input_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom input rule chain */
8062 933K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
826 49860 syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 /* !fw3 */
3299 297K zone_lan_input all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
267 15712 zone_wan_input all -- br-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_input all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
594K 546M forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom forwarding rule chain */
590K 546M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
4547 283K zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
25 7963 zone_wan_forward all -- br-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_forward all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15831 1262K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
9897 1405K output_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom output rule chain */
8221 1281K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
16 4968 zone_lan_output all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
1660 119K zone_wan_output all -- * br-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_output all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain LOG_Trace (1 references)
pkts bytes target prot opt in out source destination
1 60 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8521 LOG flags 0 level 4 prefix "<[[--- Trace 8521 --]]> : "
Chain Trace (1 references)
pkts bytes target prot opt in out source destination
1 60 LOG_Trace tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8521
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (5 references)
pkts bytes target prot opt in out source destination
267 15712 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
826 49860 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_dest_ACCEPT (4 references)
pkts bytes target prot opt in out source destination
16 4968 ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
4547 283K forwarding_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan forwarding rule chain */
4547 283K zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to wan forwarding policy */
1 64 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
3299 297K input_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
3299 297K zone_lan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_output (1 references)
pkts bytes target prot opt in out source destination
16 4968 output_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan output rule chain */
16 4968 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
3299 297K ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_wan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
436 22252 DROP all -- * br-wan 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
5770 380K ACCEPT all -- * br-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 DROP all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
0 0 ACCEPT all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * br-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_forward (2 references)
pkts bytes target prot opt in out source destination
25 7963 forwarding_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan forwarding rule chain */
0 0 zone_lan_dest_ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IPSec-ESP */
0 0 zone_lan_dest_ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 /* !fw3: Allow-ISAKMP */
25 7963 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_wan_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_input (2 references)
pkts bytes target prot opt in out source destination
267 15712 input_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan input rule chain */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 /* !fw3: Allow-DHCP-Renew */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* !fw3: Allow-Ping */
0 0 ACCEPT 2 -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IGMP */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
267 15712 zone_wan_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_output (2 references)
pkts bytes target prot opt in out source destination
1660 119K output_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan output rule chain */
1660 119K zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
267 15712 reject all -- br-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain PREROUTING (policy ACCEPT 5343 packets, 619K bytes)
pkts bytes target prot opt in out source destination
5358 621K prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom prerouting rule chain */
5197 609K zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
161 12030 zone_wan_prerouting all -- br-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_prerouting all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain INPUT (policy ACCEPT 2760 packets, 230K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2128 packets, 156K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 489 packets, 38513 bytes)
pkts bytes target prot opt in out source destination
3556 246K postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom postrouting rule chain */
27 5241 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
3066 207K zone_wan_postrouting all -- * br-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_wan_postrouting all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
27 5241 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan postrouting rule chain */
1 64 SNAT tcp -- * * 192.168.1.0/24 192.168.1.150 tcp dpt:80 /* !fw3: http traffic (reflection) */ to:192.168.1.1
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.150 udp dpt:80 /* !fw3: http traffic (reflection) */ to:192.168.1.1
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.150 tcp dpt:443 /* !fw3: https traffic (reflection) */ to:192.168.1.1
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.150 udp dpt:443 /* !fw3: https traffic (reflection) */ to:192.168.1.1
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.105 tcp dpt:22 /* !fw3: ssh colorful (reflection) */ to:192.168.1.1
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.105 udp dpt:22 /* !fw3: ssh colorful (reflection) */ to:192.168.1.1
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.150 tcp dpt:22 /* !fw3: ssh rocky (reflection) */ to:192.168.1.1
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.150 udp dpt:22 /* !fw3: ssh rocky (reflection) */ to:192.168.1.1
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.103 tcp dpt:22 /* !fw3: ssh happenstances (reflection) */ to:192.168.1.1
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.103 udp dpt:22 /* !fw3: ssh happenstances (reflection) */ to:192.168.1.1
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.103 tcp dpt:8086 /* !fw3: rsyslog happenstances (reflection) */ to:192.168.1.1
0 0 SNAT udp -- * * 192.168.1.0/24 192.168.1.103 udp dpt:8086 /* !fw3: rsyslog happenstances (reflection) */ to:192.168.1.1
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
5197 609K prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan prerouting rule chain */
1 64 DNAT tcp -- * * 192.168.1.0/24 ComcastIP tcp dpt:80 /* !fw3: http traffic (reflection) */ to:192.168.1.150:80
0 0 DNAT udp -- * * 192.168.1.0/24 ComcastIP udp dpt:80 /* !fw3: http traffic (reflection) */ to:192.168.1.150:80
0 0 DNAT tcp -- * * 192.168.1.0/24 ComcastIP tcp dpt:443 /* !fw3: https traffic (reflection) */ to:192.168.1.150:443
0 0 DNAT udp -- * * 192.168.1.0/24 ComcastIP udp dpt:443 /* !fw3: https traffic (reflection) */ to:192.168.1.150:443
0 0 DNAT tcp -- * * 192.168.1.0/24 ComcastIP /* !fw3: ssh colorful (reflection) */ to:192.168.1.105:22
0 0 DNAT udp -- * * 192.168.1.0/24 ComcastIP /* !fw3: ssh colorful (reflection) */ to:192.168.1.105:22
0 0 DNAT tcp -- * * 192.168.1.0/24 ComcastIP tcp dpt:8520 /* !fw3: ssh rocky (reflection) */ to:192.168.1.150:22
0 0 DNAT udp -- * * 192.168.1.0/24 ComcastIP udp dpt:8520 /* !fw3: ssh rocky (reflection) */ to:192.168.1.150:22
0 0 DNAT tcp -- * * 192.168.1.0/24 ComcastIP tcp dpt:8523 /* !fw3: ssh happenstances (reflection) */ to:192.168.1.103:22
0 0 DNAT udp -- * * 192.168.1.0/24 ComcastIP udp dpt:8523 /* !fw3: ssh happenstances (reflection) */ to:192.168.1.103:22
0 0 DNAT tcp -- * * 192.168.1.0/24 ComcastIP tcp dpt:8086 /* !fw3: rsyslog happenstances (reflection) */ to:192.168.1.103:8086
0 0 DNAT udp -- * * 192.168.1.0/24 ComcastIP udp dpt:8086 /* !fw3: rsyslog happenstances (reflection) */ to:192.168.1.103:8086
Chain zone_wan_postrouting (2 references)
pkts bytes target prot opt in out source destination
3066 207K postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan postrouting rule chain */
3066 207K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_prerouting (2 references)
pkts bytes target prot opt in out source destination
161 12030 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */
12 688 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* !fw3: http traffic */ to:192.168.1.150:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80 /* !fw3: http traffic */ to:192.168.1.150:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* !fw3: https traffic */ to:192.168.1.150:443
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443 /* !fw3: https traffic */ to:192.168.1.150:443
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:8521 /* !fw3: ssh colorful */ to:192.168.1.105:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:8521 /* !fw3: ssh colorful */ to:192.168.1.105:22
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8520 /* !fw3: ssh rocky */ to:192.168.1.150:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:8520 /* !fw3: ssh rocky */ to:192.168.1.150:22
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8523 /* !fw3: ssh happenstances */ to:192.168.1.103:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:8523 /* !fw3: ssh happenstances */ to:192.168.1.103:22
2 833 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8086 /* !fw3: rsyslog happenstances */ to:192.168.1.103:8086
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:8086 /* !fw3: rsyslog happenstances */ to:192.168.1.103:8086
Chain PREROUTING (policy ACCEPT 623K packets, 549M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 27518 packets, 2511K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 594K packets, 546M bytes)
pkts bytes target prot opt in out source destination
3821 237K TCPMSS tcp -- * br-wan 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
0 0 TCPMSS tcp -- * eth0.2 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 25788 packets, 2693K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 620K packets, 549M bytes)
pkts bytes target prot opt in out source destination
The firewall is working, but I'm not understanding what I'm overlooking. I hope for pointers as to what I should do next.
thx, sam
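
Added example, not part of the original post: in the nat dump above the 'ssh colorful' rule matches `tcp spt:8521` while the other forwards match `dpt:`, which follows from the redirect using `src_port` (the packet's source port) where fw3 uses `src_dport` for the destination port seen on the router. The script below lints a UCI firewall config for redirects that set `src_port` without `src_dport`; the function names and the 'ssh rocky' stanza are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post: flag fw3 redirects that set
# src_port (source-port match) but no src_dport (destination-port match).

# Constructed sample. 'ssh colorful' mirrors the stanza in the post; the
# 'ssh rocky' stanza is an assumption inferred from its dpt:8520 rule.
sample_config() {
cat <<'EOF'
config redirect
    option name 'ssh colorful'
    option src 'wan'
    option proto 'tcpudp'
    option src_port '8521'
    option dest_port '22'
    option dest_ip '192.168.1.105'
    option target 'DNAT'
    option dest 'lan'

config redirect
    option name 'ssh rocky'
    option src 'wan'
    option src_dport '8520'
    option dest_port '22'
    option dest_ip '192.168.1.150'
    option target 'DNAT'
    option dest 'lan'
EOF
}

# Reads a UCI firewall config on stdin; prints one line per suspect redirect.
lint_redirects() {
    awk '
    function unquote(s,    q) {
        q = sprintf("%c", 39)                     # single quote
        gsub("^[" q "\"]|[" q "\"]$", "", s)
        return s
    }
    function report() {
        if (in_redirect && sport != "" && dport == "")
            printf "%s: src_port=%s set, src_dport missing\n", name, sport
    }
    $1 == "config" {
        report()
        in_redirect = (unquote($2) == "redirect")
        name = "(unnamed)"; sport = ""; dport = ""
        next
    }
    in_redirect && $1 == "option" {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        sub(/[ \t]+$/, "", val)
        val = unquote(val)
        if ($2 == "name") name = val
        else if ($2 == "src_port") sport = val
        else if ($2 == "src_dport") dport = val
    }
    END { report() }
    '
}

sample_config | lint_redirects
```

On the router the same function can be fed the live file with `lint_redirects < /etc/config/firewall`. A flagged redirect also forwards any WAN packet whose source port matches, whatever port it was sent to, so it is worth correcting rather than leaving in place.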