As part of my ongoing efforts with fwknopd I am try to use port forwarding with ipsets. The plan is that fwknop will temporarily add an element to the ipset for the source ip and destination port, and the forwarding rule will then conditionally, using the ip set, apply the port-forward.
However, as soon as the port forward rule is applied through luci, the port becomes unconditionally accessible.
These are the rules that luci has created:
chain dstnat_lan { ip saddr 192.168.2.0/24 ip daddr xx.xx.xx.xx tcp dport 8080 dnat ip to 192.168.2.99:80 comment "!fw4: SPA (reflection)" } chain srcnat_lan { ip saddr 192.168.2.0/24 ip daddr 192.168.2.99 tcp dport 80 snat ip to 192.168.2.1 comment "!fw4: SPA (reflection)" } chain dstnat_wan { tcp dport 8080 ip saddr . tcp dport @fwknop_allow_6 counter packets 0 bytes 0 dnat ip to 192.168.2.99:80 comment "!fw4: SPA" }
If I try to access port 8080 from the wan, I get this:
marc:~$ curl myhost.com:8080 Hello marc:~$
If I delete the port-forwarding rule, I get instead:
marc:~$ curl myhost.com:8080 curl: (7) Failed to connect to myhost.com port 8080 after 472 ms: Connection refused marc:~$
Note: I am redirecting http traffic rather than ssh as I don’t want to open the ssh port during this development phase, though I have tried it with ssh and get the same issue.
Experimentation: I deleted the ipset-based rule in `dstnat_wan` and was still able to connect to the forwarded port. It looks like this was through the rule in dstnat_lan which does not use the ipset. I confirmed this by also deleting that rule and being unable to connect using curl.
Is this a bug or have I misunderstood something?