Port forwarding doesn't work on TL-WR940N

Now I'm connected by using the WAN port:

# Generated by iptables-save v1.6.2 on Thu Feb 27 22:22:27 2020
*nat
:PREROUTING ACCEPT [98:10623]
:INPUT ACCEPT [38:2016]
:OUTPUT ACCEPT [12:794]
:POSTROUTING ACCEPT [17:994]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[98:10623] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[14:1022] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[17:994] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[5:200] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[5:200] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[14:1022] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: PLC_WEB" -j DNAT --to-destination 192.168.0.100:80
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 102 -m comment --comment "!fw3: PLC" -j DNAT --to-destination 192.168.0.100:102
COMMIT
# Completed on Thu Feb 27 22:22:27 2020

No difference, hits are still 0.

1 Like

Sorry, I don't understand what you mean ...

These numbers at the beginning of the line show the packets:bytes for each rule. Zero means that nothing matched this rule.

You need to verify that you are trying to connect to the wan interface, correct protocol (tcp) and port (8080).

1 Like

I'm definitely connected to the WAN port and I try to open the page 10.42.25.232:8080 in my web browser.

opkg update
opkg install tcpdump
tcpdump -evn -i any tcp port 8080
2 Likes

What makes me a bit nervous is that I can connect to the IP 10.42.25.232:8080 when I'm connected to the LAN interface with the local address 192.168.0.150 ....

I think I found it. The wan zone is empty. Post uci export firewall to verify.

2 Likes
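
An added example, not part of the original thread: a shell function that automates the two checks made by eye above on `iptables-save -c` output. It flags user-defined chains that hold rules but are never the target of a jump (the "empty wan zone" symptom) and DNAT rules whose packet counter is 0. The names `nat_audit` and `sample_broken` are hypothetical, and the sample is abridged from the first dump in this thread.

```shell
#!/bin/sh
# Added example. On the router: iptables-save -c -t nat | nat_audit
# Prints one finding per line:
#   UNREACHABLE <table> <chain>             chain has rules, nothing jumps to it
#   NOHITS <table> <chain> <dport> <dest>   DNAT rule with a packet counter of 0
nat_audit() {
    awk '
    /^\*/ { table = substr($0, 2); next }        # table header, e.g. "*nat"
    /^:/  {                                      # chain declaration line
        # a "-" policy marks a user-defined chain (built-ins show ACCEPT/DROP)
        if ($2 == "-") user[table " " substr($1, 2)] = 1
        next
    }
    {
        chain = ""; target = ""; dport = ""; to = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-A" && chain == "") chain = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "--to-destination") to = $(i + 1)
        }
        if (chain == "") next                    # COMMIT and "#" comment lines
        has_rules[table " " chain] = 1
        jumped[table " " target] = 1
        # with -c the first field is "[packets:bytes]"
        if (target == "DNAT" && $1 ~ /^\[0:/)
            print "NOHITS", table, chain, dport, to
    }
    END {
        for (c in user)
            if ((c in has_rules) && !(c in jumped)) print "UNREACHABLE", c
    }'
}

# Constructed sample, abridged from the first dump in this thread:
# zone_wan_prerouting holds the DNAT rule, but no PREROUTING rule jumps to it.
sample_broken() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [98:10623]
:prerouting_rule - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_prerouting - [0:0]
[98:10623] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[14:1022] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: PLC_WEB" -j DNAT --to-destination 192.168.0.100:80
COMMIT
EOF
}
```

An `UNREACHABLE` line means the zone has no interface attached; a `NOHITS` line without a matching `UNREACHABLE` line means packets enter the chain but none match the rule's protocol and port.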
package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'REJECT'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8080'
        option dest_ip '192.168.0.100'
        option dest_port '80'
        option name 'PLC_WEB'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option dest_ip '192.168.0.100'
        option name 'PLC'
        option proto 'tcp'
        option src_dport '102'
        option dest_port '102'

config forwarding
        option dest 'wan'
        option src 'lan'

That is correct. What about uci show network.wan ?

network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='static'
network.wan.ipaddr='10.42.25.232'
network.wan.netmask='255.255.252.0'
network.wan.gateway='10.42.24.1'
network.wan.dns='10.42.24.1'

Looks good too, try to restart the firewall and post the output.
fw3 restart

1 Like
Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'PLC_WEB'
   * Redirect 'PLC'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'PLC_WEB'
   * Redirect 'PLC'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

No errors, that's good. Post again the iptables-save -c

1 Like
# Generated by iptables-save v1.6.2 on Thu Feb 27 23:09:34 2020
*nat
:PREROUTING ACCEPT [173:33682]
:INPUT ACCEPT [50:3378]
:OUTPUT ACCEPT [41:2943]
:POSTROUTING ACCEPT [6:408]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[173:33682] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[0:0] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[173:33682] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[46:3143] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[40:2735] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.100/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: PLC_WEB (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.100/32 -p tcp -m tcp --dport 102 -m comment --comment "!fw3: PLC (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d 10.42.25.232/32 -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: PLC_WEB (reflection)" -j DNAT --to-destination 192.168.0.100:80
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d 10.42.25.232/32 -p tcp -m tcp --dport 102 -m comment --comment "!fw3: PLC (reflection)" -j DNAT --to-destination 192.168.0.100:102
[40:2735] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[40:2735] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[173:33682] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: PLC_WEB" -j DNAT --to-destination 192.168.0.100:80
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 102 -m comment --comment "!fw3: PLC" -j DNAT --to-destination 192.168.0.100:102
COMMIT
# Completed on Thu Feb 27 23:09:34 2020
# Generated by iptables-save v1.6.2 on Thu Feb 27 23:09:34 2020
*mangle
:PREROUTING ACCEPT [376:51121]
:INPUT ACCEPT [253:20817]
:FORWARD ACCEPT [5:260]
:OUTPUT ACCEPT [249:35813]
:POSTROUTING ACCEPT [244:35413]
[5:260] -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Feb 27 23:09:34 2020
# Generated by iptables-save v1.6.2 on Thu Feb 27 23:09:34 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[79:6719] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[176:14178] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[95:7673] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[81:6505] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[5:260] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[5:260] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[79:6719] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[168:29438] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[113:25301] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[55:4137] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[5:260] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[55:4137] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[5:260] -A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[5:260] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[5:260] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[81:6505] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[81:6505] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[55:4137] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[55:4137] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[81:6505] -A zone_wan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Thu Feb 27 23:09:34 2020
1 Like

Looks better now, the eth0 is assigned to the wan zone correctly.
Try to connect from wan.

1 Like

I'm still connected by WAN - doesn't work. I still can't open the 10.42.25.232:8080 webpage ...

Proceed with diagnostics:
Port forwarding doesn't work on TL-WR940N

1 Like

I'm sorry, this is not possible:

Collected errors:
 * verify_pkg_installable: Only have 72kb available on filesystem /overlay, pkg tcpdump needs 284
 * opkg_install_cmd: Cannot install package tcpdump.
1 Like

Post this to see if there are hits:
iptables-save -c -t nat