xize
December 13, 2023, 6:40am
Hello,
Currently I have created an nginx-server-manager Docker container on its own bridge network, and configured that bridge as an unmanaged interface in LuCI, in its own firewall zone.
Basically, what I want is to expose port 81 to WAN; I would expect that to be easy with a plain port forward.
But the connection times out. I can "cheat" by routing it over a VLAN, but that feels like an extra point of failure when, in theory, a port forward should be the cleaner approach.
Could somebody help me figure this out? I have configured my MOCHAbin more or less as a dumb AP; the firewall is not very important to me except for NAT, and an open WAN is acceptable in my case. (Note for anyone copying this: with the defaults and the wan zone all set to ACCEPT below, everything on the router — not just port 81 — is reachable from the WAN side. If that side is ever an untrusted network, set the wan zone's input and forward to REJECT or DROP and rely on the redirect alone.)
Heres my firewall:
root@Mochabin:/opt/nginx-proxy-manager# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='aria'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='aria_docker' 'aria_wan'
firewall.@zone[1]=zone
firewall.@zone[1].name='steamcache'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].network='steamcache'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='aria'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='steamcache'
firewall.@forwarding[1].dest='wan'
firewall.@zone[2]=zone
firewall.@zone[2].name='wan'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='wan'
firewall.pbr=include
firewall.pbr.fw4_compatible='1'
firewall.pbr.type='script'
firewall.pbr.path='/usr/share/pbr/pbr.firewall.include'
firewall.@zone[3]=zone
firewall.@zone[3].name='nginx'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='ACCEPT'
firewall.@zone[3].network='nginx_mgmnt'
firewall.@zone[3].masq='1'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='nginx'
firewall.@forwarding[2].dest='wan'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='nginx'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].family='ipv4'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='81'
firewall.@redirect[0].dest_port='81'
firewall.@redirect[0].dest_ip='172.23.0.2'
Also, on firewall reload I see this warning (as far as I can tell it only concerns NAT reflection/hairpin for internal clients, so it probably does not explain the WAN timeout by itself):
Section @redirect[0] internal rewrite IP cannot be determined, disabling reflection
Which refers to this section:
root@Mochabin:/opt/nginx-proxy-manager# uci show firewall.@redirect[0]
firewall.cfg0a3837=redirect
firewall.cfg0a3837.dest='nginx'
firewall.cfg0a3837.target='DNAT'
firewall.cfg0a3837.family='ipv4'
firewall.cfg0a3837.src='wan'
firewall.cfg0a3837.src_dport='81'
firewall.cfg0a3837.dest_port='81' <- tried also empty
firewall.cfg0a3837.dest_ip='172.23.0.2'
Many thanks👍
trendy
December 13, 2023, 8:42am
Do you see hits on the firewall rules? Check the packet counters in:
nft list ruleset
xize
December 13, 2023, 10:43am
This is what I see as a result:
root@Mochabin:~# nft list ruleset
table inet fw4 {
chain input {
type filter hook input priority filter; policy accept;
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname { "eth2.6", "br-d88f1ca484a6" } jump input_aria comment "!fw4: Handle aria IPv4/IPv6 input traffic"
iifname "eth2.5" jump input_steamcache comment "!fw4: Handle steamcache IPv4/IPv6 input traffic"
iifname "br-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
iifname "br-90c5345884a5" jump input_nginx comment "!fw4: Handle nginx IPv4/IPv6 input traffic"
}
chain forward {
type filter hook forward priority filter; policy accept;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
iifname { "eth2.6", "br-d88f1ca484a6" } jump forward_aria comment "!fw4: Handle aria IPv4/IPv6 forward traffic"
iifname "eth2.5" jump forward_steamcache comment "!fw4: Handle steamcache IPv4/IPv6 forward traffic"
iifname "br-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
iifname "br-90c5345884a5" jump forward_nginx comment "!fw4: Handle nginx IPv4/IPv6 forward traffic"
}
chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
oifname { "eth2.6", "br-d88f1ca484a6" } jump output_aria comment "!fw4: Handle aria IPv4/IPv6 output traffic"
oifname "eth2.5" jump output_steamcache comment "!fw4: Handle steamcache IPv4/IPv6 output traffic"
oifname "br-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
oifname "br-90c5345884a5" jump output_nginx comment "!fw4: Handle nginx IPv4/IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname { "eth2.6", "br-d88f1ca484a6" } jump helper_aria comment "!fw4: Handle aria IPv4/IPv6 helper assignment"
iifname "eth2.5" jump helper_steamcache comment "!fw4: Handle steamcache IPv4/IPv6 helper assignment"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_aria {
jump accept_from_aria
}
chain output_aria {
jump accept_to_aria
}
chain forward_aria {
jump accept_to_wan comment "!fw4: Accept aria to wan forwarding"
jump accept_to_aria
}
chain helper_aria {
}
chain accept_from_aria {
iifname { "eth2.6", "br-d88f1ca484a6" } counter packets 66 bytes 15742 accept comment "!fw4: accept aria IPv4/IPv6 traffic"
}
chain accept_to_aria {
oifname { "eth2.6", "br-d88f1ca484a6" } counter packets 64 bytes 15484 accept comment "!fw4: accept aria IPv4/IPv6 traffic"
}
chain input_steamcache {
jump accept_from_steamcache
}
chain output_steamcache {
jump accept_to_steamcache
}
chain forward_steamcache {
jump accept_to_wan comment "!fw4: Accept steamcache to wan forwarding"
jump accept_to_steamcache
}
chain helper_steamcache {
}
chain accept_from_steamcache {
iifname "eth2.5" counter packets 34 bytes 8000 accept comment "!fw4: accept steamcache IPv4/IPv6 traffic"
}
chain accept_to_steamcache {
oifname "eth2.5" counter packets 32 bytes 7742 accept comment "!fw4: accept steamcache IPv4/IPv6 traffic"
}
chain input_wan {
jump accept_from_wan
}
chain output_wan {
jump accept_to_wan
}
chain forward_wan {
jump accept_to_wan
}
chain accept_from_wan {
iifname "br-wan" counter packets 219 bytes 23608 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain accept_to_wan {
meta nfproto ipv4 oifname "br-wan" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
oifname "br-wan" counter packets 66 bytes 7812 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain input_nginx {
jump accept_from_nginx
}
chain output_nginx {
jump accept_to_nginx
}
chain forward_nginx {
jump accept_to_wan comment "!fw4: Accept nginx to wan forwarding"
jump accept_to_nginx
}
chain helper_nginx {
}
chain accept_from_nginx {
iifname "br-90c5345884a5" counter packets 1 bytes 302 accept comment "!fw4: accept nginx IPv4/IPv6 traffic"
}
chain accept_to_nginx {
meta nfproto ipv4 oifname "br-90c5345884a5" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
oifname "br-90c5345884a5" counter packets 1 bytes 302 accept comment "!fw4: accept nginx IPv4/IPv6 traffic"
}
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "br-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
oifname "br-90c5345884a5" jump srcnat_nginx comment "!fw4: Handle nginx IPv4/IPv6 srcnat traffic"
}
chain dstnat_wan {
}
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
chain dstnat_nginx {
}
chain srcnat_nginx {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 nginx traffic"
}
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
jump pbr_prerouting comment "Jump into pbr prerouting chain"
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
jump pbr_postrouting comment "Jump into pbr postrouting chain" }
chain mangle_input {
type filter hook input priority mangle; policy accept;
jump pbr_input comment "Jump into pbr input chain"
}
chain mangle_output {
type route hook output priority mangle; policy accept;
jump pbr_output comment "Jump into pbr output chain"
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
jump pbr_forward comment "Jump into pbr forward chain"
}
chain pbr_forward {
}
chain pbr_input {
}
chain pbr_output {
}
chain pbr_prerouting {
}
chain pbr_postrouting {
}
}
The interface name is nginx_mgmnt and its device is the bridge br-90c5345884a5.
Edit:
After I noticed the port forward was disabled (which is consistent with the empty dstnat chain in the dump above), I enabled it again and saw this when grepping:
root@Mochabin:~# nft list ruleset | grep 81
meta nfproto ipv4 tcp dport 81 counter packets 0 bytes 0 dnat ip to 172.23.0.2:81 comment "!fw4: @redirect[0]"
meta nfproto ipv4 udp dport 81 counter packets 0 bytes 0 dnat ip to 172.23.0.2:81 comment "!fw4: @redirect[0]"
Now the error is "connection refused" instead of a timeout. Both DNAT rules still show 0 packets, so if the counters do not increase when I retry, the packets are not reaching the redirect at all; this could be pbr or something else.
Another edit:
I got it working now! All I had to do, after enabling the port forward, was to add a pbr policy for 172.23.0.2/32 over wan (prerouting) and then reboot the MOCHAbin. I forgot that sometimes it is crucial to restart the router, because Docker can occasionally interfere with routing. Two caveats for anyone reproducing this: the redirect hard-codes the container address 172.23.0.2, so unless the container is given a fixed IP on its bridge network that address can change when the container is recreated and the forward will silently stop working; and if port 81 is the management interface (the zone is named nginx_mgmnt), exposing it directly to WAN makes the admin login reachable from the internet — consider restricting the redirect with src_ip to known addresses or putting it behind a VPN.