Question on correct port forward between Wan -> Lan and back

Problem

I'm pretty confused about what I'm missing on my port forwarding issue.

My goal is to have incoming requests from my wifi network to 192.168.1.62:8080 forward to the LAN address 172.27.153.1:80.

  • Router Lan IP: 172.27.153.10
  • Router Wan (wifi) IP: 192.168.1.62

Config Script

I have a couple of scripts which I've been using to prototype this, starting from a factory reset.

Configure the device IP & wait until it's ready

#!/bin/bash

# ASSUME ROUTER IS FACTORY RESET @ 192.168.1.1

ROUTER_IP=172.27.153.10


echo "  > Waiting on ROUTER @ 192.168.1.1"
until ping -c1 192.168.1.1 >/dev/null 2>&1; do sleep 1; done
echo "  > Router up"


EXIT_CODE=255

while [[ $EXIT_CODE -ne 0 ]]; do
sleep 5
ssh -o StrictHostKeyChecking=no root@192.168.1.1 ls
EXIT_CODE=$?
echo "  > Waiting for SSHD to start"
done

echo "  > SSH Is up and running..."

timeout 5s ssh -o StrictHostKeyChecking=no root@192.168.1.1 "
    echo uci set network.lan.ipaddr="$ROUTER_IP"
    uci set network.lan.ipaddr="$ROUTER_IP"
    uci commit network 
    /etc/init.d/network restart;
"

echo "  > Waiting on ROUTER @ $ROUTER_IP"
echo "until ping -c1 $ROUTER_IP >/dev/null 2>&1; do sleep 1; done"
until ping -c1 $ROUTER_IP >/dev/null 2>&1; do sleep 1; done
echo "  > Router up"

Modify device Name

#!/bin/bash

ROUTER_IP=172.27.153.10

ssh -o StrictHostKeyChecking=no root@$ROUTER_IP "
    echo setting name
    uci set system.@system[0].hostname='SolarMonitor'
    uci set system.@system[0].description='PV6 SunPower Monitor'
    uci set system.@system[0].timezone='America/Denver'
    uci commit system
    echo restarting
    /etc/init.d/system reload
"

Setup the WiFi Connection

#!/bin/bash

ROUTER_IP=172.27.153.10
# placeholders: quote them so the shell does not treat < and > as redirections
WIFI='<WIFI_SSID>'
WIFI_PASS='<WIFI_PASS>'
echo Updating /etc/config/firewall

ssh -o StrictHostKeyChecking=no root@$ROUTER_IP "
echo Updating /etc/config/firewall
uci del firewall.cfg02dc81.network
uci add_list firewall.cfg02dc81.network='lan'
uci del firewall.cfg03dc81.network
uci add_list firewall.cfg03dc81.network='wan'
uci add_list firewall.cfg03dc81.network='wan6'
uci add_list firewall.cfg03dc81.network='wwan'
echo Updating /etc/config/network
uci set network.wwan=interface
uci set network.wwan.proto='dhcp'
echo Updating /etc/config/wireless
uci del wireless.radio0.disabled
uci set wireless.wifinet2=wifi-iface
uci set wireless.wifinet2.device='radio0'
uci set wireless.wifinet2.mode='sta'
uci set wireless.wifinet2.network='wwan'
uci set wireless.wifinet2.ssid='$WIFI'
uci set wireless.wifinet2.encryption='psk2'
uci set wireless.wifinet2.key='$WIFI_PASS'
uci set wireless.default_radio0.disabled='1'
uci set wireless.radio0.cell_density='0'
echo Reloading Network
/etc/init.d/network reload
"

Configure the Firewall

(this is probably where the error is)

#!/bin/bash

ROUTER_IP=172.27.153.10
PVS_IP=172.27.153.1

ssh -o StrictHostKeyChecking=no root@$ROUTER_IP "

echo Opening Port 80
    uci add firewall redirect
    uci set firewall.@redirect[-1].target='DNAT'
    uci set firewall.@redirect[-1].name='GUI Access'
    uci set firewall.@redirect[-1].src='wan'
    uci set firewall.@redirect[-1].src_dport='80'
    uci set firewall.@redirect[-1].dest='lan'
    uci set firewall.@redirect[-1].dest_ip=$ROUTER_IP
    uci set firewall.@redirect[-1].dest_port='80'
    uci add_list firewall.@redirect[-1].proto='tcp'

echo Opening Port 22
    uci add firewall redirect
    uci set firewall.@redirect[-1].target='DNAT'
    uci set firewall.@redirect[-1].name='SSH Access'
    uci set firewall.@redirect[-1].src='wan'
    uci set firewall.@redirect[-1].src_dport='22'
    uci set firewall.@redirect[-1].dest='lan'
    uci set firewall.@redirect[-1].dest_ip=$ROUTER_IP
    uci set firewall.@redirect[-1].dest_port='22'
    uci add_list firewall.@redirect[-1].proto='tcp'

echo Opening 8080
    uci add firewall redirect
    uci set firewall.@redirect[-1].target='DNAT'
    uci set firewall.@redirect[-1].name='SunPower API'
    uci set firewall.@redirect[-1].src='wan'
    uci set firewall.@redirect[-1].src_dport='8080'
    uci set firewall.@redirect[-1].dest='lan'
    uci set firewall.@redirect[-1].dest_ip=$PVS_IP
    uci set firewall.@redirect[-1].dest_port='80'
    uci add_list firewall.@redirect[-1].proto='tcp'

echo Adding default route
    uci add firewall nat
    uci set firewall.@nat[-1].dest_port='8080'
    uci set firewall.@nat[-1].src='lan'
    uci set firewall.@nat[-1].name='test'
    uci set firewall.@nat[-1].target='SNAT'
    uci set firewall.@nat[-1].dest_ip=$PVS_IP
    uci set firewall.@nat[-1].snat_ip=$ROUTER_IP
    uci add_list firewall.@nat[-1].proto='tcp'

echo 'Save & Restart'
    uci commit firewall
    fw3 reload
"

Disable DHCP server on Ethernet Port

#!/bin/bash

ROUTER_IP=172.27.153.10

echo "Disabling DHCP Server"
ssh -o StrictHostKeyChecking=no root@$ROUTER_IP /etc/init.d/dnsmasq disable
ssh -o StrictHostKeyChecking=no root@$ROUTER_IP /etc/init.d/dnsmasq stop

In my initial testing I configured a computer with the IP 172.27.153.1 and ran a docker container to mock the API I was trying to connect to. I was able to hit curl http://192.168.1.62:8080/poll and it would pass through correctly. Once I got out of testing I found things weren't working as expected.

What does Work

  • SSH port forwarding: ssh -L 8080:172.27.153.1:80 root@192.168.1.62
  • curl from the router: ssh root@192.168.1.62 curl 172.27.153.1
  • SSH access to the router: ssh root@192.168.1.62
  • LuCI access from the web: curl http://192.168.1.62

What does Not work

  • My port forward: curl http://192.168.1.62:8080

What I've done so far

I installed tcpdump on the system and am struggling to understand what's going on:

curl http://192.168.1.62:8080

NOTE: sunpowerconsole.net maps to 172.27.153.1

root@SolarMonitor:~# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
20:07:02.659891 ARP, Request who-has sunpowerconsole.net tell 172.27.153.10, length 28
20:07:02.661317 ARP, Reply sunpowerconsole.net is-at e2:e9:b4:2a:f2:13 (oui Unknown), length 46
20:07:03.162402 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970748062 ecr 0,sackOK,eol], length 0
20:07:04.177553 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3970749062 ecr 0,sackOK,eol], length 0
20:07:05.191531 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3970750062 ecr 0,sackOK,eol], length 0
20:07:06.206191 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3970751063 ecr 0,sackOK,eol], length 0
20:07:07.217159 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970752063 ecr 0,sackOK,eol], length 0
20:07:08.227595 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970753063 ecr 0,sackOK,eol], length 0
20:07:10.262349 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970755063 ecr 0,sackOK,eol], length 0
20:07:14.318508 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970759063 ecr 0,sackOK,eol], length 0
20:07:22.376989 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970767063 ecr 0,sackOK,eol], length 0
20:07:38.520396 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970783063 ecr 0,sackOK,eol], length 0
20:07:43.619855 ARP, Request who-has sunpowerconsole.net tell 172.27.153.10, length 28
20:07:43.621323 ARP, Reply sunpowerconsole.net is-at e2:e9:b4:2a:f2:13 (oui Unknown), length 46

I see that the incoming requests are coming from 192.168.1.76, whereas when I hit it from the router itself (where it works):

20:08:23.233958 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [S], seq 386560607, win 64240, options [mss 1460,sackOK,TS val 722566016 ecr 0,nop,wscale 3], length 0
20:08:23.234738 IP 172.27.153.10.45090 > sunpowerconsole.net.53: 48178+ PTR? 10.153.27.172.in-addr.arpa. (44)
20:08:23.236024 IP sunpowerconsole.net.80 > 172.27.153.10.60268: Flags [S.], seq 2536045490, ack 386560608, win 28960, options [mss 1460,sackOK,TS val 4359233 ecr 722566016,nop,wscale 7], length 0
20:08:23.236248 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [.], ack 1, win 8030, options [nop,nop,TS val 722566019 ecr 4359233], length 0
20:08:23.237286 IP sunpowerconsole.net.53 > 172.27.153.10.45090: 48178 NXDomain* 0/0/0 (44)
20:08:23.238728 IP 172.27.153.10.42176 > sunpowerconsole.net.53: 43182+ PTR? 1.153.27.172.in-addr.arpa. (43)
20:08:23.241044 IP sunpowerconsole.net.53 > 172.27.153.10.42176: 43182* 1/0/0 PTR sunpowerconsole.net. (76)
20:08:23.246200 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [P.], seq 1:77, ack 1, win 8030, options [nop,nop,TS val 722566029 ecr 4359233], length 76: HTTP: GET / HTTP/1.1
20:08:23.247707 IP sunpowerconsole.net.80 > 172.27.153.10.60268: Flags [.], ack 77, win 227, options [nop,nop,TS val 4359235 ecr 722566029], length 0
20:08:23.248921 IP sunpowerconsole.net.80 > 172.27.153.10.60268: Flags [.], seq 1:1449, ack 77, win 227, options [nop,nop,TS val 4359235 ecr 722566029], length 1448: HTTP: HTTP/1.1 200 OK
20:08:23.249050 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [.], ack 1449, win 8011, options [nop,nop,TS val 722566032 ecr 4359235], length 0
20:08:23.250209 IP sunpowerconsole.net.80 > 172.27.153.10.60268: Flags [P.], seq 1449:4212, ack 77, win 227, options [nop,nop,TS val 4359235 ecr 722566029], length 2763: HTTP
20:08:23.250344 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [.], ack 4212, win 7826, options [nop,nop,TS val 722566033 ecr 4359235], length 0
20:08:23.252763 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [F.], seq 77, ack 4212, win 8011, options [nop,nop,TS val 722566035 ecr 4359235], length 0
20:08:23.254487 IP sunpowerconsole.net.80 > 172.27.153.10.60268: Flags [F.], seq 4212, ack 78, win 227, options [nop,nop,TS val 4359235 ecr 722566035], length 0
20:08:23.254684 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [.], ack 4213, win 8011, options [nop,nop,TS val 722566037 ecr 4359235], length 0

So in this case I see the request is coming from 172.27.153.10, which I'm assuming is perhaps the problem. I "thought" I had a NAT rule to help fix this, but it's very clear I'm not really sure what I'm doing. I'm hoping there is a clear and easy fix for this.

Thanks!!

CONFIG FILES

I've been messing around in the GUI, so these may not fully match the install scripts.

/etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'SunPower API'
	option src 'wan'
	option src_dport '8080'
	option dest 'lan'
	option dest_ip '172.27.153.1'
	option dest_port '80'
	list proto 'tcp'

config redirect
	option target 'DNAT'
	option name 'GUI Access'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '172.27.153.10'
	option dest_port '80'
	list proto 'tcp'

config redirect
	option target 'DNAT'
	option name 'SSH Access'
	option src 'wan'
	option src_dport '22'
	option dest 'lan'
	option dest_ip '172.27.153.10'
	option dest_port '22'
	list proto 'tcp'

config nat
	option dest_port '8080'
	option name 'test'
	option target 'SNAT'
	option snat_ip '172.27.153.10'
	list proto 'tcp'
	option src_port '8080'
	option src '*'
	option snat_port '80'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'xxxxxxxx'
	option encryption 'psk2'
	option key 'xxxxxxxx'

Additional Info

iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

# Generated by iptables-save v1.8.7 on Tue Jan 18 20:15:41 2022
*nat
:PREROUTING ACCEPT [10227:3693863]
:INPUT ACCEPT [1211:214770]
:OUTPUT ACCEPT [172:13050]
:POSTROUTING ACCEPT [11:817]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[10266:3696563] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[0:0] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[10266:3696563] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
[174:13178] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -p tcp -m tcp --sport 8080 --dport 8080 -m comment --comment "!fw3: test" -j SNAT --to-source 172.27.153.10:80
[13:937] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[161:12241] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
[13:937] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[2:120] -A zone_lan_postrouting -s 172.27.153.0/24 -d 172.27.153.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: SunPower API (reflection)" -j SNAT --to-source 172.27.153.10
[0:0] -A zone_lan_postrouting -s 172.27.153.0/24 -d 172.27.153.10/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: GUI Access (reflection)" -j SNAT --to-source 172.27.153.10
[0:0] -A zone_lan_postrouting -s 172.27.153.0/24 -d 172.27.153.10/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH Access (reflection)" -j SNAT --to-source 172.27.153.10
[0:0] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 172.27.153.0/24 -d 192.168.1.62/32 -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: SunPower API (reflection)" -j DNAT --to-destination 172.27.153.1:80
[0:0] -A zone_lan_prerouting -s 172.27.153.0/24 -d 192.168.1.62/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: GUI Access (reflection)" -j DNAT --to-destination 172.27.153.10:80
[0:0] -A zone_lan_prerouting -s 172.27.153.0/24 -d 192.168.1.62/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH Access (reflection)" -j DNAT --to-destination 172.27.153.10:22
[161:12241] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[161:12241] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[10266:3696563] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[2:128] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: SunPower API" -j DNAT --to-destination 172.27.153.1:80
[30:1920] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: GUI Access" -j DNAT --to-destination 172.27.153.10:80
[7:652] -A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH Access" -j DNAT --to-destination 172.27.153.10:22
COMMIT
# Completed on Tue Jan 18 20:15:41 2022
# Generated by iptables-save v1.8.7 on Tue Jan 18 20:15:41 2022
*mangle
:PREROUTING ACCEPT [12228:4107036]
:INPUT ACCEPT [3153:623995]
:FORWARD ACCEPT [22:1376]
:OUTPUT ACCEPT [957:408684]
:POSTROUTING ACCEPT [979:410060]
[0:0] -A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[22:1376] -A FORWARD -i wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Jan 18 20:15:41 2022
# Generated by iptables-save v1.8.7 on Tue Jan 18 20:15:41 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[3153:623995] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1118:103241] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[37:2368] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[2035:520754] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
[22:1376] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[22:1376] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[957:408684] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[785:395634] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[11:809] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[161:12241] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[37:2368] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[11:809] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[11:809] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[11:809] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[161:12241] -A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
[22:1376] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[22:1376] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[2035:520754] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[74:24272] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[37:2572] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1924:493910] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[161:12241] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[161:12241] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1924:493910] -A zone_wan_src_ACCEPT -i wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Tue Jan 18 20:15:41 2022
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 172.27.153.10/24 brd 172.27.153.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.62/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wlan0  src 192.168.1.62 
172.27.153.0/24 dev br-lan scope link  src 172.27.153.10 
192.168.1.0/24 dev wlan0 scope link  src 192.168.1.62 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 172.27.153.0 dev br-lan table local scope link  src 172.27.153.10 
local 172.27.153.10 dev br-lan table local scope host  src 172.27.153.10 
broadcast 172.27.153.255 dev br-lan table local scope link  src 172.27.153.10 
broadcast 192.168.1.0 dev wlan0 table local scope link  src 192.168.1.62 
local 192.168.1.62 dev wlan0 table local scope host  src 192.168.1.62 
broadcast 192.168.1.255 dev wlan0 table local scope link  src 192.168.1.62 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default
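As an added example, not code from the original post: a POSIX sh script with three helpers that walk the diagnosis the post is circling around, reading the SYN-retransmit pattern out of tcpdump text, flagging nat rules whose `iptables-save -c` counters are still [0:0] (as the 'test' SNAT rule above is), and emitting uci commands for a fw3 `nat` section keyed on the destination as it looks after DNAT. The sample inputs are constructed, shortened copies of the captures on the page; the `snat-...` section name and the choice of `lan` as the SNAT zone are this example's assumptions, and the point that the SNAT match must use the translated destination follows from iptables running DNAT in PREROUTING before SNAT in POSTROUTING.

```shell
#!/bin/sh
# Added example (not from the original post). Three helpers for the situation
# on the page: an inbound port forward whose DNAT rule fires but whose return
# traffic never comes back.
#   unanswered_syns      - from tcpdump text, list TCP flows that sent SYNs and
#                          never got a SYN-ACK (the symptom in the capture).
#   zero_hit_nat_rules   - from `iptables-save -c` text, list nat-table rules
#                          whose counters are still [0:0] (loaded, never matched).
#   snat_after_dnat_cmds - emit uci commands for a SNAT rule keyed on the
#                          *translated* destination: DNAT runs in PREROUTING, so
#                          by the time SNAT runs in POSTROUTING the packet is
#                          already addressed to 172.27.153.1:80, not port 8080.

# Flows that sent SYN but never saw a SYN-ACK. Reads tcpdump output on stdin.
unanswered_syns() {
  awk '
    $2 == "IP" && $6 == "Flags" {
      dst = $5; sub(/:$/, "", dst)                 # strip trailing colon
      if ($7 == "[S],")  syn[$3 " > " dst]++       # client -> server SYN
      if ($7 == "[S.],") ack[dst " > " $3]++       # server -> client SYN-ACK
    }
    END { for (f in syn) if (!(f in ack)) print syn[f] " SYN(s) unanswered: " f }
  '
}

# nat-table rules with zero hits. Reads iptables-save -c output on stdin.
zero_hit_nat_rules() {
  awk '
    /^\*/     { table = substr($0, 2) }            # "*nat", "*filter", ...
    /^COMMIT/ { table = "" }
    table == "nat" && /^\[0:0\] -A / && /-j (SNAT|DNAT|MASQUERADE)/ { print }
  '
}

# uci commands for a fw3 nat section: SNAT connections leaving through zone $1
# towards $2:$3, rewriting the source to $4 (the router address in that zone).
# The "snat-..." name is a constructed label, not one used on the page.
snat_after_dnat_cmds() {
  zone=$1; dip=$2; dport=$3; sip=$4
  cat <<EOF
uci add firewall nat
uci set firewall.@nat[-1].name='snat-$dip-$dport'
uci set firewall.@nat[-1].src='$zone'
uci set firewall.@nat[-1].dest_ip='$dip'
uci set firewall.@nat[-1].dest_port='$dport'
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].snat_ip='$sip'
uci add_list firewall.@nat[-1].proto='tcp'
uci commit firewall
EOF
}

# Constructed samples: shortened copies of the captures shown on the page.
SAMPLE_TCPDUMP='20:07:03.162402 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, length 0
20:07:04.177553 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, length 0
20:08:23.233958 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [S], seq 386560607, win 64240, length 0
20:08:23.234738 IP 172.27.153.10.45090 > sunpowerconsole.net.53: 48178+ PTR? 10.153.27.172.in-addr.arpa. (44)
20:08:23.236024 IP sunpowerconsole.net.80 > 172.27.153.10.60268: Flags [S.], seq 2536045490, ack 386560608, length 0'

SAMPLE_IPTABLES='*nat
[0:0] -A POSTROUTING -p tcp -m tcp --sport 8080 --dport 8080 -m comment --comment "!fw3: test" -j SNAT --to-source 172.27.153.10:80
[2:128] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: SunPower API" -j DNAT --to-destination 172.27.153.1:80
[161:12241] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT
*filter
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_TCPDUMP" | unanswered_syns
printf '%s\n' "$SAMPLE_IPTABLES" | zero_hit_nat_rules
snat_after_dnat_cmds lan 172.27.153.1 80 172.27.153.10
```

Source-NATing forwarded connections to the router's LAN address means the device at 172.27.153.1 only ever sees 172.27.153.10 as the client, so its own access logs no longer identify which host on the wifi side made the request.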