[SOLVED] OpenWrt without IPTables not accepting connections

I want to set up OpenWrt as a server for a single service in a "just works" manner for an OrangePi Zero board.
I built the image using imagebuilder:
make image PROFILE=xunlong_orangepi-zero PACKAGES="-fstools -logd -partx-utils -mkf2fs -e2fsprogs -dnsmasq -firewall -ip6tables -iptables -odhcp6c -odhcpd-ipv6only -ppp -ppp-mod-pppoe"

After that I logged in through the serial console and set the lan interface to DHCP client:

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0'
        option proto 'dhcp'

As a result, my board has a connection to the network and it can ping external google.com, but I cannot connect from the LAN to my board by IP: no pings and no telnet to port 22 are accepted.

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 :::ssh                  :::*                    LISTEN

Please help me with where to start.

ip address show; ip route show table all; ip rule show; \
iptables-save; nft list ruleset
1 Like

Please look carefully: I want to run this board without iptables.
172.19.21.0/24 is my home network


root@OpenWrt:/# ip address show;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 02:42:f3:25:50:e7 brd ff:ff:ff:ff:ff:ff
    inet 172.19.21.120/24 brd 172.19.21.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:f3ff:fe25:50e7/64 scope link
       valid_lft forever preferred_lft forever

root@OpenWrt:/# ip route show table all;
default via 172.19.21.1 dev eth0  src 172.19.21.120
172.19.21.0/24 dev eth0 scope link  src 172.19.21.120
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 172.19.21.0 dev eth0 table local scope link  src 172.19.21.120
local 172.19.21.120 dev eth0 table local scope host  src 172.19.21.120
broadcast 172.19.21.255 dev eth0 table local scope link  src 172.19.21.120
fe80::/64 dev eth0  metric 256
local ::1 dev lo table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
local fe80::42:f3ff:fe25:50e7 dev eth0 table local  metric 0
multicast ff00::/8 dev eth0 table local  metric 256

root@OpenWrt:/# ip rule show;
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:/#  ^C
root@OpenWrt:/#

We need to verify that iptables and nftables are actually disabled.

1 Like
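
One way to run the check suggested above on an image that ships neither iptables nor nft, added here as an example that is not part of the thread: it reads /proc/modules and /proc/net/ip_tables_names instead of calling the userspace tools. The function names and the sample module lines are constructed for illustration; filter code compiled into the kernel does not appear in /proc/modules.

```shell
#!/bin/sh
# Added example (not from the thread): report whether iptables/nftables
# kernel support is loaded, without needing the iptables or nft binaries.

# Print loaded packet-filter modules, one per line; status 0 if any, 1 if none.
# $1: module list in /proc/modules format (module name is the first field).
netfilter_modules() {
    awk '$1 ~ /^(ip_tables|ip6_tables|x_tables|nf_tables|iptable_|ip6table_|nft_)/ {
             print $1; found = 1 }
         END { exit found ? 0 : 1 }' "${1:-/proc/modules}"
}

# Print registered iptables tables (filter, nat, ...); status 1 if none.
# $1: file in /proc/net/ip_tables_names format (one table name per line).
# The content is read rather than tested with -s, because /proc files report size 0.
iptables_tables() {
    f="${1:-/proc/net/ip_tables_names}"
    [ -r "$f" ] || return 1
    out=$(cat "$f")
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# One-line verdict combining both checks.
packet_filter_status() {
    mods=$(netfilter_modules "$1" 2>/dev/null) || mods=""
    tabs=$(iptables_tables "$2" 2>/dev/null) || tabs=""
    if [ -z "$mods" ] && [ -z "$tabs" ]; then
        echo "disabled"
    else
        # Unquoted echo joins the one-per-line names with spaces.
        echo "present: modules=[$(echo $mods)] tables=[$(echo $tabs)]"
    fi
}

# Constructed sample input, not captured from the board in the thread.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'nf_tables 180224 0 - Live 0x0000000000000000' \
                  'usbcore 200704 2 - Live 0x0000000000000000' > "$d/modules"
    : > "$d/tables"
    packet_filter_status "$d/modules" "$d/tables"
    rm -rf "$d"
}

demo
```

On the board itself, calling `packet_filter_status` with no arguments reads the live /proc files; it needs root, since /proc/net/ip_tables_names is not world-readable.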

Mistyped IP address when trying to connect from another PC. Everything works OK.
Sorry again