Hello everyone.
This is my first experience with OpenWrt, but I have intermediate *nix skills and Google-fu.
I just cannot figure out why I cannot get this damn router to port forward.
Here are the details:
Linksys EA8300 router running OpenWrt 19.07.4 r11208-ce6496d796
I'm trying to forward port 8080.
My first set of checks:
1.) Is the web server running and can I access from inside the lan? yes.
The server is running Ubuntu 20.04, nginx, and firewall is disabled.
2.) Is the router even getting packets from the internet? tcpdump on the router says yes.
3.) Is the server getting these packets from the router? tcpdump on the server says no.
tcpdump from the router:
What is interesting: the packet dump shows the forwarded packets with the destination IP of the server (192.168.2.57),
but they never get there!
$ tcpdump -n -i any port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
17:15:23.169591 IP 9999.xxxx.yyyy.zzzz.48665 > 9999.ffff.gggg.hhhh.8080: Flags [S], seq 601415774, win 65535, length 0
17:15:23.169740 IP 9999.xxxx.yyyy.zzzz.48665 > 192.168.2.57.8080: Flags [S], seq 601415774, win 65535, options [mss 536], length 0
17:15:23.169761 IP 9999.xxxx.yyyy.zzzz.48665 > 192.168.2.57.8080: Flags [S], seq 601415774, win 65535, options [mss 536], length 0
17:15:23.169776 ethertype IPv4, IP 9999.xxxx.yyyy.zzzz.48665 > 192.168.2.57.8080: Flags [S], seq 601415774, win 65535, options [mss 536], length 0
17:15:32.061870 IP 1111.aaaa.bbbb.cccc.25323 > 9999.ffff.gggg.hhhh.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028787069 ecr 0], length 0
17:15:32.062044 IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028787069 ecr 0], length 0
17:15:32.062064 IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028787069 ecr 0], length 0
17:15:32.062076 ethertype IPv4, IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028787069 ecr 0], length 0
17:15:33.063902 IP 1111.aaaa.bbbb.cccc.25323 > 9999.ffff.gggg.hhhh.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028788069 ecr 0], length 0
17:15:33.064030 IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028788069 ecr 0], length 0
17:15:33.064049 IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028788069 ecr 0], length 0
17:15:33.064060 ethertype IPv4, IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028788069 ecr 0], length 0
17:15:35.133753 IP 1111.aaaa.bbbb.cccc.25700 > 9999.ffff.gggg.hhhh.8080: Flags [SEW], seq 1436001225, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 2341660145 ecr 0], length 0
17:15:35.133924 IP 1111.aaaa.bbbb.cccc.25700 > 192.168.2.57.8080: Flags [SEW], seq 1436001225, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 2341660145 ecr 0], length 0
17:15:35.133945 IP 1111.aaaa.bbbb.cccc.25700 > 192.168.2.57.8080: Flags [SEW], seq 1436001225, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 2341660145 ecr 0], length 0
<omitting the rest of the packets for brevity>
^C
48 packets captured
48 packets received by filter
0 packets dropped by kernel
My config:
/etc/config/firewall:
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option mtu_fix '1'
	option output 'ACCEPT'
	option masq '1'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option src 'wan'
	option name 'http'
	option target 'DNAT'
	option dest 'lan'
	option dest_port '8080'
	option dest_ip '192.168.2.57'
	option reflection '0'
	option src_dport '8080'
	list proto 'tcp'

config forwarding
	option dest 'lan'
	option src 'wan'

config forwarding
	option dest 'wan'
	option src 'lan'
iptables:
$ iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N postrouting_lan_rule
-N postrouting_rule
-N postrouting_wan_rule
-N prerouting_lan_rule
-N prerouting_rule
-N prerouting_wan_rule
-N zone_lan_postrouting
-N zone_lan_prerouting
-N zone_wan_postrouting
-N zone_wan_prerouting
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: http" -j DNAT --to-destination 192.168.2.57:8080
# Generated by iptables-save v1.8.3 on Sat Sep 4 10:51:33 2021
*nat
:PREROUTING ACCEPT [646:180093]
:INPUT ACCEPT [134:11162]
:OUTPUT ACCEPT [163:10447]
:POSTROUTING ACCEPT [19:1129]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[648:180173] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[605:177438] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[43:2735] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[459:121235] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2:88] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[440:120106] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[2:88] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[605:177438] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[440:120106] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[440:120106] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[43:2735] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[2:80] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: http" -j DNAT --to-destination 192.168.2.57:8080
COMMIT
# Completed on Sat Sep 4 10:51:33 2021
# Generated by iptables-save v1.8.3 on Sat Sep 4 10:51:33 2021
*mangle
:PREROUTING ACCEPT [11354:2665784]
:INPUT ACCEPT [1643:168658]
:FORWARD ACCEPT [9494:2438996]
:OUTPUT ACCEPT [1221:285770]
:POSTROUTING ACCEPT [10715:2724766]
[771:40156] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[105:5444] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Sep 4 10:51:33 2021
# Generated by iptables-save v1.8.3 on Sat Sep 4 10:51:33 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[208:18528] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1435:150130] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[878:92801] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[38:1568] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[490:52976] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[67:4353] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[9494:2438996] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[8558:2283673] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[934:155235] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[2:88] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[208:18528] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1013:267242] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[861:257462] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[152:9780] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[61:2476] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[1:57] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[38:1568] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[2:88] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[934:155235] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[934:155235] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[490:52976] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[490:52976] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[490:52976] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1086:165015] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[2:88] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[2:88] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[67:4353] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[5:1820] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[62:2533] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[152:9780] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[152:9780] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[62:2533] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Sep 4 10:51:33 2021
Interface info for reference:
$ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
inet wwww.xxxx.yyyy.zzzz/23 brd wwww.xxxx.yyyy.zzzz scope global eth1
valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
valid_lft forever preferred_lft forever
$ ip -4 ro li tab all
default via wwww.xxxx.yyyy.zzzz dev eth1 src wwww.xxxx.yyyy.zzzz
wwww.xxxx.yyyy.zzzz/23 dev eth1 scope link src wwww.xxxx.yyyy.zzzz
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
broadcast wwww.xxxx.yyyy.zzzz dev eth1 table local scope link src wwww.xxxx.yyyy.zzzz
local wwww.xxxx.yyyy.zzzz dev eth1 table local scope host src wwww.xxxx.yyyy.zzzz
broadcast wwww.xxxx.yyyy.zzzz dev eth1 table local scope link src wwww.xxxx.yyyy.zzzz
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.2.0 dev br-lan table local scope link src 192.168.2.1
local 192.168.2.1 dev br-lan table local scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link src 192.168.2.1
$ ip -4 ru
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Thank you in advance for any help!
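An added example, not part of the post above and not OpenWrt's own tooling: a small shell script that reads the packet counters from `iptables-save -c` and reports at which fw3 stage a DNAT port forward stops. It follows the path the post's ruleset shows (the DNAT rule in `zone_wan_prerouting`, the "Zone wan to lan forwarding policy" and "Accept port forwards" rules in `zone_wan_forward`, the `zone_lan_dest_ACCEPT -o br-lan` accept, and the catch-all `-j reject` in FORWARD). The chain names, rule comments and the `br-lan` bridge name are taken from the post; the three verdict strings and the sample rulesets are this example's own assumptions. The first sample copies the counters posted above (DNAT [2:80], policy accept [2:88], out br-lan [2:88], FORWARD reject [0:0]), for which the script answers "past-firewall": by the router's own counters the translated SYNs were accepted and handed to br-lan, so the remaining checks are below the firewall (neighbour entry for the target, bridge/VLAN membership, and the capture filter on the host). The second sample is a constructed failure where the redirect was written for udp, so nothing is translated at all.

```shell
#!/bin/sh
# Added example, not part of the post: follow a DNAT port forward through the
# fw3 chains in `iptables-save -c` output and report where the packets stop.
# Assumptions: the OpenWrt 19.07 fw3 chain names and rule comments shown in
# the post (zone_wan_prerouting, zone_wan_forward, zone_lan_dest_ACCEPT, the
# final "-j reject" in FORWARD) and a LAN bridge named br-lan. The verdict
# strings are this script's own. On the router:
#   iptables-save -c > /tmp/rules.txt; trace_forward 192.168.2.57:8080 /tmp/rules.txt

# Packet count of the first rule in file $2 whose text contains the fixed
# string $1. Counted rule lines look like:  [pkts:bytes] -A CHAIN ... -j TARGET
counter() {
    awk -v pat="$1" '
        index($0, pat) > 0 { sub(/^\[/, "", $1); split($1, c, ":"); print c[1]; exit }
    ' "$2"
}

# Walk the path a forwarded packet takes: PREROUTING DNAT -> FORWARD
# (wan->lan policy or the ctstate DNAT "Accept port forwards" rule) ->
# zone_lan_dest_ACCEPT -o br-lan, with the FORWARD reject as the catch-all.
trace_forward() {
    target=$1
    rules=$2
    dnat=$(counter "-j DNAT --to-destination $target" "$rules")
    pol=$(counter "Zone wan to lan forwarding policy" "$rules")
    pf=$(counter "-A zone_wan_forward -m conntrack --ctstate DNAT" "$rules")
    out=$(counter "-A zone_lan_dest_ACCEPT -o br-lan" "$rules")
    rej=$(counter '-A FORWARD -m comment --comment "!fw3" -j reject' "$rules")
    fwd=$(( ${pol:-0} + ${pf:-0} ))
    echo "dnat=${dnat:-0} wan_to_lan_accept=$fwd out_br_lan=${out:-0} forward_reject=${rej:-0}" >&2
    if [ "${dnat:-0}" -eq 0 ]; then
        # Redirect never matched: wrong proto/src_dport, or the packets never
        # reach the wan interface (check tcpdump -i eth1 and the upstream CPE).
        echo "no-dnat"
    elif [ "${out:-0}" -eq 0 ]; then
        # Translated but never accepted towards br-lan: FORWARD dropped it.
        echo "blocked-in-forward"
    else
        # Accepted and handed to br-lan: the firewall is not the blocker; look
        # at the neighbour entry for the target, bridge/VLAN membership, and
        # the capture filter on the host.
        echo "past-firewall"
    fi
}

# Constructed sample 1: the counted rules relevant to the forward, copied
# from the post (DNAT hit twice, accepted out br-lan twice, reject 0).
SAMPLE_POST=$(mktemp)
cat > "$SAMPLE_POST" <<'EOF'
[2:80] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: http" -j DNAT --to-destination 192.168.2.57:8080
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[2:88] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[2:88] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
EOF

# Constructed sample 2: the same redirect written for udp instead of tcp, so
# the incoming TCP SYNs never match and nothing is translated.
SAMPLE_NO_DNAT=$(mktemp)
cat > "$SAMPLE_NO_DNAT" <<'EOF'
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8080 -m comment --comment "!fw3: http" -j DNAT --to-destination 192.168.2.57:8080
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
EOF
trap 'rm -f "$SAMPLE_POST" "$SAMPLE_NO_DNAT"' EXIT

trace_forward 192.168.2.57:8080 "$SAMPLE_POST"      # past-firewall
trace_forward 192.168.2.57:8080 "$SAMPLE_NO_DNAT"   # no-dnat
```

Counters are cumulative, so on a live router zero them first with `iptables -Z` (and `iptables -t nat -Z`), send one connection attempt from outside, and then take the `iptables-save -c` snapshot; otherwise old hits from earlier tests mask the current state.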