Hello everybody,
I've now added a firewall zone called 'vpn' with no interface assigned and with the settings (input: reject, forward: accept, output: accept).
Now the output of my commands shows the chains for the mentioned vpn zone:
root@OpenWrt:~# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
128 9952 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 ID:66773300
132 22100 input_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for input */
99 17778 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate RELATED,ESTABLISHED
2 92 syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 tcp flags:0x17/0x02
23 1938 zone_lan_input all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ID:66773300
10 2384 zone_wan_input all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 ID:66773300
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0.2 * 192.168.20.0/24 192.168.40.0/24 policy match dir in pol ipsec reqid 2 proto 50
99 5940 ACCEPT all -- * eth0.2 192.168.40.0/24 192.168.20.0/24 policy match dir out pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- eth0.2 * 192.168.10.0/24 192.168.40.0/24 policy match dir in pol ipsec reqid 1 proto 50
101 6032 ACCEPT all -- * eth0.2 192.168.40.0/24 192.168.10.0/24 policy match dir out pol ipsec reqid 1 proto 50
603 197K forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for forwarding */
587 196K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate RELATED,ESTABLISHED
16 900 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ID:66773300
0 0 zone_wan_forward all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
128 9952 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 ID:66773300
118 31663 output_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for output */
94 29715 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate RELATED,ESTABLISHED
1 328 zone_lan_output all -- * br-lan 0.0.0.0/0 0.0.0.0/0 ID:66773300
23 1620 zone_wan_output all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain adb-fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-fwd */ reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-fwd */ reject-with icmp-host-unreachable
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-fwd */
Chain adb-out (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-out */ reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-out */ reject-with icmp-host-unreachable
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-out */
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
0 0 adb-fwd all -- * * 0.0.0.0/0 198.18.0.1 /* adb-fwd */
Chain forwarding_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
0 0 adb-out all -- * * 0.0.0.0/0 198.18.0.1 /* adb-out */
Chain output_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (3 references)
pkts bytes target prot opt in out source destination
5 831 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 reject-with tcp-reset
1 135 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
2 92 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_lan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
1 328 ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
16 900 forwarding_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for forwarding */
16 900 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* forwarding lan -> wan */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port forwards */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
23 1938 input_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for input */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port redirections */
23 1938 zone_lan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_lan_output (1 references)
pkts bytes target prot opt in out source destination
1 328 output_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for output */
1 328 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
23 1938 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_vpn_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
Chain zone_vpn_forward (0 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for forwarding */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port forwards */
0 0 zone_vpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_vpn_input (0 references)
pkts bytes target prot opt in out source destination
0 0 input_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for input */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port redirections */
0 0 zone_vpn_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_vpn_output (0 references)
pkts bytes target prot opt in out source destination
0 0 output_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for output */
0 0 zone_vpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_vpn_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
Chain zone_wan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
39 2520 ACCEPT all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for forwarding */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port forwards */
0 0 zone_wan_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_input (1 references)
pkts bytes target prot opt in out source destination
10 2384 input_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for input */
4 1418 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 udp dpt:68 /* Allow-DHCP-Renew */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 icmptype 8 /* Allow-Ping */
0 0 ACCEPT 2 -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* Allow-IGMP */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 policy match dir in pol ipsec proto 51 /* IPSEC AH */
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* IPsec ESP */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 udp dpt:500 /* IPsec ISAKMP */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 udp dpt:4500 /* IPsec NAT-T */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port redirections */
6 966 zone_wan_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_output (1 references)
pkts bytes target prot opt in out source destination
23 1620 output_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for output */
23 1620 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
6 966 reject all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 ID:66773300
root@OpenWrt:~#
And
root@OpenWrt:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 48 packets, 3774 bytes)
pkts bytes target prot opt in out source destination
62 4679 prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for prerouting */
40 2436 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ID:66773300
8 1338 zone_wan_prerouting all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain INPUT (policy ACCEPT 17 packets, 1613 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 161 packets, 11628 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 124 packets, 8908 bytes)
pkts bytes target prot opt in out source destination
188 13028 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for postrouting */
1 328 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 ID:66773300
64 4120 zone_wan_postrouting all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain adb-dns (1 references)
pkts bytes target prot opt in out source destination
61 3878 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-dns */ udp dpt:53 to:192.168.40.1:53
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-dns */ tcp dpt:53 to:192.168.40.1:53
219 22973 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-dns */
Chain adb-nat (1 references)
pkts bytes target prot opt in out source destination
24 1248 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-nat */ tcp dpt:80 to:192.168.40.1:65534
4 208 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-nat */ tcp dpt:443 to:192.168.40.1:65535
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-nat */
Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
280 26851 adb-dns all -- br-lan+ * 0.0.0.0/0 0.0.0.0/0 /* adb-dns */
28 1456 adb-nat all -- * * 0.0.0.0/0 198.18.0.1 /* adb-nat */
Chain prerouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
1 328 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for postrouting */
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
40 2436 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for prerouting */
Chain zone_vpn_postrouting (0 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for postrouting */
Chain zone_vpn_prerouting (0 references)
pkts bytes target prot opt in out source destination
0 0 prerouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for prerouting */
Chain zone_wan_postrouting (1 references)
pkts bytes target prot opt in out source destination
64 4120 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for postrouting */
64 4120 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_prerouting (1 references)
pkts bytes target prot opt in out source destination
8 1338 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for prerouting */
root@OpenWrt:~#
Again, no ping is possible, although the tunnel is established.
When I now run the IPsec firewall script, the output of iptables is:
root@OpenWrt:~# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
415 48864 zone_vpn_input all -- * * 0.0.0.0/0 0.0.0.0/0
405 41424 zone_vpn_gateway all -- * * 0.0.0.0/0 0.0.0.0/0
461 37312 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 ID:66773300
14749 21M input_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for input */
14485 21M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate RELATED,ESTABLISHED
4 192 syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 tcp flags:0x17/0x02
247 17110 zone_lan_input all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ID:66773300
17 4377 zone_wan_input all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 ID:66773300
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2954 1542K zone_vpn_forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0.2 * 192.168.20.0/24 192.168.40.0/24 policy match dir in pol ipsec reqid 2 proto 50
72 4320 ACCEPT all -- * eth0.2 192.168.40.0/24 192.168.20.0/24 policy match dir out pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- eth0.2 * 192.168.20.0/24 192.168.40.0/24 policy match dir in pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- * eth0.2 192.168.40.0/24 192.168.20.0/24 policy match dir out pol ipsec reqid 2 proto 50
0 0 ACCEPT all -- eth0.2 * 192.168.10.0/24 192.168.40.0/24 policy match dir in pol ipsec reqid 1 proto 50
72 4320 ACCEPT all -- * eth0.2 192.168.40.0/24 192.168.10.0/24 policy match dir out pol ipsec reqid 1 proto 50
11895 6312K forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for forwarding */
11593 6295K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate RELATED,ESTABLISHED
302 16788 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ID:66773300
0 0 zone_wan_forward all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
461 37312 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 ID:66773300
6725 427K output_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for output */
6531 413K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate RELATED,ESTABLISHED
3 984 zone_lan_output all -- * br-lan 0.0.0.0/0 0.0.0.0/0 ID:66773300
191 12749 zone_wan_output all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain adb-fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-fwd */ reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-fwd */ reject-with icmp-host-unreachable
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-fwd */
Chain adb-out (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-out */ reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-out */ reject-with icmp-host-unreachable
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-out */
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
0 0 adb-fwd all -- * * 0.0.0.0/0 198.18.0.1 /* adb-fwd */
Chain forwarding_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
0 0 adb-out all -- * * 0.0.0.0/0 198.18.0.1 /* adb-out */
Chain output_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (3 references)
pkts bytes target prot opt in out source destination
7 467 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
4 192 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_lan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
3 984 ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
67 3484 forwarding_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for forwarding */
67 3484 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* forwarding lan -> wan */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port forwards */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
247 17110 input_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for input */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port redirections */
247 17110 zone_lan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_lan_output (1 references)
pkts bytes target prot opt in out source destination
3 984 output_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for output */
3 984 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
247 17110 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_vpn_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
Chain zone_vpn_forward (1 references)
pkts bytes target prot opt in out source destination
2954 1542K forwarding_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for forwarding */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port forwards */
2954 1542K zone_vpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_vpn_gateway (1 references)
pkts bytes target prot opt in out source destination
Chain zone_vpn_input (1 references)
pkts bytes target prot opt in out source destination
415 48864 input_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for input */
24 8124 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port redirections */
391 40740 zone_vpn_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_vpn_output (0 references)
pkts bytes target prot opt in out source destination
0 0 output_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for output */
0 0 zone_vpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_vpn_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
Chain zone_wan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
493 29537 ACCEPT all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for forwarding */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port forwards */
0 0 zone_wan_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_input (1 references)
pkts bytes target prot opt in out source destination
17 4377 input_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for input */
9 3217 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 udp dpt:68 /* Allow-DHCP-Renew */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 icmptype 8 /* Allow-Ping */
0 0 ACCEPT 2 -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* Allow-IGMP */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 policy match dir in pol ipsec proto 51 /* IPSEC AH */
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* IPsec ESP */
1 693 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 udp dpt:500 /* IPsec ISAKMP */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 udp dpt:4500 /* IPsec NAT-T */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 ctstate DNAT /* Accept port redirections */
7 467 zone_wan_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_output (1 references)
pkts bytes target prot opt in out source destination
191 12749 output_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for output */
191 12749 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
7 467 reject all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 ID:66773300
root@OpenWrt:~#
and
root@OpenWrt:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 239 packets, 13358 bytes)
pkts bytes target prot opt in out source destination
1140 75175 prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for prerouting */
239 13358 zone_vpn_prerouting all -- * * 0.0.0.0/0 0.0.0.0/0
515 36716 zone_lan_prerouting all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ID:66773300
12 1668 zone_wan_prerouting all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain INPUT (policy ACCEPT 573 packets, 34649 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 246 packets, 17612 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 168 packets, 11972 bytes)
pkts bytes target prot opt in out source destination
888 55752 postrouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for postrouting */
3 984 zone_lan_postrouting all -- * br-lan 0.0.0.0/0 0.0.0.0/0 ID:66773300
597 34860 zone_wan_postrouting all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain adb-dns (1 references)
pkts bytes target prot opt in out source destination
399 25663 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-dns */ udp dpt:53 to:192.168.40.1:53
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-dns */ tcp dpt:53 to:192.168.40.1:53
696 45828 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-dns */
Chain adb-nat (1 references)
pkts bytes target prot opt in out source destination
2 104 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-nat */ tcp dpt:80 to:192.168.40.1:65534
212 11024 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-nat */ tcp dpt:443 to:192.168.40.1:65535
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* adb-nat */
Chain postrouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain postrouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_rule (1 references)
pkts bytes target prot opt in out source destination
1095 71491 adb-dns all -- br-lan+ * 0.0.0.0/0 0.0.0.0/0 /* adb-dns */
214 11128 adb-nat all -- * * 0.0.0.0/0 198.18.0.1 /* adb-nat */
Chain prerouting_vpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain prerouting_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain zone_lan_postrouting (1 references)
pkts bytes target prot opt in out source destination
3 984 postrouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for postrouting */
Chain zone_lan_prerouting (1 references)
pkts bytes target prot opt in out source destination
515 36716 prerouting_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for prerouting */
Chain zone_vpn_postrouting (0 references)
pkts bytes target prot opt in out source destination
0 0 postrouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for postrouting */
Chain zone_vpn_prerouting (1 references)
pkts bytes target prot opt in out source destination
239 13358 prerouting_vpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for prerouting */
Chain zone_wan_postrouting (1 references)
pkts bytes target prot opt in out source destination
597 34860 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for postrouting */
597 34860 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300
Chain zone_wan_prerouting (1 references)
pkts bytes target prot opt in out source destination
12 1668 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ID:66773300 /* user chain for prerouting */
root@OpenWrt:~#
Again, no ping through the tunnel is possible.
I've stored the firewall script at /etc/firewall.ipsec, which by the way might contain some broken commands, since running it outputs:
root@OpenWrt:~# /etc/firewall.ipsec
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn_nat':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables -F zone_lan_forward
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables -F zone_wan_forward
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: Chain already exists.
iptables: Chain already exists.
root@OpenWrt:~#
Do you see any clue as to where the issue could be?
Thanks and BR
ND