OpenWrt Forum Archive

Topic: iptables forwarding and pppoe problem

The content of this topic has been archived on 12 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
GNUtoo
21 Nov 2007, 20:39

hello, i need pppoe to be directly connected to the internet but this rules in my config file of Openwrt 7.09 doesn't do anything:
more precisely the ssh from 192.168.1.106:443 doesn't get forwarded
but dropbear ssh of Openwrt works fine on port 80(i can get acess to it from outside)
and i've got dyndns...

here my config file:

#ssh
#forward:dport=80:192.168.1.106:80
accept:proto=tcp dport=80
accept:proto=tcp dport=443
forward:dport=443:192.168.1.106:443
#sempron bit torrent for jamendo
forward:dport=6881:192.168.1.105:6881
forward:dport=6882:192.168.1.105:6882
#msn
forward:dport=6891:192.168.1.107:6891
forward:dport=6892:192.168.1.107:6892
# iptables -L -nv --line-number -t nat
Chain PREROUTING (policy ACCEPT 62 packets, 3039 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       35  1740 NEW        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
2       66  3255 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3       40  1961 prerouting_wan  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 4 packets, 216 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       39  1830 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2       35  1614 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain NEW (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       35  1740 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 50/sec burst 100
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain postrouting_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 443
3        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 443 to:192.168.1.106:443
4        0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 443 to:192.168.1.106:443
5        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 6881 to:192.168.1.105:6881
6        0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 6881 to:192.168.1.105:6881
7        4   216 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 6882 to:192.168.1.105:6882
8        0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 6882 to:192.168.1.105:6882
9        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 6891 to:192.168.1.107:6891
10       0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 6891 to:192.168.1.107:6891
11       0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 6892 to:192.168.1.107:6892
12       0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 6892 to:192.168.1.107:6892
# iptables -L -nv --line-number
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
2      270 14006 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp option=!2 flags:0x02/0x02
4       59  3048 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5       56  2699 input_wan  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
6       59  3048 LAN_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
8        0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
9       13   636 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
10      43  2063 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
2       63  3240 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
3     1706 1041K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4       52  2740 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        7   407 forwarding_wan  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  br-lan br-lan  0.0.0.0/0            0.0.0.0/0
7       45  2333 ACCEPT     all  --  br-lan ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
2      282 39673 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3        0     0 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
6        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain LAN_ACCEPT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       56  2699 RETURN     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
2        0     0 RETURN     all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0
3        3   349 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain forwarding_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.106       tcp dpt:443
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.106       udp dpt:443
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.105       tcp dpt:6881
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.105       udp dpt:6881
5        6   312 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.105       tcp dpt:6882
6        1    95 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.105       udp dpt:6882
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       tcp dpt:6891
8        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.107       udp dpt:6891
9        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.107       tcp dpt:6892
10       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.107       udp dpt:6892

Chain input_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain input_wan (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 443

Chain output_rule (1 references)
num   pkts bytes target     prot opt in     out     source               destination
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere
input_wan  all  --  anywhere             anywhere
LAN_ACCEPT  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forwarding_wan  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain LAN_ACCEPT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             Ralink              tcp dpt:443
ACCEPT     udp  --  anywhere             Ralink              udp dpt:443
ACCEPT     tcp  --  anywhere             sempron             tcp dpt:6881
ACCEPT     udp  --  anywhere             sempron             udp dpt:6881
ACCEPT     tcp  --  anywhere             sempron             tcp dpt:6882
ACCEPT     udp  --  anywhere             sempron             udp dpt:6882
ACCEPT     tcp  --  anywhere             port4               tcp dpt:6891
ACCEPT     udp  --  anywhere             port4               udp dpt:6891
ACCEPT     tcp  --  anywhere             port4               tcp dpt:6892
ACCEPT     udp  --  anywhere             port4               udp dpt:6892

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            multiport dports 80
ACCEPT     tcp  --  anywhere             anywhere            multiport dports 443

Chain output_rule (1 references)
target     prot opt source               destination
# ifconfig
br-lan    Link encap:Ethernet  HWaddr 00:14:BF:E1:DA:DD
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:328040 errors:0 dropped:0 overruns:0 frame:0
          TX packets:265091 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:226178378 (215.7 MiB)  TX bytes:58158144 (55.4 MiB)

eth0      Link encap:Ethernet  HWaddr 00:14:BF:E1:DA:DD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:264525 errors:0 dropped:0 overruns:0 frame:0
          TX packets:323256 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61827300 (58.9 MiB)  TX bytes:235326651 (224.4 MiB)
          Interrupt:4

eth0.0    Link encap:Ethernet  HWaddr 00:14:BF:E1:DA:DD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:66599 (65.0 KiB)

eth0.1    Link encap:Ethernet  HWaddr 00:14:BF:E1:DA:DD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:264530 errors:0 dropped:0 overruns:0 frame:0
          TX packets:322170 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:57072871 (54.4 MiB)  TX bytes:233946809 (223.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:36 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2034 (1.9 KiB)  TX bytes:2034 (1.9 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:79.11.205.5  P-t-P:192.168.100.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:264113 errors:0 dropped:0 overruns:0 frame:0
          TX packets:321924 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:53882662 (51.3 MiB)  TX bytes:225567405 (215.1 MiB)

wl0       Link encap:Ethernet  HWaddr 00:14:BF:E1:DA:DF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:329452 errors:0 dropped:0 overruns:0 frame:40888
          TX packets:267578 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:230960702 (220.2 MiB)  TX bytes:60548031 (57.7 MiB)
          Interrupt:2 Base address:0x5000
Post #2
eleon216
21 Nov 2007, 21:31

you only need the forward-line, not the accept-line

accept:proto=tcp dport=443 means that the port 443 of your openwrtbox is reachable from the wan-side, you need this if you want to make a service that is running on openwrtbox and listen on port 443 accessible from the wan. 
so just comment this line out and the fowarding rule should work.

if you need both ports available than you have to change one of them, or redirekt one to (from?) another port.
you have only one ip on the wanside, so you have only one port 443 on the wanside

Post #3
GNUtoo
21 Nov 2007, 22:51

it still doesn't work:

$ ssh root@gnutoo.homelinux.org -p 80
The authenticity of host '[gnutoo.homelinux.org]:80 ([79.17.130.119]:80)' can't be established.
RSA key fingerprint is bd:7c:0b:c7:0b:9f:f4:e6:f5:8d:32:69:b4:c9:7b:9e.
Are you sure you want to continue connecting (yes/no)?
$ ssh something@gnutoo.homelinux.org -p 443
ssh: connect to host gnutoo.homelinux.org port 443: Connection refused

and:

#ssh
#forward:dport=80:192.168.1.106:80
accept:proto=tcp dport=80
#accept:proto=tcp dport=443
forward:dport=443:192.168.1.106:443

and i restarted the router

and i can connect to ssh to 192.168.1.106:

$ ssh somebody@192.168.1.106 -p 443
The authenticity of host '[192.168.1.106]:443 ([192.168.1.106]:443)' can't be established.
RSA key fingerprint is d9:54:9d:74:ce:16:75:14:86:b3:cf:08:0b:3b:7b:70.
Are you sure you want to continue connecting (yes/no)?

(Last edited by GNUtoo on 21 Nov 2007, 23:03)

Post #4
frostschutz
22 Nov 2007, 02:39

Check if it's being forwarded to port+1, I had an issue like that earlier.

And what's this config file you quoted? Where is this? I put forwarding rules as actual iptables rules in /etc/firewall.user since there is an example for it. However you mustn't specify the forwarded ip port, if it's to be the same as the port incoming on the external ip, cause otherwise for some mysterious reason, it all gets forwarded to the port+1 port (ie 81 instead of 80).

Also you do need the accept line cause the default policy is drop.

Post #5
eleon216
22 Nov 2007, 09:39

@frostschutz:

the file is /etc/config/firewall
and you can easily make firewallrules without knowing anything about iptables. I think also the webif2 use this configfile for the firewall configuration (but i dont use a webinterface so I´m not sure).

you don´t put classic iptables-commands in this file so you don´t need to make an accept-rule yourself. the firewallscript generates all needed iptables-commands and you don´t have to care about it. 

I remember reading something about the issue with the port+1, but I don´t use port-redirections (only forwardings) so there was no need to specify destinationports.




with this problem in mind the /etc/config/firewall for GNUtoo should look like this:

accept:proto=tcp dport=80
forward:dport=443:192.168.1.106
#sempron bit torrent for jamendo
forward:dport=6881-6882:192.168.1.105
#msn
forward:dport=6891-6892:192.168.1.107

I have a similar confiuration running myself, and you don´t need separate line for different port you can use something like that forward:dport=80,20,21,22,5000-600:192.168.1.105 to forward multiple ports (in this example 80, 20-22, and 5000-6000) to your host.

Post #6
GNUtoo
22 Nov 2007, 16:25

i changed my config file to:

#ssh
#forward:dport=80:192.168.1.106:80
#accept:proto=tcp dport=80
#accept:proto=tcp dport=443
#forward:dport=443:192.168.1.106:443
#sempron bit torrent for jamendo
#forward:dport=6881:192.168.1.105:6881
#forward:dport=6882:192.168.1.105:6882
#msn
#forward:dport=6891:192.168.1.107:6891
#forward:dport=6892:192.168.1.107:6892
accept:proto=tcp dport=80
forward:proto=tcp dport=443:192.168.1.106
#sempron bit torrent for jamendo
forward:dport=6881-6882:192.168.1.105
#msn
forward:dport=6891-6892:192.168.1.107

i rebooted my router to be shure...
and i have the following result:

$ ssh user@gnutoo.homelinux.org -p 80
The authenticity of host '[gnutoo.homelinux.org]:80 ([79.11.211.205]:80)' can't be established.
RSA key fingerprint is bd:7c:0b:c7:0b:9f:f4:e6:f5:8d:32:69:b4:c9:7b:9e.
Are you sure you want to continue connecting (yes/no)?
$ ssh user@gnutoo.homelinux.org -p 443
ssh: connect to host gnutoo.homelinux.org port 443: Connection refused

mabe that's because of ppp...

(Last edited by GNUtoo on 22 Nov 2007, 16:25)

Post #7
eleon216
22 Nov 2007, 18:18

do you try to connect from inside the lan or from the wan-side?
the forwarding-rules only work if you try to connect from the wan-side

I tried it, and you can connect from the wan-side

ssh user@gnutoo.homelinux.org -p 443
The authenticity of host '[gnutoo.homelinux.org]:443 ([79.11.211.205]:443)' can't be established.
RSA key fingerprint is d9:54:9d:74:ce:16:75:14:86:b3:cf:08:0b:3b:7b:70.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[gnutoo.homelinux.org]:443,[79.11.211.205]:443' (RSA) to the list of known hosts.
Password: .....


btw. you shouldn´t post your real url and ip-address smile

and next time maybe try common mistakes ( http://forum.openwrt.org/viewtopic.php?id=3474 ) and faq first.

Post #8
GNUtoo
22 Nov 2007, 21:05

thanks a lot...i'll try from outside...

The discussion might have continued from here.