Hi,
I'm having problems getting port forwarding to work after a change in network layout. Essentially the network is now: Host: 172.27.1.10 <--172.27.0.1/21--> OpenWRT #1 (No NAT) <--10.24.83.1/24--> OpenWRT #2 <-- Public IP (NAT) --> Internet. I have some port forwarding rules configured on OpenWRT #2, and from the internet they largely work: for instance, I can connect to the public IP on port 25 and reach the SMTP server on host 172.27.1.10. I can also connect externally on port 80 and reach host 10.24.83.10. The problem is that when I'm on either LAN (172.27.0.1/21 or 10.24.83.1), accessing the external IP address on, say, port 25 doesn't work; I get Connection Refused. Oddly, if I access port 80 I do get a connection (remember that it maps to something on the 10.24.83.1/24 subnet). As far as I can tell from tcpdumps, OpenWRT #2 is simply rejecting this packet locally (a reset packet is generated locally in response to the SYN). I don't know that much about iptables, and I'm hesitant to start adding rules directly instead of using /etc/config/firewall. 
Steve From OpenWRT #2: cat /etc/config/firewall config defaults option syn_flood '1' option input 'ACCEPT' option output 'ACCEPT' option forward 'ACCEPT' config zone option name 'lan' option network 'lan' option input 'ACCEPT' option output 'ACCEPT' option forward 'ACCEPT' config zone option name 'wan' option network 'wan' option output 'ACCEPT' option masq '1' option mtu_fix '1' option forward 'ACCEPT' option input 'ACCEPT' config forwarding option src 'lan' option dest 'wan' config rule option name 'Allow-DHCP-Renew' option src 'wan' option proto 'udp' option dest_port '68' option target 'ACCEPT' option family 'ipv4' config rule option name 'Allow-Ping' option src 'wan' option proto 'icmp' option icmp_type 'echo-request' option family 'ipv4' option target 'ACCEPT' config rule option name 'Allow-DHCPv6' option src 'wan' option proto 'udp' option src_ip 'fe80::/10' option src_port '547' option dest_ip 'fe80::/10' option dest_port '546' option family 'ipv6' option target 'ACCEPT' config rule option name 'Allow-ICMPv6-Input' option src 'wan' option proto 'icmp' list icmp_type 'echo-request' list icmp_type 'echo-reply' list icmp_type 'destination-unreachable' list icmp_type 'packet-too-big' list icmp_type 'time-exceeded' list icmp_type 'bad-header' list icmp_type 'unknown-header-type' list icmp_type 'router-solicitation' list icmp_type 'neighbour-solicitation' list icmp_type 'router-advertisement' list icmp_type 'neighbour-advertisement' option limit '1000/sec' option family 'ipv6' option target 'ACCEPT' config rule option name 'Allow-ICMPv6-Forward' option src 'wan' option dest '*' option proto 'icmp' list icmp_type 'echo-request' list icmp_type 'echo-reply' list icmp_type 'destination-unreachable' list icmp_type 'packet-too-big' list icmp_type 'time-exceeded' list icmp_type 'bad-header' list icmp_type 'unknown-header-type' option limit '1000/sec' option family 'ipv6' option target 'ACCEPT' config include option path '/etc/firewall.user' config redirect option 
target 'DNAT' option src 'wan' option dest 'lan' option proto 'tcp' option src_dport '25' option dest_port '25' option name '25' option dest_ip '172.27.1.10' config redirect option target 'DNAT' option src 'wan' option dest 'lan' option proto 'tcp' option dest_port '22' option name '22' option src_dport '22' option dest_ip '172.27.1.10' config redirect option target 'DNAT' option src 'wan' option dest 'lan' option proto 'tcp' option dest_ip '10.24.83.11' option name '80' option dest_port '80' option src_dport '80' config redirect option target 'DNAT' option src 'wan' option dest 'lan' option proto 'tcp' option name '443' option dest_port '443' option src_dport '443' option dest_ip '172.27.1.10' config redirect option target 'DNAT' option src 'wan' option dest 'lan' option proto 'tcp' option name '5269' option dest_port '5269' option src_dport '5269' option dest_ip '172.27.1.10' config redirect option target 'DNAT' option src 'wan' option dest 'lan' option proto 'tcp' option dest_port '5222' option name '5222' option src_dport '5222' option dest_ip '172.27.1.10' config redirect option target 'DNAT' option src 'wan' option dest 'lan' option proto 'tcp' option dest_port '5223' option name '5223' option src_dport '5223' option dest_ip '172.27.1.10' config redirect option target 'DNAT' option src 'wan' option dest 'lan' option proto 'tcp udp' option dest_port '53' option name '53' option src_dport '53' option dest_ip '172.27.1.10' config redirect option target 'DNAT' option src 'wan' option dest 'lan' option proto 'tcp udp' option src_dport '1194' option dest_ip '10.27.83.2' option dest_port '1194' option name 'OpenVPN' Here is the output of iptables-save # Generated by iptables-save v1.4.10 on Thu Jun 19 16:58:25 2014 *nat :PREROUTING ACCEPT [347:27064] :INPUT ACCEPT [247:16614] :OUTPUT ACCEPT [118:8771] :POSTROUTING ACCEPT [24:2224] :nat_reflection_in - [0:0] :nat_reflection_out - [0:0] :postrouting_rule - [0:0] :prerouting_lan - [0:0] :prerouting_rule - [0:0] 
:prerouting_wan - [0:0] :zone_lan_nat - [0:0] :zone_lan_prerouting - [0:0] :zone_wan_nat - [0:0] :zone_wan_prerouting - [0:0] -A PREROUTING -j prerouting_rule -A PREROUTING -i br-lan -j zone_lan_prerouting -A PREROUTING -i eth1 -j zone_wan_prerouting -A POSTROUTING -j postrouting_rule -A POSTROUTING -o br-lan -j zone_lan_nat -A POSTROUTING -o eth1 -j zone_wan_nat -A nat_reflection_in -s 10.24.83.0/24 -d 70.68.116.61/32 -p tcp -m tcp --dport 25 -m comment --comment "wan" -j DNAT --to-destination 172.27.1.10:25 -A nat_reflection_in -s 10.24.83.0/24 -d 70.68.116.61/32 -p tcp -m tcp --dport 22 -m comment --comment "wan" -j DNAT --to-destination 172.27.1.10:22 -A nat_reflection_in -s 10.24.83.0/24 -d 70.68.116.61/32 -p tcp -m tcp --dport 80 -m comment --comment "wan" -j DNAT --to-destination 10.24.83.11:80 -A nat_reflection_in -s 10.24.83.0/24 -d 70.68.116.61/32 -p tcp -m tcp --dport 443 -m comment --comment "wan" -j DNAT --to-destination 172.27.1.10:443 -A nat_reflection_in -s 10.24.83.0/24 -d 70.68.116.61/32 -p tcp -m tcp --dport 5269 -m comment --comment "wan" -j DNAT --to-destination 172.27.1.10:5269 -A nat_reflection_in -s 10.24.83.0/24 -d 70.68.116.61/32 -p tcp -m tcp --dport 5222 -m comment --comment "wan" -j DNAT --to-destination 172.27.1.10:5222 -A nat_reflection_in -s 10.24.83.0/24 -d 70.68.116.61/32 -p tcp -m tcp --dport 5223 -m comment --comment "wan" -j DNAT --to-destination 172.27.1.10:5223 -A nat_reflection_in -s 10.24.83.0/24 -d 70.68.116.61/32 -p tcp -m tcp --dport 53 -m comment --comment "wan" -j DNAT --to-destination 172.27.1.10:53 -A nat_reflection_in -s 10.24.83.0/24 -d 70.68.116.61/32 -p udp -m udp --dport 53 -m comment --comment "wan" -j DNAT --to-destination 172.27.1.10:53 -A nat_reflection_in -s 10.24.83.0/24 -d 70.68.116.61/32 -p tcp -m tcp --dport 1194 -m comment --comment "wan" -j DNAT --to-destination 10.27.83.2:1194 -A nat_reflection_in -s 10.24.83.0/24 -d 70.68.116.61/32 -p udp -m udp --dport 1194 -m comment --comment "wan" -j DNAT 
--to-destination 10.27.83.2:1194 -A nat_reflection_out -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 25 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1 -A nat_reflection_out -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 22 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1 -A nat_reflection_out -s 10.24.83.0/24 -d 10.24.83.11/32 -p tcp -m tcp --dport 80 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1 -A nat_reflection_out -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 443 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1 -A nat_reflection_out -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 5269 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1 -A nat_reflection_out -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 5222 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1 -A nat_reflection_out -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 5223 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1 -A nat_reflection_out -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 53 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1 -A nat_reflection_out -s 10.24.83.0/24 -d 172.27.1.10/32 -p udp -m udp --dport 53 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1 -A nat_reflection_out -s 10.24.83.0/24 -d 10.27.83.2/32 -p tcp -m tcp --dport 1194 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1 -A nat_reflection_out -s 10.24.83.0/24 -d 10.27.83.2/32 -p udp -m udp --dport 1194 -m comment --comment "wan" -j SNAT --to-source 10.24.83.1 -A postrouting_rule -j nat_reflection_out -A prerouting_rule -j nat_reflection_in -A zone_lan_prerouting -j prerouting_lan -A zone_wan_nat -j MASQUERADE -A zone_wan_prerouting -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.27.1.10:25 -A zone_wan_prerouting -p tcp -m tcp --dport 22 -j DNAT --to-destination 172.27.1.10:22 -A zone_wan_prerouting -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.24.83.11:80 
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.27.1.10:443 -A zone_wan_prerouting -p tcp -m tcp --dport 5269 -j DNAT --to-destination 172.27.1.10:5269 -A zone_wan_prerouting -p tcp -m tcp --dport 5222 -j DNAT --to-destination 172.27.1.10:5222 -A zone_wan_prerouting -p tcp -m tcp --dport 5223 -j DNAT --to-destination 172.27.1.10:5223 -A zone_wan_prerouting -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.27.1.10:53 -A zone_wan_prerouting -p udp -m udp --dport 53 -j DNAT --to-destination 172.27.1.10:53 -A zone_wan_prerouting -p tcp -m tcp --dport 1194 -j DNAT --to-destination 10.27.83.2:1194 -A zone_wan_prerouting -p udp -m udp --dport 1194 -j DNAT --to-destination 10.27.83.2:1194 -A zone_wan_prerouting -j prerouting_wan COMMIT # Completed on Thu Jun 19 16:58:25 2014 # Generated by iptables-save v1.4.10 on Thu Jun 19 16:58:25 2014 *raw :PREROUTING ACCEPT [5297:2311319] :OUTPUT ACCEPT [612:50279] :zone_lan_notrack - [0:0] :zone_wan_notrack - [0:0] -A PREROUTING -i br-lan -j zone_lan_notrack -A PREROUTING -i eth1 -j zone_wan_notrack COMMIT # Completed on Thu Jun 19 16:58:25 2014 # Generated by iptables-save v1.4.10 on Thu Jun 19 16:58:25 2014 *mangle :PREROUTING ACCEPT [5298:2311384] :INPUT ACCEPT [768:67998] :FORWARD ACCEPT [4486:2238228] :OUTPUT ACCEPT [613:50372] :POSTROUTING ACCEPT [5099:2288600] :zone_wan_MSSFIX - [0:0] -A FORWARD -j zone_wan_MSSFIX -A zone_wan_MSSFIX -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu COMMIT # Completed on Thu Jun 19 16:58:25 2014 # Generated by iptables-save v1.4.10 on Thu Jun 19 16:58:25 2014 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :forward - [0:0] :forwarding_lan - [0:0] :forwarding_rule - [0:0] :forwarding_wan - [0:0] :input - [0:0] :input_lan - [0:0] :input_rule - [0:0] :input_wan - [0:0] :nat_reflection_fwd - [0:0] :output - [0:0] :output_rule - [0:0] :reject - [0:0] :syn_flood - [0:0] :zone_lan - [0:0] :zone_lan_ACCEPT - [0:0] 
:zone_lan_DROP - [0:0] :zone_lan_REJECT - [0:0] :zone_lan_forward - [0:0] :zone_wan - [0:0] :zone_wan_ACCEPT - [0:0] :zone_wan_DROP - [0:0] :zone_wan_REJECT - [0:0] :zone_wan_forward - [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood -A INPUT -j input_rule -A INPUT -j input -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -j forwarding_rule -A FORWARD -j forward -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j output_rule -A OUTPUT -j output -A forward -i br-lan -j zone_lan_forward -A forward -i eth1 -j zone_wan_forward -A forwarding_rule -j nat_reflection_fwd -A input -i br-lan -j zone_lan -A input -i eth1 -j zone_wan -A nat_reflection_fwd -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 25 -m comment --comment "wan" -j ACCEPT -A nat_reflection_fwd -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 22 -m comment --comment "wan" -j ACCEPT -A nat_reflection_fwd -s 10.24.83.0/24 -d 10.24.83.11/32 -p tcp -m tcp --dport 80 -m comment --comment "wan" -j ACCEPT -A nat_reflection_fwd -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 443 -m comment --comment "wan" -j ACCEPT -A nat_reflection_fwd -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 5269 -m comment --comment "wan" -j ACCEPT -A nat_reflection_fwd -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 5222 -m comment --comment "wan" -j ACCEPT -A nat_reflection_fwd -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 5223 -m comment --comment "wan" -j ACCEPT -A nat_reflection_fwd -s 10.24.83.0/24 -d 172.27.1.10/32 -p tcp -m tcp --dport 53 -m comment --comment "wan" -j ACCEPT -A nat_reflection_fwd -s 10.24.83.0/24 -d 172.27.1.10/32 -p udp -m udp --dport 53 -m comment --comment "wan" -j ACCEPT -A nat_reflection_fwd -s 10.24.83.0/24 -d 10.27.83.2/32 -p tcp -m tcp --dport 1194 -m comment --comment 
"wan" -j ACCEPT -A nat_reflection_fwd -s 10.24.83.0/24 -d 10.27.83.2/32 -p udp -m udp --dport 1194 -m comment --comment "wan" -j ACCEPT -A output -j zone_lan_ACCEPT -A output -j zone_wan_ACCEPT -A reject -p tcp -j REJECT --reject-with tcp-reset -A reject -j REJECT --reject-with icmp-port-unreachable -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN -A syn_flood -j DROP -A zone_lan -j input_lan -A zone_lan -j zone_lan_ACCEPT -A zone_lan_ACCEPT -o br-lan -j ACCEPT -A zone_lan_ACCEPT -i br-lan -j ACCEPT -A zone_lan_DROP -o br-lan -j DROP -A zone_lan_DROP -i br-lan -j DROP -A zone_lan_REJECT -o br-lan -j reject -A zone_lan_REJECT -i br-lan -j reject -A zone_lan_forward -j zone_wan_ACCEPT -A zone_lan_forward -j forwarding_lan -A zone_lan_forward -j zone_lan_ACCEPT -A zone_wan -p udp -m udp --dport 68 -j ACCEPT -A zone_wan -p icmp -m icmp --icmp-type 8 -j ACCEPT -A zone_wan -j input_wan -A zone_wan -j zone_wan_ACCEPT -A zone_wan_ACCEPT -o eth1 -j ACCEPT -A zone_wan_ACCEPT -i eth1 -j ACCEPT -A zone_wan_DROP -o eth1 -j DROP -A zone_wan_DROP -i eth1 -j DROP -A zone_wan_REJECT -o eth1 -j reject -A zone_wan_REJECT -i eth1 -j reject -A zone_wan_forward -d 172.27.1.10/32 -p tcp -m tcp --dport 25 -j ACCEPT -A zone_wan_forward -d 172.27.1.10/32 -p tcp -m tcp --dport 22 -j ACCEPT -A zone_wan_forward -d 10.24.83.11/32 -p tcp -m tcp --dport 80 -j ACCEPT -A zone_wan_forward -d 172.27.1.10/32 -p tcp -m tcp --dport 443 -j ACCEPT -A zone_wan_forward -d 172.27.1.10/32 -p tcp -m tcp --dport 5269 -j ACCEPT -A zone_wan_forward -d 172.27.1.10/32 -p tcp -m tcp --dport 5222 -j ACCEPT -A zone_wan_forward -d 172.27.1.10/32 -p tcp -m tcp --dport 5223 -j ACCEPT -A zone_wan_forward -d 172.27.1.10/32 -p tcp -m tcp --dport 53 -j ACCEPT -A zone_wan_forward -d 172.27.1.10/32 -p udp -m udp --dport 53 -j ACCEPT -A zone_wan_forward -d 10.27.83.2/32 -p tcp -m tcp --dport 1194 -j ACCEPT -A zone_wan_forward -d 10.27.83.2/32 -p udp -m udp --dport 
1194 -j ACCEPT -A zone_wan_forward -j forwarding_wan -A zone_wan_forward -j zone_wan_ACCEPT COMMIT # Completed on Thu Jun 19 16:58:25 2014 root@OpenWrt:~# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default 70.68.116.1 0.0.0.0 UG 0 0 0 eth1 10.24.83.0 * 255.255.255.0 U 0 0 0 br-lan 10.27.83.0 10.24.83.2 255.255.255.0 UG 1 0 0 br-lan 70.68.116.0 * 255.255.252.0 U 0 0 0 eth1 172.27.0.0 10.24.83.2 255.255.248.0 UG 1 0 0 br-lan root@OpenWrt:~#
