
my NAT went bad for no apparent reason, plz help

Discussion in 'Tomato Firmware' started by zgep, Jun 23, 2010.

  zgep (Addicted to LI Member)

    hello everyone,

    My Buffalo WHR-HP-G54 stopped doing NAT for no apparent reason yesterday at approx. 2:30 am. I had Pepper's mod based on 1.25 running.
    As I don't need the VPN feature any more (a server is doing IPsec for me now), I thought no problem, I wanted to upgrade to 1.27 anyway.
    Did a 30/30/30, upgraded, reconfigured.

    Still no joy: nothing reaches the hosts behind the router, and I have no idea why.
    The only things that are working from remote are ping, the HTTPS web interface and SSH. Everything else seems to get dropped. I can't even SSH into my server (I have to SSH into the router and SSH to the server from there).

    The issue exists not only for my server but also for my other machines, so I figure it's a problem with the router.
    Unfortunately I don't have another one at hand, so I can't confirm that by switching the device.

    Here's my iptables -L and -t nat -L:
    Code:
    login as: root
    root@zgep's password:
    
    
    Tomato v1.27.1798
    
    
    BusyBox v1.14.4 (2009-11-29 06:50:47 PST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       0    --  anywhere             anywhere            state INVALID
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
    shlimit    tcp  --  anywhere             anywhere            tcp dpt:telnet state NEW
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             zgep.lan            tcp dpt:https
    ACCEPT     tcp  --  anywhere             zgep.lan            tcp dpt:ssh
    ACCEPT     igmp --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     0    --  anywhere             anywhere
    DROP       0    --  anywhere             anywhere            state INVALID
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    wanin      0    --  anywhere             anywhere
    wanout     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain shlimit (2 references)
    target     prot opt source               destination
               0    --  anywhere             anywhere            recent: SET name: shlimit side: source
    DROP       0    --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 3 name: shlimit side: source
    
    Chain wanin (1 references)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             BASE-ADDRESS.MCAST.NET/4 udp
    ACCEPT     tcp  --  10.17.1.0/24         10.123.46.6         tcp dpt:ftp
    ACCEPT     tcp  --  10.17.1.0/24         hal.lan             tcp dpt:ftp
    ACCEPT     tcp  --  10.17.1.0/24         10.123.46.6         tcp dpt:4110
    ACCEPT     tcp  --  10.17.1.0/24         hal.lan             tcp dpt:4110
    ACCEPT     tcp  --  10.17.1.0/24         10.123.46.6         tcp dpt:ircd
    ACCEPT     tcp  --  10.17.1.0/24         hal.lan             tcp dpt:ircd
    ACCEPT     tcp  --  10.17.1.0/24         10.123.46.6         tcp dpt:www
    ACCEPT     tcp  --  10.17.1.0/24         hal.lan             tcp dpt:www
    ACCEPT     tcp  --  10.17.1.0/24         10.123.46.6         tcp dpt:nntp
    ACCEPT     tcp  --  10.17.1.0/24         hal.lan             tcp dpt:nntp
    ACCEPT     tcp  --  anywhere             10.123.46.6         tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             10.123.46.6         tcp dpt:33397
    ACCEPT     udp  --  anywhere             10.123.46.6         udp dpt:33397
    ACCEPT     udp  --  anywhere             10.123.46.6         udp dpt:500
    ACCEPT     udp  --  anywhere             10.123.46.6         udp dpt:4500
    ACCEPT     udp  --  anywhere             10.123.46.6         udp dpt:1701
    ACCEPT     udp  --  anywhere             hal.lan             udp dpt:500
    ACCEPT     udp  --  anywhere             hal.lan             udp dpt:4500
    ACCEPT     tcp  --  anywhere             redqueen.lan        tcp dpt:33398
    ACCEPT     udp  --  anywhere             redqueen.lan        udp dpt:33398
    
    Chain wanout (1 references)
    target     prot opt source               destination
    # iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DROP       0    --  anywhere             10.123.46.0/24
    DNAT       icmp --  anywhere             10.17.1.55          to:10.123.46.1
    DNAT       tcp  --  anywhere             10.17.1.55          tcp dpt:33394 to:10.123.46.1:443
    DNAT       tcp  --  anywhere             10.17.1.55          tcp dpt:33395 to:10.123.46.1:22
    DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:ftp to:10.123.46.6:21
    DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:50021 to:10.123.46.4:21
    DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:411 to:10.123.46.6:4110
    DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:50411 to:10.123.46.4:4110
    DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:ircd to:10.123.46.6:6667
    DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:56667 to:10.123.46.4:6667
    DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:www to:10.123.46.6:80
    DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:50080 to:10.123.46.4:80
    DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:nntp to:10.123.46.6:119
    DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:50119 to:10.123.46.4:119
    DNAT       tcp  --  anywhere             10.17.1.55          tcp dpt:33396 to:10.123.46.6:22
    DNAT       tcp  --  anywhere             10.17.1.55          tcp dpt:33397 to:10.123.46.6:33397
    DNAT       udp  --  anywhere             10.17.1.55          udp dpt:33397 to:10.123.46.6:33397
    DNAT       udp  --  anywhere             10.17.1.55          udp dpt:33394 to:10.123.46.6:500
    DNAT       udp  --  anywhere             10.17.1.55          udp dpt:33395 to:10.123.46.6:4500
    DNAT       udp  --  anywhere             10.17.1.55          udp dpt:33396 to:10.123.46.6:1701
    DNAT       udp  --  anywhere             10.17.1.55          udp dpt:33399 to:10.123.46.4:500
    DNAT       udp  --  anywhere             10.17.1.55          udp dpt:33400 to:10.123.46.4:4500
    DNAT       tcp  --  anywhere             10.17.1.55          tcp dpt:33398 to:10.123.46.3:33398
    DNAT       udp  --  anywhere             10.17.1.55          udp dpt:33398 to:10.123.46.3:33398
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  0    --  anywhere             anywhere
    MASQUERADE  0    --  10.123.46.0/24       10.123.46.0/24
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    #
    I'm not too familiar with iptables (lazy me uses ufw), but everything seems to be in order. So why doesn't it work any more?

    Please help, I'm desperate!

    Yours,
    Alex
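An added example, not from the post or from the Tomato project: a small Python checker that reads the two dumps above and reports every PREROUTING DNAT whose translated destination has no matching ACCEPT in the `wanin` chain, since such a forwarded packet falls through to FORWARD's DROP policy. It assumes hal.lan resolves to 10.123.46.4 and that 10.123.46.1 is the router's own LAN address (the post states neither), and it can only see what `iptables -L` shows: without `-v` the interface matches on the bare ACCEPT rules are hidden, so the check is necessarily partial.

```python
import re

# Excerpt of the post's dumps, trimmed so one forward (udp 4500 to 10.123.46.4)
# lacks its wanin rule; the full dump on the page does contain that rule.
FILTER_DUMP = """
Chain wanin (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.17.1.0/24         10.123.46.6         tcp dpt:ftp
ACCEPT     tcp  --  10.17.1.0/24         hal.lan             tcp dpt:ftp
"""
NAT_DUMP = """
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       0    --  anywhere             10.123.46.0/24
DNAT       tcp  --  anywhere             10.17.1.55          tcp dpt:33395 to:10.123.46.1:22
DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:ftp to:10.123.46.6:21
DNAT       tcp  --  10.17.1.0/24         10.17.1.55          tcp dpt:50021 to:10.123.46.4:21
DNAT       udp  --  anywhere             10.17.1.55          udp dpt:33400 to:10.123.46.4:4500
"""
# Assumed name-to-IP map and router LAN address (the post never states them).
HOSTS = {"hal.lan": "10.123.46.4", "redqueen.lan": "10.123.46.3"}
ROUTER_IPS = {"10.123.46.1"}
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "www": 80, "https": 443, "nntp": 119, "ircd": 6667}
DNAT_RE = re.compile(r"^DNAT\s+(tcp|udp)\s+--\s+\S+\s+\S+\s+\w+ dpt:(\S+) to:([\d.]+):(\d+)$")
ACCEPT_RE = re.compile(r"^ACCEPT\s+(tcp|udp)\s+--\s+\S+\s+(\S+)\s+\w+ dpt:(\S+)$")

def chain_rules(dump, chain):
    """Rule lines of one chain from `iptables -L` output (header rows dropped)."""
    rules, inside = [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("Chain "):
            inside = line.split()[1] == chain
        elif inside and line and not line.startswith("target"):
            rules.append(line)
    return rules

def unreachable_forwards(nat_dump, filter_dump, hosts=HOSTS, router_ips=ROUTER_IPS):
    """(proto, lan_ip, port) of every DNAT whose translated destination has no wanin
    ACCEPT; such packets fall through to FORWARD's DROP policy.  Forwards to the
    router itself are skipped, since INPUT rather than FORWARD governs them."""
    allowed = set()
    for m in filter(None, map(ACCEPT_RE.match, chain_rules(filter_dump, "wanin"))):
        proto, dst, port = m.groups()
        allowed.add((proto, hosts.get(dst, dst), SERVICE_PORTS.get(port) or int(port)))
    missing = set()
    for m in filter(None, map(DNAT_RE.match, chain_rules(nat_dump, "PREROUTING"))):
        proto, _ext_port, ip, port = m.groups()
        if ip not in router_ips and (proto, ip, int(port)) not in allowed:
            missing.add((proto, ip, int(port)))
    return sorted(missing)
```

Run it against the full dumps pasted into the two strings to list any forward that Tomato's port-forward page would normally have paired with a `wanin` rule; an empty result means the DNAT/ACCEPT pairing is consistent and the fault lies elsewhere.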
     