
no portforward from iptables, only from GUI

Discussion in 'Tomato Firmware' started by arnoldus, Apr 1, 2013.

  1. arnoldus

    arnoldus Serious Server Member

    Hi.

    I have a peculiar problem with Tomato. It appears both on Tomato RAF and Tomato Shibby.
    When I ask for a portforward with:

    Code:
    # --dport only parses after -p tcp; the listing below shows this rule as tcp
    iptables -A wanin -p tcp -d 192.168.1.10 --dport 85 -j ACCEPT
     
    iptables -t nat -A WANPREROUTING -p tcp --dport 85 -j DNAT --to-destination 192.168.1.10:8000
    I do not get it to work.
    There is no DMZ, there is no connection logging active. These are known to interfere.

    HOWEVER, when I put in a port forward in the web GUI interface, to the same destination port, then my own rule suddenly works (no matter what source port)!
    for instance: I put in port forward port 1111 wan to 192.168.1.10:8000, and then my own port forward with port 85 will also work!


    When I list the Iptables, there is no difference between my rules and the automatic rule set by the web GUI.

    As you can see here (I didn't copy the empty tables and chains):
    Code:
    Chain INPUT (policy DROP 10 packets, 1346 bytes)
    pkts bytes target    prot opt in    out    source              destination
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
      63 10180 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
        0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0
      49  4572 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
     
    Chain FORWARD (policy DROP 1 packets, 52 bytes)
    pkts bytes target    prot opt in    out    source              destination
      140 27055            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
      19  980 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
      129 26479 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        3    156 wanin      all  --  vlan1  *      0.0.0.0/0            0.0.0.0/0
      10  524 wanout    all  --  *      vlan1  0.0.0.0/0            0.0.0.0/0
      10  524 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
     
    Chain shlimit (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
     
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.1.10        tcp dpt:1111
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.1.10        tcp dpt:85
     
    Chain PREROUTING (policy ACCEPT 94 packets, 22914 bytes)
    pkts bytes target    prot opt in    out    source              destination
        3    156 WANPREROUTING  all  --  *      *      0.0.0.0/0            192.168.123.179
        0    0 DROP      all  --  vlan1  *      0.0.0.0/0            192.168.1.0/24
     
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination
      15  854 MASQUERADE  all  --  *      vlan1  0.0.0.0/0            0.0.0.0/0
        0    0 SNAT      all  --  *      br0    192.168.1.0/24      192.168.1.0/24      to:192.168.1.1
        0    0 MASQUERADE  all  --  *      vlan1  0.0.0.0/0            0.0.0.0/0
     
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.1.1
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:1111 to:192.168.1.10:8000
        3    156 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:85 to:192.168.1.10:8000 
    The entries are exactly the same, but mine do not get through if I do not have an identical destination port on the same machine listed in the GUI port forward.

    When I do not list the PF in the gui, then I still get packets and bytes listed in iptables (I think this means that something is working), but either they do not reach the destination, or the destination can't reply.


    (The WAN IP is 192.168.123.179. It is not double NAT, I'm having my testing computer switched with it. The problem is exactly the same when I connect directly to my ISP)
     
  2. arnoldus

    arnoldus Serious Server Member

    Why do I not just set the rule on the router GUI, and insist on iptables? Because this is a part of a port knocking script, and the only thing that does not work (tested) is the port forwarding. All the rest works.
     
  3. rhester72

    rhester72 Network Guru Member

    I don't think you should be specifying a destination for the WANIN chain, since (at that time) the packet's destination is your WAN interface, not a local address.

    Rodney
     
  4. arnoldus

    arnoldus Serious Server Member

    That's what I did initially and it didn't work either. I wanted to mimic what Tomato does on a GUI port forward.
     
  5. koitsu

    koitsu Network Guru Member

    Try looking at /etc/iptables (this file is built from NVRAM variable contents).

    To redirect inbound TCP connections (to the WAN IP) on port 9000, to 192.168.1.20 on TCP port 22, you would do:

    Code:
    iptables -t nat -A WANPREROUTING -p tcp --dport 9000 -j DNAT --to-destination 192.168.1.20:22
    iptables -A wanin -p tcp -m tcp -d 192.168.1.20 --dport 22 -j ACCEPT
    
    The 2nd iptables line affects the filter table (same as if you were to use -t filter). Look very, very carefully at the syntax of these lines. I repeat: look very carefully.

    I can assure you this works reliably. Proof:

    Code:
    root@gw:/tmp/home/root# iptables -t nat -L WANPREROUTING -n -v --line-numbers
    Chain WANPREROUTING (1 references)
    num  pkts bytes target    prot opt in    out    source              destination
    1        6  360 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:9000 to:192.168.1.20:22
     
    root@gw:/tmp/home/root# iptables -L wanin -n -v --line-numbers
    Chain wanin (1 references)
    num  pkts bytes target    prot opt in    out    source              destination
    1        6  360 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.1.20        tcp dpt:22
    
     
  6. arnoldus

    arnoldus Serious Server Member

    Koitsu, I thank you very very much!

    I rearranged the order of commands and options to reflect yours, that did not help.

    But then I noticed that in the "wanin" command, you put the destination port of the local machine, not the wan port. I also did it, and it works!
    Lesson learned!
    For port forwarding, the "wanin" dport is the local destination port, not the wan destination port!
    I've been trying for days to get this to work, and it pains me that it's such a simple thing!
     
  7. koitsu

    koitsu Network Guru Member

    Correct. :) It's because the packet's destination port has already been rewritten by that point in the iptables/netfilter stack.
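Added example (not code from the thread or from Tomato itself) that scripts the forward koitsu describes in post 5 and applies the rule from post 7: the nat DNAT rule matches the WAN port, while the filter-table wanin ACCEPT matches the already-rewritten LAN port. Chain names WANPREROUTING and wanin are taken from the listings above; the host and ports are the thread's sample values. It assumes the router's iptables accepts -C for the presence check (older builds may not, in which case pf_add simply appends), and it takes the iptables binary from $IPTABLES so the rules can be dry-run with IPTABLES="echo iptables" before being applied, e.g. from a port-knocking hook.

```shell
#!/bin/sh
# Scripted Tomato port forward (added example, not from the thread).
# Chains: WANPREROUTING (nat table) and wanin (filter table), as in the listings.
# Assumption: iptables supports -C; without it pf_add falls back to appending.

IPTABLES="${IPTABLES:-iptables}"   # IPTABLES="echo iptables" gives a dry run

# pf_nat_rule WANPORT LANIP LANPORT -> DNAT rule body for the nat table.
# This is where the WAN port belongs: the packet still carries it here.
pf_nat_rule() {
    echo "WANPREROUTING -p tcp --dport $1 -j DNAT --to-destination $2:$3"
}

# pf_filter_rule WANPORT LANIP LANPORT -> ACCEPT rule body for the filter table.
# By the time FORWARD/wanin sees the packet, nat PREROUTING has already rewritten
# it to LANIP:LANPORT, so the match must use LANPORT; matching WANPORT never fires.
pf_filter_rule() {
    echo "wanin -p tcp -d $2 --dport $3 -j ACCEPT"
}

# pf_apply ACTION WANPORT LANIP LANPORT, ACTION one of -A, -I, -D.
pf_apply() {
    action=$1; shift
    $IPTABLES -t nat "$action" $(pf_nat_rule "$@") &&
    $IPTABLES -t filter "$action" $(pf_filter_rule "$@")
}

# pf_add WANPORT LANIP LANPORT: add both rules unless the DNAT rule exists.
pf_add() {
    if $IPTABLES -t nat -C $(pf_nat_rule "$@") 2>/dev/null; then
        echo "forward $1 -> $2:$3 already present" >&2
        return 0
    fi
    pf_apply -A "$@"
}

# pf_del WANPORT LANIP LANPORT: remove both rules (e.g. when a knock times out).
pf_del() { pf_apply -D "$@"; }

# pf_show: counters on both chains; a forward that works shows hits on each.
pf_show() {
    $IPTABLES -t nat -L WANPREROUTING -n -v
    $IPTABLES -t filter -L wanin -n -v
}

case "${1:-}" in
    add|del|show) cmd=$1; shift; "pf_$cmd" "$@" ;;
esac
```

Usage on the router: `sh pf.sh add 85 192.168.1.10 8000`, then `sh pf.sh show` to confirm that both the DNAT rule and the wanin rule count packets; `sh pf.sh del 85 192.168.1.10 8000` removes the pair again.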
     
