
Problem in my iptables???

Discussion in 'Tomato Firmware' started by dpa078, Sep 21, 2008.

  1. dpa078

    dpa078 Guest

    Hi, I get the following error when trying to connect to my router externally on HTTPS port 8080, and I also get the same for VNC on 5800. I have enabled remote web access in the Tomato console admin section and set up the port forwarding for VNC, but neither seems to work.

    Is there something I'm missing? The iptables rules from the router are pasted below. I get the same error if I use the external IP address of the router. Can anybody spot what's wrong here? I am using Tomato Firmware v1.21.1515.

    Thanks

    Failed to Connect

    The connection was refused when attempting to contact xxxxxx.dyndns.org:8080.


    Though the site seems valid, the browser was unable to establish a connection.
    * Could the site be temporarily unavailable? Try again later.
    * Are you unable to browse other sites? Check the computer's network connection.
    * Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.

    *mangle
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :QOSO - [0:0]
    -A QOSO -j CONNMARK --restore-mark --mask 0xff
    -A QOSO -m connmark ! --mark 0/0xff00 -j RETURN
    -A QOSO -p tcp -m mport --dports 80,443 -m bcount --range 0x0-0x7ffff -j CONNMARK --set-return 0x2/0xFF
    -A QOSO -p tcp -m mport --dports 80,443 -m bcount --range 0x80000 -j CONNMARK --set-return 0x4/0xFF
    -A QOSO -p udp --dport 53 -m bcount --range 0x0-0x7ff -j CONNMARK --set-return 0x1/0xFF
    -A QOSO -p tcp --dport 53 -m bcount --range 0x0-0x7ff -j CONNMARK --set-return 0x1/0xFF
    -A QOSO -p udp --dport 53 -m bcount --range 0x800 -j CONNMARK --set-return 0x5/0xFF
    -A QOSO -p tcp --dport 53 -m bcount --range 0x800 -j CONNMARK --set-return 0x5/0xFF
    -A QOSO -p udp --dport 1024:65535 -j CONNMARK --set-return 0x5/0xFF
    -A QOSO -p tcp --dport 1024:65535 -j CONNMARK --set-return 0x5/0xFF
    -I QOSO -j BCOUNT
    -A QOSO -j CONNMARK --set-return 0x4
    -A FORWARD -o vlan1 -j QOSO
    -A OUTPUT -o vlan1 -j QOSO
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i vlan1 -d 192.168.1.1/255.255.255.0 -j DROP
    -A PREROUTING -p icmp -d 169.254.1.3 -j DNAT --to-destination 192.168.1.1
    -A PREROUTING -p tcp -m tcp -d 169.254.1.3 --dport 8080 -j DNAT --to-destination 192.168.1.1:443
    -A PREROUTING -p tcp -m tcp -d 169.254.1.3 --dport 2222 -j DNAT --to-destination 192.168.1.1:22
    -A PREROUTING -p tcp -d 169.254.1.3 --dport 52574 -j DNAT --to-destination 192.168.1.95
    -A POSTROUTING -p tcp --dport 52574 -s 192.168.1.1/255.255.255.0 -d 192.168.1.95 -j SNAT --to-source 192.168.1.1
    -A PREROUTING -p udp -d 169.254.1.3 --dport 52574 -j DNAT --to-destination 192.168.1.95
    -A POSTROUTING -p udp --dport 52574 -s 192.168.1.1/255.255.255.0 -d 192.168.1.95 -j SNAT --to-source 192.168.1.1
    -A PREROUTING -p tcp -d 169.254.1.3 --dport 4662 -j DNAT --to-destination 192.168.1.95
    -A POSTROUTING -p tcp --dport 4662 -s 192.168.1.1/255.255.255.0 -d 192.168.1.95 -j SNAT --to-source 192.168.1.1
    -A PREROUTING -p udp -d 169.254.1.3 --dport 4662 -j DNAT --to-destination 192.168.1.95
    -A POSTROUTING -p udp --dport 4662 -s 192.168.1.1/255.255.255.0 -d 192.168.1.95 -j SNAT --to-source 192.168.1.1
    -A PREROUTING -p tcp -d 169.254.1.3 --dport 4672 -j DNAT --to-destination 192.168.1.95
    -A POSTROUTING -p tcp --dport 4672 -s 192.168.1.1/255.255.255.0 -d 192.168.1.95 -j SNAT --to-source 192.168.1.1
    -A PREROUTING -p udp -d 169.254.1.3 --dport 4672 -j DNAT --to-destination 192.168.1.95
    -A POSTROUTING -p udp --dport 4672 -s 192.168.1.1/255.255.255.0 -d 192.168.1.95 -j SNAT --to-source 192.168.1.1
    -A PREROUTING -p tcp -d 169.254.1.3 --dport 5500:5999 -j DNAT --to-destination 192.168.1.95
    -A POSTROUTING -p tcp --dport 5500:5999 -s 192.168.1.1/255.255.255.0 -d 192.168.1.95 -j SNAT --to-source 192.168.1.1
    -A PREROUTING -p udp -d 169.254.1.3 --dport 5500:5999 -j DNAT --to-destination 192.168.1.95
    -A POSTROUTING -p udp --dport 5500:5999 -s 192.168.1.1/255.255.255.0 -d 192.168.1.95 -j SNAT --to-source 192.168.1.1
    :upnp - [0:0]
    -A PREROUTING -i vlan1 -j upnp
    -A PREROUTING -d 169.254.1.3 -j DNAT --to-destination 192.168.1.100
    -A POSTROUTING -o vlan1 -j MASQUERADE
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i br0 -d 169.254.1.3 -j DROP
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 22 -j ACCEPT
    :FORWARD DROP [0:0]
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1461: -j TCPMSS --set-mss 1460
    :wanin - [0:0]
    :wanout - [0:0]
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i vlan1 -j wanin
    -A FORWARD -o vlan1 -j wanout
    -A FORWARD -i br0 -j ACCEPT
    :upnp - [0:0]
    -A FORWARD -i vlan1 -j upnp
    -A wanin -p tcp -m tcp -d 192.168.1.95 --dport 52574 -j ACCEPT
    -A wanin -p udp -m udp -d 192.168.1.95 --dport 52574 -j ACCEPT
    -A wanin -p tcp -m tcp -d 192.168.1.95 --dport 4662 -j ACCEPT
    -A wanin -p udp -m udp -d 192.168.1.95 --dport 4662 -j ACCEPT
    -A wanin -p tcp -m tcp -d 192.168.1.95 --dport 4672 -j ACCEPT
    -A wanin -p udp -m udp -d 192.168.1.95 --dport 4672 -j ACCEPT
    -A wanin -p tcp -m tcp -d 192.168.1.95 --dport 5500:5999 -j ACCEPT
    -A wanin -p udp -m udp -d 192.168.1.95 --dport 5500:5999 -j ACCEPT
    -A FORWARD -o br0 -d 192.168.1.100 -j ACCEPT
    COMMIT
     
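Whether a packet reaches the router's HTTPS port or the VNC host can be worked out from the dump above by following it through the tables in the order the kernel does: nat PREROUTING first, then the routing decision, then filter INPUT (for the router's own addresses) or FORWARD (for a LAN host). The script below is an added example, not code from this thread or from Tomato. It parses the nat and filter rules from the dump (trimmed to the ones that decide the 8080 and 5800 cases; the mangle table only marks QoS and is left out) and traces a new connection arriving on vlan1. The function names (`parse_save`, `trace`, `walk`) are the example's own, and 203.0.113.5 is a constructed documentation-range address standing in for a public IP.

```python
import ipaddress
import shlex
# Rules copied from the dump in post #1, trimmed to those that decide the 8080
# (HTTPS) and 5800 (VNC) cases; the mangle table only marks traffic for QoS and
# is left out.  ":pREROUTING" in the post is a forum smiley artefact.
SAVE = """
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i vlan1 -d 192.168.1.1/255.255.255.0 -j DROP
-A PREROUTING -p tcp -m tcp -d 169.254.1.3 --dport 8080 -j DNAT --to-destination 192.168.1.1:443
-A PREROUTING -p tcp -d 169.254.1.3 --dport 5500:5999 -j DNAT --to-destination 192.168.1.95
-A PREROUTING -d 169.254.1.3 -j DNAT --to-destination 192.168.1.100
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 443 -j ACCEPT
-A FORWARD -i vlan1 -j wanin
-A wanin -p tcp -m tcp -d 192.168.1.95 --dport 5500:5999 -j ACCEPT
-A FORWARD -o br0 -d 192.168.1.100 -j ACCEPT
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE"}
ROUTER_ADDRS = {"169.254.1.3", "192.168.1.1"}   # the router's WAN and LAN addresses

def parse_rule(argv):   # ['-p', 'tcp', '--dport', '8080'] -> {'p': ['tcp'], 'dport': ['8080']}
    rule, key = {}, None
    for tok in argv:
        if tok.startswith("-"):
            key = tok.lstrip("-")
            rule.setdefault(key, [])
        else:
            rule[key].append(tok)
    return rule

def parse_save(text):   # -> {table: {'policy': {chain: policy}, 'rules': {chain: [rule, ..]}}}
    tables, table = {}, None
    for line in text.strip().splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
            table["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            argv = shlex.split(line)
            table["rules"].setdefault(argv[1], []).append(parse_rule(argv[2:]))
    return tables

def in_net(ip, spec):   # spec may be a host, a CIDR prefix or a dotted-mask network
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_in(port, spec):   # spec is "443" or a range such as "5500:5999"
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    """Every modelled match must fit; unmodelled matches (tcp-flags, mss, ...) count as no match."""
    checks = {
        "i": lambda v: pkt["in"] == v[0],
        "o": lambda v: pkt["out"] == v[0],
        "p": lambda v: pkt["proto"] == v[0],
        "d": lambda v: in_net(pkt["dst"], v[0]),
        "dport": lambda v: pkt["proto"] in ("tcp", "udp") and port_in(pkt["dport"], v[0]),
        "state": lambda v: pkt["state"] in v[0].split(","),
    }
    return all(checks[k](v) if k in checks else k in ("m", "j", "to-destination")
               for k, v in rule.items())

def walk(table, chain, pkt, trail):   # verdict of a chain, or None if pkt falls off its end
    for rule in table["rules"].get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["j"][0]
        trail.append(f"{chain}: -j {target}")
        if target == "DNAT":   # rewrite the destination; routing is decided afterwards
            host, _, port = rule["to-destination"][0].partition(":")
            pkt["dst"], pkt["dport"] = host, int(port) if port else pkt["dport"]
        if target in TERMINAL or target == "RETURN":
            return None if target == "RETURN" else target
        verdict = walk(table, target, pkt, trail)   # user chain; TCPMSS etc. fall through
        if verdict is not None:
            return verdict
    return None

def trace(tables, proto, dst, dport, in_iface="vlan1"):
    """One NEW packet from the WAN: nat PREROUTING, routing decision, then filter INPUT or FORWARD."""
    pkt, trail = {"in": in_iface, "out": None, "proto": proto, "dst": dst, "dport": dport, "state": "NEW"}, []
    if walk(tables["nat"], "PREROUTING", pkt, trail) == "DROP":
        return "DROP", pkt["dst"], pkt["dport"], trail
    chain = "INPUT" if pkt["dst"] in ROUTER_ADDRS else "FORWARD"
    if chain == "FORWARD":
        pkt["out"] = "br0" if in_net(pkt["dst"], "192.168.1.0/24") else "vlan1"
    verdict = walk(tables["filter"], chain, pkt, trail) or tables["filter"]["policy"][chain]
    return verdict, pkt["dst"], pkt["dport"], trail

if __name__ == "__main__":
    for case in [("tcp", "169.254.1.3", 8080), ("tcp", "169.254.1.3", 5800),
                 ("tcp", "169.254.1.3", 22), ("tcp", "203.0.113.5", 8080)]:
        print(case, "->", trace(parse_save(SAVE), *case))
```

Run as written, the trace shows the posted rules doing what the GUI settings ask for: TCP 8080 to 169.254.1.3 is DNATed to 192.168.1.1:443 and accepted by INPUT, TCP 5800 is DNATed to 192.168.1.95 and accepted in wanin, any other port to 169.254.1.3 goes to the DMZ host 192.168.1.100, and a packet addressed to anything other than 169.254.1.3 is dropped by the FORWARD policy. Every inbound rule keys on 169.254.1.3, and 169.254.0.0/16 is the IPv4 link-local range, so this router is not holding the public address itself; whatever upstream device does hold it must pass 8080 and 5800 on before these rules ever see the packet. Matches the tracer does not model are treated as not matching, which is fine for this dump because the only such rule is the non-terminal TCPMSS one; on the real box, `iptables -L -vn -t nat` and `iptables -L -vn` with their packet counters are the check that confirms which rule actually fires.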
  2. rhester72

    rhester72 Network Guru Member

    SSL doesn't work this way - your browser will not attempt to handshake via SSL like this (without some serious gyrations on both the browser and web server's part, and the certificates will never work properly).

    Stick to port 443 on both source and destination and things should work fine. If your ISP is blocking 443 inbound - well, there's not a lot you're going to be able to do about that, unfortunately. 80 is easy to circumvent, 443 much less so.

    Rodney
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I use port 8428 for my https connection to Tomato's web gui just fine...
     
  4. mstombs

    mstombs Network Guru Member

    What format are those iptables commands in?

    Check the output of

    Code:
    iptables -L -vn
    iptables -L -vn -t nat
    To check what is actually running and what order they end up in!
     
  5. kevanj

    kevanj LI Guru Member

    To the OP.....

    You said "Get same error if i use external ip address of router"...what does that mean?

    If you set up port 8080 as the SSL port for your router for remote access, you should ONLY be able to use it on the external IP...it will not work on the LAN IP. 8080 is another favorite port for ISPs to block...try another...I, like SgtPepperKSU, use an alternate port for https connectivity with complete success.

    With respect to VNC....does it work when you access the VNC server machine from a host within your network using the private IP?
     
