Opened 5 years ago

Last modified 4 years ago

#12053 reopened defect

iptables contains doubled rules

Reported by: dvlom@… Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: Cc:

Description

Hi. Trunk (r33212). I have 2 firewall rules for port forwards (created via LuCI), 1 enabled and 1 disabled:

root@router:~# cat /etc/config/firewall 
config redirect
	option _name 'pega_ssh'
	option src 'wan'
	option proto 'tcp'
	option src_dport '41022'
	option dest_ip '192.168.1.9'
	option dest_port '22'
	option target 'DNAT'
	option dest 'lan'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '51413'
	option dest_ip '192.168.1.9'
	option dest_port '51413'
	option name 'pega_bt'
	option enabled '0'
..........

Iptables rules corresponding to this case:

root@router:~# iptables -L zone_wan_forward -n
Chain zone_wan_forward (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.9         tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.9         tcp dpt:22 
forwarding_wan  all  --  0.0.0.0/0            0.0.0.0/0           
zone_wan_DROP  all  --  0.0.0.0/0            0.0.0.0/0           

root@router:~# iptables -L zone_wan_prerouting -t nat -n
Chain zone_wan_prerouting (1 references)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:41022 to:192.168.1.9:22 
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:41022 to:192.168.1.9:22 
prerouting_wan  all  --  0.0.0.0/0            0.0.0.0/0           

If both firewall rules are enabled, iptables looks as it should:

root@router:~# iptables -L zone_wan_forward -n
Chain zone_wan_forward (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.9         tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.9         tcp dpt:51413 
ACCEPT     udp  --  0.0.0.0/0            192.168.1.9         udp dpt:51413 
forwarding_wan  all  --  0.0.0.0/0            0.0.0.0/0           
zone_wan_DROP  all  --  0.0.0.0/0            0.0.0.0/0           

root@router:~# iptables -L zone_wan_prerouting -t nat -n
Chain zone_wan_prerouting (1 references)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:41022 to:192.168.1.9:22 
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:51413 to:192.168.1.9:51413 
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:51413 to:192.168.1.9:51413 
prerouting_wan  all  --  0.0.0.0/0            0.0.0.0/0           

Attachments (0)

Change History (7)

comment:1 Changed 5 years ago by anonymous

Yes. I can confirm this too. Looks like a bug. Same behaviour in OpenWrt Attitude Adjustment 12.09-rc1. When I uncheck "enable" on 2 (out of 3) rules in LuCI > Firewall > Traffic Rules I see they have "option enabled '0'" in /etc/config/firewall, but in the iptables listing I see doubled or tripled entries (e.g. OpenVPN listening on telnet port 23):

0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:23

comment:2 Changed 5 years ago by nbd

Is this still an issue with current versions?

comment:3 Changed 5 years ago by nbd

  • Resolution set to no_response
  • Status changed from new to closed

comment:4 Changed 5 years ago by anonymous

  • Resolution no_response deleted
  • Status changed from closed to reopened

Sorry for not responding earlier. Yes, it is still a problem with the latest r36816. I have this in /etc/config/firewall, with the second (port 80) redirect rule disabled:

config redirect
        option name 'ssh'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22'
        option dest_ip '192.168.1.30'
        option dest_port '22'
        option reflection '0'

config redirect
        option name 'p2p'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.1.30'
        option dest_port '80'
        option reflection '0'
        option enabled '0'

config redirect
        option name 'sftp'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '21'
        option dest_ip '192.168.1.80'
        option dest_port '21'
        option reflection '0'

And zone_wan_forward shows this, with the first (port 22) forward rule repeated twice:

Chain zone_wan_forward (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.30        tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.30        tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.80        tcp dpt:21 
    0     0 forwarding_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
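As an added example (not from this ticket or from the OpenWrt firewall package), here is a small Python audit that automates the check the reporter did by hand in the description and in comment 4: parse the redirect sections of /etc/config/firewall, derive the forward-chain ACCEPT rules a correct generator would emit (enabled sections only, one per protocol), and compare them with an `iptables -L zone_wan_forward -nv` listing, flagging rules that appear more than once, rules with no enabled config entry, and enabled entries with no rule. The config and the listing are constructed samples modelled on comment 4.

```python
import re
from collections import Counter
# Constructed sample in /etc/config/firewall syntax, trimmed to the options used
# below: the port-22 redirect is enabled, the port-80 redirect is disabled.
FIREWALL_CONFIG = """\
config redirect
\toption proto 'tcp'
\toption dest_ip '192.168.1.30'
\toption dest_port '22'
config redirect
\toption proto 'tcp'
\toption dest_ip '192.168.1.30'
\toption dest_port '80'
\toption enabled '0'
"""
# Constructed `iptables -L zone_wan_forward -nv` output showing the doubled port-22 rule.
FORWARD_LISTING = """\
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.30        tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.30        tcp dpt:22
    0     0 forwarding_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def parse_redirects(text):
    """Return one dict per 'config redirect' section (subset of UCI syntax)."""
    sections = []
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+(\w+)", line):
            sections.append({"_type": m.group(1)})
        elif (m := re.match(r"\s*option\s+(\w+)\s+'([^']*)'", line)) and sections:
            sections[-1][m.group(1)] = m.group(2)
    return [s for s in sections if s["_type"] == "redirect"]
def expected_forward_rules(redirects):
    """ACCEPT rules a correct generator emits: one per proto, enabled sections only."""
    want = Counter()
    for r in redirects:
        if r.get("enabled", "1") != "0":
            want.update((p, r["dest_ip"], r["dest_port"]) for p in r["proto"].split())
    return want
def live_forward_rules(listing):
    """ACCEPT rules present in an `iptables -L <chain> -n[v]` dump, with multiplicity."""
    have = Counter()
    for f in (line.split() for line in listing.splitlines()):
        if "ACCEPT" in f and f[-1].startswith("dpt:"):
            have[(f[f.index("ACCEPT") + 1], f[-3], f[-1][4:])] += 1
    return have
def audit(config, listing):
    """Return (duplicated, unexpected, missing) as sets of (proto, dest_ip, dport)."""
    want, have = expected_forward_rules(parse_redirects(config)), live_forward_rules(listing)
    duplicated = {k for k, n in have.items() if n > 1}
    return duplicated, set(have) - set(want), set(want) - set(have)
```

On a router this would be fed the real file and the output of `iptables -L zone_wan_forward -nv`; a non-empty `duplicated` set is the symptom this ticket describes.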

comment:5 Changed 5 years ago by nbd

Have you tried enabling the firewall3 package instead of the firewall package (the defaults have changed)?

comment:6 Changed 5 years ago by anonymous

Just tried firewall3 and confirmed that the issue is resolved there.

comment:7 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
