
Opened 5 years ago

Last modified 5 years ago

#13238 new defect

NAT loopback not working after reboot

Reported by: anonymous Owned by: developers
Priority: response-needed Milestone: Chaos Calmer 15.05
Component: packages Version: Trunk
Keywords: nat loopback firewall Cc:

Description

NAT loopback is not working on r36114.
After disabling and re-enabling NAT loopback in the port forward it works, but after a full reboot I am again unable to connect to the public address from inside the LAN.

Attachments (0)

Change History (3)

comment:1 Changed 5 years ago by jow

  • Priority changed from normal to response-needed

Attach the contents of /etc/config/firewall and the output of iptables -S.

comment:2 Changed 5 years ago by anonymous

I found that NAT loopback fails intermittently: sometimes it works after a reboot, sometimes it does not.

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        option network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Enforce-ULA-Border-Src'
        option src '*'
        option dest 'wan'
        option proto 'all'
        option src_ip 'fc00::/7'
        option family 'ipv6'

        option target 'REJECT'

config rule
        option name 'Enforce-ULA-Border-Dest'
        option src '*'
        option dest 'wan'
        option proto 'all'
        option dest_ip 'fc00::/7'
        option family 'ipv6'
        option target 'REJECT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'IPv4'
        option reload '1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.1.200'
        option dest_port '8080'
        option name 'Server WebGUI'
        option src_dport '8080'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.1.200'
        option dest_port '9091'
        option name 'Server Bittorrent'
        option src_dport '9091'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.1.200'
        option dest_port '22'
        option name 'Server SFTP'
        option src_dport '22'

iptables -S

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N MINIUPNPD
-N delegate_forward
-N delegate_input
-N delegate_output
-N forwarding_rule
-N input_rule
-N nat_reflection_fwd
-N output_rule
-N reject
-N syn_flood
-N zone_lan_dest_ACCEPT
-N zone_lan_dest_DROP
-N zone_lan_dest_REJECT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_lan_src_DROP
-N zone_lan_src_REJECT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_DROP
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_ACCEPT
-N zone_wan_src_DROP
-N zone_wan_src_REJECT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -j input_rule
-A INPUT -j delegate_input
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -j delegate_forward
-A FORWARD -j reject
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j output_rule
-A OUTPUT -j delegate_output
-A MINIUPNPD -d 192.168.1.114/32 -p tcp -m tcp --dport 30627 -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0.2 -j zone_wan_input
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.2 -j zone_wan_output
-A forwarding_rule -j nat_reflection_fwd
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 8080 -m comment --comment wan -j ACCEPT
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 9091 -m comment --comment wan -j ACCEPT
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 22 -m comment --comment wan -j ACCEPT
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 8080 -m comment --comment wan -j ACCEPT
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 9091 -m comment --comment wan -j ACCEPT
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 22 -m comment --comment wan -j ACCEPT
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_dest_DROP -o br-lan -j DROP
-A zone_lan_dest_REJECT -o br-lan -j reject
-A zone_lan_forward -j zone_wan_dest_ACCEPT
-A zone_lan_forward -j zone_lan_dest_REJECT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_lan_src_DROP -i br-lan -j DROP
-A zone_lan_src_REJECT -i br-lan -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_dest_DROP -o eth0.2 -j DROP
-A zone_wan_dest_REJECT -o eth0.2 -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -d 192.168.1.200/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A zone_wan_forward -d 192.168.1.200/32 -p tcp -m tcp --dport 9091 -j ACCEPT
-A zone_wan_forward -d 192.168.1.200/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_input -p udp -m udp --dport 68 -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth0.2 -j ACCEPT
-A zone_wan_src_DROP -i eth0.2 -j DROP
-A zone_wan_src_REJECT -i eth0.2 -j reject

comment:3 Changed 5 years ago by anonymous

The iptables -S output in the comment above is from a working NAT loopback.
Now, after a reboot for testing, NAT loopback has stopped working again.

The iptables -S output in this comment is from after a reboot when NAT loopback stops working.

The differences between the working and non-working NAT loopback can be seen here:
http://diffchecker.com/6mn9bw5t
In short: in the non-working dump almost every chain contains its rules twice, and FORWARD jumps to delegate_forward before forwarding_rule, whereas in the working dump forwarding_rule (and so nat_reflection_fwd) is consulted first. Because zone_lan_forward ends in zone_lan_dest_REJECT, LAN-to-LAN hairpin traffic is rejected before nat_reflection_fwd is ever reached. This looks like the rule set being applied twice with a different ordering, but that is my reading of the dumps rather than a confirmed cause.

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N MINIUPNPD
-N delegate_forward
-N delegate_input
-N delegate_output
-N forwarding_rule
-N input_rule
-N nat_reflection_fwd
-N output_rule
-N reject
-N syn_flood
-N zone_lan_dest_ACCEPT
-N zone_lan_dest_DROP
-N zone_lan_dest_REJECT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_lan_src_DROP
-N zone_lan_src_REJECT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_DROP
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_ACCEPT
-N zone_wan_src_DROP
-N zone_wan_src_REJECT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j delegate_input
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -j input_rule
-A INPUT -j delegate_input
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j delegate_forward
-A FORWARD -j forwarding_rule
-A FORWARD -j delegate_forward
-A FORWARD -j reject
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j delegate_output
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j output_rule
-A OUTPUT -j delegate_output
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_forward -j reject
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0.2 -j zone_wan_input
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0.2 -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.2 -j zone_wan_output
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.2 -j zone_wan_output
-A forwarding_rule -j nat_reflection_fwd
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 8080 -m comment --comment wan -j ACCEPT
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 9091 -m comment --comment wan -j ACCEPT
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 22 -m comment --comment wan -j ACCEPT
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 8080 -m comment --comment wan -j ACCEPT
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 9091 -m comment --comment wan -j ACCEPT
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.200/32 -p tcp -m tcp --dport 22 -m comment --comment wan -j ACCEPT
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_dest_DROP -o br-lan -j DROP
-A zone_lan_dest_REJECT -o br-lan -j reject
-A zone_lan_dest_REJECT -o br-lan -j reject
-A zone_lan_forward -j zone_wan_dest_ACCEPT
-A zone_lan_forward -j zone_lan_dest_REJECT
-A zone_lan_forward -j zone_lan_dest_REJECT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_lan_src_DROP -i br-lan -j DROP
-A zone_lan_src_REJECT -i br-lan -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_dest_DROP -o eth0.2 -j DROP
-A zone_wan_dest_REJECT -o eth0.2 -j reject
-A zone_wan_dest_REJECT -o eth0.2 -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -d 192.168.1.200/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A zone_wan_forward -d 192.168.1.200/32 -p tcp -m tcp --dport 9091 -j ACCEPT
-A zone_wan_forward -d 192.168.1.200/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_input -p udp -m udp --dport 68 -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth0.2 -j ACCEPT
-A zone_wan_src_DROP -i eth0.2 -j DROP
-A zone_wan_src_REJECT -i eth0.2 -j reject
-A zone_wan_src_REJECT -i eth0.2 -j reject
