
Opened 3 years ago

Last modified 3 years ago

#18787 new defect

iptables on AA and iptables on BB

Reported by: gsustek@… Owned by: developers
Priority: response-needed Milestone:
Component: packages Version: Trunk
Keywords: Cc:

Description

Hi, there is a huge difference in iptables on AA and BB. For the same entry in /etc/config/firewall:

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '192.168.168.1'
	option name 'ovpn'
	option dest_port '1194'
	option src_dport '80'

So for the same rule above, on AA I can telnet from LAN to WAN-ip port 80 and the forward rule is triggered to LAN-ip port 1194, so iptables added "Chain nat_reflection_out (References: 1)", which I did not specify.

Why on BB can I not do the telnet from LAN through WAN to LAN with the port forward, while on AA I can?

Here is iptables on AA (columns: rule #, packets, traffic, target, proto, opt, in, out, source, destination, options):
1 12963 934.60 KB prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 ### hyperlink

Chain prerouting_rule (References: 1)
1 12937 933.33 KB nat_reflection_in all -- * * 0.0.0.0/0 0.0.0.0/0 -

Chain nat_reflection_in (References: 1)
4 0 0.00 B DNAT tcp -- * * 192.168.1.0/24 109.60.73.14 tcp dpt:80 /* wan */ to:192.168.1.1:1194

Chain zone_wan_prerouting (References: 1)
4 0 0.00 B SNAT tcp -- * * 192.168.1.0/24 192.168.1.1 tcp dpt:1194 /* wan */ to:192.168.1.1

Chain zone_wan_prerouting (References: 1)

EXTRA ENTRY; Chain nat_reflection_out (References: 1)
4 0 0.00 B SNAT tcp -- * * 192.168.1.0/24 192.168.1.1 tcp dpt:1194 /* wan */ to:192.168.1.1

iptables on BB (latest trunk) for the same rule above:

Chain delegate_prerouting ### is not a hyperlink, cannot edit
1 12307 807.05 KB prerouting_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */

Chain nat_reflection_in (References: 1)
MISSING
Chain nat_reflection_out (References: 1)
MISSING

Chain zone_wan_prerouting (References: 1)
5 0 0.00 B REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* ovpn */ redir ports 1194
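What the AA dump shows is NAT reflection (hairpin NAT): besides the DNAT for traffic arriving on the WAN, the firewall generates a second DNAT for LAN clients that connect to the WAN address (nat_reflection_in) and an SNAT that rewrites their source to the router's LAN address (nat_reflection_out), so the server's reply travels back through the router where the DNAT is reversed. The script below is an added example, not code from the ticket, from fw3 or from the reporter: it prints (or, with `apply`, installs) the plain iptables equivalent of those two chains for the redirect in the description. The addresses are assumptions: the WAN IP is a TEST-NET placeholder, and the LAN subnet and router address are guessed from the `dest_ip` in the config; replace them with your own.

```shell
#!/bin/sh
# Added example, not part of the ticket or of fw3: emit the iptables rules
# that implement NAT reflection ("hairpin NAT") for one DNAT redirect, i.e.
# the nat_reflection_in / nat_reflection_out rules the reporter sees on AA.
# All values below are assumptions derived from the ticket's firewall entry.

WAN_IP="203.0.113.10"        # assumed public address of the wan interface (TEST-NET-3 placeholder)
LAN_NET="192.168.168.0/24"   # assumed lan subnet
LAN_GW="192.168.168.254"     # assumed router lan address, used as SNAT source
PROTO="tcp"                  # option proto
SRC_DPORT="80"               # option src_dport
DEST_IP="192.168.168.1"      # option dest_ip
DEST_PORT="1194"             # option dest_port

# Print the rules instead of applying them, so they can be reviewed and
# tested without root. Each output line is one complete iptables command.
reflection_rules() {
    wan_ip="$1"; lan_net="$2"; lan_gw="$3"; proto="$4"
    src_dport="$5"; dest_ip="$6"; dest_port="$7"

    # Inbound leg: LAN host -> WAN_IP:src_dport is rewritten to DEST_IP:dest_port
    # (the nat_reflection_in DNAT rule in the AA dump).
    printf 'iptables -t nat -A PREROUTING -s %s -d %s -p %s --dport %s -m comment --comment "reflection in" -j DNAT --to-destination %s:%s\n' \
        "$lan_net" "$wan_ip" "$proto" "$src_dport" "$dest_ip" "$dest_port"

    # Return leg: LAN-net packets now going to DEST_IP:dest_port get the
    # router's LAN address as source (the nat_reflection_out SNAT rule), so
    # the server replies via the router and the DNAT can be reversed. Without
    # it the server answers the client directly and the client drops the
    # reply, because it expects it from WAN_IP.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p %s --dport %s -m comment --comment "reflection out" -j SNAT --to-source %s\n' \
        "$lan_net" "$dest_ip" "$proto" "$dest_port" "$lan_gw"

    # The hairpinned flow still has to pass the filter table.
    printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -m comment --comment "reflection fwd" -j ACCEPT\n' \
        "$lan_net" "$dest_ip" "$proto" "$dest_port"
}

# Number of rules the generator emits for one redirect (used as a self-check).
reflection_rule_count() {
    reflection_rules "$@" | wc -l | tr -d ' '
}

# Install the rules for real: needs root and iptables on the box.
apply_reflection_rules() {
    reflection_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

# Dry run by default; pass "apply" as the first argument to install.
if [ "${1:-}" = "apply" ]; then
    apply_reflection_rules "$WAN_IP" "$LAN_NET" "$LAN_GW" "$PROTO" "$SRC_DPORT" "$DEST_IP" "$DEST_PORT"
else
    reflection_rules "$WAN_IP" "$LAN_NET" "$LAN_GW" "$PROTO" "$SRC_DPORT" "$DEST_IP" "$DEST_PORT"
fi
```

Run it without arguments to see the three rules; `sh reflect.sh apply` installs them. The SNAT leg is what makes the reflected connection work, but it is also why the target server then logs the router's LAN address instead of the client's; fw3 exposes that trade-off on redirect sections as the `reflection` and `reflection_src` options, so when the reflection chains are absent, as in the BB dump, checking those options and the zone's current WAN address is the first thing to verify.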

Attachments (5)

Archive.zip (2.5 KB) - added by gsustek@… 3 years ago.
network-firewall files: sx763 on AA, archer c5 on BB trunk
stari_router_firewall.tar.gz (9.2 KB) - added by gsustek@… 3 years ago.
htm file of Luci firewall status on sx763 AA
luciFirewallStatus-BB.webarchive (123.0 KB) - added by gsustek@… 3 years ago.
Luci html archive of Firewall Status on archer C5
iptables-save-AA.txt (6.9 KB) - added by gsustek@… 3 years ago.
iptables-save from SX763- all works
iptables-save-BB.txt (7.1 KB) - added by gsustek@… 3 years ago.
iptables-save on archer c5


Change History (8)

comment:1 Changed 3 years ago by jow

  • Priority changed from normal to response-needed

Attach your network and firewall configuration files please.

Changed 3 years ago by gsustek@…

network-firewall files: sx763 on AA, archer c5 on BB trunk

Changed 3 years ago by gsustek@…

htm file of Luci firewall status on sx763 AA

Changed 3 years ago by gsustek@…

Luci html archive of Firewall Status on archer C5

Changed 3 years ago by gsustek@…

iptables-save from SX763- all works

Changed 3 years ago by gsustek@…

iptables-save on archer c5

comment:2 Changed 3 years ago by gsustek

Hi, so on AA, when I try to telnet from LAN to gmgt.noip.me 80 I get 192.168.1.1:1194, and in my OpenVPN log 192.168.1.155 is shown as my client's address.
This is not happening with BB even though I have the same firewall entries for forwarding. It is the same behavior for any forwarding rule which I add.

Regards,Goran.

comment:3 Changed 3 years ago by gsustek

anyone?
