
Opened 20 months ago

Last modified 20 months ago

#22519 new defect

Firewall: LAN to LAN REDIRECT is invalid

Reported by: puchuu
Owned by: developers
Priority: normal
Milestone:
Component: base system
Version: Chaos Calmer 15.05
Keywords:
Cc:

Description

I have an ssh server running on port 6322, and I want to make it available from the lan using a REDIRECT iptables rule.

config redirect
        option target    'REDIRECT'
        option src       'lan'
        option dest      'lan'
        option proto     'tcp'
        option src_dport '22'
        option dest_port '6322'
        option name      'router ssh for lan'

This doesn't work: no rules were generated.

config redirect
        option target    'DNAT'
        option src       'lan'
        option dest      'lan'
        option proto     'tcp'
        option src_dport '22'
        option dest_port '6322'
        option name      'router ssh for lan'

This works but the rule is invalid:

REDIRECT  tcp  --  anywhere  anywhere  tcp dpt:ssh /* router ssh for lan */ redir ports 6322

These two "anywhere" words made me create an invalid ticket, /ticket/22518.html. All traffic to port 22 was redirected to 6322.

So I have to use a custom iptables rule:

config include
        option path   '/etc/firewall.user'
        option reload '1'

iptables -t nat -A zone_lan_prerouting --src OpenWrt.lan/24 --dst OpenWrt.lan -p tcp --dport 22 -j REDIRECT --to-ports 6322

Please fix REDIRECT generator.

Attachments (0)

Change History (6)

comment:1 Changed 20 months ago by anonymous

It is doing exactly what you configured: map any tcp traffic destined to port 22 to the local port 6322. You forgot to add "option src_ip 192.168.1.0/24" or something equivalent.

comment:2 Changed 20 months ago by anonymous

More importantly you need "option dest_ip 192.168.1.0/24".

comment:3 Changed 20 months ago by puchuu

config redirect
        option target    'DNAT'
        option src       'lan'
        option src_ip    '192.168.0.1/24'
        option dest      'lan'
        option dest_ip   '192.168.0.1'
        option proto     'tcp udp'
        option src_dport '22'
        option dest_port '6322'
        option name      'router ssh for lan'

This generates:

REDIRECT  tcp  --  192.168.0.0/24  anywhere tcp dpt:ssh /* router ssh for lan */ redir ports 6322

The destination is "anywhere", and my router grabs all my ssh requests again.

But the problem is not just the destination. I am expecting that REDIRECT will work the same way as DNAT (with all default values):

config redirect
        option target    'REDIRECT'
        option src       'lan'
        option dest      'lan'
        option proto     'tcp'
        option src_dport '22'
        option dest_port '6322'
        option name      'router ssh for lan'

I think it should generate:

REDIRECT  tcp  --  OpenWrt.lan/24  OpenWrt.lan tcp dpt:ssh /* router ssh for lan */ redir ports 6322

Thank you.

comment:4 Changed 20 months ago by anonymous

Use src_dip, not dest_ip.

comment:5 Changed 20 months ago by puchuu

config redirect
        option target    'DNAT'
        option src       'lan'
        option dest      'lan'
        option src_ip    '192.168.0.0/24'
        option src_dip   '192.168.0.1'
        option src_dport '22'
        option dest_port '6322'
        option proto     'tcp udp'
        option name      'router ssh for lan'

This works perfectly. Thank you.

But in this case I should remember that I can't simply change the network address from 192.168.0.0 to 192.168.1.0, or /24 to /16, in /etc/config/network.

For example:

config redirect
        option target    'DNAT'
        option src       'vpn2'
        option dest      'lan'
        option src_ip    '10.0.3.0/24'
        option src_dip   '10.0.3.6'
        option src_dport '22'
        option dest_port '6322'
        option proto     'tcp udp'
        option name      'router ssh for vpn2'

This generates a REDIRECT too. The IP of the machine can be changed by the vpn server, and this is bad.

config redirect
        option target    'DNAT'
        option src       'wan'
        option dest      'lan'
        option proto     'tcp'
        option src_dport '51000'
        option dest_ip   '192.168.0.3'
        option dest_port '51000'
        option name      'app'

This generates:

DNAT  tcp  --  192.168.0.0/24  valid-dynamic-adddress.com  tcp dpt:51000 /* app (reflection) */ to:192.168.0.3:51000

This result is perfect. I think REDIRECT should work the same way. Thank you.
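An added example, not part of this ticket and not code from fw3 or OpenWrt: the failure mode described above (a REDIRECT rule whose destination is "anywhere", so the router grabs every port-22 connection that passes through it, not only connections addressed to the router) can be checked for on the router by reading the nat table with `iptables-save -t nat` and flagging REDIRECT rules that carry no `-d` match. The rules in `SAMPLE_RULES` below are constructed to mirror the rules quoted in the description and in comments 3 and 5, not captured from a real device, and the function names `unbounded_redirects` and `count_unbounded_redirects` are mine.

```shell
#!/bin/sh
# Added example (not from the ticket or from fw3). Flags REDIRECT rules in the
# nat table that have no destination match, i.e. rules that catch traffic to
# any host on the matched port instead of only traffic to the router itself.

# Constructed sample of `iptables-save -t nat` output, modelled on the rules
# quoted in this ticket. Not captured from a real device.
SAMPLE_RULES='-A zone_lan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "router ssh for lan" -j REDIRECT --to-ports 6322
-A zone_lan_prerouting -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m comment --comment "router ssh for lan" -j REDIRECT --to-ports 6322
-A zone_lan_prerouting -s 192.168.0.0/24 -d 192.168.0.1/32 -p tcp -m tcp --dport 22 -m comment --comment "router ssh for lan" -j REDIRECT --to-ports 6322
-A zone_wan_prerouting -p tcp -m tcp --dport 51000 -m comment --comment "app" -j DNAT --to-destination 192.168.0.3:51000'

# Print every nat rule with a REDIRECT target that carries no "-d" match.
# The first two sample rules are reported (no destination, or source only);
# the third, restricted by both -s and -d, passes; DNAT rules are ignored
# because DNAT already rewrites to an explicit address.
unbounded_redirects() {
    printf '%s\n' "$1" | awk '/ -j REDIRECT/ && !/ -d /'
}

# Same filter, returning a count so a script can fail on a non-zero result.
count_unbounded_redirects() {
    printf '%s\n' "$1" | awk '/ -j REDIRECT/ && !/ -d / { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample. On a router, feed the real
# table instead, e.g.:  count_unbounded_redirects "$(iptables-save -t nat)"
if [ "$(count_unbounded_redirects "$SAMPLE_RULES")" -gt 0 ]; then
    echo "REDIRECT rules without a destination match:"
    unbounded_redirects "$SAMPLE_RULES"
fi
```

The check only finds rules with no destination match at all; a REDIRECT that is intentionally unrestricted (a transparent proxy, for instance) will be reported too, so treat the output as a list to review rather than as errors. The reason comment 4 points at `src_dip` rather than `dest_ip` is that in a fw3 redirect `src_dip` matches the original destination address of the incoming packet (the router's lan address here), while `dest_ip` is the address the packet is rewritten to, which a REDIRECT target does not use.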
