Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#9279 closed defect (worksforme)

port redirect behaves catastrophically in olsr/freifunk/funkfeuer networks

Reported by: xro@…
Owned by: developers
Priority: high
Milestone: Backfire 10.03.1
Component: base system
Version: Trunk
Keywords: firewall
Cc:

Description

Problem:

  • PREROUTING rules have no set destination address
  • thus, they work and redirect all incoming traffic that passes the router
  • in olsr networks, where traffic may just be forwarded, ports which are set to redirect from WAN (olsr) to LAN are redirected to local LAN, EVEN IF they are intended for ANOTHER router.

e.g.

  • Node 1 redirects port 20022 to local LAN 192.168.1.200:22
  • Node 2 redirects port 20022 to its local LAN 192.168.2.200:22
  • all packets to Node 2 have to pass Node 1 (forwarding)
  • port 20022 on Node 2 can _never_ be reached

Solution:
add the local interface IP as destination (-d) argument to prerouting iptables rules:

e.g.
fw add $mode $natchain $redirect_target $pos ...
...
-d $(uci get network.${redirect_src}.ipaddr) \
...
(or your preferred equivalent)

Attachments (0)

Change History (2)

comment:1 Changed 7 years ago by jow

  • Resolution set to worksforme
  • Status changed from new to closed

That's what the "src_dip" option is for. The above solution is not going to work as it invalidates rules when the ip changes. Might work for your lan, does not work for wan which is 90% of the use cases.

comment:2 Changed 7 years ago by anonymous

true, but if you have several interfaces mapped to one firewall zone, you have to set up a redirect rule for each interface's IP, and if you change IPs you have to remember to change all redirect rules' IPs (and that can be many)
Sure, I'm writing a script for that, but for others it will mean lots of clicking
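An added example, not from the ticket or from OpenWrt's firewall scripts, that replays the reporter's scenario on constructed addresses (Node 1 reachable at 10.0.0.1, Node 2 at 10.0.0.2 and routed through Node 1) and shows the effect of the destination match that comment 1 calls the src_dip option. The function names and the 10.0.0.x OLSR addresses are assumptions; the rules are printed rather than loaded, and a small matcher evaluates only the -d and --dport parts of a rule, which is all the ticket is about.

```shell
#!/bin/sh
# Constructed topology for this example (not from the ticket):
#   Node 1: OLSR/WAN address 10.0.0.1, redirect 20022 -> 192.168.1.200:22
#   Node 2: OLSR/WAN address 10.0.0.2, all its traffic is forwarded by Node 1
#
# In UCI terms the redirect on Node 1 looks like this; the last option is
# the one comment 1 points to and is what adds the "-d" match below:
#   config redirect
#       option src       wan
#       option src_dport 20022
#       option dest      lan
#       option dest_ip   192.168.1.200
#       option dest_port 22
#       option src_dip   10.0.0.1

# build_redirect_rule PROTO DPORT TARGET [SRC_DIP]
# Prints (does not execute) the PREROUTING DNAT rule for one redirect.
# With SRC_DIP empty the rule has no destination match, which is the
# situation the ticket describes.
build_redirect_rule() {
    proto=$1; dport=$2; target=$3; src_dip=$4
    rule="-t nat -A PREROUTING -p $proto --dport $dport"
    if [ -n "$src_dip" ]; then
        rule="$rule -d $src_dip"
    fi
    echo "$rule -j DNAT --to-destination $target"
}

# rule_matches RULE DST_IP DST_PORT
# Returns 0 when a packet with that destination would be rewritten by RULE.
# Only the --dport and optional -d matches are evaluated (hypothetical
# matcher for the example, not how netfilter is implemented).
rule_matches() {
    rule=$1; dst_ip=$2; dst_port=$3
    rule_port=$(echo "$rule" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
    rule_dip=$(echo "$rule" | sed -n 's/.*-d \([0-9.]*\).*/\1/p')
    [ "$rule_port" = "$dst_port" ] || return 1
    # no -d at all means "any destination", which is the bug
    [ -z "$rule_dip" ] || [ "$rule_dip" = "$dst_ip" ]
}

# forwarded_traffic_hijacked [SRC_DIP]
# Returns 0 when Node 1's rule (built with SRC_DIP, possibly empty) would
# rewrite a packet addressed to Node 2's own redirect, 10.0.0.2:20022,
# that merely passes through Node 1.
forwarded_traffic_hijacked() {
    node1_rule=$(build_redirect_rule tcp 20022 192.168.1.200:22 "$1")
    rule_matches "$node1_rule" 10.0.0.2 20022
}

# Stand-alone demonstration: same redirect with and without src_dip.
for dip in "" 10.0.0.1; do
    echo "rule: $(build_redirect_rule tcp 20022 192.168.1.200:22 "$dip")"
    if forwarded_traffic_hijacked "$dip"; then
        echo "  packet for 10.0.0.2:20022 via Node 1: rewritten to 192.168.1.200:22 (Node 2 unreachable)"
    else
        echo "  packet for 10.0.0.2:20022 via Node 1: forwarded untouched"
    fi
done
```

The matcher shows the two halves of the thread: without a destination match every transit packet on the port is rewritten (the reporter's point), and a fixed address in the rule keeps Node 1's own redirect working only as long as that address does not change (jow's objection to hard-coding the interface IP).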
