
Firewall problems

Got problems with your B2 or B3? Share and get helped!
86ivar
Posts: 148
Joined: 02 Oct 2010, 11:08

Firewall problems

Post by 86ivar »

Hi

I wanted to port forward all IPs on port 2302 to 192.168.10.85.
But what happened is that this port forward entry got stuck in the firewall settings.
I added it, then I removed it. But when I want to add it once again it says "conflicting with existing rules", even though I cannot see the entry in the web interface.

I looked into firewall.conf and found the entry:
-A POSTROUTING -s 192.168.10.0/24 -d 192.168.10.85/32 -p tcp -m tcp --dport 2302 -j SNAT --to-source. When I remove it, it comes back again when I update/restart the firewall settings. It seems that the web interface creates the firewall.conf settings, but maybe it got stuck or something.

Also, looking in iptables, I cannot see the entry.

Code:

root@b2:/etc/network# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000:14000 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
root@b2:/etc/network# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:webmin:14000

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


In firewall.conf, the entry "-A POSTROUTING -s 192.168.10.0/24 -d 192.168.10.85/32 -p tcp -m tcp --dport 2302 -j" is there.

Code:

root@b2:/etc/network# nano firewall.conf
  GNU nano 2.2.4                        File: firewall.conf

# Generated by iptables-save v1.4.8 on Sun Nov  2 16:14:00 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000:14000 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
COMMIT
# Completed on Sun Nov  2 16:14:00 2014
# Generated by iptables-save v1.4.8 on Sun Nov  2 16:14:00 2014
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -d 192.168.10.85/32 -p tcp -m tcp --dport 2302 -j SNAT --to-source 192.168.10.1
COMMIT
# Completed on Sun Nov  2 16:14:00 2014
rog
Posts: 22
Joined: 22 Sep 2011, 00:19

Re: Firewall problems

Post by rog »

What does iptables -L -nv show?
86ivar
Posts: 148
Joined: 02 Oct 2010, 11:08

Re: Firewall problems

Post by 86ivar »

rog wrote: What does iptables -L -nv show?

Code:

root@b2:/home/ksn# iptables -L -nv
Chain INPUT (policy DROP 15707 packets, 1874K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x12/0x12 state NEW reject-with tcp-reset
   33  3618 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
 2553  429K ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
32632 2972K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 3 code 4
   43  2568 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    2   112 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    1    52 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    1    40 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    2    92 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:10000:14000

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 497K  666M ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
 323K   32M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 3 code 4

Chain OUTPUT (policy ACCEPT 2968 packets, 418K bytes)
 pkts bytes target     prot opt in     out     source               destination
root@b2:/home/ksn#
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Firewall problems

Post by Gordon »

You're reading the wrong table. You need to specify `-t nat` to view/delete/add prerouting and postrouting entries.

Also, I'm kind of missing the point of this rule. It says you want to masquerade all traffic that has the origin 192.168.10.0/24 and wants to access 192.168.10.85:2302. But no machine in that segment will ever use your B2 as a router to access that target - they'll go straight to it themselves. Can you tell what it is exactly that you're trying to accomplish?
86ivar
Posts: 148
Joined: 02 Oct 2010, 11:08

Re: Firewall problems

Post by 86ivar »

I used the web interface to direct all IPs at port 2302 to my computer's LAN IP at port 2302 so I could play a game with my friend over the internet. But it did not work anyway. I'll probably end up just plugging the computer directly into the internet to avoid the B2 firewall.
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Firewall problems

Post by Gordon »

You need DNAT for that, and the source of the packet should be 0.0.0.0/0 because you want packets from the internet to be forwarded to your computer, not other computers on your own LAN.

And you'll need a second rule as well, to allow the FORWARD chain to accept that traffic. You can create both of these rules in a single line through the web interface. Just click the 'advanced firewall settings' bar and create a 'port forward rule'. But first get rid of this masquerading (SNAT) rule.
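Two of Gordon's points are worth seeing in working code: the stuck SNAT rule lives in the nat table, which iptables -S / iptables -L never show unless you pass -t nat, and a port forward is a pair of rules (a DNAT in nat/PREROUTING plus an ACCEPT in filter/FORWARD), not a single SNAT. The following is an added Python example, not code from this thread or from the B2 firmware. It parses an iptables-save dump in the same format as the firewall.conf posted above, reports which table and chain each SNAT rule sits in, flags SNAT rules whose source and destination are both inside the LAN (the rule that will never be hit, per Gordon's explanation), and emits the DNAT/FORWARD pair. The sample dump is constructed from the rules in the thread; the interface names and the exact shape of the generated rules are my assumptions, not what the B2 web interface writes.

```python
"""Inspect an iptables-save dump table by table and build a correct port-forward rule pair."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the firewall.conf shown in the thread (abridged).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -d 192.168.10.85/32 -p tcp -m tcp --dport 2302 -j SNAT --to-source 192.168.10.1
COMMIT
"""


def parse_dump(text):
    """Return {table: {chain: [rule, ...]}} from iptables-save output.

    '*name' opens a table, ':CHAIN policy [c:b]' declares a chain,
    '-A CHAIN ...' appends a rule, 'COMMIT' closes the table.
    """
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":") and table:
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A ") and table:
            tables[table][line.split()[1]].append(line)
        elif line == "COMMIT":
            table = None
    return {t: dict(chains) for t, chains in tables.items()}


def find_rules(tables, target):
    """Return (table, chain, rule) for every rule whose jump target is `target`."""
    hits = []
    for table, chains in tables.items():
        for chain, rules in chains.items():
            for rule in rules:
                m = re.search(r"-j (\S+)", rule)
                if m and m.group(1) == target:
                    hits.append((table, chain, rule))
    return hits


def lan_to_lan_snat(tables, lan_net):
    """Flag SNAT rules whose -s and -d both fall inside lan_net.

    LAN hosts reach each other directly instead of through the router, so such a
    rule is never hit; it only lingers in the saved ruleset (as in the thread).
    """
    net = ipaddress.ip_network(lan_net)
    flagged = []
    for _table, _chain, rule in find_rules(tables, "SNAT"):
        src = re.search(r"-s (\S+)", rule)
        dst = re.search(r"-d (\S+)", rule)
        if src and dst:
            s = ipaddress.ip_network(src.group(1), strict=False)
            d = ipaddress.ip_network(dst.group(1), strict=False)
            if s.subnet_of(net) and d.subnet_of(net):
                flagged.append(rule)
    return flagged


def port_forward_rules(wan_if, proto, port, lan_host, lan_if="br0"):
    """The two rules a port forward needs, in iptables-save syntax (assumed shape).

    nat/PREROUTING rewrites the destination of packets arriving on the WAN side;
    filter/FORWARD lets the rewritten NEW connection through (the ruleset's existing
    RELATED,ESTABLISHED rule then carries the rest of the flow).
    """
    return {
        "nat": (f"-A PREROUTING -i {wan_if} -p {proto} -m {proto} --dport {port} "
                f"-j DNAT --to-destination {lan_host}:{port}"),
        "filter": (f"-A FORWARD -i {wan_if} -o {lan_if} -d {lan_host}/32 -p {proto} "
                   f"-m {proto} --dport {port} -m state --state NEW -j ACCEPT"),
    }


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for table, chain, rule in find_rules(parsed, "SNAT"):
        print(f"SNAT rule found in table '{table}' chain {chain}: {rule}")
    for rule in lan_to_lan_snat(parsed, "192.168.10.0/24"):
        print("LAN-to-LAN SNAT rule (never hit):", rule)
    for table, rule in port_forward_rules("eth0", "tcp", 2302, "192.168.10.85").items():
        print(f"[{table}] {rule}")
```

The output of `iptables-save` on the device (or the saved firewall.conf) can be fed to `parse_dump` in place of the constructed sample; the point the parser makes visible is that `tables["filter"]` holds nothing about the SNAT rule, which is exactly why `iptables -S` and `iptables -L` without `-t nat` looked clean.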
86ivar
Posts: 148
Joined: 02 Oct 2010, 11:08

Re: Firewall problems

Post by 86ivar »

Gordon wrote: You need DNAT for that and the source of the packet should be 0.0.0.0/0 because you want packages from the internet to be forwarded to your computer, not other computers on your own LAN.

And you'll need a second rule as well, to allow the FORWARD chain to accept that traffic. You can create both of these rules in a single line through the web interface. Just click the 'advanced firewall settings' bar and create a 'port forward rule'. But first get rid of this masquerading (SNAT) rule.
Thanks for the tip, still learning new stuff. I found the SNAT entry in the nat table and deleted it. Is "MASQUERADE all -- anywhere anywhere" supposed to be there by default?

Code:

root@b2:/home/ksn# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
SNAT       tcp  --  192.168.10.0/24      192.168.10.85       tcp dpt:2302 to:192.168.10.1
root@b2:/home/ksn#
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Re: Firewall problems

Post by Gordon »

Yes. That is how computers on your LAN get internet access.

More specifically: masquerading (Source NAT) allows services on the web to get their responses back to the computer on your LAN, which would otherwise not be possible because addresses used on LANs are not unique and the only router that can properly identify the correct source is your own router. By rewriting the return address on the envelope, your router will receive the response from e.g. a webserver and, since it knows the original return address, forward it to the correct computer on the LAN.