[FS#283] NAT Loopback ("reflections") not working correctly.

LEDE Bugs lede-bugs at lists.infradead.org
Mon Nov 28 11:40:12 PST 2016


The following task has a new comment added:

FS#283 - NAT Loopback ("reflections") not working correctly.
User who did this - schoerg (schoerg)

----------
# Generated by iptables-save v1.4.21 on Mon Nov 28 20:31:46 2016
*nat
:PREROUTING ACCEPT [119:10903]
:INPUT ACCEPT [29:2353]
:OUTPUT ACCEPT [4:607]
:POSTROUTING ACCEPT [11:1556]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m id --id 0x66773300 -m comment --comment "user chain for prerouting" -j prerouting_rule
-A PREROUTING -i br-lan -m id --id 0x66773300 -j zone_lan_prerouting
-A PREROUTING -i wwan0 -m id --id 0x66773300 -j zone_wan_prerouting
-A POSTROUTING -m id --id 0x66773300 -m comment --comment "user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o br-lan -m id --id 0x66773300 -j zone_lan_postrouting
-A POSTROUTING -o wwan0 -m id --id 0x66773300 -j zone_wan_postrouting
-A MINIUPNPD -p tcp -m tcp --dport 3002 -j DNAT --to-destination 192.168.0.10:3002
-A MINIUPNPD -p udp -m udp --dport 3002 -j DNAT --to-destination 192.168.0.10:3002
-A MINIUPNPD -p udp -m udp --dport 65061 -j DNAT --to-destination 192.168.0.9:65061
-A zone_lan_postrouting -m id --id 0x66773300 -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m id --id 0x66773300 -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m id --id 0x66773300 -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -m id --id 0x66773300 -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m id --id 0x66773300 -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 28960 -m comment --comment mw2 -j DNAT --to-destination 192.168.0.10:28960
-A zone_wan_prerouting -p udp -m id --id 0x66773300 -m udp --dport 28960 -m comment --comment mw2 -j DNAT --to-destination 192.168.0.10:28960
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 3074:3076 -m comment --comment mw3 -j DNAT --to-destination 192.168.0.10:3074-3076
-A zone_wan_prerouting -p udp -m id --id 0x66773300 -m udp --dport 3074:3076 -m comment --comment mw3 -j DNAT --to-destination 192.168.0.10:3074-3076
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 27000:27800 -m comment --comment steam -j DNAT --to-destination 192.168.0.10:27000-27800
-A zone_wan_prerouting -p udp -m id --id 0x66773300 -m udp --dport 27000:27800 -m comment --comment steam -j DNAT --to-destination 192.168.0.10:27000-27800
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 22000 -m comment --comment syncthing -j DNAT --to-destination 192.168.0.9:22000
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 3001 -m comment --comment freenas_torrent -j DNAT --to-destination 192.168.0.9:3001
-A zone_wan_prerouting -p udp -m id --id 0x66773300 -m udp --dport 3001 -m comment --comment freenas_torrent -j DNAT --to-destination 192.168.0.9:3001
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 3002 -m comment --comment f_torrent -j DNAT --to-destination 192.168.0.10:3002
-A zone_wan_prerouting -p udp -m id --id 0x66773300 -m udp --dport 3002 -m comment --comment f_torrent -j DNAT --to-destination 192.168.0.10:3002
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 443 -m comment --comment nuc_443 -j DNAT --to-destination 192.168.0.6:443
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 7002 -m comment --comment skype_fs -j DNAT --to-destination 192.168.0.10:7002
-A zone_wan_prerouting -p udp -m id --id 0x66773300 -m udp --dport 7002 -m comment --comment skype_fs -j DNAT --to-destination 192.168.0.10:7002
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 80 -m comment --comment nuc_80 -j DNAT --to-destination 192.168.0.6:80
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 8920 -m comment --comment emby -j DNAT --to-destination 192.168.0.9:8920
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 5060:5061 -m comment --comment nuc_ast_tls -j DNAT --to-destination 192.168.0.6:5060-5061
-A zone_wan_prerouting -p udp -m id --id 0x66773300 -m udp --dport 5060:5061 -m comment --comment nuc_ast_tls -j DNAT --to-destination 192.168.0.6:5060-5061
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 20000:20500 -m comment --comment nuc_ast_udp -j DNAT --to-destination 192.168.0.6:20000-20500
-A zone_wan_prerouting -p udp -m id --id 0x66773300 -m udp --dport 20000:20500 -m comment --comment nuc_ast_udp -j DNAT --to-destination 192.168.0.6:20000-20500
COMMIT
# Completed on Mon Nov 28 20:31:46 2016
# Generated by iptables-save v1.4.21 on Mon Nov 28 20:31:46 2016
*raw
:PREROUTING ACCEPT [11016924:10216374449]
:OUTPUT ACCEPT [36483:13630571]
COMMIT
# Completed on Mon Nov 28 20:31:46 2016
# Generated by iptables-save v1.4.21 on Mon Nov 28 20:31:46 2016
*mangle
:PREROUTING ACCEPT [11016896:10216370909]
:INPUT ACCEPT [34148:9046990]
:FORWARD ACCEPT [10980050:10207152243]
:OUTPUT ACCEPT [36372:13617545]
:POSTROUTING ACCEPT [11015234:10220713083]
:QOS_MARK_wwan0 - [0:0]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A PREROUTING -i vtun+ -p tcp -j MARK --set-xmark 0x2/0xff
-A PREROUTING -i wwan0 -m mark --mark 0x0/0xff -g QOS_MARK_wwan0
-A FORWARD -o wwan0 -p tcp -m id --id 0x66773300 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -p udp -m multiport --ports 123,53 -j DSCP --set-dscp 0x24
-A POSTROUTING -o wwan0 -m mark --mark 0x0/0xff -g QOS_MARK_wwan0
-A QOS_MARK_wwan0 -j MARK --set-xmark 0x2/0xff
-A QOS_MARK_wwan0 -m dscp --dscp 0x08 -j MARK --set-xmark 0x3/0xff
-A QOS_MARK_wwan0 -m dscp --dscp 0x30 -j MARK --set-xmark 0x1/0xff
-A QOS_MARK_wwan0 -m dscp --dscp 0x2e -j MARK --set-xmark 0x1/0xff
-A QOS_MARK_wwan0 -m dscp --dscp 0x24 -j MARK --set-xmark 0x1/0xff
-A QOS_MARK_wwan0 -m tos --tos 0x10/0x3f -j MARK --set-xmark 0x1/0xff
-A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Mon Nov 28 20:31:46 2016
# Generated by iptables-save v1.4.21 on Mon Nov 28 20:31:46 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m id --id 0x66773300 -j ACCEPT
-A INPUT -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_rule
-A INPUT -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m id --id 0x66773300 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -i br-lan -m id --id 0x66773300 -j zone_lan_input
-A INPUT -i wwan0 -m id --id 0x66773300 -j zone_wan_input
-A FORWARD -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_rule
-A FORWARD -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i br-lan -m id --id 0x66773300 -j zone_lan_forward
-A FORWARD -i wwan0 -m id --id 0x66773300 -j zone_wan_forward
-A FORWARD -m id --id 0x66773300 -j reject
-A OUTPUT -o lo -m id --id 0x66773300 -j ACCEPT
-A OUTPUT -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_rule
-A OUTPUT -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o br-lan -m id --id 0x66773300 -j zone_lan_output
-A OUTPUT -o wwan0 -m id --id 0x66773300 -j zone_wan_output
-A MINIUPNPD -d 192.168.0.10/32 -p tcp -m tcp --dport 3002 -j ACCEPT
-A MINIUPNPD -d 192.168.0.10/32 -p udp -m udp --dport 3002 -j ACCEPT
-A MINIUPNPD -d 192.168.0.9/32 -p udp -m udp --dport 65061 -j ACCEPT
-A reject -p tcp -m id --id 0x66773300 -j REJECT --reject-with tcp-reset
-A reject -m id --id 0x66773300 -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m id --id 0x66773300 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -m id --id 0x66773300 -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m id --id 0x66773300 -j ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -p tcp -m id --id 0x66773300 -m comment --comment "@rule[9]" -j zone_lan_dest_ACCEPT
-A zone_lan_forward -p udp -m id --id 0x66773300 -m comment --comment "@rule[9]" -j zone_lan_dest_ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -j zone_lan_dest_ACCEPT
-A zone_lan_input -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -m id --id 0x66773300 -j zone_lan_src_ACCEPT
-A zone_lan_output -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -m id --id 0x66773300 -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m id --id 0x66773300 -j ACCEPT
-A zone_wan_dest_ACCEPT -o wwan0 -m id --id 0x66773300 -j ACCEPT
-A zone_wan_dest_REJECT -o wwan0 -m id --id 0x66773300 -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m id --id 0x66773300 -m comment --comment "@rule[7]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m id --id 0x66773300 -m udp --dport 500 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -m id --id 0x66773300 -j zone_wan_dest_REJECT
-A zone_wan_input -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m id --id 0x66773300 -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m id --id 0x66773300 -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m id --id 0x66773300 -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -m id --id 0x66773300 -j zone_wan_src_REJECT
-A zone_wan_output -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -m id --id 0x66773300 -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i wwan0 -m id --id 0x66773300 -j reject
COMMIT
# Completed on Mon Nov 28 20:31:46 2016


Here, ports 80 and 443 are forwarded to the internal host 192.168.0.6.

When I try to use the external IP address (77.116.151.26) to access it, the connection fails:

root at raspberrypi:~# openssl s_client -connect 77.116.151.26:443
connect: Connection refused
connect:errno=111


This was tested from inside the network (192.168.0.82 source).

This is the TCP sequence when trying to access it via a web browser:


----------

One or more files have been attached.

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=283#comment968
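An added diagnostic, not part of the report or of LEDE's fw3, that parses the *nat table quoted above and lists the WAN port forwards which have no matching DNAT rule for packets arriving from the LAN; that is exactly the condition under which a LAN client connecting to the WAN address is handled by the router itself instead of being redirected, which is consistent with the refusal shown in the s_client output. The embedded dump is an excerpt of the rules quoted above, and the chain names zone_wan_prerouting and zone_lan_prerouting are taken from it.

```python
import re

# Excerpt of the *nat table from the report above (only the chains that matter).
NAT_DUMP = """\
*nat
-A PREROUTING -i br-lan -m id --id 0x66773300 -j zone_lan_prerouting
-A PREROUTING -i wwan0 -m id --id 0x66773300 -j zone_wan_prerouting
-A zone_lan_prerouting -m id --id 0x66773300 -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 443 -m comment --comment nuc_443 -j DNAT --to-destination 192.168.0.6:443
-A zone_wan_prerouting -p tcp -m id --id 0x66773300 -m tcp --dport 80 -m comment --comment nuc_80 -j DNAT --to-destination 192.168.0.6:80
COMMIT
"""

# One iptables-save DNAT rule: chain, protocol, destination port (or range), target.
DNAT_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-p (?P<proto>tcp|udp) .*?--dport (?P<dport>\S+) .*?"
    r"-j DNAT --to-destination (?P<dest>\S+)$"
)


def parse_dnat_rules(dump):
    """Return {(chain, proto, dport): dest} for every DNAT rule in an iptables-save dump."""
    rules = {}
    for line in dump.splitlines():
        m = DNAT_RE.match(line)
        if m:
            rules[(m["chain"], m["proto"], m["dport"])] = m["dest"]
    return rules


def missing_reflection(dump, wan_chain="zone_wan_prerouting", lan_chain="zone_lan_prerouting"):
    """Port forwards applied to WAN ingress that have no counterpart for LAN ingress.

    A packet from br-lan to the WAN address only traverses the lan zone's
    prerouting chain, so without a DNAT there it is never redirected to the
    internal host. Returns sorted (proto, dport, dest) tuples.
    """
    rules = parse_dnat_rules(dump)
    lan_keys = {(p, d) for (c, p, d) in rules if c == lan_chain}
    return sorted(
        (proto, dport, dest)
        for (chain, proto, dport), dest in rules.items()
        if chain == wan_chain and (proto, dport) not in lan_keys
    )


if __name__ == "__main__":
    for proto, dport, dest in missing_reflection(NAT_DUMP):
        print(f"no LAN-side DNAT for {proto}/{dport} -> {dest}")
```

Running it against the full dump from the report (`iptables-save -t nat`) flags every forward in the list, including the 80 and 443 entries the test in the comment exercises.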
