[FS#1497] Port Forwarding /etc/config/firewall does not work

LEDE Bugs lede-bugs at lists.infradead.org
Sun Apr 15 21:52:58 PDT 2018


A new Flyspray task has been opened.  Details are below. 

User who did this - Bento Alves Cerqueira Cesar Neto (BentoAlves) 

Attached to Project - OpenWrt/LEDE Project
Summary - Port Forwarding /etc/config/firewall does not work
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Medium
Priority - Normal
Reported Version - lede-17.01
Due in Version - Undecided
Due Date - Undecided
Details - Supply the following if possible:
 - Device problem occurs on
TP-Link TL-WR1043N/ND v2
 - Software versions of OpenWrt/LEDE release, packages, etc.
LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685)
 - Steps to reproduce

* add redirect rules in file /etc/config/firewall
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '808'
        option dest_ip '192.168.10.6'
        option dest_port '80'
        option name 'ZoneMinder'

* save and restart the firewall
/etc/init.d/firewall restart

* redirect is not applied on iptables
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC 00:00:00:00:08:35 /* !fw3: QuartoPapaiMamae */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC E0:62:90:17:10:3E /* !fw3: HarexGaragem */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC 78:A5:DD:13:61:FE /* !fw3: BabaHD */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC 00:12:12:1E:CC:C8 /* !fw3: YanTime */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC 00:12:12:38:16:CB /* !fw3: Kavass */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC 4A:FB:2B:F5:81:23 /* !fw3: AstroCamera */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC E0:62:90:EC:8A:DC /* !fw3: NVR */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC 00:9A:03:72:AD:92 /* !fw3: Camera360 */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             MAC E0:62:90:E9:D6:0D /* !fw3: Calcada1 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: user chain for forwarding */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: forwarding wan -> lan */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

* however, in fw3 print the rules are being mounted to be placed on iptables
iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 808 -m comment --comment "!fw3: ZoneMinder" -j DNAT --to-destination 192.168.10.6:80
iptables -t nat -D zone_lan_prerouting -p tcp -s 192.168.10.0/255.255.255.0 -d 177.148.206.70/255.255.255.255 -m tcp --dport 808 -m comment --comment "!fw3: ZoneMinder (reflection)" -j DNAT --to-destination 192.168.10.6:80
iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.10.0/255.255.255.0 -d 177.148.206.70/255.255.255.255 -m tcp --dport 808 -m comment --comment "!fw3: ZoneMinder (reflection)" -j DNAT --to-destination 192.168.10.6:80
iptables -t nat -D zone_lan_postrouting -p tcp -s 192.168.10.0/255.255.255.0 -d 192.168.10.6/255.255.255.255 -m tcp --dport 80 -m comment --comment "!fw3: ZoneMinder (reflection)" -j SNAT --to-source 192.168.10.1
iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.10.0/255.255.255.0 -d 192.168.10.6/255.255.255.255 -m tcp --dport 80 -m comment --comment "!fw3: ZoneMinder (reflection)" -j SNAT --to-source 192.168.10.1

* did not succeed by adding port forwarding manually on iptables

 

More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=1497
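
An added diagnostic example, not part of the report and not fw3's own code: the fw3 print lines in the report target the nat table (-t nat), so this function compares the planned "-A" rules for that table with a saved copy of the live nat table, matching on chain name plus the "!fw3: ..." comment. The function names, file paths and sample input are constructed for illustration; the plan lines are shortened from the report.

```shell
#!/bin/sh
# Assumed workflow on the router:
#   fw3 print > /tmp/plan.txt; iptables-save -t nat > /tmp/live.txt
#   missing_nat_rules /tmp/plan.txt /tmp/live.txt

missing_nat_rules() {   # $1 = fw3 print output, $2 = iptables-save -t nat output
    awk '
        # Return the text between the quotes that follow --comment, or "".
        function comment(line) {
            if (!match(line, /--comment "[^"]*"/)) return ""
            return substr(line, RSTART + 11, RLENGTH - 12)
        }
        # Live ruleset: iptables-save lines look like "-A <chain> ...".
        mode == "live" && $1 == "-A" {
            c = comment($0); if (c != "") live[$2, c] = 1
        }
        # Plan: only "iptables -t nat -A" lines should end up in the nat table
        # (the "-D" lines are fw3 clearing a rule before re-adding it).
        mode == "plan" && $1 == "iptables" && $2 == "-t" && $3 == "nat" && $4 == "-A" {
            c = comment($0)
            if (c != "" && !(($5, c) in live)) print $5 ": " c
        }
    ' mode=live "$2" mode=plan "$1"
}

demo() {   # constructed sample input, so the example runs without a router
    dir=$(mktemp -d) || return 1
    cat > "$dir/plan" <<'EOF'
iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 808 -m comment --comment "!fw3: ZoneMinder" -j DNAT --to-destination 192.168.10.6:80
iptables -t nat -D zone_lan_prerouting -p tcp -m tcp --dport 808 -m comment --comment "!fw3: ZoneMinder (reflection)" -j DNAT --to-destination 192.168.10.6:80
iptables -t nat -A zone_lan_prerouting -p tcp -m tcp --dport 808 -m comment --comment "!fw3: ZoneMinder (reflection)" -j DNAT --to-destination 192.168.10.6:80
EOF
    cat > "$dir/live" <<'EOF'
*nat
-A zone_lan_prerouting -p tcp -m tcp --dport 808 -m comment --comment "!fw3: ZoneMinder (reflection)" -j DNAT --to-destination 192.168.10.6:80
COMMIT
EOF
    missing_nat_rules "$dir/plan" "$dir/live"
    rm -rf "$dir"
}

demo
```

Each output line names a chain and rule comment that fw3 planned for the nat table but that is absent from the saved live ruleset; no output means every planned nat rule was found.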


