Closed GoogleCodeExporter closed 9 years ago
1. Which WAN connection type do you have?
2. Is UPnP turned on?
3. Do you have any custom firewall rules in /usr/local/sbin/post-firewall?
4. Please provide the output of the "iptables -L -t nat" command after forwarding stops.
Original comment by lly.dev
on 30 Jun 2009 at 3:50
I found the same problem.
WAN connection type - automatic
UPnP - turned ON
Custom firewall rules (missing after some time): PREROUTING ...
Example:
iptables -A INPUT -p tcp --dport 809 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 809 -j DNAT --to-destination 192.168.1.9:809
After a few days the PREROUTING functionality is missing. I have just rebooted, so now the system works fine.
Original comment by molnarjo...@gmail.com
on 1 Jul 2009 at 4:48
Without the result of "iptables -L -t nat" we can't determine whether the rules were deleted or something is broken in netfilter.
Original comment by lly.dev
on 1 Jul 2009 at 5:10
Ok, now PREROUTING has stopped working. The iptables list is here:
[root@Main root]$ iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VSERVER    all  --  anywhere             11.22.com
DNAT       tcp  --  anywhere             anywhere             tcp dpt:809 to:192.168.1.9:809
DNAT       tcp  --  anywhere             anywhere             tcp dpt:818 to:192.168.1.118:80
DNAT       tcp  --  anywhere             anywhere             MAC 00:57:C9:46:E5:4A tcp dpt:www to:192.168.1.1:82
DNAT       tcp  --  anywhere             anywhere             MAC 00:53:F7:14:4A:44 tcp dpt:www to:192.168.1.1:82

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  !11.22.com           anywhere
SNAT       all  --  192.168.1.0/24       192.168.1.0/24       to:192.168.1.1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain VSERVER (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:809 to:192.168.1.9:809
DNAT       udp  --  anywhere             anywhere             udp dpt:809 to:192.168.1.9:809
DNAT       tcp  --  anywhere             anywhere             tcp dpt:19574 to:192.168.1.37:19574-0
DNAT       udp  --  anywhere             anywhere             udp dpt:19574 to:192.168.1.37:19574-0
DNAT       udp  --  anywhere             anywhere             udp dpt:3714 to:192.168.1.23:3714-0
DNAT       tcp  --  anywhere             anywhere             tcp dpt:3714 to:192.168.1.23:3714-0
and other DNAT rules for a lot of IPs.
Original comment by molnarjo...@gmail.com
on 2 Jul 2009 at 9:22
That's not enough. Please provide "iptables -nvL" and "iptables -t nat -nvL" output.
Original comment by v...@orient-96.ru
on 3 Jul 2009 at 10:08
And describe how, from where, and at what moments the forward rules are created (manually, from post-firewall, from eMule by UPnP, etc.).
It seems like you have a mess of it.
Original comment by v...@orient-96.ru
on 3 Jul 2009 at 10:19
Sorry for the long delay, but this issue appears after 4-5 days of normal router work.
1. I have a 15MB/1MB UPC (Chello) cable connection (option with cable TV).
2. UPnP is disabled by default.
3. /usr/local/sbin/post-firewall is 0 sized.
4. All port forwarding rules are created by the router GUI (in a web browser).
As I wrote in my previous post, after 4-5 days of normal work I couldn't connect to a computer in the private network using forwarded ports (Windows Remote Desktop, FTP), but the SSH connection to the router, enabled by GUI, was working.
5. iptables -t nat -nvL after router restart
[admin@Asus root]$ iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 3494 packets, 241K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2190  123K VSERVER    all  --  *      *       0.0.0.0/0            89.75.208.97

Chain POSTROUTING (policy ACCEPT 2158 packets, 115K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2558  143K MASQUERADE all  --  *      eth1    !89.75.208.97        0.0.0.0/0
   13  2309 SNAT       all  --  *      br0     192.168.1.0/24       192.168.1.0/24       to:192.168.1.1

Chain OUTPUT (policy ACCEPT 462 packets, 30669 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20 to:192.168.1.2:20
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:192.168.1.2:21
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.1.2:3389
 1707 86907 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:65000 to:192.168.1.2:65000
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:11902 to:192.168.1.2:11902
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:31248 to:192.168.1.2:31248
[admin@Asus root]$
6. iptables -nvL after router restart
[admin@Asus root]$ iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   51  3256 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 2429  228K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  155  9300 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
  474 40476 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
   28  9057 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    2   100 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  471 35749 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 6575 packets, 322K bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  1378 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 162K  101M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   eth1    0.0.0.0/0            0.0.0.0/0
 1610 81879 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
    0     0 DROP       all  --  *      br0     0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3219 packets, 1242K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain BRUTE (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain MACS (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SECURITY (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 1/sec burst 5
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04 limit: avg 1/sec burst 5
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `ACCEPT '
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `DROP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
[admin@Asus root]$
7. iptables -t nat -nvL when forwarding stops working
[admin@Asus root]$ iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 678K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
1231K   65M VSERVER    all  --  *      *       0.0.0.0/0            89.75.208.97

Chain POSTROUTING (policy ACCEPT 1168K packets, 59M bytes)
 pkts bytes target     prot opt in     out     source               destination
 500K   28M MASQUERADE all  --  *      eth1    !89.75.208.97        0.0.0.0/0
 1643  232K SNAT       all  --  *      br0     192.168.1.0/24       192.168.1.0/24       to:192.168.1.1

Chain OUTPUT (policy ACCEPT 67423 packets, 4303K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20 to:192.168.1.2:20
   15   832 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:192.168.1.2:21
   14   684 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.1.2:3389
1102K   55M DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:65000 to:192.168.1.2:65000
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:11902 to:192.168.1.2:11902
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:31248 to:192.168.1.2:31248
[admin@Asus root]$
8. iptables -nvL when forwarding stops working
[admin@Asus root]$ iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
10640  703K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 524K   50M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
43271 2596K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
29679 2572K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 6350 2114K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
 9285  557K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02
  128  7775 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 119K 9775K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 1475K packets, 69M bytes)
 pkts bytes target     prot opt in     out     source               destination
 4007  233K ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  31M   20G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   eth1    0.0.0.0/0            0.0.0.0/0
2873K  142M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
    0     0 DROP       all  --  *      br0     0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 627K packets, 66M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain BRUTE (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain MACS (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SECURITY (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 1/sec burst 5
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04 limit: avg 1/sec burst 5
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `ACCEPT '
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix `DROP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
[admin@Asus root]$
Original comment by kuk...@gmail.com
on 13 Jul 2009 at 12:00
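The question lly.dev raises earlier in the thread (were the DNAT rules deleted, or is netfilter broken underneath rules that are still there?) can be settled mechanically by diffing two "iptables -t nat -nvL" captures such as the "after restart" and "when forwarding stops" ones posted above. The following Python script is an added example, not code from the issue or from the wl500g firmware: it parses the -nvL column layout, lists rules that vanished between captures, and lists rules whose packet counters are still advancing. The two embedded captures are constructed excerpts of the outputs in this thread; the "broken" one has the udp 31248 rule removed on purpose (it was still present on the page) to exercise the missing-rule path.

```python
"""Diff two `iptables -t nat -nvL` captures (added example, not from the issue).

Answers: did the DNAT rules disappear, or are they still present and still
matching packets while forwarding fails?
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the "after restart" capture posted above.
CAPTURE_AFTER_REBOOT = """\
[admin@Asus root]$ iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 3494 packets, 241K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2190  123K VSERVER    all  --  *      *       0.0.0.0/0            89.75.208.97

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:192.168.1.2:21
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.1.2:3389
 1707 86907 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:65000 to:192.168.1.2:65000
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:31248 to:192.168.1.2:31248
"""

# Constructed excerpt of the "forwarding stopped" capture.  The udp 31248 rule
# is deliberately dropped here (the real capture still had it) so that the
# missing-rule path below is exercised.
CAPTURE_BROKEN = """\
[admin@Asus root]$ iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 678K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
1231K   65M VSERVER    all  --  *      *       0.0.0.0/0            89.75.208.97

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   15   832 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:192.168.1.2:21
   14   684 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.1.2:3389
1102K   55M DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:65000 to:192.168.1.2:65000
"""


@dataclass(frozen=True)
class NatRule:
    chain: str
    target: str
    proto: str
    match: str  # everything after the destination column, e.g. "tcp dpt:21 to:192.168.1.2:21"


def parse_count(token):
    """Expand iptables' abbreviated counters (123K, 65M, 20G) to integers."""
    scale = {"K": 10**3, "M": 10**6, "G": 10**9}
    if token[-1] in scale:
        return int(float(token[:-1]) * scale[token[-1]])
    return int(token)


def parse_nat_listing(text):
    """Map each rule in an `iptables -nvL` style dump to its packet counter.

    Identical duplicate rules collapse into one entry, which is fine for this
    diagnostic: the question is presence and activity, not rule order.
    """
    rules = {}
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Chain (\S+)", line)
        if header:
            chain = header.group(1)
            continue
        # Skip blank lines, the column header, shell prompts and text before the first chain.
        if not line or line.startswith("pkts") or line.startswith("[") or chain is None:
            continue
        parts = line.split()
        if len(parts) < 9:  # pkts bytes target prot opt in out source destination
            continue
        rule = NatRule(chain, parts[2], parts[3], " ".join(parts[9:]))
        rules[rule] = parse_count(parts[0])
    return rules


def diff_nat(before, after):
    """Return (rules missing from `after`, {rule: (pkts_before, pkts_after)} for rules still counting)."""
    missing = [rule for rule in before if rule not in after]
    still_counting = {rule: (before[rule], after[rule])
                      for rule in before if rule in after and after[rule] > before[rule]}
    return missing, still_counting


if __name__ == "__main__":
    missing, active = diff_nat(parse_nat_listing(CAPTURE_AFTER_REBOOT),
                               parse_nat_listing(CAPTURE_BROKEN))
    for rule in missing:
        print(f"MISSING  {rule.chain}: {rule.target} {rule.proto} {rule.match}")
    for rule, (b, a) in active.items():
        print(f"ACTIVE   {rule.chain}: {rule.target} {rule.proto} {rule.match}  pkts {b} -> {a}")
```

Read against the real captures in this thread, the DNAT rules for ports 21 and 3389 are still present and their counters have moved (1 to 15 and 1 to 14) while the user reports those services as unreachable, which points at the NAT engine beneath the rules rather than at deleted rules; that is consistent with the later suspicion of the netfilter PPTP NAT patch. The script only understands the -nvL layout; the counter-less "iptables -L -t nat" form posted earlier in the thread carries no activity information to diff.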
2kukucz:
Please clarify your WAN type, i.e. PPPoE, PPTP, L2TP, or Static IP.
Original comment by lly.dev
on 17 Jul 2009 at 5:31
Hi,
my type of connection is: Automatic IP
Original comment by kuk...@gmail.com
on 18 Jul 2009 at 4:20
Very strange, we still can't reproduce the problem. Are you absolutely sure that r308 doesn't have such problems? If yes, we will build intermediate builds for you to determine the exact point of the critical change.
Original comment by lly.dev
on 18 Jul 2009 at 4:42
My good friend is using Chello and a WL500gPv2.
He hasn't got problems with port forwarding.
He is using a Motorola modem/router as gateway.
Original comment by lesiuk@gmail.com
on 20 Jul 2009 at 7:53
The problematic patch can be 603-netfilter_nat_pptp.patch - see OpenWRT
https://dev.openwrt.org/changeset/17552/trunk
BTW, I found one problematic point in this patch - fixed in r541. Any volunteers who experience the same problem, ready to test?
Original comment by lly.dev
on 10 Sep 2009 at 12:27
I will, but it never occurred for me...
Original comment by v...@orient-96.ru
on 10 Sep 2009 at 2:14
Bugfix confirmed by WiziPok from wl500g.info forum
Original comment by lly.dev
on 14 Sep 2009 at 10:09
Original comment by lly.dev
on 23 Jan 2010 at 5:43
Original issue reported on code.google.com by
kuk...@gmail.com
on 30 Jun 2009 at 1:00