hxping7 / wl500g

Automatically exported from code.google.com/p/wl500g

some ports still not open even all settings done #340

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. PPPoE (over ADSL)
2. static IP address
3. in the web GUI set Access to router Web GUI from Internet on port 8080, set ssh and telnet enabled from internet
4. in NAT Port Forwarding add some ports to open: 53, 110, 25, 143, 80 and for some torrent apps 9091, 51413 etc

What is the expected output? What do you see instead?
test port open/close http://www.yougetsignal.com/tools/open-ports/
this router: 78.25.8.242
another router (wl-500w with dd-wrt): 82.207.89.70 with the SAME settings

on 78.25.8.242 ports 80, 8080, 22, 23, 110, 25, 143 are closed!

What version of the product are you using?
wl-500gpv2 1.9.2.7.d rtn 4527 (and many previous) vectormm build

Please provide any additional information below.

Original issue reported on code.google.com by ad...@csa.dp.ua on 8 Aug 2012 at 9:17

GoogleCodeExporter commented 9 years ago
[admin@csoptima8 root]$ iptables-save
# Generated by iptables-save v1.4.3.2 on Thu Aug  9 13:26:41 2012
*nat
:PREROUTING ACCEPT [152611:19918516]
:POSTROUTING ACCEPT [62009:3945222]
:OUTPUT ACCEPT [382:42220]
:UPNP - [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 78.25.8.242/32 -j VSERVER
-A PREROUTING -d 78.25.8.242/32 -j VSERVER
-A POSTROUTING ! -s 78.25.8.242/32 -o ppp0 -j MASQUERADE
-A POSTROUTING ! -s 78.25.8.242/32 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 195.24.153.48/29 -d 195.24.153.48/29 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 195.24.153.49:80
-A VSERVER -p tcp -m tcp --dport 53 -j DNAT --to-destination 195.24.153.51:53
-A VSERVER -p udp -m udp --dport 53 -j DNAT --to-destination 195.24.153.51:53
-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 195.24.153.53:80
-A VSERVER -p udp -m udp --dport 80 -j DNAT --to-destination 195.24.153.53:80
-A VSERVER -p tcp -m tcp --dport 110 -j DNAT --to-destination 195.24.153.67:110
-A VSERVER -p udp -m udp --dport 110 -j DNAT --to-destination 195.24.153.67:110
-A VSERVER -p tcp -m tcp --dport 25 -j DNAT --to-destination 195.24.153.67:25
-A VSERVER -p udp -m udp --dport 25 -j DNAT --to-destination 195.24.153.67:25
-A VSERVER -p tcp -m tcp --dport 143 -j DNAT --to-destination 195.24.153.67:143
-A VSERVER -p udp -m udp --dport 143 -j DNAT --to-destination 195.24.153.67:143
-A VSERVER -p tcp -m tcp --dport 9091 -j DNAT --to-destination 195.24.153.51:9091
-A VSERVER -p udp -m udp --dport 9091 -j DNAT --to-destination 195.24.153.51:9091
-A VSERVER -p tcp -m tcp --dport 51413 -j DNAT --to-destination 195.24.153.51:51413
-A VSERVER -p udp -m udp --dport 51413 -j DNAT --to-destination 195.24.153.51:51413
-A VSERVER -p tcp -m tcp --dport 2706 -j DNAT --to-destination 195.24.153.51:2706
-A VSERVER -p udp -m udp --dport 2706 -j DNAT --to-destination 195.24.153.51:2706
-A VSERVER -p tcp -m tcp --dport 23377 -j DNAT --to-destination 195.24.153.66:23377
-A VSERVER -p udp -m udp --dport 23377 -j DNAT --to-destination 195.24.153.66:23377
-A VSERVER -p tcp -m tcp --dport 9140 -j DNAT --to-destination 195.24.153.5:9140
-A VSERVER -p udp -m udp --dport 9140 -j DNAT --to-destination 195.24.153.5:9140
-A VSERVER -p tcp -m tcp --dport 9141 -j DNAT --to-destination 195.24.153.5:9141
-A VSERVER -p udp -m udp --dport 9141 -j DNAT --to-destination 195.24.153.5:9141
-A VSERVER -p tcp -m tcp --dport 995 -j DNAT --to-destination 195.24.153.67:995
-A VSERVER -p udp -m udp --dport 995 -j DNAT --to-destination 195.24.153.67:995
-A VSERVER -p tcp -m tcp --dport 993 -j DNAT --to-destination 195.24.153.67:993
-A VSERVER -p udp -m udp --dport 993 -j DNAT --to-destination 195.24.153.67:993
COMMIT
# Completed on Thu Aug  9 13:26:41 2012
# Generated by iptables-save v1.4.3.2 on Thu Aug  9 13:26:41 2012
*mangle
:PREROUTING ACCEPT [1751833:589089367]
:INPUT ACCEPT [24820:3039402]
:FORWARD ACCEPT [1717996:585183160]
:OUTPUT ACCEPT [11845:4154419]
:POSTROUTING ACCEPT [1697365:587705467]
COMMIT
# Completed on Thu Aug  9 13:26:41 2012
# Generated by iptables-save v1.4.3.2 on Thu Aug  9 13:26:41 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [336784:29392216]
:OUTPUT ACCEPT [11837:4152204]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:UPNP - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i br0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ppp0 -m conntrack --ctstate NEW -j SECURITY
-A INPUT -i vlan1 -m conntrack --ctstate NEW -j SECURITY
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j BRUTE
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j BRUTE
-A INPUT -d 195.24.153.49/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33534 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 515 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3838 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j DROP
-A FORWARD ! -i br0 -o vlan1 -j DROP
-A FORWARD ! -i br0 -m conntrack --ctstate NEW -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A BRUTE -m recent --update --seconds 600 --hitcount 3 --name BRUTE --rsource -j DROP
-A BRUTE -m recent --set --name BRUTE --rsource -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m conntrack --ctstate NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode
-A logaccept -j ACCEPT
-A logdrop -m conntrack --ctstate NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode
-A logdrop -j DROP
COMMIT
# Completed on Thu Aug  9 13:26:41 2012

Original comment by ad...@csa.dp.ua on 9 Aug 2012 at 10:28

GoogleCodeExporter commented 9 years ago
Large differences between "iptables -L" on chain FORWARD!!!!!

on wl-500gpv2 with 1.9.2.7.4-rtn-4527:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            ctstate INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere            ctstate NEW
ACCEPT     all  --  anywhere             anywhere            ctstate DNAT
DROP       all  --  anywhere             anywhere

and on wl-500w with dd-wrt:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     gre  --  0-27-subnet.computersystemsltd.com/27  anywhere
ACCEPT     tcp  --  0-27-subnet.computersystemsltd.com/27  anywhere            tcp dpt:1723
ACCEPT     0    --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
lan2wan    0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             cs-internet-app.computersystemsltd.com tcp dpt:domain
ACCEPT     udp  --  anywhere             cs-internet-app.computersystemsltd.com udp dpt:domain
ACCEPT     tcp  --  anywhere             exchange.computersystemsltd.com tcp dpt:pop3
ACCEPT     udp  --  anywhere             exchange.computersystemsltd.com udp dpt:pop3
ACCEPT     tcp  --  anywhere             exchange.computersystemsltd.com tcp dpt:smtp
ACCEPT     udp  --  anywhere             exchange.computersystemsltd.com udp dpt:25
ACCEPT     tcp  --  anywhere             exchange.computersystemsltd.com tcp dpt:imap2
ACCEPT     udp  --  anywhere             exchange.computersystemsltd.com udp dpt:imap2
ACCEPT     tcp  --  anywhere             www.csa.dp.ua       tcp dpt:www
ACCEPT     udp  --  anywhere             www.csa.dp.ua       udp dpt:www
ACCEPT     tcp  --  anywhere             cs-internet-app.computersystemsltd.com tcp dpt:9091
ACCEPT     udp  --  anywhere             cs-internet-app.computersystemsltd.com udp dpt:9091
ACCEPT     tcp  --  anywhere             cs-internet-app.computersystemsltd.com tcp dpt:51413
ACCEPT     udp  --  anywhere             cs-internet-app.computersystemsltd.com udp dpt:51413
ACCEPT     tcp  --  anywhere             servernt.computersystemsltd.com tcp dpt:23377
ACCEPT     udp  --  anywhere             servernt.computersystemsltd.com udp dpt:23377
ACCEPT     tcp  --  anywhere             cs-internet-app.computersystemsltd.com tcp dpt:2706
ACCEPT     udp  --  anywhere             cs-internet-app.computersystemsltd.com udp dpt:2706
ACCEPT     tcp  --  anywhere             office-router.computersystemsltd.com tcp dpt:9140
ACCEPT     udp  --  anywhere             office-router.computersystemsltd.com udp dpt:9140
ACCEPT     tcp  --  anywhere             office-router.computersystemsltd.com tcp dpt:9141
ACCEPT     udp  --  anywhere             office-router.computersystemsltd.com udp dpt:9141
ACCEPT     tcp  --  anywhere             exchange.computersystemsltd.com tcp dpt:pop3s
ACCEPT     udp  --  anywhere             exchange.computersystemsltd.com udp dpt:995
ACCEPT     tcp  --  anywhere             exchange.computersystemsltd.com tcp dpt:imaps
ACCEPT     udp  --  anywhere             exchange.computersystemsltd.com udp dpt:993
TRIGGER    0    --  anywhere             anywhere            TRIGGER type:in match:0 relate:0
trigger_out  0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state NEW
DROP       0    --  anywhere             anywhere

Original comment by ad...@csa.dp.ua on 9 Aug 2012 at 4:57

GoogleCodeExporter commented 9 years ago
First of all, it is expected that the design of the iptables rules in our firmware differs from dd-wrt.

Second, in case NAT is used, the address in the VSERVER rule "--to-destination 195.24.153.53:80" must be internal, not public.

At last - sorry, we are unable to provide personal technical support.

Original comment by lly.dev on 15 Aug 2012 at 4:23
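The remark above says a VSERVER DNAT target must be an internal address. The following check, added here as an example and not part of the wl500g project or this thread, parses an `iptables-save` dump, reads the LAN subnet from the hairpin `-o br0` MASQUERADE rule (an assumption about where the LAN prefix can be found) and flags every DNAT target that lies outside it. The sample dump is a constructed subset of the rules posted in this issue.

```python
import ipaddress
import re

# Constructed subset of the iptables-save output posted in this issue.
SAMPLE = """\
*nat
-A POSTROUTING ! -s 78.25.8.242/32 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 195.24.153.48/29 -d 195.24.153.48/29 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 195.24.153.49:80
-A VSERVER -p tcp -m tcp --dport 53 -j DNAT --to-destination 195.24.153.51:53
-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 195.24.153.53:80
-A VSERVER -p tcp -m tcp --dport 110 -j DNAT --to-destination 195.24.153.67:110
-A VSERVER -p tcp -m tcp --dport 25 -j DNAT --to-destination 195.24.153.67:25
COMMIT
"""

# Assumption: the LAN prefix is the source of the hairpin MASQUERADE rule on br0.
LAN_RE = re.compile(r"^-A POSTROUTING -s (\S+) -d \S+ -o br0 -j MASQUERADE", re.M)
DNAT_RE = re.compile(
    r"^-A VSERVER -p (tcp|udp) -m \1 --dport (\d+) -j DNAT --to-destination "
    r"(\d+\.\d+\.\d+\.\d+):(\d+)", re.M)


def lan_subnets(dump):
    """LAN subnets found in the dump, as ip_network objects."""
    return [ipaddress.ip_network(m.group(1)) for m in LAN_RE.finditer(dump)]


def dnat_rules(dump):
    """Every VSERVER DNAT as (proto, public port, target ip, target port)."""
    return [(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            for m in DNAT_RE.finditer(dump)]


def forwards_outside_lan(dump):
    """DNAT rules whose target address is not inside any LAN subnet."""
    lans = lan_subnets(dump)
    return [rule for rule in dnat_rules(dump)
            if not any(ipaddress.ip_address(rule[2]) in net for net in lans)]


if __name__ == "__main__":
    for proto, port, ip, tport in forwards_outside_lan(SAMPLE):
        print(f"{proto}/{port} -> {ip}:{tport} is outside the LAN subnet(s)")
```

On the sample, the port 110 and 25 forwards to 195.24.153.67 are reported, because that address is not within 195.24.153.48/29 (hosts .49 to .54); a reported rule is worth re-checking against the LAN before looking elsewhere.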

GoogleCodeExporter commented 9 years ago
Try searching the wl500g.info forum; it contains useful samples.

Original comment by lly.dev on 15 Aug 2012 at 4:24

GoogleCodeExporter commented 9 years ago
Why do you mean that the LAN address must be internal?

53 port forwarding is working!
9091 and 51413 port forwarding is working!
80, 8080 (to web gui), 22, 110, 25, 143 - forwarding does NOT work!

Original comment by ad...@csa.dp.ua on 15 Aug 2012 at 4:31

GoogleCodeExporter commented 9 years ago
You have the same IP address (78.25.8.242) on the physical vlan1 (WAN port) and ppp0 (VPN) interfaces due to an incorrect setup.
In this case the routing table is confused and replies to incoming packets from vlan1 will go out via the ppp0 interface, and possibly be dropped as invalid.
Fix your setup.

Original comment by themiron.ru on 6 Sep 2012 at 11:20
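The comment above points at one address being configured on two interfaces. The check below, added as an example and not part of the wl500g project or this thread, parses the output of `ip -4 -o addr show` and lists every IPv4 address that appears on more than one interface. The sample output is constructed; the br0 address and the ppp0 peer address are assumptions, only the duplicated WAN address comes from this issue.

```python
import re
from collections import defaultdict

# Constructed `ip -4 -o addr show` output; only 78.25.8.242 on vlan1 and ppp0
# reflects what this issue reports, the other addresses are assumptions.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
4: vlan1    inet 78.25.8.242/32 scope global vlan1\\       valid_lft forever preferred_lft forever
5: br0    inet 195.24.153.49/29 brd 195.24.153.55 scope global br0\\       valid_lft forever preferred_lft forever
7: ppp0    inet 78.25.8.242 peer 10.0.0.1/32 scope global ppp0\\       valid_lft forever preferred_lft forever
"""

# One-line ("-o") format: "<index>: <ifname>    inet <addr>[/<prefix>] ..."
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)", re.M)


def addresses_by_interface(output):
    """Map each IPv4 address to the list of interfaces carrying it."""
    seen = defaultdict(list)
    for ifname, addr in ADDR_RE.findall(output):
        if ifname not in seen[addr]:
            seen[addr].append(ifname)
    return dict(seen)


def duplicated_addresses(output):
    """Addresses configured on two or more interfaces; this is the condition
    the comment above describes (WAN address present on both vlan1 and ppp0)."""
    return {addr: ifs for addr, ifs in addresses_by_interface(output).items()
            if len(ifs) > 1}


if __name__ == "__main__":
    for addr, ifs in duplicated_addresses(SAMPLE_IP_ADDR).items():
        print(f"{addr} is configured on {', '.join(ifs)}")
```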