[admin@csoptima8 root]$ iptables-save
# Generated by iptables-save v1.4.3.2 on Thu Aug 9 13:26:41 2012
*nat
:PREROUTING ACCEPT [152611:19918516]
:POSTROUTING ACCEPT [62009:3945222]
:OUTPUT ACCEPT [382:42220]
:UPNP - [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 78.25.8.242/32 -j VSERVER
-A PREROUTING -d 78.25.8.242/32 -j VSERVER
-A POSTROUTING ! -s 78.25.8.242/32 -o ppp0 -j MASQUERADE
-A POSTROUTING ! -s 78.25.8.242/32 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 195.24.153.48/29 -d 195.24.153.48/29 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 195.24.153.49:80
-A VSERVER -p tcp -m tcp --dport 53 -j DNAT --to-destination 195.24.153.51:53
-A VSERVER -p udp -m udp --dport 53 -j DNAT --to-destination 195.24.153.51:53
-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 195.24.153.53:80
-A VSERVER -p udp -m udp --dport 80 -j DNAT --to-destination 195.24.153.53:80
-A VSERVER -p tcp -m tcp --dport 110 -j DNAT --to-destination 195.24.153.67:110
-A VSERVER -p udp -m udp --dport 110 -j DNAT --to-destination 195.24.153.67:110
-A VSERVER -p tcp -m tcp --dport 25 -j DNAT --to-destination 195.24.153.67:25
-A VSERVER -p udp -m udp --dport 25 -j DNAT --to-destination 195.24.153.67:25
-A VSERVER -p tcp -m tcp --dport 143 -j DNAT --to-destination 195.24.153.67:143
-A VSERVER -p udp -m udp --dport 143 -j DNAT --to-destination 195.24.153.67:143
-A VSERVER -p tcp -m tcp --dport 9091 -j DNAT --to-destination 195.24.153.51:9091
-A VSERVER -p udp -m udp --dport 9091 -j DNAT --to-destination 195.24.153.51:9091
-A VSERVER -p tcp -m tcp --dport 51413 -j DNAT --to-destination 195.24.153.51:51413
-A VSERVER -p udp -m udp --dport 51413 -j DNAT --to-destination 195.24.153.51:51413
-A VSERVER -p tcp -m tcp --dport 2706 -j DNAT --to-destination 195.24.153.51:2706
-A VSERVER -p udp -m udp --dport 2706 -j DNAT --to-destination 195.24.153.51:2706
-A VSERVER -p tcp -m tcp --dport 23377 -j DNAT --to-destination 195.24.153.66:23377
-A VSERVER -p udp -m udp --dport 23377 -j DNAT --to-destination 195.24.153.66:23377
-A VSERVER -p tcp -m tcp --dport 9140 -j DNAT --to-destination 195.24.153.5:9140
-A VSERVER -p udp -m udp --dport 9140 -j DNAT --to-destination 195.24.153.5:9140
-A VSERVER -p tcp -m tcp --dport 9141 -j DNAT --to-destination 195.24.153.5:9141
-A VSERVER -p udp -m udp --dport 9141 -j DNAT --to-destination 195.24.153.5:9141
-A VSERVER -p tcp -m tcp --dport 995 -j DNAT --to-destination 195.24.153.67:995
-A VSERVER -p udp -m udp --dport 995 -j DNAT --to-destination 195.24.153.67:995
-A VSERVER -p tcp -m tcp --dport 993 -j DNAT --to-destination 195.24.153.67:993
-A VSERVER -p udp -m udp --dport 993 -j DNAT --to-destination 195.24.153.67:993
COMMIT
# Completed on Thu Aug 9 13:26:41 2012
# Generated by iptables-save v1.4.3.2 on Thu Aug 9 13:26:41 2012
*mangle
:PREROUTING ACCEPT [1751833:589089367]
:INPUT ACCEPT [24820:3039402]
:FORWARD ACCEPT [1717996:585183160]
:OUTPUT ACCEPT [11845:4154419]
:POSTROUTING ACCEPT [1697365:587705467]
COMMIT
# Completed on Thu Aug 9 13:26:41 2012
# Generated by iptables-save v1.4.3.2 on Thu Aug 9 13:26:41 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [336784:29392216]
:OUTPUT ACCEPT [11837:4152204]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:UPNP - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i br0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ppp0 -m conntrack --ctstate NEW -j SECURITY
-A INPUT -i vlan1 -m conntrack --ctstate NEW -j SECURITY
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j BRUTE
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j BRUTE
-A INPUT -d 195.24.153.49/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33534 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 515 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3838 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j DROP
-A FORWARD ! -i br0 -o vlan1 -j DROP
-A FORWARD ! -i br0 -m conntrack --ctstate NEW -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A BRUTE -m recent --update --seconds 600 --hitcount 3 --name BRUTE --rsource -j DROP
-A BRUTE -m recent --set --name BRUTE --rsource -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m conntrack --ctstate NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode
-A logaccept -j ACCEPT
-A logdrop -m conntrack --ctstate NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode
-A logdrop -j DROP
COMMIT
# Completed on Thu Aug 9 13:26:41 2012
Original comment by ad...@csa.dp.ua
on 9 Aug 2012 at 10:28
Large differences between "iptables -L" on chain FORWARD!!!!!
On wl-500gpv2 with 1.9.2.7.4-rtn-4527:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
SECURITY all -- anywhere anywhere ctstate NEW
ACCEPT all -- anywhere anywhere ctstate DNAT
DROP all -- anywhere anywhere
and on wl-500w with dd-wrt:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT gre -- 0-27-subnet.computersystemsltd.com/27 anywhere
ACCEPT tcp -- 0-27-subnet.computersystemsltd.com/27 anywhere tcp dpt:1723
ACCEPT 0 -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere cs-internet-app.computersystemsltd.com tcp dpt:domain
ACCEPT udp -- anywhere cs-internet-app.computersystemsltd.com udp dpt:domain
ACCEPT tcp -- anywhere exchange.computersystemsltd.com tcp dpt:pop3
ACCEPT udp -- anywhere exchange.computersystemsltd.com udp dpt:pop3
ACCEPT tcp -- anywhere exchange.computersystemsltd.com tcp dpt:smtp
ACCEPT udp -- anywhere exchange.computersystemsltd.com udp dpt:25
ACCEPT tcp -- anywhere exchange.computersystemsltd.com tcp dpt:imap2
ACCEPT udp -- anywhere exchange.computersystemsltd.com udp dpt:imap2
ACCEPT tcp -- anywhere www.csa.dp.ua tcp dpt:www
ACCEPT udp -- anywhere www.csa.dp.ua udp dpt:www
ACCEPT tcp -- anywhere cs-internet-app.computersystemsltd.com tcp dpt:9091
ACCEPT udp -- anywhere cs-internet-app.computersystemsltd.com udp dpt:9091
ACCEPT tcp -- anywhere cs-internet-app.computersystemsltd.com tcp dpt:51413
ACCEPT udp -- anywhere cs-internet-app.computersystemsltd.com udp dpt:51413
ACCEPT tcp -- anywhere servernt.computersystemsltd.com tcp dpt:23377
ACCEPT udp -- anywhere servernt.computersystemsltd.com udp dpt:23377
ACCEPT tcp -- anywhere cs-internet-app.computersystemsltd.com tcp dpt:2706
ACCEPT udp -- anywhere cs-internet-app.computersystemsltd.com udp dpt:2706
ACCEPT tcp -- anywhere office-router.computersystemsltd.com tcp dpt:9140
ACCEPT udp -- anywhere office-router.computersystemsltd.com udp dpt:9140
ACCEPT tcp -- anywhere office-router.computersystemsltd.com tcp dpt:9141
ACCEPT udp -- anywhere office-router.computersystemsltd.com udp dpt:9141
ACCEPT tcp -- anywhere exchange.computersystemsltd.com tcp dpt:pop3s
ACCEPT udp -- anywhere exchange.computersystemsltd.com udp dpt:995
ACCEPT tcp -- anywhere exchange.computersystemsltd.com tcp dpt:imaps
ACCEPT udp -- anywhere exchange.computersystemsltd.com udp dpt:993
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
Original comment by ad...@csa.dp.ua
on 9 Aug 2012 at 4:57
First of all, it is expected that the design of the iptables rules in our firmware differs from dd-wrt.
Second, when NAT is used, the address in the VSERVER rule "--to-destination 195.24.153.53:80" must be internal, not public.
Lastly, sorry, we are unable to provide personal technical support.
Original comment by lly.dev
on 15 Aug 2012 at 4:23
Try searching the wl500g.info forum; it contains useful samples.
Original comment by lly.dev
on 15 Aug 2012 at 4:24
Why do you mean that the LAN address must be internal?
Port 53 forwarding is working!
Port 9091 and 51413 forwarding is working!
80, 8080 (to the web GUI), 22, 110, 25, 143 - forwarding does NOT work!
Original comment by ad...@csa.dp.ua
on 15 Aug 2012 at 4:31
You have the same IP address (78.25.8.242) on the physical vlan1 (WAN port) and the ppp0 (VPN) interface due to an incorrect setup.
In this case the routing table is confused and replies to incoming packets from vlan1 will go out via the ppp0 interface, and possibly be dropped as invalid.
Fix your setup.
Original comment by themiron.ru
on 6 Sep 2012 at 11:20
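As an added example (not code from the wl500g firmware or from anyone in this thread), the following Python script audits an iptables-save dump for the kind of mistakes the discussion turns on: a rule appended twice (the PREROUTING line above appears twice), a DNAT --to-destination outside the LAN prefix (lly.dev's point that the target must be internal), and a forwarded service that the filter FORWARD chain never accepts (the dd-wrt listing carries one ACCEPT per service, whereas this firmware relies on a single "--ctstate DNAT -j ACCEPT" rule). The sample dump is an abridged copy of the one posted; the LAN prefix 195.24.153.48/29 is an assumption read off the hairpin MASQUERADE rule, and all function names are mine.

```python
"""Audit an iptables-save dump for common port-forwarding mistakes.

Added example for this issue thread, not code from the wl500g firmware.
Reports duplicated rules, DNAT targets outside the LAN prefix, and
DNAT'd services that the filter FORWARD chain never accepts.
"""
import ipaddress
import shlex
from collections import Counter

# Assumption: the LAN prefix is read off the hairpin MASQUERADE rule in the
# posted dump; the firmware does not state it anywhere.
LAN = "195.24.153.48/29"

# Constructed sample: an abridged copy of the dump posted in the issue.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 78.25.8.242/32 -j VSERVER
-A PREROUTING -d 78.25.8.242/32 -j VSERVER
-A POSTROUTING -s 195.24.153.48/29 -d 195.24.153.48/29 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 195.24.153.49:80
-A VSERVER -p tcp -m tcp --dport 53 -j DNAT --to-destination 195.24.153.51:53
-A VSERVER -p tcp -m tcp --dport 25 -j DNAT --to-destination 195.24.153.67:25
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
COMMIT
"""


def parse_rules(text):
    """Return (table, chain, argv) for every '-A' line of the dump."""
    table, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rules.append((table, argv[1], argv[2:]))
    return rules


def _opt(argv, flag):
    """Value that follows `flag` in argv, or None when the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None


def _dnat_rules(rules):
    """Yield (chain, proto, public_port, target_host, target_port) per DNAT."""
    for table, chain, argv in rules:
        if table == "nat" and _opt(argv, "-j") == "DNAT":
            host, _, port = _opt(argv, "--to-destination").partition(":")
            pub = _opt(argv, "--dport")
            # Without ":port" the DNAT keeps the original destination port.
            yield chain, _opt(argv, "-p"), pub, host, port or pub


def duplicate_rules(rules):
    """Rules that were appended more than once to the same chain."""
    counts = Counter((t, c, " ".join(a)) for t, c, a in rules)
    return sorted(k for k, n in counts.items() if n > 1)


def dnat_outside_lan(rules, lan=LAN):
    """DNAT targets whose address is not inside the LAN prefix."""
    net = ipaddress.ip_network(lan)
    return [(chain, pub, host, port)
            for chain, _proto, pub, host, port in _dnat_rules(rules)
            if ipaddress.ip_address(host) not in net]


def dnat_not_forwarded(rules):
    """Forwarded services with no ACCEPT covering them in filter/FORWARD."""
    fwd = [a for t, c, a in rules if t == "filter" and c == "FORWARD"]
    # One "--ctstate DNAT -j ACCEPT" rule admits every DNAT'd connection.
    for a in fwd:
        states = (_opt(a, "--ctstate") or "").split(",")
        if _opt(a, "-j") == "ACCEPT" and "DNAT" in states:
            return []
    missing = []
    for _chain, proto, pub, host, port in _dnat_rules(rules):
        explicit = any(_opt(a, "-j") == "ACCEPT"
                       and (_opt(a, "-d") or "").split("/")[0] == host
                       and _opt(a, "-p") == proto
                       and _opt(a, "--dport") == port
                       for a in fwd)
        if not explicit:
            missing.append((proto, pub, host, port))
    return missing


def report(text, lan=LAN):
    """Human-readable findings for one dump."""
    rules = parse_rules(text)
    out = [f"duplicate rule in {t}/{c}: {r}" for t, c, r in duplicate_rules(rules)]
    out += [f"DNAT target outside {lan}: {c} dport {p} -> {h}:{tp}"
            for c, p, h, tp in dnat_outside_lan(rules, lan)]
    out += [f"DNAT'd {pr}/{p} -> {h}:{tp} is never accepted in FORWARD"
            for pr, p, h, tp in dnat_not_forwarded(rules)]
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no findings")
```

Run it against a real dump with `iptables-save | python3 audit.py` after swapping SAMPLE for `sys.stdin.read()`; the LAN prefix should be set to whatever br0 actually carries, since a target outside it is only a finding for a NAT setup where the forwarded hosts live behind the router.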
Original issue reported on code.google.com by
ad...@csa.dp.ua
on 8 Aug 2012 at 9:17