Web interface generates wrong iptables


unaiur
04-09-2005, 20:18
I have added an entry to the Virtual Server web page, mapping ports 256xx to an internal IP and restarted the firewall.

The iptables rules generated in the filter table are in the wrong chain: they are in the FORWARD chain (where they are useless, since by default all packets are forwarded) and not in the INPUT chain (so I can't connect to my internal host).

What should I change to let me configure virtual servers correctly from the web interface? I've tried to follow the /linuxrc script but it launches the /sbin/init binary.

Chain FORWARD (policy ACCEPT)
target prot opt source destination
... bla bla ...
ACCEPT tcp -- anywhere anywhere tcp dpts:25600:25699 flags:SYN/RST
ACCEPT udp -- anywhere anywhere udp dpts:25600:25699
... bla bla ...

unaiur
04-09-2005, 21:22
I've written a script to automatically accept external connections to the Virtual Hosts defined in the web interface.

Just put the attached script in /usr/local/sbin/fix-vhosts and execute:

echo ". /usr/local/bin/fix-vhosts" >> /usr/local/sbin/post-firewall
flashfs save && flashfs commit

Although, I think that this is a bug and we should fix it in the firmware source code (broadcom/src/router/rc/firewall_ex.c).

(What do you think, Oleg?)

Oleg
04-09-2005, 21:33
You're wrong in your expectations. They should be in the FORWARD chain, as the destination is altered in the nat table by the PREROUTING chain, so packets are forwarded to the internal host.

unaiur
04-09-2005, 21:42
With the default configuration, and unless WAN-to-LAN filtering is activated, only invalid packets are dropped, so rules 3 - 9 are useless:

Chain FORWARD (policy ACCEPT 232 packets, 13335 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
3 5396 2846K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 0 0 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
5 0 0 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
6 0 0 ACCEPT icmp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8
7 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.1.21 tcp dpts:25600:25699
8 0 0 ACCEPT udp -- * * 0.0.0.0/0 10.2.1.21 udp dpts:25600:25699
9 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:6112

unaiur
04-09-2005, 21:53
Nonetheless, the problem isn't with the FORWARD rules. The problem is that INPUT rules are missing, so the router doesn't behave as described on the web page:

"To make services, like WWW, FTP, provided by a server in your local network accessible for outside users, you should specify a local IP address to the server."

Oleg
05-09-2005, 09:55
Once again: there should be NOTHING in the INPUT chain, as these packets are routed through the router to the internal hosts. Check both tables to see the flow:

iptables -t nat -L PREROUTING
iptables -L FORWARD
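To make the flow Oleg describes concrete, here is an added Python model (not code from the thread or the firmware) of the two lookups that matter: the nat PREROUTING DNAT for the thread's 25600:25699 mapping to 10.2.1.21, then the routing decision that sends the rewritten packet through FORWARD rather than INPUT. The router's WAN address 203.0.113.10 is a constructed placeholder, and wan_lan_filter stands for the web interface's WAN-to-LAN filtering option mentioned above.

```python
"""Model of the netfilter path for a packet arriving on the WAN side.

Added example, not the firmware's code. Only the pieces discussed in the
thread are modeled: the DNAT in nat/PREROUTING, the routing decision,
and the filter/FORWARD chain. INPUT is not evaluated at all.
"""
from dataclasses import dataclass

ROUTER_WAN_IP = "203.0.113.10"   # constructed placeholder for the WAN address
LAN_HOST = "10.2.1.21"           # virtual server from the thread's listing


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    dst: str      # destination address as seen at this point of the path
    dport: int


# nat PREROUTING: (proto, low port, high port) -> new destination address
DNAT_RULES = [("tcp", 25600, 25699, LAN_HOST),
              ("udp", 25600, 25699, LAN_HOST)]

# filter FORWARD: explicit ACCEPT rules (rules 7 and 8 of the listing)
FORWARD_ACCEPT = [("tcp", LAN_HOST, 25600, 25699),
                  ("udp", LAN_HOST, 25600, 25699)]


def prerouting(pkt: Packet) -> Packet:
    """Rewrite the destination if a DNAT rule matches; otherwise unchanged."""
    for proto, lo, hi, new_dst in DNAT_RULES:
        if pkt.proto == proto and pkt.dst == ROUTER_WAN_IP and lo <= pkt.dport <= hi:
            return Packet(pkt.proto, new_dst, pkt.dport)
    return pkt


def traverse(pkt: Packet, wan_lan_filter: bool = False):
    """Return (filter chain, destination after NAT, verdict in FORWARD).

    The routing decision happens after PREROUTING, so a DNATed packet is
    no longer addressed to the router and never reaches INPUT. The verdict
    is None for INPUT because that chain is outside this model.
    """
    pkt = prerouting(pkt)
    if pkt.dst == ROUTER_WAN_IP:              # still for the router itself
        return "INPUT", pkt.dst, None
    matched = any(pkt.proto == p and pkt.dst == d and lo <= pkt.dport <= hi
                  for p, d, lo, hi in FORWARD_ACCEPT)
    policy = "DROP" if wan_lan_filter else "ACCEPT"   # chain policy
    return "FORWARD", pkt.dst, "ACCEPT" if matched else policy
```

With WAN-to-LAN filtering off, the FORWARD ACCEPT rules change nothing, which is unaiur's "rules 3 - 9 are useless" observation; with it on, they are what keeps the virtual server reachable.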

unaiur
05-09-2005, 11:26
Oops... you are right. I learnt that in the Linux 2.0 and ipchains days and never updated my knowledge database. :rolleyes:

Oleg
05-09-2005, 15:31
Yes, ipchains worked in a different way. :)