
View the full version : Port Forwarding? iptables?



*Sorcerer*
07-05-2005, 22:58
My asus wl-500g is working pretty good for me, but I can't get anything through the gateway into my computer. When I try to run a port scan (http://www.grc.com/x/ne.dll?rh1dkyd2) on my system I get the result that all my ports are stealthed. I have tried everything I can possibly think of in the web ui and I wonder if I need to change the iptables by hand to make it work. What I want to do is simply open up some ports (21, 80...) so that people can connect to my computer from wan.

here is my iptables config now:



iptables -L:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain MACS (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP'
DROP all -- anywhere anywhere


iptables -t nat -nL:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- !82.xxx.xxx.xxx 0.0.0.0/0
MASQUERADE all -- 192.168.1.0/24 192.168.1.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



Can anyone tell me what I will need to change in the iptables and how to do it?
(because I don't understand much of it)

and just to say it, I am using Oleg's latest firmware 1.9.2.7-5 on an asus wl-500g and I am using Winxp pro sp2

tomilius
08-05-2005, 01:00
(edit... updated detection of interfaces when user runs post-firewall)
(edit... updated pf code to make it look better mostly)

This should make it easier for you... I hope...
Perform the following, not typing the $ (that just shows it's a command ;)) (this information is available here (http://wl500g.dyndns.org/)):

$ flashfs enable
$ mkdir -p /usr/local/sbin
$ vi /usr/local/sbin/post-firewall
Now, I hope you know how to use vi. Basically, to start typing stuff press i for insert. To stop, press ESC. To delete a line, press d twice (if you're not in insert mode). To save (not in insert mode), press colon, the w, then enter. To quit, press colon, then q, then enter. To save and quit, press colon, then wq, then enter :). "Move around" with the arrow keys (this may be done in or out of insert mode). And that's all I'll cover here.

If you press i, you can paste the following into telnet/putty when you're in vi.

All of this assumes your computer's LAN IP is 192.168.1.10. If it's not, just change 192.168.1.10 to whatever it is.

#!/bin/sh
# post-firewall: the firmware calls this with the WAN/LAN interface and
# address as arguments after it has loaded its own firewall rules.
wan_if=$1
wan_ip=$2
lan_if=$3
lan_ip=$4

# no arguments: the script was run by hand, so reset the firewall to the
# firmware defaults and look the interface data up in nvram ourselves
if [ "$#" -eq 0 ]; then
    iptables -t mangle -F
    iptables -t mangle -X
    iptables-restore /tmp/filter_rules
    iptables-restore /tmp/nat_rules
    wan_if=`nvram get wan_ifname`
    wan_ip=`nvram get wan_ipaddr_t`
    lan_if=`nvram get lan_ifname`
    lan_ip=`nvram get lan_ipaddr`
fi

pf() {
    # pf(port, ip, optional localport, optional protocol)
    # forwards WAN port $1 to LAN host $2, optionally to a different
    # local port $3; the protocol defaults to tcp
    if [ -n "$4" ]; then prot=$4; else prot=tcp; fi
    if [ -n "$3" ]; then lport=$3; else lport=$1; fi
    # DNAT rewrites the destination of packets arriving for the WAN IP;
    # the :port suffix is only needed when the local port differs
    dest=$2
    if [ "$lport" != "$1" ]; then dest=$2:$lport; fi
    iptables -t nat -A PREROUTING -p $prot -d $wan_ip --dport $1 -j DNAT --to $dest
    # the rewritten packets must also be allowed through the FORWARD chain
    iptables -A FORWARD -p $prot -d $2 --dport $lport -j ACCEPT
}

####### PORT FORWARDING #######
pf 21 192.168.1.10
pf 80 192.168.1.10

OR, you could have a much simpler (but harder to configure later) post-firewall:

#!/bin/sh
wan_if=$1
wan_ip=$2
lan_if=$3
lan_ip=$4

iptables -t nat -A PREROUTING -p tcp -d $wan_ip --dport 21 -j DNAT --to 192.168.1.10
iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d $wan_ip --dport 80 -j DNAT --to 192.168.1.10
iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT

Once you've gotten that in vi (vi editing /usr/local/sbin/post-firewall, of course), ESC (if you haven't already; exit insert mode), and press colon, and press wq, and press enter :rolleyes:. Now type this:

$ chmod +x /usr/local/sbin/post-firewall
$ flashfs save
$ flashfs commit

If you chose the first version of post-firewall I showed you, you should be able to simply run post-firewall each time you make a modification to test it.

$ post-firewall

Otherwise, reboot (you might have to reboot the first time anyway).

$ reboot

I think that about covers it. To add more ports, modify post-firewall some more with vi, save it, and then type:

$ flashfs save
$ flashfs commit

Sorry if you knew all of that... If I made any mistakes, or if that doesn't work, please tell me. I'm likely to have made some, but they're probably not devastating ;)
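A hardened variant of the pf() helper from the post above, written as an added example (it is not tomilius' code nor part of the Oleg firmware). It keeps the same DNAT + FORWARD pair but binds both rules to the WAN interface so LAN hosts cannot trigger the forward, limits the FORWARD accept to NEW connections on exactly the forwarded port, and refuses bad ports, unknown protocols and forwards to non-private addresses. The variable names wan_if and wan_ip come from post-firewall; pf_safe, pf_dry, IPT and the sample values eth1 / 82.0.0.1 are assumptions made for this example, and pf_dry prints the rules instead of loading them so the script can be checked on any machine:

```shell
#!/bin/sh
# Added example, not code from the thread or the firmware.
# IPT is the command used to load rules; pf_dry overrides it with "echo iptables".
IPT=${IPT:-iptables}
wan_if=${wan_if:-eth1}        # constructed sample value (post-firewall sets the real one)
wan_ip=${wan_ip:-82.0.0.1}    # constructed sample value

# pf_safe PORT LAN_IP [LOCALPORT] [PROTO]
# Same effect as pf() from the post, with input checks and interface binding.
pf_safe() {
    port=$1; ip=$2; lport=${3:-$1}; prot=${4:-tcp}

    # only tcp and udp carry ports; anything else is a mistake
    case $prot in
        tcp|udp) ;;
        *) echo "pf_safe: bad protocol '$prot'" >&2; return 1 ;;
    esac

    # both ports must be integers in 1..65535
    for p in "$port" "$lport"; do
        case $p in
            ''|*[!0-9]*) echo "pf_safe: bad port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "pf_safe: port out of range '$p'" >&2; return 1
        }
    done

    # a forward target should be a host on the LAN (RFC 1918 space)
    case $ip in
        192.168.*|10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) echo "pf_safe: refusing to forward to non-private address '$ip'" >&2; return 1 ;;
    esac

    dest=$ip
    [ "$lport" != "$port" ] && dest=$ip:$lport

    # -i $wan_if: only packets arriving on the WAN interface are rewritten
    $IPT -t nat -A PREROUTING -i "$wan_if" -p "$prot" -d "$wan_ip" \
        --dport "$port" -j DNAT --to "$dest" || return 1
    # allow only new connections to the forwarded port, still WAN-bound;
    # replies are already covered by the firmware's RELATED,ESTABLISHED rule
    $IPT -A FORWARD -i "$wan_if" -p "$prot" -d "$ip" --dport "$lport" \
        -m state --state NEW -j ACCEPT
}

# pf_dry ARGS...: print the rules pf_safe would load, one per line,
# without touching the kernel (runs in a subshell so IPT is not changed)
pf_dry() { ( IPT="echo iptables"; pf_safe "$@" ); }

# usage: pf_dry 21 192.168.1.10 ; pf_dry 8080 192.168.1.10 80
```

Run pf_dry first to inspect the rules, then call pf_safe with the same arguments from post-firewall. A forward of 8080 to local port 80 produces a DNAT with `--to 192.168.1.10:80` and a FORWARD accept on port 80, which is the detail the original pf() handled with the `$1 -ne $3` test.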

hugo
08-05-2005, 13:13
or you can add an entry to your NAT settings - virtual server admin web page. Don't forget to enable virtual server on top of the page.

http://my.router/Advanced_VirtualServer_Content.asp

*Sorcerer*
08-05-2005, 15:34
@hugo: I have tried that, but unfortunately it didn't work the way I wanted

@tomilius: I will try it, and I will ask more if I don't get it.

tomilius
08-05-2005, 19:41
This should make it easier for you... I hope...


or you can add entry to your NAT settings - virtual server admin web page.

Oh boy. I'm so not thinking clearly lately. Thanks for that, hugo.

I prefer my method though. ;)

tomilius
08-05-2005, 20:38
@hugo: I have tried that, but unfortunately it didn't work the way I wanted

What is it you wanted? Because what I showed you doesn't have much of a different effect if any than Virtual Servers.

*Sorcerer*
08-05-2005, 21:56
OK, I will try to rephrase my question.

I just want to make it possible to connect to my pc from wan.

Now I have turned on virtual DMZ to my lan ip 192.168.1.10.
If I am correct in my assumption this should make all packets come to my pc.
But when I run a port scan on all service ports I get the result that all ports are stealthed, that means it cannot even be determined if there is a computer at the address.

this is my iptables now:




Chain INPUT (policy ACCEPT 14085 packets, 1967K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 686 packets, 33168 bytes)
pkts bytes target prot opt in out source destination
16739 9574K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.1.10

Chain OUTPUT (policy ACCEPT 16403 packets, 6978K bytes)
pkts bytes target prot opt in out source destination

Chain MACS (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PREROUTING (policy ACCEPT 1033 packets, 79476 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 82.xxx.xxx.xxx to:192.168.1.10

Chain POSTROUTING (policy ACCEPT 547 packets, 32982 bytes)
pkts bytes target prot opt in out source destination
629 28758 MASQUERADE all -- * eth1 !82.xxx.xxx.xxx 0.0.0.0/0
5 300 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24

Chain OUTPUT (policy ACCEPT 552 packets, 33282 bytes)
pkts bytes target prot opt in out source destination


Does anyone know what I am doing wrong?

tomilius
08-05-2005, 22:00
Try http://scan.sygate.com/prequickscan.html. Maybe the scan from the site you're using now isn't good enough.

Wait...

0 0 DNAT all -- * * 0.0.0.0/0 82.xxx.xxx.xxx to:192.168.1.10

0 packets, 0 bytes... hmm.

OK, I just tried that myself with no issue:

iptables -t nat -I PREROUTING -d `nvram get wan_ipaddr_t` -j DNAT --to 192.168.1.10
iptables -I FORWARD -d 192.168.1.10 -j ACCEPT

But the 0 packets, 0 bytes thing is peculiar. I don't know what to tell you about that.... Weird.

I'd start logging dropped packets and go from there (post syslog droppages).
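The clue tomilius picks up on is the "0 0" in front of the DNAT rule: the pkts/bytes columns of `iptables -t nat -nvL` count how often a rule matched, so a zero-hit DNAT means no packet for the WAN address ever reached PREROUTING, and the problem lies before the router's NAT rather than in the forward itself. The helper below, an added example and not part of the thread, reads such a listing on stdin and reports every DNAT rule whose packet counter is still zero. The function name zero_hit_dnat and the sample listing are constructed for this example; the sample lines mirror the layout the poster pasted:

```shell
#!/bin/sh
# Added example, not code from the thread.
# zero_hit_dnat: read `iptables -t nat -nvL` output on stdin and print
# "CHAIN PORT TARGET" for every DNAT rule that has matched 0 packets.
zero_hit_dnat() {
    awk '
        /^Chain /    { chain = $2; next }        # remember the current chain
        $1 == "pkts" { next }                    # skip the column header
        NF == 0      { next }                    # skip blank separators
        $3 == "DNAT" && $1 == 0 {
            # the destination port shows up as a dpt:NNN token when the
            # rule has one; a bare DMZ-style rule matches any port
            port = "any"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpt:/) port = substr($i, 5)
            print chain, port, $NF
        }'
}

# sample_listing: constructed listing in the format of the post above
sample_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 1033 packets, 79476 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            82.xxx.xxx.xxx       to:192.168.1.10
  412 24720 DNAT       tcp  --  eth1   *       0.0.0.0/0            82.xxx.xxx.xxx       tcp dpt:80 to:192.168.1.10:80
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            82.xxx.xxx.xxx       tcp dpt:21 to:192.168.1.10

Chain POSTROUTING (policy ACCEPT 547 packets, 32982 bytes)
 pkts bytes target     prot opt in     out     source               destination
  629 28758 MASQUERADE all  --  *      eth1    !82.xxx.xxx.xxx      0.0.0.0/0
EOF
}

# check_sample: run the helper over the constructed listing
check_sample() { sample_listing | zero_hit_dnat; }

# on the router: iptables -t nat -nvL | zero_hit_dnat
```

If a forwarded port shows up here after an outside connection attempt, the rule never saw the packet; if it does not show up but the scan still reports the port closed, the packet was rewritten and the drop happens later, which is where the logdrop chain from the listings comes in.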