
Thread: no ftp connection from wan anymore

  1. #1

    no ftp connection from wan anymore

    Hi Folks,

    I think I have been a little bit too enthusiastic with busybox and telnet, even though I am a complete noob in these matters.

    So,.. I bought my wl500g after reading several websites and after reading what this thing was capable of.. I still think it's great.
    But.... I bought it to use the ftp server for wan use. With the original firmware I did not manage to use this feature. So after first upgrading to a newer original firmware I still did not manage.
    Solution? installing firmware from Oleg.. (I now have 1.9.2.7-4 installed) and it actually worked.
    Doing this I wanted more MORE MORE features!!!
    So,.. I used through telnet some options mentioned here in this forum. Somehow I think I did not manage to use the virtual input in telnet the right way, though the other lines were updated. (I used for example the port 80 issue mentioned here in the forum).
    After doing this FTP as well as webcam was not approachable from WAN side anymore...
    Knowing that I must have done something wrong,.. I figured just to go back in firmware (original) to delete the entries made by telnet. Apparently that did not do the trick. So.... going back to firmware 1.9.2.7-4 now at least my webcam is working from WAN side again,.. but ftp gives a message something like this:
    "Mar 27 12:46:31 kernel: DROPIN=eth1 OUT= MAC=bla bl blaSRC= bla bla DST= bla bla bla LEN=42 TOS=0x00 PREC=0x00 TTL=107 ID=42067 DF PROTO=TCP SPT=49763 DPT=2992 SEQ=2501708738 ACK=3834017422 WINDOW=65487 RES=0x00 ACK PSH URGP=0
    Mar 27 12:46:32 kernel: ACCEPT IN=eth1 OUT= MAC=bla bla bla :71:08:00 SRC=80.61.167.119 DST=bla bla blaLEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=11616 DF PROTO=TCP SPT=25667 DPT=7776 SEQ=259557029 ACK=0 WINDOW=64512 RES=0x00 SYN URGP=0 OPT (020405B401010402)
    Mar 27 12:46:32 kernel: DROPIN=eth1 OUT= MAC=bla bla bla:08:00 SRC=67.170.5.29 DST=bla bla blaLEN=42 TOS=0x00 PREC=0x00 TTL=107 ID=42077 DF PROTO=TCP SPT=49763 DPT=2992 SEQ=2501708738 ACK=3834017422 WINDOW=65487 RES=0x00 ACK PSH URGP=0
    Mar 27 12:46:32 kernel: DROPIN=eth1 OUT= MAC=bla bla bla:08:00 SRC=205.188.8.236 DST=bla bla blaLEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=12462 DF PROTO=TCP SPT=5190 DPT=2557 SEQ=2123700918 ACK=1687883417 WINDOW=16384 RES=0x00 ACK RST URGP=0 "

    I have no clue why it is blocking the IP addresses to connect to ftp. Also I don't know why it is not giving the normal message: FTP user denied or something.

    Is there somebody who knows how I can get my standard settings for busybox through telnet again?

    please help.. I AM a noob.. and I promise when it all works again,.. I will never touch this anymore..
    Last edited by 5over12; 28-03-2005 at 07:58.

  2. #2
    Join Date
    Aug 2004
    Location
    Germany
    Posts
    377
    Hi

    Seems you have messed around with network routing rules, and this is the result. Install -4 Build if you have not already, and after this hold the Reset button for around 5 seconds. This should bring you back to a usable state.

    Greets
    Also, this is more a Q&A Thread ...
    My Stuff: WL-500g, Mapower H31x 10GB HD, Philips Webcam Vesta PRO, TerraTec Webcam PRO, USB Hub

  3. #3
    Thanks for your reply Wlanman

    That is the whole point.. I installed the version -4 (and even went back to previous versions in the hope that it would solve my problem)
    Also hard resetting on the router itself did not do the trick. Though webcam functionality came back after that, so my hope was big..
    But looking at my log I saw still that IP addresses were blocked, trying to enter my FTP. Though inside entering ftp is going fine..
    I hoped it would also reset all the things I changed in telnet, but apparently hardreset is not changing internal settings

  4. #4
    ok,.. a little update here about my problem...

    Seems that my router is not accessible from WAN side anymore as well..

    changed the port for access,.. and still it did not work..
    strange though that my webcam is accessible still...
    my problem gets weirder and weirder..

    I really hope that somebody has a clue what could be wrong with my router...

  5. #5
    I had the exact same problem as you. I got a tip to do this, and it worked for me:

    post an output for the

    Code:

    iptables -L -vn
    iptables -L -t nat -vn

    in the forum post.
    via the hidden admin page.
    http://my.router/Main_AdmStatus_Content.asp
    type command and press Refresh.

  6. #6
    Thank you TTHEN,

    in the first place.. for making me feel that I am not completely crazy
    and secondly to show me something that I had not seen before..

    it's now too late to check if it is really working,.. and to be honest.. I am a complete 'no no' in this area. So I am sorry if I am asking stupid questions now..

    I followed your instructions the way I think I did understand.

    typing in the console of the hidden admin: output iptables -L -vn and then hit refresh and doing the same with: output iptables -L -t nat -vn.

    the stupid question now is.. what exactly is this doing? and what went wrong before that I got this problem in the first place?

    regards, 5over12

  7. #7
    Join Date
    Jul 2004
    Location
    near Lyon @ France
    Posts
    195
    don't type
    Code:
    output iptables -L -vn
    but
    Code:
    iptables -L -vn
    in the hidden admin page
    Hitting refresh should then show you the results of the command

  8. #8
    The same here, no access from WAN except the web-interface, this is in my post-firewall script:

    iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT

    but no ssh connection possible - connection refused

    Bug in the firewall???

    v1.9.2.7 CR4 [Oleg] client mode
    Last edited by rdude; 01-04-2005 at 19:48.

  9. #9
    Join Date
    Jul 2004
    Location
    near Lyon @ France
    Posts
    195
    try with
    Code:
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    as --syn means "all packets but syn", i.e. it refuses connection attempts on port 22, which is exactly what you don't want.

  10. #10
    Join Date
    Dec 2003
    Location
    Russian Federation
    Posts
    8,356
    Quote Originally Posted by Jean-Fabrice
    try with
    Code:
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    as --syn means "all packets but syn", i.e. it refuses connection attempts on port 22, which is exactly what you don't want.
    Jean-Fabrice, you are not correct. --syn should be used as it indicates that only initial packets requesting a connection should be accepted by this rule. Other packets would be related and would be accepted by connection tracking rules.

  11. #11
    Join Date
    Jul 2004
    Location
    near Lyon @ France
    Posts
    195

    sorry sorry


    Sorry about my post.
    Can I delete it not to fool ppl ?

  12. #12
    Code:
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    tried this as well - "connection timed out"

  13. #13
    Show the other rules. With appended rules, the earlier applied the higher precedence. It's the opposite for insertions (-I).

    Point is, you have another rule above it blocking it--probably this:
    iptables -A INPUT -j logdrop

    Before you add any rules (with post-firewall or bash), use:
    iptables -D INPUT -j logdrop

    After you append the rules, put it back:
    iptables -A INPUT -j logdrop

    But again. Show your other rules.
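
The rule-ordering and --syn behaviour described in posts #10 and #13, as an added example that is not part of the original thread and not the router's actual ruleset: a toy first-match model in Python. The base chain (a connection-tracking accept followed by a catch-all logdrop) and the sample packets are assumptions.

```python
# Toy first-match model of an iptables chain; NOT real netfilter. All data is constructed.
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN"}

def matches(rule, pkt):
    """A rule matches only if every criterion it sets agrees with the packet."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    # --syn: SYN set, with ACK, RST and FIN all clear
    if rule.get("syn") and (pkt["flags"] & TCP_FLAGS) != {"SYN"}:
        return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def append(chain, rule):        # iptables -A: new rule goes last
    return chain + [rule]

def insert(chain, rule):        # iptables -I: new rule goes first
    return [rule] + chain

# Assumed chain pieces: conntrack accept, and a catch-all logdrop at the end.
CONNTRACK = {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"}
CATCH_ALL = {"target": "logdrop"}
SSH_SYN = {"proto": "tcp", "dport": 22, "syn": True, "target": "ACCEPT"}

# Constructed packets: the opening SYN, and a later ACK on the same connection.
SYN_PKT = {"proto": "tcp", "dport": 22, "flags": {"SYN"}, "state": "NEW"}
ACK_PKT = {"proto": "tcp", "dport": 22, "flags": {"ACK", "PSH"}, "state": "ESTABLISHED"}

def demo():
    base = [CONNTRACK, CATCH_ALL]
    return {
        "appended_syn": verdict(append(base, SSH_SYN), SYN_PKT),   # below catch-all
        "inserted_syn": verdict(insert(base, SSH_SYN), SYN_PKT),   # above everything
        "reordered_syn": verdict([CONNTRACK, SSH_SYN, CATCH_ALL], SYN_PKT),  # -D, -A, -A
        "inserted_ack": verdict(insert(base, SSH_SYN), ACK_PKT),   # conntrack takes it
        "no_conntrack_ack": verdict([SSH_SYN, CATCH_ALL], ACK_PKT),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the appended rule is never reached, while the inserted or reordered rule accepts the opening SYN and the connection-tracking rule carries the rest of the connection.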

  14. #14
    Quote Originally Posted by tomilius
    Show the other rules. With appended rules, the earlier applied the higher precedence. It's the opposite for insertions (-I).
    No other rules from me, only enabled the firewall on the Web-interface (Internet Firewall - Basic Config)
    My post-firewall script, in v1.7.5.9 this worked:
    Code:
    #!/bin/sh
    iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
    iptables -A INPUT -p udp --dport 161 -j ACCEPT
    Quote Originally Posted by tomilius
    Point is, you have another rule above it blocking it--probably this:
    iptables -A INPUT -j logdrop
    Code:
    [admin@wl500g root]$ iptables -D INPUT -j logdrop
    iptables: Bad rule (does a matching rule exist in that chain?)
    I also tried
    Code:
    iptables -I INPUT -p tcp --dport 22 -j ACCEPT
    with the same results.

    The only way I can connect from Wan if I disable the firewall from the Web-ifc.

    Any other suggestions?
    Tnx

  15. #15
    firmware 1.9.2.7 is working fine for accessing ftp from wan
