Thread: Web interface generates wrong iptables

  1. #1 (Madrid, joined Sep 2005, 31 posts)

    Web interface generates wrong iptables

    I have added an entry to the Virtual Server web page, mapping ports 256xx to an internal IP, and restarted the firewall.

    The iptables rules generated in the filter table are in the wrong chain: they are in the FORWARD chain (where they are useless, since by default all packets are forwarded) and not in the INPUT chain (so I can't connect to my internal host).

    What should I change so that virtual servers can be configured correctly from the web interface? I've tried to follow the /linuxrc script, but it launches the /sbin/init binary.
    Code:
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ... bla bla ...
    ACCEPT tcp -- anywhere anywhere tcp dpts:25600:25699 flags:SYN/RST
    ACCEPT udp -- anywhere anywhere udp dpts:25600:25699
    ... bla bla ...

  2. #2 (Madrid, joined Sep 2005, 31 posts)
    I've written a script to automatically accept external connections to the Virtual Hosts defined in the web interface.

    Just put the attached script in /usr/local/sbin/fix-vhosts and execute:
    Code:
    echo ". /usr/local/sbin/fix-vhosts" >> /usr/local/sbin/post-firewall
    flashfs save && flashfs commit

    Although, I think that this is a bug and we should fix it in the firmware source code (broadcom/src/router/rc/firewall_ex.c).

    (What do you think, Oleg?)
    Attached Files (attachment not reproduced here)

  3. #3 (Russian Federation, joined Dec 2003, 8,356 posts)
    You're wrong in your expectations. They should be in the FORWARD chain, as the destination is altered in the nat table by the PREROUTING chain, so the packets are forwarded to the internal host.

  4. #4 (Madrid, joined Sep 2005, 31 posts)
    With the default configuration, and unless WAN-to-LAN filtering is activated, only invalid packets are dropped, so rules 3 - 9 are useless:
    Code:
    Chain FORWARD (policy ACCEPT 232 packets, 13335 bytes)
    num pkts bytes target prot opt in out source destination
    1 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    3 5396 2846K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    4 0 0 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
    5 0 0 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
    6 0 0 ACCEPT icmp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8
    7 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.1.21 tcp dpts:25600:25699
    8 0 0 ACCEPT udp -- * * 0.0.0.0/0 10.2.1.21 udp dpts:25600:25699
    9 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:6112
    Last edited by unaiur; 04-09-2005 at 21:58.

  5. #5 (Madrid, joined Sep 2005, 31 posts)
    Nonetheless, the problem isn't the FORWARD rules. The problem is that INPUT rules are missing, so the router doesn't behave as stated on the web page:

    "To make services, like WWW, FTP, provided by a server in your local network accessible for outside users, you should specify a local IP address to the server."

  6. #6 (Russian Federation, joined Dec 2003, 8,356 posts)
    Once again. There should be NOTHING in the INPUT chain, as these packets are routed through the router to the internal hosts. Check both tables to see the flow.
    Code:
    iptables -t nat -L PREROUTING
    iptables -L FORWARD
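
    The flow described in the reply above, as an added shell example that is not code from the thread, from the attached fix-vhosts script, or from the firmware's firewall_ex.c: for each Virtual Server entry it emits the DNAT rule in the nat table's PREROUTING chain and the ACCEPT rule in the filter table's FORWARD chain, and nothing in INPUT. The WAN interface name vlan1, the one-line "proto ports lan-ip" entry format, the IPT/WAN_IF variables and the function names are assumptions of the example; by default the rules are only printed, so it can be run on any box without root.

```sh
#!/bin/sh
# Added example; not code from the thread or from the WL-500g firmware
# (firewall_ex.c).  Emits the two netfilter rules a Virtual Server entry needs:
#   1. nat/PREROUTING: DNAT the WAN packet to the LAN host.  This runs before
#      the routing decision, so the kernel then routes the packet *through*
#      the router to the LAN host ...
#   2. filter/FORWARD: ... which is why the ACCEPT belongs in FORWARD.  INPUT
#      only sees packets addressed to the router's own IPs and never sees
#      these, so an INPUT rule for them would never match.
# Assumptions (ours): WAN interface vlan1 (as in the thread's listing), entries
# given as "proto ports lan-ip" lines.  IPT defaults to "echo iptables", so the
# script only prints the rules; run it as root with IPT=iptables to apply them.

IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-vlan1}"

# vserver_rules PROTO PORTS LAN_IP  (PORTS is "25600:25699" or a single port)
vserver_rules() {
    proto=$1; ports=$2; lan_ip=$3
    # Rewrite the destination before routing (nat table, PREROUTING chain).
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$ports" \
        -j DNAT --to-destination "$lan_ip"
    # Let the rewritten packet through to the host (filter table, FORWARD chain).
    # Matching the post-DNAT destination keeps this rule tight if WAN-to-LAN
    # filtering is turned on and FORWARD's policy becomes DROP.
    $IPT -A FORWARD -i "$WAN_IF" -p "$proto" -d "$lan_ip" --dport "$ports" -j ACCEPT
}

# vserver_apply_list: read "proto ports lan-ip" lines on stdin (blank lines and
# '#' comments skipped) and emit the rules for each; fails on an unknown proto.
vserver_apply_list() {
    while read -r proto ports lan_ip; do
        case "$proto" in
            ''|'#'*) continue ;;
            tcp|udp) vserver_rules "$proto" "$ports" "$lan_ip" ;;
            *) echo "vserver: unsupported protocol '$proto'" >&2; return 1 ;;
        esac
    done
}

# Constructed sample list: the same entries that appear in the FORWARD dump
# quoted in the thread (10.2.1.21, ports 25600-25699 and udp/6112).
SAMPLE_VSERVERS='tcp 25600:25699 10.2.1.21
udp 25600:25699 10.2.1.21
udp 6112 10.2.1.21'

# Print the rules for the sample list, then the two chains to inspect on the
# router to see the flow (nat/PREROUTING first, then filter/FORWARD).
printf '%s\n' "$SAMPLE_VSERVERS" | vserver_apply_list
echo "# verify with: iptables -t nat -L PREROUTING -n ; iptables -L FORWARD -n -v"
```

    On the router itself this would be sourced from /usr/local/sbin/post-firewall with IPT=iptables so the rules are appended after the firmware's own firewall restart; the -n -v counters on the FORWARD chain are the quickest way to confirm that forwarded connections are hitting the ACCEPT rule rather than anything in INPUT.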

  7. #7 (Madrid, joined Sep 2005, 31 posts)
    Oops... you are right. I learnt that in the Linux 2.0 and ipchains days and never updated my knowledge database.

  8. #8 (Russian Federation, joined Dec 2003, 8,356 posts)
    Yes, ipchains worked in a different way.
