OpenWrt Forum Archive

Topic: Need some help with port opening/forwarding

The content of this topic has been archived on 27 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I just installed OpenWRT White Russian RC6 and I'm still playing with it. I'm not too familiar with all this networking stuff, I'm pretty much learning by configuring OpenWRT, and I'm having some trouble with bittorrent accessibility.
This is my current setup:

DSL line---->DLink DSL-500G Modem/Router------>Linksys WRT54GL (White Russian RC6)------>Slackware 10.2 box

First of all, I managed to put my DLink in bridged mode, and to redirect everything to 10.1.1.2 (which is how it sees the Linksys).
I've configured PPPoE on the Linksys, and I can access the internet, everything is OK.
Also, I've configured DHCP on the Linksys, to serve IPs to my network, and I've also created a rule to always assign 192.168.1.135 to my Slackware box.
I have activated QoS on the Linksys, but I'm using the default configuration.
Lastly, I have created some firewall accept/forward rules both at the Webif (x-wrt) and by editing the file directly (firewall.user, if I'm not mistaken), accepting and forwarding the ports to 192.168.1.135 (Slack box). But all these filters are kind of irrelevant right now, see below.

The problem is, some bittorrent sites are now reporting me as Firewalled, and in fact, all of my connections to other peers are local (outgoing).
I have disabled iptables on the Slack box, and I also temporarily disabled OpenWRT's firewall (S35firewall stop, is that right?), but nothing changed.

As I understand it, I could have 3 possible places where the ports are closed: the Dlink, the Linksys, and the Slack box. Like I said before, I have (or at least thought I had), disabled all blocking in all 3 devices. So, I'd like to try to test each of the connections, to try to find out exactly where it's being blocked.

1 - Is there any program for OpenWRT that I can use to test if XXX ports are accessible from the outside? This way, I could find out if there's still any blocking going on at the Dlink.

2 - Also, is there a way to test the ports between the Linksys and my box?

3 - Lastly, is it possible that QoS is somehow blocking bittorrent?

I understand that there's the possibility that my problem is not OpenWRT related, but mostly I want to try to test the connectivity from World->OpenWRT and from OpenWRT->MyPC.
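One way to run the hop-by-hop test asked for here, added as an example that is not from the thread: a listener started on the box that should be reachable sends a constructed token, and a probe run from the other side of each hop (from a LAN host, then from outside the DSL line) reports whether that specific listener answered, so a reply from the router's own service is not mistaken for a working forward. The `check_hops` helper and the addresses it is given are hypothetical.

```python
import socket
import threading

BANNER = b"porttest-ok\n"  # constructed token: proves which host actually answered

def serve_once(host="0.0.0.0", port=0):
    """Run on the machine that should be reachable (the Slack box in the post):
    accept one client, send BANNER, exit. Returns (bound port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(10)  # give up if nothing connects, so a run cannot hang
    def run():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(BANNER)
        except socket.timeout:
            pass
        finally:
            srv.close()
    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread

def probe(host, port, timeout=3.0):
    """Run from the far side of a hop. 'open' = our listener answered; 'other' =
    something accepted but sent no BANNER (e.g. the router's own service, so the
    forward is not in place); 'closed' = refused, dropped or timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = b""
            while len(data) < len(BANNER):  # read until the whole token arrives
                chunk = sock.recv(len(BANNER) - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError:  # ConnectionRefusedError and socket.timeout both land here
        return "closed"
    return "open" if data == BANNER else "other"

def check_hops(hops, port):
    """Probe (label, address) pairs in order, e.g. the box's LAN address first,
    then the router's WAN address from outside; returns the first failing
    (label, result), or None when every hop reached the listener."""
    for label, address in hops:
        result = probe(address, port)
        if result != "open":
            return label, result
    return None
```

The router itself will not run this script; the probe is meant for a host on the LAN and for a host outside the DSL line, which together bracket the three places the post suspects.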

Why don't you remove the DLink doohickey and properly configure your WRT?

1.)
If you give me your IP and the port (maybe via PM) I could test it for you or have a look at http://www.derkeiler.com/Service/PortScan/

2.)
If your DLink is in bridged mode it is working on a different ISO/OSI layer and therefore cannot block any ports. So this can be excluded.

3.)
Please send the output of "iptables -L" from your slack and openwrt installation. Regarding QoS I would first start off with the basics and when everything is fine go over to QoS.

Regs,
Matze

Thanks for your reply, sammy.


sammy2ooo wrote:

Why don't you remove the DLink doohickey and properly configure your WRT?

What exactly do you mean?


I have apparently fixed my problem, I'm just not sure how. Here's what I did:

1 - Disabled QoS - No apparent change
2 - Instead of having the Dlink send everything to 10.1.1.2 (Linksys), send it to 192.168.1.135 (Slack box's IP on the internal LAN) - No apparent change
3 - Added every forwarding and accept rule I could think of to iptables. It works! Now, it'd be really great to know exactly how I fixed it...

Here's my Slack's iptables output (empty):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

and my OpenWRT's mess:

root@OpenWrt:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination        
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere           
input_wan  all  --  anywhere             anywhere           
LAN_ACCEPT  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     gre  --  anywhere             anywhere           
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination        
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere           
forwarding_wan  all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           


Chain LAN_ACCEPT (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere           
RETURN     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           

Chain OUTPUT (policy DROP)
target     prot opt source               destination        
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain forwarding_rule (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             server              tcp dpts:55000:55010

Chain forwarding_wan (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             server              tcp dpt:22
ACCEPT     tcp  --  anywhere             server             
ACCEPT     udp  --  anywhere             server             
ACCEPT     tcp  --  anywhere             server              tcp dpt:22
ACCEPT     udp  --  anywhere             server              udp dpt:22

Chain input_rule (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:55000:55010 flags:FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere            udp dpts:55000:55010

Chain input_wan (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:55000:55010 flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6890:6900 flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8080 flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1863 flags:FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere            udp dpts:55000:55010
ACCEPT     udp  --  anywhere             anywhere            udp dpts:6890:6900
ACCEPT     udp  --  anywhere             anywhere            udp dpt:8080
ACCEPT     udp  --  anywhere             anywhere            udp dpt:1863
ACCEPT     tcp  --  anywhere             anywhere            multiport sports 55000:55010
ACCEPT     tcp  --  anywhere             anywhere            multiport dports 55000:55010
ACCEPT     udp  --  anywhere             anywhere            multiport sports 55000:55010
ACCEPT     udp  --  anywhere             anywhere            multiport dports 55000:55010

Chain output_rule (1 references)
target     prot opt source               destination

I have messed with a lot of stuff, but the ports that really matter here are 55000:55010 (I use those for bittorrent).
I have mostly tried to add accept and forward rules for these specific ports (both source and destination), and those are the ports that I kept testing.

Basically, I have one UDP and one TCP for every rule. Do I need to do that? I'm thinking that maybe if I don't specify the protocol it'll be good for both. Can I do that?

Here's one thing that's a little confusing for me: what's the difference between forwarding_wan and forwarding_rule (the same goes for input_*). Are the "_rule"s used for the internal LAN and "_wan"s for WAN only? If so, how should I deal with it? Do I need to have one instance of every rule for the WAN and one for the LAN?

Aside from that, I'd really appreciate any other tips for cleaning up my iptables rules.

Oh, and another thing. When I want to use bittorrent (or any other open port needing app) on 2 machines on my LAN, should I:
A - use a different set of ports for the other machine and have iptables forward those ports to that machine
B - Use the same ports, and have iptables forward those ports to both machines, OpenWRT will know which traffic belongs to each
C - ?

Thanks again
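As a starting point for the clean-up asked about above, an added example (not from the thread, and not an OpenWrt tool): a small parser for plain `iptables -L` output that flags ACCEPT rules carrying no port or state match at all and exact duplicate rules. The sample listing is a subset copied from the OpenWRT output in the post; the two unconditional ACCEPTs at the end of FORWARD and the two port-less ACCEPTs in forwarding_wan are what it picks out. Because `iptables -L` without `-v` hides interface matches, every flagged rule needs confirming with `iptables -L -v -n` before being treated as wide open.

```python
import re
# Subset of the `iptables -L` listing from the post above (copied, not invented).
LISTING = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forwarding_wan  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain forwarding_wan (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             server              tcp dpt:22
ACCEPT     tcp  --  anywhere             server
ACCEPT     udp  --  anywhere             server
ACCEPT     tcp  --  anywhere             server              tcp dpt:22
"""

def parse(listing):
    """Return {chain: [(target, proto, src, dst, match_text), ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \(", line)
        if head:
            current = head.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            parts = line.split(None, 5)
            target, proto, _opt, src, dst = parts[:5]
            extra = parts[5].strip() if len(parts) > 5 else ""
            chains[current].append((target, proto, src, dst, extra))
    return chains

def audit(chains):
    """Flag ACCEPTs with no port/state match at all, and exact duplicates.
    Caveat: plain `iptables -L` hides interface matches (-i/-o), so a flagged
    rule must be confirmed with `iptables -L -v -n` before calling it open."""
    findings = []
    for chain, rules in chains.items():
        seen = set()
        for rule in rules:
            target, proto, src, dst, extra = rule
            if target == "ACCEPT" and not extra:
                findings.append((chain, "no-match", f"{proto} from {src} to {dst}"))
            if rule in seen:
                findings.append((chain, "duplicate", extra or proto))
            seen.add(rule)
    return findings
```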
