Hi,
I installed Kamikaze 7.07 on a WRT54GL and set up port forwarding to an internal server, with the usual ports (SSH, SMTP, HTTP). However, hitting the webserver from the outside often results in no response at all. Sometimes it works in short bursts, but soon afterward there is no response from the other end. It seems like there's some sort of burst limiting, but only on outbound connections, since I am able to connect to port 80 from the outside every time. Whether or not I get a response back seems to be the questionable part.
SSH from the outside appears to be just fine.
Does anyone have any idea what's going on? I was sort of suspecting this:
RETURN all -- anywhere anywhere limit: avg 50/sec burst 100
But looking at tcpdump output, I'm nowhere near approaching that level of new connections (as far as I can see).
The relevant configs:
/etc/config/firewall
forward:dport=22 proto=tcp:10.69.69.2:22
# SMTP
forward:dport=25 proto=tcp:10.69.69.2:25
# DNS
forward:dport=53:10.69.69.2:53
# HTTP
forward:dport=80 proto=tcp:10.69.69.2:80
# HTTPS
forward:dport=443:10.69.69.2:443
# Ventrilo
forward:dport=3784 proto=tcp:10.69.69.2:3784
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp option=!2 flags:SYN/SYN
input_rule all -- anywhere anywhere
input_wan all -- anywhere anywhere
LAN_ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT gre -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
forwarding_wan all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
output_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain LAN_ACCEPT (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_wan (1 references)
target prot opt source destination
tcp -- anywhere 10.69.69.2 tcp dpt:22 state NEW limit: avg 5/min burst 5
ACCEPT tcp -- anywhere 10.69.69.2 tcp dpt:22
ACCEPT tcp -- anywhere 10.69.69.2 tcp dpt:25
ACCEPT tcp -- anywhere 10.69.69.2 tcp dpt:53
ACCEPT udp -- anywhere 10.69.69.2 udp dpt:53
ACCEPT tcp -- anywhere 10.69.69.2 tcp dpt:80
ACCEPT tcp -- anywhere 10.69.69.2 tcp dpt:443
ACCEPT udp -- anywhere 10.69.69.2 udp dpt:443
ACCEPT tcp -- anywhere 10.69.69.2 tcp dpt:3784
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
NEW tcp -- anywhere anywhere state NEW
prerouting_rule all -- anywhere anywhere
prerouting_wan all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
postrouting_rule all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain NEW (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 50/sec burst 100
DROP all -- anywhere anywhere
Chain postrouting_rule (1 references)
target prot opt source destination
Chain prerouting_rule (1 references)
target prot opt source destination
Chain prerouting_wan (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere multiport dports 22 to:10.69.69.2:22
DNAT tcp -- anywhere anywhere multiport dports 25 to:10.69.69.2:25
DNAT tcp -- anywhere anywhere multiport dports 53 to:10.69.69.2:53
DNAT udp -- anywhere anywhere multiport dports 53 to:10.69.69.2:53
DNAT tcp -- anywhere anywhere multiport dports 80 to:10.69.69.2:80
DNAT tcp -- anywhere anywhere multiport dports 443 to:10.69.69.2:443
DNAT udp -- anywhere anywhere multiport dports 443 to:10.69.69.2:443
DNAT tcp -- anywhere anywhere multiport dports 3784 to:10.69.69.2:3784
Thanks,
-geordan
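To check whether the NEW chain's "limit: avg 50/sec burst 100" rule (RETURN while within the limit, DROP otherwise) could account for the stalls, here is an added example, not part of the post above, that models the iptables limit match as a token bucket and counts how many new connections would be passed or dropped for a constructed series of SYN timestamps. The bucket model (full at start, refilled at the average rate, capped at the burst) is an approximation of the kernel's xt_limit behaviour, not a copy of it.

```python
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Token-bucket approximation of the iptables 'limit' match.

    The bucket starts full with `burst` tokens and is refilled at
    `avg_per_sec` tokens per second, never exceeding `burst`.
    A packet matches (RETURN in the NEW chain) if a token is available.
    """
    avg_per_sec: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)
        self.last = 0.0

    def matches(self, now: float) -> bool:
        # Refill based on the time elapsed since the previous packet.
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last) * self.avg_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_new_chain(syn_times, avg=50.0, burst=100):
    """Return (returned, dropped) for new-connection timestamps in seconds.

    Defaults mirror the router's NEW chain: avg 50/sec, burst 100.
    A RETURN continues on to prerouting_rule / prerouting_wan (the DNAT
    rules); a DROP means the client never sees a SYN-ACK at all.
    """
    lim = LimitMatch(avg, burst)
    returned = dropped = 0
    for t in sorted(syn_times):
        if lim.matches(t):
            returned += 1
        else:
            dropped += 1
    return returned, dropped


if __name__ == "__main__":
    # Constructed inputs: a normal page load vs. a 300-SYN burst in one instant.
    print("page load:", simulate_new_chain([i * 0.01 for i in range(10)]))
    print("300 SYNs at once:", simulate_new_chain([0.0] * 300))
```

With these defaults a client would have to open more than 100 connections faster than the 50/sec refill before the DROP rule fires, which is the kind of rate a tcpdump capture can be compared against.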