OpenWrt Forum Archive

Topic: port forwarding works unstable on kamikaze 7.09

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
freeman
17 Feb 2008, 13:13

A have added into /etc/firewall.user following lines, to forward wan ports to my internal machine with bittorrent client (ktorrent).

iptables -t nat -A prerouting_wan -p tcp --dport 49151 -j DNAT --to-destination 192.168.1.100:49151
iptables        -A forwarding_wan -p tcp --dport 49151 -d 192.168.1.100 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp --dport 49151 -j DNAT --to-destination 192.168.1.100:49151
iptables        -A forwarding_wan -p udp --dport 49151 -d 192.168.1.100 -j ACCEPT
iptables -t nat -A prerouting_wan -p udp --dport 4444 -j DNAT --to-destination 192.168.1.100:4444
iptables        -A forwarding_wan -p udp --dport 4444 -d 192.168.1.100 -j ACCEPT

Everithing was good, but after some time my router stops to forward connections, and I can't understand why. After reboot (/etc/init.d/firewall restart doesn't help) it works propertly but after some hours stops forwarding again. Iptables rules are the same in time when forwarding works and when it doesn't work. What i must do to have stable forwarding?

Here output of my iptables-save:

# Generated by iptables-save v1.3.7 on Sat Jan  1 03:15:13 2000
*nat
:PREROUTING ACCEPT [3443:385436]
:POSTROUTING ACCEPT [770:97046]
:OUTPUT ACCEPT [20:2691]
:NEW - [0:0]
:postrouting_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
-A PREROUTING -p tcp -m state --state NEW -j NEW
-A PREROUTING -j prerouting_rule
-A PREROUTING -i ppp0 -j prerouting_wan
-A PREROUTING -i eth0.1 -j prerouting_wan
-A POSTROUTING -j postrouting_rule
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o eth0.1 -j MASQUERADE
-A NEW -m limit --limit 50/sec --limit-burst 100 -j RETURN
-A NEW -j DROP
-A prerouting_wan -p tcp -m tcp --dport 22 -j ACCEPT
-A prerouting_wan -p tcp -m tcp --dport 80 -j ACCEPT
-A prerouting_wan -p tcp -m tcp --dport 49151 -j DNAT --to-destination 192.168.1.100:49151
-A prerouting_wan -p udp -m udp --dport 49151 -j DNAT --to-destination 192.168.1.100:49151
-A prerouting_wan -p udp -m udp --dport 4444 -j DNAT --to-destination 192.168.1.100:4444
-A prerouting_wan -p tcp -m tcp --dport 59151 -j DNAT --to-destination 192.168.1.110:59151
-A prerouting_wan -p udp -m udp --dport 59151 -j DNAT --to-destination 192.168.1.110:59151
-A prerouting_wan -p udp -m udp --dport 5444 -j DNAT --to-destination 192.168.1.110:5444
COMMIT
# Completed on Sat Jan  1 03:15:14 2000
# Generated by iptables-save v1.3.7 on Sat Jan  1 03:15:14 2000
*mangle
:PREROUTING ACCEPT [58192:29565248]
:INPUT ACCEPT [41281:23308388]
:FORWARD ACCEPT [16861:6237411]
:OUTPUT ACCEPT [47500:46269738]
:POSTROUTING ACCEPT [64366:52512294]
:Default - [0:0]
:Default_ct - [0:0]
-A PREROUTING -i ppp0 -j Default
-A PREROUTING -i ppp0 -j IMQ --todev 0
-A FORWARD -o ppp0 -j Default
-A OUTPUT -o ppp0 -j Default
-A POSTROUTING -o ppp0 -j Default
-A Default -j CONNMARK --restore-mark
-A Default -m mark --mark 0x0 -j Default_ct
-A Default -m mark --mark 0x1 -m length --length 400:65535 -j MARK --set-mark 0x0
-A Default -m mark --mark 0x2 -m length --length 800:65535 -j MARK --set-mark 0x0
-A Default -p udp -m mark --mark 0x0 -m length --length 0:500 -j MARK --set-mark 0x2
-A Default -p icmp -j MARK --set-mark 0x1
-A Default -p tcp -m mark --mark 0x0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-mark 0x4
-A Default -p udp -m mark --mark 0x0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-mark 0x4
-A Default -p tcp -m length --length 0:128 -m mark ! --mark 0x4 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j MARK --set-mark 0x1
-A Default -p tcp -m length --length 0:128 -m mark ! --mark 0x4 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j MARK --set-mark 0x1
-A Default_ct -m mark --mark 0x0 -m ipp2p --kazaa --gnu --edk --dc --bit -j MARK --set-mark 0x4
-A Default_ct -m mark --mark 0x0 -m layer7 --l7proto edonkey -j MARK --set-mark 0x4
-A Default_ct -m mark --mark 0x0 -m layer7 --l7proto bittorrent -j MARK --set-mark 0x4
-A Default_ct -m mark --mark 0x0 -m layer7 --l7proto ssh -j MARK --set-mark 0x1
-A Default_ct -m mark --mark 0x0 -m layer7 --l7proto vnc -j MARK --set-mark 0x1
-A Default_ct -p tcp -m mark --mark 0x0 -m tcp -m multiport --ports 22,53 -j MARK --set-mark 0x1
-A Default_ct -p udp -m mark --mark 0x0 -m udp -m multiport --ports 22,53 -j MARK --set-mark 0x1
-A Default_ct -p tcp -m mark --mark 0x0 -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -j MARK --set-mark 0x3
-A Default_ct -p tcp -m mark --mark 0x0 -m tcp -m multiport --ports 5190 -j MARK --set-mark 0x2
-A Default_ct -p udp -m mark --mark 0x0 -m udp -m multiport --ports 5190 -j MARK --set-mark 0x2
-A Default_ct -j CONNMARK --save-mark
COMMIT
# Completed on Sat Jan  1 03:15:14 2000
# Generated by iptables-save v1.3.7 on Sat Jan  1 03:15:14 2000
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LAN_ACCEPT - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:output_rule - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 --tcp-flags SYN SYN -j DROP
-A INPUT -j input_rule
-A INPUT -i ppp0 -j input_wan
-A INPUT -j LAN_ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0.1 -j input_wan
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -i ppp0 -j forwarding_wan
-A FORWARD -i br-lan -o br-lan -j ACCEPT
-A FORWARD -i br-lan -o ppp0 -j ACCEPT
-A FORWARD -i eth0.1 -j forwarding_wan
-A FORWARD -i br-lan -o eth0.1 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j output_rule
-A OUTPUT -j ACCEPT
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A LAN_ACCEPT -i ppp0 -j RETURN
-A LAN_ACCEPT -j ACCEPT
-A LAN_ACCEPT -i eth0.1 -j RETURN
-A forwarding_wan -d 192.168.1.100 -p tcp -m tcp --dport 49151 -j ACCEPT
-A forwarding_wan -d 192.168.1.100 -p udp -m udp --dport 49151 -j ACCEPT
-A forwarding_wan -d 192.168.1.100 -p udp -m udp --dport 4444 -j ACCEPT
-A forwarding_wan -d 192.168.1.110 -p tcp -m tcp --dport 59151 -j ACCEPT
-A forwarding_wan -d 192.168.1.110 -p udp -m udp --dport 59151 -j ACCEPT
-A forwarding_wan -d 192.168.1.110 -p udp -m udp --dport 5444 -j ACCEPT
-A input_wan -p tcp -m tcp --dport 22 -j ACCEPT
-A input_wan -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Sat Jan  1 03:15:14 2000

Thank you for helping!

Post #2
Tex-Twil
17 Feb 2008, 13:45

Hi,
do you have the Asus 500gp router ?

If so, there is a bug with port forwarding : http://forum.openwrt.org/viewtopic.php?id=13533
I personally switched back to White Russian which runs fine.

Tex

(Last edited by Tex-Twil on 17 Feb 2008, 13:47)

Post #3
Wodin
17 Feb 2008, 14:20
Tex-Twil wrote:

do you have the Asus 500gp router ?

I don't think this is specific to the Asus 500gp.  I have seen the same thing on another board that was running a custom Linux install (i.e. not OpenWrt.)

Post #4
freeman
17 Feb 2008, 14:25

yep, i running it on asus wl500gP. But a I don't want to downgrade from kamikaze, how do you think, i home it will be fixed smile.

Post #5
freeman
17 Feb 2008, 14:26

it is some kernel issue? I think so, becouse there isn't any userspace software, that can make problems like this.

The discussion might have continued from here.