OpenWrt Forum Archive

Topic: Outgoing traffic - from some LAN devices - is blocked

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I am using a D-Link DSL-524T. My internal network is quite complex, and includes 20+ devices. I need some of them to be reachable from outside, so I configured the file /etc/firewall.user, as for port forwarding, according to my needs.
Here it is:

---------------

WAN=$(uci -P/var/state get network.wan.ifname)

# 1.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8001 -j DNAT --to-destination 192.168.1.1:80
iptables -I FORWARD -i $WAN -p tcp --dport 80 -d 192.168.1.1 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 80 -d 192.168.1.1 -j MASQUERADE

# 2.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.41:22
iptables -I FORWARD -i $WAN -p tcp --dport 22 -d 192.168.1.41 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 22 -d 192.168.1.41 -j MASQUERADE

# 3.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 631 -j DNAT --to-destination 192.168.1.41:631
iptables -I FORWARD -i $WAN -p tcp --dport 631 -d 192.168.1.41 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 631 -d 192.168.1.41 -j MASQUERADE

# 4.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j DNAT --to-destination 192.168.1.41:1723
iptables -I FORWARD -i $WAN -p tcp --dport 1723 -d 192.168.1.41 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 1723 -d 192.168.1.41 -j MASQUERADE

# 5.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 4663 -j DNAT --to-destination 192.168.1.41:4663
iptables -I FORWARD -i $WAN -p tcp --dport 4663 -d 192.168.1.41 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 4663 -d 192.168.1.41 -j MASQUERADE

# 6.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 4711 -j DNAT --to-destination 192.168.1.41:4711
iptables -I FORWARD -i $WAN -p tcp --dport 4711 -d 192.168.1.41 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 4711 -d 192.168.1.41 -j MASQUERADE

# 7.
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 7735 -j DNAT --to-destination 192.168.1.41:7735
iptables -I FORWARD -i $WAN -p udp --dport 7735 -d 192.168.1.41 -j ACCEPT
iptables -t nat -A postrouting_rule -p udp --dport 7735 -d 192.168.1.41 -j MASQUERADE

# 8.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 443 -j DNAT --to-destination 192.168.1.43:443
iptables -I FORWARD -i $WAN -p tcp --dport 443 -d 192.168.1.43 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 443 -d 192.168.1.43 -j MASQUERADE

# 9.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1158 -j DNAT --to-destination 192.168.1.43:1158
iptables -I FORWARD -i $WAN -p tcp --dport 1158 -d 192.168.1.43 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 1158 -d 192.168.1.43 -j MASQUERADE

# 10.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1234 -j DNAT --to-destination 192.168.1.43:1234
iptables -I FORWARD -i $WAN -p tcp --dport 1234 -d 192.168.1.43 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 1234 -d 192.168.1.43 -j MASQUERADE

# 11.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1521 -j DNAT --to-destination 192.168.1.43:1521
iptables -I FORWARD -i $WAN -p tcp --dport 1521 -d 192.168.1.43 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 1521 -d 192.168.1.43 -j MASQUERADE

# 12.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 3901:4100 -j DNAT --to-destination 192.168.1.43:3901-4100
iptables -I FORWARD -i $WAN -p tcp --dport 3901:4100 -d 192.168.1.43 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 3901:4100 -d 192.168.1.43 -j MASQUERADE

# 13.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 5800 -j DNAT --to-destination 192.168.1.43:5800
iptables -I FORWARD -i $WAN -p tcp --dport 5800 -d 192.168.1.43 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 5800 -d 192.168.1.43 -j MASQUERADE

# 14.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 5900 -j DNAT --to-destination 192.168.1.43:5900
iptables -I FORWARD -i $WAN -p tcp --dport 5900 -d 192.168.1.43 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 5900 -d 192.168.1.43 -j MASQUERADE

# 15.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8691 -j DNAT --to-destination 192.168.1.43:8691
iptables -I FORWARD -i $WAN -p tcp --dport 8691 -d 192.168.1.43 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 8691 -d 192.168.1.43 -j MASQUERADE

# 16.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 21 -j DNAT --to-destination 192.168.1.44:21
iptables -I FORWARD -i $WAN -p tcp --dport 21 -d 192.168.1.44 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 21 -d 192.168.1.44 -j MASQUERADE

# 17.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8046 -j DNAT --to-destination 192.168.1.46:80
iptables -I FORWARD -i $WAN -p tcp --dport 80 -d 192.168.1.46 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 80 -d 192.168.1.46 -j MASQUERADE

# 18.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 23 -j DNAT --to-destination 192.168.1.49:23
iptables -I FORWARD -i $WAN -p tcp --dport 23 -d 192.168.1.49 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 23 -d 192.168.1.49 -j MASQUERADE

# 19.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8049 -j DNAT --to-destination 192.168.1.49:80
iptables -I FORWARD -i $WAN -p tcp --dport 80 -d 192.168.1.49 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 80 -d 192.168.1.49 -j MASQUERADE

# 20.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8050 -j DNAT --to-destination 192.168.1.50:80
iptables -I FORWARD -i $WAN -p tcp --dport 80 -d 192.168.1.50 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 80 -d 192.168.1.50 -j MASQUERADE

# 21.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 554 -j DNAT --to-destination 192.168.1.53:554
iptables -I FORWARD -i $WAN -p tcp --dport 554 -d 192.168.1.53 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 554 -d 192.168.1.53 -j MASQUERADE
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 554 -j DNAT --to-destination 192.168.1.53:554
iptables -I FORWARD -i $WAN -p udp --dport 554 -d 192.168.1.53 -j ACCEPT
iptables -t nat -A postrouting_rule -p udp --dport 554 -d 192.168.1.53 -j MASQUERADE

# 22.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8053 -j DNAT --to-destination 192.168.1.53:80
iptables -I FORWARD -i $WAN -p tcp --dport 80 -d 192.168.1.53 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 80 -d 192.168.1.53 -j MASQUERADE

# 23.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 53 -j DNAT --to-destination 192.168.1.82:53
iptables -I FORWARD -i $WAN -p tcp --dport 53 -d 192.168.1.82 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 53 -d 192.168.1.82 -j MASQUERADE
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 53 -j DNAT --to-destination 192.168.1.82:53
iptables -I FORWARD -i $WAN -p udp --dport 53 -d 192.168.1.82 -j ACCEPT
iptables -t nat -A postrouting_rule -p udp --dport 53 -d 192.168.1.82 -j MASQUERADE

# 24.
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 88 -j DNAT --to-destination 192.168.1.82:88
iptables -I FORWARD -i $WAN -p udp --dport 88 -d 192.168.1.82 -j ACCEPT
iptables -t nat -A postrouting_rule -p udp --dport 88 -d 192.168.1.82 -j MASQUERADE

# 25.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 3074 -j DNAT --to-destination 192.168.1.82:3074
iptables -I FORWARD -i $WAN -p tcp --dport 3074 -d 192.168.1.82 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 3074 -d 192.168.1.82 -j MASQUERADE
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 3074 -j DNAT --to-destination 192.168.1.82:3074
iptables -I FORWARD -i $WAN -p udp --dport 3074 -d 192.168.1.82 -j ACCEPT
iptables -t nat -A postrouting_rule -p udp --dport 3074 -d 192.168.1.82 -j MASQUERADE

# 26.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 2121 -j DNAT --to-destination 192.168.1.83:21
iptables -I FORWARD -i $WAN -p tcp --dport 21 -d 192.168.1.83 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 21 -d 192.168.1.83 -j MASQUERADE

# 27.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8083 -j DNAT --to-destination 192.168.1.83:80
iptables -I FORWARD -i $WAN -p tcp --dport 80 -d 192.168.1.83 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 80 -d 192.168.1.83 -j MASQUERADE

# 28.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8084 -j DNAT --to-destination 192.168.1.84:80
iptables -I FORWARD -i $WAN -p tcp --dport 80 -d 192.168.1.84 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 80 -d 192.168.1.84 -j MASQUERADE

# 29.
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 9100 -j DNAT --to-destination 192.168.1.84:9100
iptables -I FORWARD -i $WAN -p tcp --dport 9100 -d 192.168.1.84 -j ACCEPT
iptables -t nat -A postrouting_rule -p tcp --dport 9100 -d 192.168.1.84 -j MASQUERADE

---------------

Each triplet of rules consists of a prerouting phase, a forward one, and finally a postrouting one, which I was forced to add, even though I cannot figure out exactly why, in order to make the firewall work better. For rules #21, #23 and #25, I need to allow incoming connections on both TCP and UDP; there is probably a better syntax to group TCP and UDP rules together, but I am not aware of it.

For some devices (192.168.1.41, 192.168.1.44 - involved rules # 2 to 7 and # 16 respectively), everything seems to work properly, and I can access the Internet normally. From some others (192.168.1.50, 192.168.1.53 - rules # 18,19 and # 20 respectively), NAT is working, but I cannot access the Internet from them, not even on ports not involved in the previous redirection, e.g. tcp/25 (trying to send an email): it simply seems that outgoing traffic is blocked. I didn't try other IPs, but these already show that there is something different between the ones for which outgoing traffic is permitted and the ones for which it isn't. And I really cannot understand what. What's wrong with 192.168.1.50 or 192.168.1.53? Why can't I access the Internet from them?

Thanks for your answers and your time!
Cheers

Dear all,
I managed to solve my problem... due to my distraction or to a missing setting, there wasn't a LAN -> WAN path. Sorry... Curiously, not all the outgoing traffic was blocked, only the traffic on ports not involved in any port forwarding.
Just a final question: for the rules involving both TCP and UDP, is there a syntax involving both, instead of repeating the lines twice (rules #21, #23, #25 in my configuration file)? I tried -p tcp,udp, -p both, -p all; I read the documentation, but found nothing.
Thanks!
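The combined TCP+UDP question from the last post and the missing LAN -> WAN path from the first, as an added example that is not from the original thread: a small POSIX sh generator that emits the same DNAT/FORWARD rule pairs from one line per forward, looping over a protocol list because iptables -p accepts exactly one protocol (port matches are protocol-specific, so -p all cannot carry --dport). It assumes the WAN interface is ppp0 and the LAN bridge is br-lan, and prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the iptables commands for
# DNAT port forwards from one declaration per forward; TCP and UDP rules are
# produced by looping, since "-p" takes exactly one protocol.
IPT="echo iptables"   # dry run: prints commands; set to "iptables" to apply
WAN=ppp0              # assumption; the post reads it with uci instead
LAN=br-lan            # assumption: OpenWrt default LAN bridge

# fwd PROTOS EXT_PORT DEST_IP DEST_PORT
#   PROTOS    "tcp", "udp" or "tcp udp"
#   EXT_PORT  a port or a range a:b; for a range give DEST_PORT as a-b
fwd() {
    protos=$1; ext=$2; dip=$3; dport=$4
    fport=$(printf '%s' "$dport" | tr '-' ':')   # a-b -> a:b for the match
    for p in $protos; do
        $IPT -t nat -A prerouting_rule -i "$WAN" -p "$p" --dport "$ext" \
            -j DNAT --to-destination "$dip:$dport"
        $IPT -I FORWARD -i "$WAN" -p "$p" -d "$dip" --dport "$fport" -j ACCEPT
    done
}

# The path the first post was missing: LAN -> WAN forwarding, return traffic
# for established flows, and source NAT on the WAN side only.
lan_to_wan() {
    $IPT -I FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A postrouting_rule -o "$WAN" -j MASQUERADE
}

# count_rules ARGS... : number of commands fwd emits for those arguments
count_rules() { fwd "$@" | wc -l | tr -d ' '; }

# Rules 21, 23 and 25 from the post, each written once, plus range rule 12
fwd "tcp udp" 554  192.168.1.53 554
fwd "tcp udp" 53   192.168.1.82 53
fwd "tcp udp" 3074 192.168.1.82 3074
fwd tcp 3901:4100  192.168.1.43 3901-4100
lan_to_wan
```

The per-host MASQUERADE from the post's triplets is left out on purpose: it rewrites the source of every forwarded connection to that host, the DNAT'd ones from the Internet included, so the server only ever logs the router's LAN address instead of the real remote client; it is only needed when replies would otherwise not come back through the router (hairpin access from the LAN, or a host with a different default gateway).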

The discussion might have continued from here.