OpenWrt Forum Archive

Topic: Firewall rules not working at all.

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have read the common mistakes, reviewed my rules, and nothing seems to be working.

here is my firewall.user file:

#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.

### Allow SSH on the WAN interface
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT

### Port forwarding
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.100
# iptables        -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 113 -j DNAT --to 192.168.1.100
iptables        -A forwarding_rule -i $WAN -p tcp --dport 113 -d 192.168.1.2 -j ACCEPT

### DMZ (should be placed after port forwarding / accept rules)
# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
# iptables        -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT

I have entered a simple rule to map port 113 (identd) to an inside ip.

Why are my rules being completely ignored?

I see two things:

- you are trying to allow SSH from the WAN side, at the same time, you DNAT the ssh port to a LAN machine, the last rule will "win"

- you are doing DNAT on ports 22,113 to 192.168.1.100, but you only accept forwarding for 192.168.1.2, so replace 192.168.1.2 with 192.168.1.100

Anyway, your rules are not ignored at all; they are just wrong for what you want to do.

RItalMan wrote:

I see two things:

- you are trying to allow SSH from the WAN side, at the same time, you DNAT the ssh port to a LAN machine, the last rule will "win"

- you are doing DNAT on ports 22,113 to 192.168.1.100, but you only accept forwarding for 192.168.1.2, so replace 192.168.1.2 with 192.168.1.100

Anyway, your rules are not ignored at all; they are just wrong for what you want to do.

Actually, the .2 and .100 typo is only in the example I posted above (sorry about that), and the SSH rule is denoted anyways.

I finally figured out my problem. After days of banging my head on my keyboard, I had misspelled "forwarding_rule" once (spelled it as "fowarding_rule"), then had copied and pasted it several times within my rules, but it wasn't misspelled in every rule, so the problem wasn't too obvious, and the few rules I did check were the ones with the typo, so I assumed it was all rules. I was just working with way too many rules all at once, making it too difficult to troubleshoot.

It's now working much better, thanks for your help.
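A small lint script for the two mistakes this thread ran into, added here as an example and not part of the thread or of OpenWrt: it flags chain names in a firewall.user file that are not one of the user chains the posted script flushes (catching "fowarding_rule"), and DNAT targets that no forwarding_rule ACCEPT rule with a matching -d covers (catching the .100 vs .2 mismatch). The sample rules it runs over are constructed.

```sh
#!/bin/sh
# Constructed sample (not the poster's file): contains both mistakes from the thread.
SAMPLE='iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 113 -j DNAT --to 192.168.1.100
iptables        -A fowarding_rule -i $WAN -p tcp --dport 113 -d 192.168.1.2 -j ACCEPT'

# The user chains that the OpenWrt firewall.user script above flushes with -F.
KNOWN_CHAINS="input_rule output_rule forwarding_rule prerouting_rule postrouting_rule"

# Print every chain name given to -A/-I/-F that is not in KNOWN_CHAINS (comments skipped).
unknown_chains() {
    printf '%s\n' "$1" | awk -v known="$KNOWN_CHAINS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "-A" || $i == "-I" || $i == "-F") {
                    c = $(i + 1)
                    if (!(c in ok) && !(c in seen)) { seen[c] = 1; print c }
                }
        }'
}

# Print every DNAT --to address (port stripped) that has no
# "forwarding_rule ... -d <addr> ... -j ACCEPT" rule letting the forwarded traffic through.
unaccepted_dnat_targets() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        {
            dst = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--to" || $i == "--to-destination") {
                    t = $(i + 1); sub(/:.*/, "", t); dnat[t] = 1
                }
                if ($i == "-d") dst = $(i + 1)
            }
            # A misspelled chain (e.g. fowarding_rule) deliberately does not count as accepting.
            if (index($0, "forwarding_rule") && index($0, "-j ACCEPT") && dst != "")
                accepted[dst] = 1
        }
        END { for (t in dnat) if (!(t in accepted)) print t }'
}

# Example run over the constructed sample:
unknown_chains "$SAMPLE"          # prints: fowarding_rule
unaccepted_dnat_targets "$SAMPLE" # prints: 192.168.1.100
```

Run it against a real firewall.user with `unknown_chains "$(cat /etc/firewall.user)"`; empty output from both functions means neither mistake is present.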
