OpenWrt Forum Archive

Topic: Can't ping WAN from LAN

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
toris
28 Jan 2006, 22:35

Hi,

I'm having a problem, due to rearranging of furniture I had to unplug my router today, and upon power up I'm now having a problem, basically I can't ping my modem from the LAN side of the network.

I have the following setup:
Modem - 10.0.1.253
Router [WAN side] - 10.0.1.254
Router [LAN side] - 10.0.0.254
Clients [LAN] - 10.0.0.[1-253]

Now, pinging the modem from any of the clients does not work, but I can ping it from the Router (WL500GD with OpenWRT White Russian RC4). One thing I might mention is I was messing with Shorewall to try and get traffic shaping working a few weeks ago (it's not been rebooted since), Shorewall has been uninstalled though, and no script was ever run at boot, as I didn't want to break anything, so I'm unsure whether that's at all relevant.

I have noticed that no packets are ever reaching the FORWARD table.

Here is my S45firewall, firewall.user, and output from iptables:
S45firewall:

#!/bin/sh

## Please make changes in /etc/firewall.user
${FAILSAFE:+exit}

. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

## CLEAR TABLES
for T in filter nat; do
  iptables -t $T -F
  iptables -t $T -X
done

iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule

iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

### INPUT
###  (connections with the router as destination)

  # base case
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A INPUT -j input_rule

  # allow
  iptables -A INPUT -i \! $WAN  -j ACCEPT       # allow from lan/wifi interfaces
  iptables -A INPUT -p icmp     -j ACCEPT       # allow ICMP
  iptables -A INPUT -p gre      -j ACCEPT       # allow GRE

  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### OUTPUT
### (connections with the router as source)

  # base case
  iptables -P OUTPUT DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A OUTPUT -j output_rule

  # allow
  iptables -A OUTPUT -j ACCEPT          #allow everything out

  # reject (what to do with anything not allowed earlier)
  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### FORWARDING
### (connections routed through the router)
                                                                                  
  # base case                                                                     
  iptables -P FORWARD DROP                                                        
  iptables -A FORWARD -m state --state INVALID -j DROP                            
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT     
                                                                         
  #                                                                      
  # insert accept rule or to jump to new accept-check table here  
  #                                                                      
  iptables -A FORWARD -j forwarding_rule                                 
                                                                         
  # allow                                                                
  iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT                                 
  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT                                 
                                                                                
  # reject (what to do with anything not allowed earlier)   
  # uses the default -P DROP                                                    
                                                                                
### MASQ                                                                        
  iptables -t nat -A PREROUTING -j prerouting_rule                              
  iptables -t nat -A POSTROUTING -j postrouting_rule             
  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE      
                                                                 
## USER RULES                                                    
[ -f /etc/firewall.user ] && . /etc/firewall.user

firewall.user:

#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.

### Allow SSH on the WAN interface
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT

### Port forwarding
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
# iptables        -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j DNAT --to 10.0.0.253
iptables        -A forwarding_rule -i $WAN -p tcp --dport 80 -d 10.0.0.253 -j ACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 10.0.0.253
iptables        -A forwarding_rule -i $WAN -p tcp --dport 22 -d 10.0.0.253 -j ACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8010:8020 -j DNAT --to 10.0.0.253
iptables        -A forwarding_rule -i $WAN -p tcp --dport 8010:8020 -d 10.0.0.253 -j ACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8081 -j DNAT --to 10.0.0.253
iptables        -A forwarding_rule -i $WAN -p tcp --dport 8081 -d 10.0.0.253 -j ACCEPT

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 21 -j DNAT --to 10.0.0.253
iptables        -A forwarding_rule -i $WAN -p tcp --dport 21 -d 10.0.0.253 -j ACCEPT


#iptables -t nat -A prerouting_rule -i $LAN -p tcp -d 212.69.52.248 --dport 80 -j DNAT --to 10.0.0 .253
#iptables        -A forwarding_rule -i $LAN -p tcp -d 212.69.52.248 --dport 80 -d 10.0.0.253 -j ACCEPT

### DMZ (should be placed after port forwarding / accept rules)
# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
# iptables        -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT

### Marking for QOS
#insmod ipt_layer7

#iptables -t mangle -F POSTROUTING
#iptables -t mangle -A POSTROUTING -o $WAN -p icmp -j MARK --set-mark 1
#iptables -t mangle -A POSTROUTING -o $WAN -p tcp --dport 22 -j MARK --set-mark 1
#iptables -t mangle -A POSTROUTING -o $WAN -p tcp --sport 22 -j MARK --set-mark 1

# irc
#iptables -t mangle -A POSTROUTING -o $WAN -m layer7 --l7proto irc -j MARK --set-mark 2

# unmarked
#iptables -t mangle -A POSTROUTING -o $WAN -m mark --mark 0 -j MARK --set-mark 3

# p2p
#iptables -t mangle -A POSTROUTING -o $WAN -m layer7 --l7proto bittorrent -j MARK --set-mark 4
#iptables -t mangle -A POSTROUTING -o $WAN -m layer7 --l7proto directconnect -j MARK --set-mark 4

iptables:

root@centaur:~# iptables -v -L 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
 2055  166K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp option=!2 flags:SYN/SYN 
  216 30233 input_rule  all  --  any    any     anywhere             anywhere            
  216 30233 ACCEPT     all  --  !vlan1 any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere            
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset 
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
    0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 forwarding_rule  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere            
    0     0 ACCEPT     all  --  br0    vlan1   anywhere             anywhere            

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
 1864  571K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    6   476 output_rule  all  --  any    any     anywhere             anywhere            
    6   476 ACCEPT     all  --  any    any     anywhere             anywhere            
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset 
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable 

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  vlan1  any     anywhere             leviathan           tcp dpt:80 
    0     0 ACCEPT     tcp  --  vlan1  any     anywhere             leviathan           tcp dpt:22 
    0     0 ACCEPT     tcp  --  vlan1  any     anywhere             leviathan           tcp dpts:8010:8020 
    0     0 ACCEPT     tcp  --  vlan1  any     anywhere             leviathan           tcp dpt:8081 
    0     0 ACCEPT     tcp  --  vlan1  any     anywhere             leviathan           tcp dpt:21 

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         




root@centaur:~# iptables -v -L -t nat
Chain PREROUTING (policy ACCEPT 2333 packets, 8577K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  767 72933 prerouting_rule  all  --  any    any     anywhere             anywhere            

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   140 postrouting_rule  all  --  any    any     anywhere             anywhere            
    2   140 MASQUERADE  all  --  any    vlan1   anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 17 packets, 1311 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  vlan1  any     anywhere             anywhere            tcp dpt:80 to:10.0.0.253 
    0     0 DNAT       tcp  --  vlan1  any     anywhere             anywhere            tcp dpt:22 to:10.0.0.253 
    6   288 DNAT       tcp  --  vlan1  any     anywhere             anywhere            tcp dpts:8010:8020 to:10.0.0.253 
    0     0 DNAT       tcp  --  vlan1  any     anywhere             anywhere            tcp dpt:8081 to:10.0.0.253 
    0     0 DNAT       tcp  --  vlan1  any     anywhere             anywhere            tcp dpt:21 to:10.0.0.253

Any suggestions anyone can make are hugely welcome!

[edit] I mistakenly said my router was a WRT54G, it's not, it's a WL500GD [/edit]

(Last edited by toris on 29 Jan 2006, 12:16)

Post #2
Sputnik
6 Feb 2006, 14:34

Does this still persist?
Move away your S45firewall-Script from /etc/init.d/
Reboot wrt
What is the output of route -n?
Does a traceroute to your providers IP work?

Sputnik

PS: If you are scared about exposing your LAN-PC to the internet without firewall, boot a Linux-Live System (Knoppix, Kanotix, Auditor, ...) and do the testing.

Post #3
toris
6 Feb 2006, 21:47

Hi there,

The problem was actually resolved today, for some reason /proc/sys/net/ipv4/ip_forwarding was set to 0, so nothing was forwarding... at least I know what to check in the future smile

Should that flag not be set on boot by something, or is it normal for it to be 0, and set to 1 manually?

Cheers,
Jamie.

Post #4
Sputnik
8 Feb 2006, 01:15

Welcome to wireless freedom ;-)

Running whiterussian RC4 the ip_forward setting (and others) is located in /etc/sysctl.conf and gets set by sysctl -p which is called whithin /etc/init.d/S99done.
By default ip_forward is set to 1.

Sputnik

The discussion might have continued from here.