OpenWrt Forum Archive

Topic: DMZ and /etc/config/firewall

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I am having trouble with my port forwarding through the /etc/config/firewall file whenever I have a DMZ enabled in the firewall.user file.

Has anyone else experienced this before, or is the general consensus that I messed it up (very possible)?

I have run a sniffer on my DMZ machine and it is showing ports that are supposed to be forwarded to another machine (specifically port 6477)... and the other machine is not receiving anything on that port.

Any ideas? Here is what I have:

==============FIREWALL.USER==================
#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

### BIG FAT DISCLAIMER
## The "-i $WAN" is used to match packets that come in via the $WAN interface.
## it WILL NOT MATCH packets sent from the $WAN ip address -- you won't be able
## to see the effects from within the LAN.

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
#iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 127.0.0.1:80
#iptables        -A forwarding_rule -i $WAN -p tcp --dport 80 -d 127.0.0.1 -j ACCEPT

### DMZ
## -- Connections to ports not handled above will be forwarded to the DMZ host 192.168.1.100
iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.100
iptables        -A forwarding_rule -i $WAN -d 192.168.1.100 -j ACCEPT
=======================================================

=====================/etc/config/firewall======================

# EXAMPLES:
# drop:dport=22 src=1.3.3.7
# accept:proto=tcp dport=22
# forward:dport=60168:192.168.1.2:60169
forward:dport=8090-8098:192.168.1.21
forward:dport=20-21:192.168.1.100
forward:dport=6477:192.168.1.22:6477
forward:dport=8099:192.168.1.100
======================================================

Any help is greatly appreciated.
Thanks!

(Last edited by mread5 on 26 Apr 2006, 00:06)

For what it's worth, when I comment out the DMZ lines, everything else works just fine. That is why I think there is something wrong with the way my DMZ is configured. I think that the packets come in and my router immediately forwards them to the DMZ, and waits to process the rules. This effectively would not allow any of the traffic to even get to the forwarding rules because it would have already forwarded it to the DMZ.

Can someone confirm this so that I am not guessing in the dark?

Look at /etc/init.d/S45firewall: the firewall.user rules get executed before the /etc/config/firewall rules (we didn't expect people to use both).
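As an added illustration (not part of the thread), the following Python model reproduces the first-match behaviour of the nat prerouting chain that the reply describes: because S45firewall loads firewall.user first, the DMZ rule, which has no -p or --dport match, is hit by every incoming packet and its DNAT ends chain traversal before the port 6477 forward is ever consulted. The chain contents are modelled from the posted files; treating each `forward:` line as a DNAT matched on destination port only is an assumption of this example.

```python
"""Model of iptables first-match evaluation for the posted firewall.

Constructed example: each Rule stands for one nat/prerouting entry.
Both DNAT and ACCEPT end traversal of the chain for that packet, so
whatever rule matches first decides where the packet is delivered.
"""
from dataclasses import dataclass
from typing import List, Optional

ROUTER = "router"  # packet not DNATed: delivered to the router itself

@dataclass(frozen=True)
class Rule:
    target: str                     # "DNAT" or "ACCEPT" (both terminate)
    to: Optional[str] = None        # DNAT destination address
    dports: Optional[range] = None  # None = no --dport match, hits every port
    label: str = ""

def destination(chain: List[Rule], dport: int) -> str:
    """Walk the chain in order; the first matching rule decides the outcome."""
    for rule in chain:
        if rule.dports is None or dport in rule.dports:
            return rule.to if rule.target == "DNAT" else ROUTER
    return ROUTER  # chain exhausted without a DNAT

# firewall.user, in the order the file appends them:
SSH_TO_ROUTER = Rule("ACCEPT", dports=range(22, 23), label="dropbear on router")
DMZ = Rule("DNAT", to="192.168.1.100", label="DMZ catch-all (no --dport)")

# /etc/config/firewall forward: lines (assumed to become dport-matched DNATs)
FORWARDS = [
    Rule("DNAT", "192.168.1.21", range(8090, 8099), "8090-8098 -> .21"),
    Rule("DNAT", "192.168.1.100", range(20, 22), "20-21 -> .100"),
    Rule("DNAT", "192.168.1.22", range(6477, 6478), "6477 -> .22"),
    Rule("DNAT", "192.168.1.100", range(8099, 8100), "8099 -> .100"),
]

# What S45firewall builds: firewall.user first, then /etc/config/firewall.
AS_POSTED = [SSH_TO_ROUTER, DMZ] + FORWARDS
# Same rules with the catch-all moved behind the specific forwards.
DMZ_LAST = [SSH_TO_ROUTER] + FORWARDS + [DMZ]

def where_does_6477_go(chain: List[Rule]) -> str:
    return destination(chain, 6477)

if __name__ == "__main__":
    print("as posted :", where_does_6477_go(AS_POSTED))  # DMZ host swallows it
    print("DMZ last  :", where_does_6477_go(DMZ_LAST))   # reaches 192.168.1.22
```

The model also shows why SSH to the router kept working: its ACCEPT sits ahead of the DMZ rule, whereas everything else is captured by the catch-all.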
