Temat: firewall na Kamikaze (8.09.2, r18961) w routerze linksys wrt54gs v4
Ostanio zestawiłem połączenie AP (router ASUS WL-500g Premium - OpenWrt Attitude Adjustment 12.09, r36088) - AP Client (router linksys wrt54gs v4 - Kamikaze (8.09.2, r18961) na asusie firewall nie sprawia problemów z udostępnianiem i przekierowaniem portów lecz na linksysie już tak. Na początek zamieszę pliki konfiguracyjne:
config 'defaults'
option 'syn_flood' '1'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
config 'zone'
option 'name' 'lan'
option 'network' 'lan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
config 'zone'
option 'name' 'wan'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'masq' '1'
option 'mtu_fix' '1'
option 'network' 'wan'
config 'zone'
option 'name' 'wwan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'masq' '1'
option 'mtu_fix' '1'
option 'network' 'wwan'
config 'forwarding'
option 'src' 'lan'
option 'dest' 'wan'
config 'forwarding'
option 'src' 'lan'
option 'dest' 'wwan'
config 'rule'
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '68'
option 'target' 'ACCEPT'
config 'rule'
option 'src' 'wwan'
option 'proto' 'udp'
option 'dest_port' '68'
option 'target' 'ACCEPT'
config 'rule'
option 'src' 'wwan'
option 'target' 'ACCEPT'
option 'proto' 'tcpudp'
option 'name' 'ssh'
option 'dest_port' '2222'
config 'redirect'
option 'target' 'DNAT'
option 'name' 'ssh'
option 'src' 'wwan'
option 'proto' 'tcpudp'
option 'src_dport' '2222'
option 'dest_port' '2222'
option 'dest_ip' '192.168.2.1'
config 'rule'
option 'src' 'wwan'
option 'target' 'ACCEPT'
option 'proto' 'tcpudp'
option 'name' 'WWW'
option 'dest_port' '8082'
config 'rule'
option 'name' 'IP_CAM_1_WWW'
option 'src' 'wwan'
option 'target' 'ACCEPT'
option 'proto' 'tcpudp'
option 'dest_port' '8083'
config 'redirect'
option 'target' 'DNAT'
option 'name' 'IP_CAM_1_WWW'
option 'src' 'wwan'
option 'proto' 'tcpudp'
option 'src_dport' '8083'
option 'dest_port' '8083'
option 'dest_ip' '192.168.2.128'
config 'redirect'
option 'target' 'DNAT'
option 'name' 'WWW'
option 'src' 'wwan'
option 'proto' 'tcpudp'
option 'src_dport' '8082'
option 'dest_port' '8082'
option 'dest_ip' '192.168.2.1'
config 'rule'
option 'src' 'wwan'
option 'target' 'ACCEPT'
option 'proto' 'tcpudp'
option 'name' 'hp_ssh'
option 'dest_port' '2223'
config 'redirect'
option 'target' 'DNAT'
option 'name' 'hp_ssh'
option 'src' 'wwan'
option 'proto' 'tcpudp'
option 'src_dport' '2223'
option 'dest_port' '22'
option 'dest_ip' '192.168.2.67'
config 'rule'
option 'name' 'rtsp'
option 'src' 'wwan'
option 'target' 'ACCEPT'
option 'proto' 'tcpudp'
option 'dest_port' '554'
config 'redirect'
option 'target' 'DNAT'
option 'name' 'rtsp'
option 'src' 'wwan'
option 'proto' 'tcpudp'
option 'dest_port' '554'
option 'dest_ip' '192.168.2.128'
config 'rule'
option 'name' 'IP_CAM_1_UDP'
option 'src' 'wwan'
option 'target' 'ACCEPT'
option 'proto' 'udp'
option 'dest_port' '37778'
config 'redirect'
option 'target' 'DNAT'
option 'name' 'IP_CAM_1_UDP'
option 'src' 'wwan'
option 'proto' 'udp'
option 'dest_port' '37778'
option 'dest_ip' '192.168.2.128'
config 'rule'
option 'name' 'IP_CAM_1_TCP'
option 'src' 'wwan'
option 'target' 'ACCEPT'
option 'proto' 'tcp'
option 'dest_port' '37777'
config 'redirect'
option 'target' 'DNAT'
option 'name' 'IP_CAM_1_TCP'
option 'src' 'wwan'
option 'proto' 'tcp'
option 'dest_port' '37777'
option 'dest_ip' '192.168.2.128'
config 'include'
option 'path' '/etc/firewall.user'Wszystkie reguły działają oprócz dwóch ostatnich:
config 'rule'
option 'name' 'IP_CAM_1_UDP'
option 'src' 'wwan'
option 'target' 'ACCEPT'
option 'proto' 'udp'
option 'dest_port' '37778'
config 'redirect'
option 'target' 'DNAT'
option 'name' 'IP_CAM_1_UDP'
option 'src' 'wwan'
option 'proto' 'udp'
option 'dest_port' '37778'
option 'dest_ip' '192.168.2.128'
config 'rule'
option 'name' 'IP_CAM_1_TCP'
option 'src' 'wwan'
option 'target' 'ACCEPT'
option 'proto' 'tcp'
option 'dest_port' '37777'
config 'redirect'
option 'target' 'DNAT'
option 'name' 'IP_CAM_1_TCP'
option 'src' 'wwan'
option 'proto' 'tcp'
option 'dest_port' '37777'
option 'dest_ip' '192.168.2.128'A taka ciekawostka jak przeniosę te reguły przed regułą:
config 'rule'
option 'name' 'rtsp'
option 'src' 'wwan'
option 'target' 'ACCEPT'
option 'proto' 'tcpudp'
option 'dest_port' '554'
config 'redirect'
option 'target' 'DNAT'
option 'name' 'rtsp'
option 'src' 'wwan'
option 'proto' 'tcpudp'
option 'dest_port' '554'
option 'dest_ip' '192.168.2.128'To już reguły z portem 37777 i 37778 działają a reguła z portem 554 przestaje działać. Nie wiem czy coś źle robię przy konfiguracji czy to jakiś błąd oprogramowania. Nawet przywracałem ustawienia do ustawień fabrycznych z ponownym ustawieniem firewalla. Przy każdej zmianie reguł firewalla wykonywałem /etc/init.d/firewall reload i /etc/init.d/firewall restart. Też sprawdzałem czy nie ma pustych znaków w configu.
Log z iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
input_rule all -- anywhere anywhere
input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
zone_wwan_MSSFIX all -- anywhere anywhere
zone_wan_MSSFIX all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
forward all -- anywhere anywhere
reject all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
output_rule all -- anywhere anywhere
output all -- anywhere anywhere
Chain forward (1 references)
target prot opt source destination
zone_wwan_forward all -- anywhere anywhere
zone_lan_forward all -- anywhere anywhere
Chain forwarding_lan (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_wan (1 references)
target prot opt source destination
Chain forwarding_wwan (1 references)
target prot opt source destination
Chain input (1 references)
target prot opt source destination
zone_wwan all -- anywhere anywhere
zone_lan all -- anywhere anywhere
Chain input_lan (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan (1 references)
target prot opt source destination
Chain input_wwan (1 references)
target prot opt source destination
Chain output (1 references)
target prot opt source destination
zone_lan_ACCEPT all -- anywhere anywhere
zone_wan_ACCEPT all -- anywhere anywhere
zone_wwan_ACCEPT all -- anywhere anywhere
Chain output_rule (1 references)
target prot opt source destination
Chain reject (5 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all -- anywhere anywhere
Chain zone_lan (1 references)
target prot opt source destination
input_lan all -- anywhere anywhere
zone_lan_ACCEPT all -- anywhere anywhere
Chain zone_lan_ACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain zone_lan_DROP (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain zone_lan_MSSFIX (0 references)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain zone_lan_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere
reject all -- anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
zone_wwan_ACCEPT all -- anywhere anywhere
zone_wan_ACCEPT all -- anywhere anywhere
forwarding_lan all -- anywhere anywhere
zone_lan_REJECT all -- anywhere anywhere
Chain zone_wan (0 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:68
input_wan all -- anywhere anywhere
zone_wan_REJECT all -- anywhere anywhere
Chain zone_wan_ACCEPT (2 references)
target prot opt source destination
Chain zone_wan_DROP (0 references)
target prot opt source destination
Chain zone_wan_MSSFIX (1 references)
target prot opt source destination
Chain zone_wan_REJECT (2 references)
target prot opt source destination
Chain zone_wan_forward (0 references)
target prot opt source destination
forwarding_wan all -- anywhere anywhere
zone_wan_REJECT all -- anywhere anywhere
Chain zone_wwan (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:37777
ACCEPT udp -- anywhere anywhere udp dpt:37778
ACCEPT udp -- anywhere anywhere udp dpt:554
ACCEPT tcp -- anywhere anywhere tcp dpt:554
ACCEPT udp -- anywhere anywhere udp dpt:2223
ACCEPT tcp -- anywhere anywhere tcp dpt:2223
ACCEPT udp -- anywhere anywhere udp dpt:8083
ACCEPT tcp -- anywhere anywhere tcp dpt:8083
ACCEPT udp -- anywhere anywhere udp dpt:8082
ACCEPT tcp -- anywhere anywhere tcp dpt:8082
ACCEPT udp -- anywhere anywhere udp dpt:2222
ACCEPT tcp -- anywhere anywhere tcp dpt:2222
ACCEPT udp -- anywhere anywhere udp dpt:68
input_wwan all -- anywhere anywhere
zone_wwan_ACCEPT all -- anywhere anywhere
Chain zone_wwan_ACCEPT (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain zone_wwan_DROP (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain zone_wwan_MSSFIX (1 references)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain zone_wwan_REJECT (1 references)
target prot opt source destination
reject all -- anywhere anywhere
reject all -- anywhere anywhere
Chain zone_wwan_forward (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.2.128 tcp dpt:37777
ACCEPT udp -- anywhere 192.168.2.128 udp dpt:37778
ACCEPT udp -- anywhere 192.168.2.128 udp dpt:554
ACCEPT tcp -- anywhere 192.168.2.128 tcp dpt:554
ACCEPT udp -- anywhere 192.168.2.67 udp dpt:22
ACCEPT tcp -- anywhere 192.168.2.67 tcp dpt:22
ACCEPT udp -- anywhere 192.168.2.1 udp dpt:8082
ACCEPT tcp -- anywhere 192.168.2.1 tcp dpt:8082
ACCEPT udp -- anywhere 192.168.2.128 udp dpt:8083
ACCEPT tcp -- anywhere 192.168.2.128 tcp dpt:8083
ACCEPT udp -- anywhere 192.168.2.1 udp dpt:2222
ACCEPT tcp -- anywhere 192.168.2.1 tcp dpt:2222
forwarding_wwan all -- anywhere anywhere
zone_wwan_REJECT all -- anywhere anywhere 
