[Tfug] firewall help

John Gruenenfelder johng at as.arizona.edu
Sun Feb 19 16:47:42 MST 2006


I just upgraded my wrt54g router to the newest (rc4) release of OpenWRT.  The
change was necessary to do some VOIP traffic shaping later.

But... in doing so I seem to have messed up the very simple firewall.  It's
mostly working, though.  All traffic on the LAN/wifi interfaces is fine as is
all outbound and masqueraded traffic.

What's not working is the blanket forwarding.  Before, I had it set up to
forward all incoming traffic to a machine on the LAN where I run my services.
But now that machine is no longer reachable.  All incoming connections go into
the void.

Unfortunately, this little problem demonstrates my lack of networking and
firewall knowledge.  So... I'm not entirely sure where my problem lies.  Here
is the output from "iptables -L -n":

root at bebop:/etc/init.d# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp option=!2 flags:0x02/0x02 
input_rule  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0           
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
output_rule  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain forwarding_rule (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            192.168.0.3         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         


The machine at 192.168.0.3 is my server.

My best guess is that the new OpenWRT has a default DROP policy.  And if I
want anything to get in then I'll have to allow those specific ports.  If
that's the case, I'm fine with that.  But I'd like to know what the problem is
first before I start mucking around with the firewall and potentially hose it
even further.

Any ideas?


-- 
--John Gruenenfelder    Research Assistant, UMass Amherst student
                        Systems Manager, MKS Imaging Technology, LLC.
Try Weasel Reader for PalmOS  --  http://gutenpalm.sf.net
"This is the most fun I've had without being drenched in the blood
of my enemies!"
        --Sam of Sam & Max
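One thing worth checking when reading the dump above: `iptables -L -n` lists only the filter table, so a port forward's DNAT rule (which lives in the nat table, `iptables -t nat -L -n`) would not appear there at all, and `-L` without `-v` hides the interface matches. The script below is an added example, not part of the original message or of the OpenWrt firewall scripts; it emits the two rules each forwarded service needs (nat/PREROUTING DNAT plus a filter/FORWARD accept limited to that protocol and port, rather than the catch-all accept to 192.168.0.3 shown in forwarding_rule). It assumes the OpenWrt user chains `prerouting_rule` (nat table) and `forwarding_rule` (filter table, visible in the dump), a WAN interface named `vlan1`, and the server address from the post; all three are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenWrt): build the rules
# for narrow, per-service port forwarding on an iptables router.
# Assumptions: WAN interface name, LAN server address, and the user chains
# prerouting_rule (nat) and forwarding_rule (filter) referenced from the
# router's built-in chains.
WAN="${WAN:-vlan1}"              # assumed WAN interface name (placeholder)
SERVER="${SERVER:-192.168.0.3}"  # the LAN server from the post

# Dry-run by default: print the iptables commands instead of running them.
# Set FW_APPLY=1 to execute them on the router for real.
if [ "${FW_APPLY:-0}" = "1" ]; then IPT="iptables"; else IPT="echo iptables"; fi

# forward_port <server> <proto> <port>
# 1) nat table, prerouting_rule: rewrite the destination of inbound WAN
#    packets for this port to the LAN server (DNAT).
# 2) filter table, forwarding_rule: allow only that protocol/port through
#    to the server; everything else still falls to the FORWARD DROP policy.
forward_port() {
    server="$1"; proto="$2"; port="$3"
    $IPT -t nat -A prerouting_rule -i "$WAN" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$server:$port"
    $IPT -A forwarding_rule -i "$WAN" -p "$proto" --dport "$port" \
        -d "$server" -j ACCEPT
}

# forward_services <server> "<proto:port> ..."   e.g. "tcp:22 tcp:80 udp:5060"
# Expands each proto:port pair into the two rules above.
forward_services() {
    server="$1"
    for svc in $2; do
        forward_port "$server" "${svc%%:*}" "${svc#*:}"
    done
}

# Run directly: print the rules for a few typical services (constructed list).
forward_services "$SERVER" "tcp:22 tcp:80 tcp:443"
```

Run it once without `FW_APPLY` to review the generated commands, then with `FW_APPLY=1` on the router; afterwards `iptables -t nat -L prerouting_rule -n -v` and `iptables -L forwarding_rule -n -v` should show one DNAT and one ACCEPT per service, with the interface and packet counters visible.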
