[Tfug] firewall help
Bowie J. Poag
bpoag at comcast.net
Sun Feb 19 22:57:36 MST 2006
Not to be obnoxious (heh, tall order, I know..) but why are you using
OpenWRT? What are you gaining, other than a homebrew headache over a
commercial headache, in the end? Just curious. What's OpenWRT have that
a stock wrt54g doesn't offer?
Cheers,
Bowie
John Gruenenfelder wrote:
>I just upgraded my wrt54g router to the newest (rc4) release of OpenWRT. The
>change was necessary to do some VOIP traffic shaping later.
>
>But... in doing so I seem to have messed up the very simple firewall. It's
>mostly working, though. All traffic on the LAN/wifi interfaces is fine as is
>all outbound and masqueraded traffic.
>
>What's not working is the blanket forwarding. Before, I had it set up to
>forward all incoming traffic to a machine on the LAN where I run my services.
>But now that machine is no longer reachable. All incoming connections go into
>the void.
>
>Unfortunately, this little problem demonstrates my lack of networking and
>firewall knowledge. So... I'm not entirely sure where my problem lies. Here
>is the output from "iptables -L -n":
>
>root at bebop:/etc/init.d# iptables -L -n
>Chain INPUT (policy DROP)
>target prot opt source destination
>DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
>ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp option=!2 flags:0x02/0x02
>input_rule all -- 0.0.0.0/0 0.0.0.0/0
>ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
>ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
>REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
>REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
>
>Chain FORWARD (policy DROP)
>target prot opt source destination
>DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
>TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>forwarding_rule all -- 0.0.0.0/0 0.0.0.0/0
>ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
>Chain OUTPUT (policy DROP)
>target prot opt source destination
>DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
>ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>output_rule all -- 0.0.0.0/0 0.0.0.0/0
>ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
>REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
>
>Chain forwarding_rule (1 references)
>target prot opt source destination
>ACCEPT all -- 0.0.0.0/0 192.168.0.3
>
>Chain input_rule (1 references)
>target prot opt source destination
>
>Chain output_rule (1 references)
>target prot opt source destination
>
>
>The machine at 192.168.0.3 is my server.
>
>My best guess is that the new OpenWRT has a default DROP policy. And if I
>want anything to get in then I'll have to allow those specific ports. If
>that's the case, I'm fine with that. But I'd like to know what the problem is
>first before I start mucking around with the firewall and potentially hose it
>even further.
>
>Any ideas?
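Added example, not part of the thread: a first-match walk over the FORWARD chains from the quoted listing. It shows that the filter side already accepts new connections whose destination is 192.168.0.3, so the part worth checking next is the nat-table DNAT that rewrites a WAN packet's destination to the server, which `iptables -L -n` never lists (it shows only the filter table; `iptables -t nat -L -n` shows the nat table). It assumes the two trailing `ACCEPT all` lines of FORWARD carry an interface match that `-L -n` without `-v` hides, so they are left out of the sample; the packet addresses are constructed.

```python
import ipaddress

# Constructed sample: the FORWARD chains of the listing above, as `iptables -L -n` prints them.
LISTING = """\
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
forwarding_rule all -- 0.0.0.0/0 0.0.0.0/0

Chain forwarding_rule (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 192.168.0.3
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end the walk

def parse_chains(text):
    chains, cur = {}, None
    for parts in (line.split() for line in text.splitlines()):
        if not parts:
            continue
        if parts[0] == "Chain":  # base chains show "(policy X)", user chains "(N references)"
            policy = parts[3].rstrip(")") if parts[2] == "(policy" else None
            cur = chains.setdefault(parts[1], {"policy": policy, "rules": []})
        elif parts[0] != "target":  # columns: target prot opt source destination [matches]
            cur["rules"].append((parts[0], parts[1], parts[3], parts[4], " ".join(parts[5:])))
    return chains

def matches(rule, pkt):
    target, proto, src, dst, extra = rule
    if proto not in ("all", pkt["proto"]):
        return False
    for want, have in ((src, pkt["src"]), (dst, pkt["dst"])):
        if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
            return False
    if "state " in extra:  # conntrack match such as "state RELATED,ESTABLISHED"
        return pkt["state"] in extra.split("state ")[1].split()[0].split(",")
    return True

def verdict(chains, chain, pkt):
    # First-match walk; a user chain yields None when it falls off the end.
    for rule in (r for r in chains[chain]["rules"] if matches(r, pkt)):
        if rule[0] in TERMINAL:
            return rule[0]
        if rule[0] in chains:  # jump into a user-defined chain
            sub = verdict(chains, rule[0], pkt)
            if sub is not None:
                return sub
        # any other target (TCPMSS here) is non-terminating: keep walking
    return chains[chain]["policy"]
```

A packet from the WAN arrives addressed to the router's own address and is delivered to INPUT, not FORWARD; it only traverses FORWARD with 192.168.0.3 as destination after a nat-table DNAT rule has rewritten it, so the accept in forwarding_rule alone cannot make the server reachable.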