I have updated a small OpenWRT-based router; it's running on a
simple network. It's running on an RB450 board.
br-lan is the LAN side, 172.20.0.0/16
eth0 is the WAN side, 192.168.25.x/24 (dhcp provided)
I have just a few iptables rules and NAT. Basically it's an 'allow
everything' router with very few exceptions:
-A FORWARD -d 192.168.25.1/32 -i br-lan -o eth0 -j ACCEPT
-A FORWARD -s 172.20.1.0/24 -i br-lan -o eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i br-lan -o eth0 -j DROP
-A FORWARD -d 10.0.0.0/8 -i br-lan -o eth0 -j DROP
-A FORWARD -d 172.16.0.0/12 -i br-lan -o eth0 -j DROP
-A FORWARD -s 172.20.0.0/16 -i br-lan -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o br-lan -m state ! --state NEW -j ACCEPT
-A POSTROUTING -s 172.20.0.0/16 -o eth0 -j MASQUERADE
Traffic on the br-lan (internal) and eth0 (external) interfaces is
almost the same, only with RX and TX inverted, which is fine and
expected, as this is a router with almost no traffic to/from itself.
root@firewall:/# ifconfig br-lan
br-lan Link encap:Ethernet HWaddr 00:0C:42:3D:FC:CD
inet addr:172.20.1.1 Bcast:172.20.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1862835 errors:0 dropped:0 overruns:0 frame:0
TX packets:2704211 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:586769410 (559.5 MiB) TX bytes:3337034105 (3.1 GiB)
root@firewall:/# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:42:3D:FC:CC
inet addr:192.168.25.22 Bcast:192.168.25.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2730189 errors:0 dropped:16202 overruns:0 frame:0
TX packets:1847701 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3348006946 (3.1 GiB) TX bytes:609083798 (580.8 MiB)
Interrupt:5
However, when watching my iptables rules, I'm not seeing the
'return' traffic hitting the 'in eth0 out br-lan' rule, and it's not hitting
the default ACCEPT rule either.
Chain FORWARD (policy ACCEPT 1278 packets, 91872 bytes)
 pkts   bytes target prot opt in     out    source         destination
    6     412 ACCEPT all  --  br-lan eth0   0.0.0.0/0      192.168.25.1
 9609  552193 ACCEPT all  --  br-lan eth0   172.20.1.0/24  0.0.0.0/0
    0       0 DROP   all  --  br-lan eth0   0.0.0.0/0      192.168.0.0/16
    0       0 DROP   all  --  br-lan eth0   0.0.0.0/0      10.0.0.0/8
    0       0 DROP   all  --  br-lan eth0   0.0.0.0/0      172.16.0.0/12
23145 1562899 ACCEPT all  --  br-lan eth0   172.20.0.0/16  0.0.0.0/0
  231   21457 ACCEPT all  --  eth0   br-lan 0.0.0.0/0      0.0.0.0/0      ! state NEW
Question: what is happening to my return traffic? Where is it
going (which rule)? The network is working, so I'm sure the return
traffic is not being blocked. However, I'm not seeing it on the rules it
was supposed to be 'hitting'.
Is this some new behavior from new iptables/netfilter versions? Is
this some behavior exclusive to OpenWRT, maybe some patch they apply
to iptables/netfilter?
root@firewall:/# uname -r
3.10.49
root@firewall:/# iptables --version
iptables v1.4.21
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email
gertrudes@xxxxxxxxxxxxxx
My SPAMTRAP, do not email it
--
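Added example (editor's note, not part of the original post or of OpenWRT/netfilter): a small Python script that parses the `iptables -nvL FORWARD` listing quoted above, sums rule hits per (in, out) interface pair, and compares them with the interface RX packet counters from the ifconfig output. Rule counters start at zero whenever the ruleset is loaded, while ifconfig counters run from interface bring-up, so the comparison shows how much of the interface traffic the chain's counters actually account for. The listing and interface counts embedded below are constructed from the values shown in the post; the K/M/G suffix handling covers the abbreviated counters iptables prints without `-x`.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the `iptables -nvL FORWARD` listing from the post,
# one rule per line, with the counter values as shown there.
SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT 1278 packets, 91872 bytes)
 pkts   bytes target prot opt in     out    source         destination
    6     412 ACCEPT all  --  br-lan eth0   0.0.0.0/0      192.168.25.1
 9609  552193 ACCEPT all  --  br-lan eth0   172.20.1.0/24  0.0.0.0/0
    0       0 DROP   all  --  br-lan eth0   0.0.0.0/0      192.168.0.0/16
    0       0 DROP   all  --  br-lan eth0   0.0.0.0/0      10.0.0.0/8
    0       0 DROP   all  --  br-lan eth0   0.0.0.0/0      172.16.0.0/12
23145 1562899 ACCEPT all  --  br-lan eth0   172.20.0.0/16  0.0.0.0/0
  231   21457 ACCEPT all  --  eth0   br-lan 0.0.0.0/0      0.0.0.0/0      ! state NEW
"""

# Constructed sample: "RX packets" per interface, taken from the post's ifconfig output.
SAMPLE_IFACE_RX = {"br-lan": 1862835, "eth0": 2730189}

_CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables abbreviates in base 1000


def parse_counter(token: str) -> int:
    """Parse an iptables counter such as '552193' or '552K' (printed without -x)."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str  # match options as printed, e.g. "! state NEW"


@dataclass
class Chain:
    name: str
    policy: str
    policy_pkts: int
    policy_bytes: int
    rules: list = field(default_factory=list)


def parse_listing(text: str) -> Chain:
    """Parse one chain of `iptables -nvL` output (numeric, verbose, single chain)."""
    chain = None
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain = Chain(m.group(1), m.group(2),
                          parse_counter(m.group(3)), parse_counter(m.group(4)))
            continue
        fields = line.split()
        if chain is None or not fields or fields[0] == "pkts":
            continue  # blank line or the column header
        pkts, byts, target, prot, _opt, in_if, out_if, src, dst = fields[:9]
        chain.rules.append(Rule(parse_counter(pkts), parse_counter(byts), target, prot,
                                in_if, out_if, src, dst, " ".join(fields[9:])))
    if chain is None:
        raise ValueError("no 'Chain ...' header found")
    return chain


def packets_by_direction(chain: Chain) -> dict:
    """Sum rule hits per (in, out) pair. Policy hits carry no interface info, so they are left out."""
    totals = {}
    for r in chain.rules:
        key = (r.in_if, r.out_if)
        totals[key] = totals.get(key, 0) + r.pkts
    return totals


def coverage(chain: Chain, iface_rx: dict) -> dict:
    """Fraction of each interface's received packets that this chain's rule counters account for.

    A fraction far below 1 means the counters cover different time windows
    (rules (re)loaded after the interface came up) or the traffic did not
    traverse this chain at all (packets to/from the router itself go through
    INPUT/OUTPUT, not FORWARD).
    """
    seen = {}
    for (in_if, _out_if), pkts in packets_by_direction(chain).items():
        seen[in_if] = seen.get(in_if, 0) + pkts
    return {iface: seen.get(iface, 0) / rx for iface, rx in iface_rx.items()}


if __name__ == "__main__":
    fwd = parse_listing(SAMPLE_LISTING)
    for (i, o), n in packets_by_direction(fwd).items():
        print(f"{i:>7} -> {o:<7} {n:>8} packets")
    print(f"policy {fwd.policy}: {fwd.policy_pkts} packets (direction unknown)")
    for iface, frac in coverage(fwd, SAMPLE_IFACE_RX).items():
        print(f"{iface}: FORWARD rules account for {frac:.2%} of RX packets")
```

On the post's numbers the LAN-to-WAN rules account for under 2% of br-lan's RX packets and the return rule for well under 1% of eth0's, in both directions alike, which is the pattern to expect when the rule counters were zeroed long after the interfaces came up rather than when one direction is bypassing the chain.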