Posted: Tue Nov 27, 2018 16:51 Post subject: Problem with simple iptables rule with newer fw
Hello,
I have a problem with simple rule on newer kong builds.
It seems like there is no support for prerouting/postrouting. Here is my "rule":
iptables -t nat -A PREROUTING -p tcp --dport 10101 -j DNAT --to-destination 192.168.102.1:9040
It worked on older builds, and yes, I did an nvram erase before and after the fw upgrade :)
Posted: Wed Nov 28, 2018 14:43 Post subject: Re: Problem with simple iptables rule with newer fw
jaru wrote:
Hello,
I have a problem with simple rule on newer kong builds.
It seems like there is no support for prerouting/postrouting. Here is my "rule":
iptables -t nat -A PREROUTING -p tcp --dport 10101 -j DNAT --to-destination 192.168.102.1:9040
It worked on older builds, and yes, I did an nvram erase before and after the fw upgrade :)
DD-WRT v3.0-r37015M kongac (09/23/1
Just a suggestion, but have you tried INSERTING the rule instead of APPENDING it (option "-I" instead of "-A")? This way, your rule will be at the top of the other rules instead of at the end...
Why are you using this rule?
For port forward you can use the GUI
Not really... I want to pass traffic for one port through the tor proxy on my router, not from wan to lan.
For example:
A machine on the lan (192.168.102.200) connects to x.x.x.x:10101, so I need to pass this traffic through the tor proxy bound on port 9040 on my router, 192.168.102.1.
Previously my rule worked but unfortunately not now.
Posted: Thu Nov 29, 2018 12:08 Post subject: Re: Problem with simple iptables rule with newer fw
newsboost wrote:
jaru wrote:
Hello,
I have a problem with simple rule on newer kong builds.
It seems like there is no support for prerouting/postrouting. Here is my "rule":
iptables -t nat -A PREROUTING -p tcp --dport 10101 -j DNAT --to-destination 192.168.102.1:9040
It worked on older builds, and yes, I did an nvram erase before and after the fw upgrade :)
DD-WRT v3.0-r37015M kongac (09/23/1
Just a suggestion, but have you tried INSERTING the rule instead of APPENDING it (option "-I" instead of "-A")? This way, your rule will be at the top of the other rules instead of at the end...
As you erased nvram, are you sure the destination address is still the same?
Because the rule should actually work.
Yes, I'm sure the address is the same. Without erasing nvram there were problems with the firewall overall (masquerade etc.). As I see in tcpdump, all traffic to the mentioned port goes to the internet, bypassing the rule. Dunno where the problem is.
Why are you using this rule?
For port forward you can use the GUI
Not really... I want to pass traffic for one port through the tor proxy on my router, not from wan to lan.
For example:
A machine on the lan (192.168.102.200) connects to x.x.x.x:10101, so I need to pass this traffic through the tor proxy bound on port 9040 on my router, 192.168.102.1.
Previously my rule worked but unfortunately not now.
Rule works here, just run "iptables -vnL -t nat" to check if it was inserted and to see any rules that may pass the traffic before it reaches your rule.
_________________
KONG PB's: http://www.desipro.de/ddwrt/
KONG Info: http://tips.desipro.de/
Why are you using this rule?
For port forward you can use the GUI
Not really... I want to pass traffic for one port through the tor proxy on my router, not from wan to lan.
For example:
A machine on the lan (192.168.102.200) connects to x.x.x.x:10101, so I need to pass this traffic through the tor proxy bound on port 9040 on my router, 192.168.102.1.
Previously my rule worked but unfortunately not now.
Rule works here, just run "iptables -vnL -t nat" to check if it was inserted and to see any rules that may pass the traffic before it reaches your rule.
It's very, very strange. I can see packets that match the rule:
Chain PREROUTING (policy ACCEPT 165 packets, 13404 bytes)
pkts bytes target prot opt in out source destination
7 420 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10101 to:192.168.102.1:9040
(...) other rules
But on tcpdump (port 10101):
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
08:07:09.872167 ethertype IPv4, IP 192.168.102.200.33434 > some.internet.host.10101: Flags [S], seq 3832230864, win 29200, options [mss 1460,sackOK,TS val 1698529080 ecr 0,nop,wscale 7], length 0
08:07:09.873509 IP 192.168.102.200.33434 > some.internet.host.10101: Flags [S], seq 3832230864, win 29200, options [mss 1460,sackOK,TS val 1698529080 ecr 0,nop,wscale 7], length 0
08:07:09.875266 IP 192.168.102.200.33434 > some.internet.host.10101: Flags [S], seq 3832230864, win 29200, options [mss 1460,sackOK,TS val 1698529080 ecr 0,nop,wscale 7], length 0
08:07:09.876935 IP some.internet.host.10101 > 192.168.102.200.33434: Flags [S.], seq 1942564665, ack 3832230865, win 28960, options [mss 1460,sackOK,TS val 17665 ecr 1698529080,nop,wscale 4], length 0
08:07:09.878458 IP some.internet.host.10101 > 192.168.102.200.33434: Flags [S.], seq 1942564665, ack 3832230865, win 28960, options [mss 1460,sackOK,TS val 17665 ecr 1698529080,nop,wscale 4], length 0
So... your tor daemon is running and fully functional? AFAIR "netstat -tulpn" or similar should show if anything is listening on port 9040... Sounds like iptables forwarding IS active, but your daemon is not...
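The two checks suggested in this thread (KONG's "iptables -vnL -t nat" to confirm the rule is hit, and newsboost's "netstat -tulpn" to confirm something is actually bound on the DNAT target) can be combined into one small diagnostic. The script below is an added example written for this thread, not code posted by any participant or shipped with DD-WRT; it runs offline against constructed sample output modelled on the counters and addresses shown above (7 matched packets, a DNAT to 192.168.102.1:9040, a hypothetical tor process bound there). On a real router you would replace the two constructed variables with the live command output.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks on the two pieces of
# diagnostic output a DD-WRT user would collect over ssh. Both sample
# outputs are CONSTRUCTED to mirror the thread; on a router you would use
#   iptables -t nat -vnL PREROUTING --line-numbers
#   netstat -tulpn
# and feed their output in instead.

# Constructed `iptables -vnL -t nat` excerpt (PREROUTING chain only).
NAT_OUTPUT='Chain PREROUTING (policy ACCEPT 165 packets, 13404 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   420 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10101 to:192.168.102.1:9040
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.168.102.50:80'

# Constructed `netstat -tulpn` excerpt: a tor process bound on the LAN
# address, port 9040 (PID and other listeners are made up).
NETSTAT_OUTPUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.102.1:9040      0.0.0.0:*               LISTEN      1234/tor
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/dropbear
udp        0      0 127.0.0.1:53            0.0.0.0:*                           800/dnsmasq'

# dnat_rule_hits DPORT TARGET
# Print the pkts counter of the DNAT rule that matches "tcp dpt:DPORT" and
# rewrites to TARGET, or "missing" if no such rule is in the chain.
dnat_rule_hits() {
    printf '%s\n' "$NAT_OUTPUT" | awk -v dp="tcp dpt:$1 " -v to="to:$2" '
        $3 == "DNAT" && index($0, dp) && index($0, to) { print $1; found = 1; exit }
        END { if (!found) print "missing" }'
}

# listener_on_port PORT
# Print the local address of the TCP socket LISTENing on PORT, or "none".
listener_on_port() {
    printf '%s\n' "$NETSTAT_OUTPUT" | awk -v port=":$1" '
        $1 == "tcp" && $6 == "LISTEN" &&
        substr($4, length($4) - length(port) + 1) == port { print $4; found = 1; exit }
        END { if (!found) print "none" }'
}

# dnat_status DPORT TARGET
# Combine both checks: rule present? counter moving? someone bound on the
# target (exact address or the 0.0.0.0 wildcard)? Prints one of
# rule-missing / no-hits / no-listener / ok.
dnat_status() {
    hits=$(dnat_rule_hits "$1" "$2")
    [ "$hits" = "missing" ] && { echo rule-missing; return; }
    [ "$hits" = "0" ] && { echo no-hits; return; }
    port=${2##*:}
    bound=$(listener_on_port "$port")
    case "$bound" in
        "$2"|"0.0.0.0:$port") echo ok ;;
        *) echo no-listener ;;
    esac
}

# Stand-alone run: the thread's rule against the constructed outputs.
dnat_status 10101 192.168.102.1:9040
```

Two caveats worth keeping in mind when reading the thread's evidence. First, tcpdump on the inbound interface (and "any") taps the packet before the nat PREROUTING hook runs, so the capture will always show the original destination some.internet.host:10101 for a LAN client's SYN; seeing it there does not by itself prove the DNAT was bypassed, which is why the rule counter and the listener check are the more reliable signals. Second, the rule as written has no `-i` or `-s` match, so it also rewrites connections arriving on the WAN side to port 10101 into the router's proxy port; restricting it to the LAN (for example `-i br0 -s 192.168.102.0/24`, assuming br0 is the DD-WRT LAN bridge on this build) keeps the transparent proxy reachable only from the hosts it is meant for.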