uPnP requests being dropped by iptables -- any help

DD-WRT Forum Index -> Advanced Networking
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Sun Jul 19, 2020 1:57
Let's give the guys who actually understand this a head start.

1. What router?
2. What build?
3. If you (made a mistake and) got the build from the router database (and esp if you are using 40559), people are going to suggest you get an up-to-date build.
4. In the GUI's "NAT/QoS" tab, "UPnP" subtab, you have "UPnP Service" enabled?

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Jul 19, 2020 10:15
See what is blocked with
iptables -vnL
iptables -vnL -t nat
iptables -vnL -t raw

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Jul 22, 2020 9:28
Sorry Broly, I do not see any obvious things which are wrong.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Aug 12, 2020 19:32
Broly did you see the recent changes BS has made?
e.g. https://svn.dd-wrt.com/changeset/44168

Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1410

Posted: Thu Aug 13, 2020 1:31
Looking through, assuming nothing on the nat, mangle, raw, or security tables

vlan2 is default the WAN side of router, so traffic is destined to router (ie no port forwarding)

Assuming
New connection
PROTO=UDP SPT=53957 DPT=3355
IN=vlan2



Following through on input :
line 01, does not match (new)
line 02, does not match (ports are wrong)
line 03, does not match (dpt is not 520)
line 04, does not match (wrong in)
line 05, does not match (dpt is not 520)
line 06, does not match (wrong in, not br0)
line 07, does not match (wrong protocol)
line 08, does not match (wrong protocol udp vs igmp)
line 09, does not match (wrong protocol)
line 10, does not match (wrong in, not lo)
line 11, does not match (wrong in, not br0)
line 12, match *DROPS* packet


A shortened look at the FORWARD Chain:

Couple notes on the FORWARD Chain for upnp
So assuming that the upnp is supposed to be forwarded through as opposed to targeted at the router:

FORWARD chain line 5 jumps to upnp chain, but nothing is in that chain and so it returns. Should some kind of ACCEPT rule be there? And should it only be examining upnp packets (and not all like it is?)


lines 9 and 10 of forward look like you are trying to port forward a bunch but these would only come into play if the proper -t nat PREROUTING rules are in play but these are starting at 50000:65535 (50 000 to 65 535) which is higher than the DPT=3355 (only 3 355)
Thus a quick look at the rest of the FORWARD table means that I think it goes all the way to line 128 which drops it.



Hopefully I have helped some.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Thu Aug 13, 2020 8:33
just a side note:
NAT loopback has been broken since r44148 ...and still broken with r44187
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1410

Posted: Thu Aug 13, 2020 22:48
Help me understand a few things...

Where are the upnp packets coming from, and where are they supposed to be going to? (This will help us determine if the INPUT chain or FORWARD chain is being executed.) Also I want to make sure that I understand intent vs what might actually be happening (this is possibly just a me problem).




A few things stand out to me:

There is only one rule that does logging, and that is line #1 on the logdrop chain, but it has: Chain logdrop (0 references)

so nothing is jumping there, but yet you are getting a log message, so there is a rule somewhere that jumps to "LOG", otherwise the state that I (we) are looking at is inconsistent. Knowing this would help us track it down.


Otherwise:

Do you have ebtables rules? (ie:)
ebtables -t nat -L
ebtables -t filter -L
ebtables -t broute -L

Or install arptables or nftables?




The dumbest thing that we could do is just add a rule that automatically accepts everything and do a bisection search to see where things work and then where they do not.

Ie:
iptables -I INPUT (number) -j ACCEPT
yes or no it works, then delete and put it in the next location (Can do this for FORWARD if INPUT chain is wrong). If you have more specific knowledge we can restrict down to that for accepting vs just accepting all traffic from everywhere.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1410

Posted: Fri Aug 14, 2020 2:48
Okay yeah these make more sense on where the logging is coming from.

Since you did not answer my other questions about what the intent is.... I cannot provide much help beyond making a rule that disables the firewall (ie allows all ports and all ip addresses). uPnP does not really have standard ports, so I am going to use the best information I have: udp port 1900 and tcp port 5000.

So these commands should do it:
Code:

iptables -A upnp -p udp --dport 1900 -j ACCEPT
iptables -A upnp -p tcp --dport 5000 -j ACCEPT
iptables -I INPUT 2 -j upnp


Since the router does not know where to forward the packets, the upnp reference in the forward table may not make a lot of sense. So my 3rd line, adding that chain to the INPUT chain, means that any packets from the WAN destined towards the router for those ports/protocols will be accepted.

if you basically want to disable the firewall just add (to the 3 rules that I gave above):
Code:

iptables -A upnp -j ACCEPT


and any packet that gets to that line in that chain will be accepted. (yes I know this could be done more efficiently)
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1410

Posted: Fri Aug 14, 2020 18:13
Is transmission running on the router? If it is to be forwarded, there is not enough information for the router to forward to the correct location.

As I said that last accept all rule essentially disabled the firewall, so of course you will not get dropped messages in the log.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1410

Posted: Fri Aug 14, 2020 20:30
So if I understand correctly:
Transmission is running on a client machine
the client machine/Transmission is sending the upnp packets to dd-wrt to configure the dd-wrt firewall

Is this correct?
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Fri Aug 14, 2020 23:51
mrjcd wrote:
just a side note:
NAT loopback has been broken since r44148 ...and still broken with r44187


Don't know if this has anything to do with the problem broly has, but my natloopback is just no longer good since BS changes.
You can looky at my 'iptables -vnL'
BrainSlayer
Site Admin


Joined: 06 Jun 2006
Posts: 7463
Location: Dresden, Germany

Posted: Sun Aug 16, 2020 14:54
I see no rules in the upnp chain, so I assume no upnp client has requested a forward so far, or you simply did not enable upnp (it's disabled by default).
check also if the upnp process is running

This here is an output from my test router.

Code:

Chain upnp (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.88.193.116        udp dpt:9306
    1    92 ACCEPT     udp  --  *      *       0.0.0.0/0            10.88.193.116        udp dpt:9308
 440K   31M ACCEPT     udp  --  *      *       0.0.0.0/0            10.88.193.145        udp dpt:896
 550K   31M ACCEPT     tcp  --  *      *       0.0.0.0/0            10.88.193.145        tcp dpt:896
root@shellfast:~#

_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
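Following egc's advice to start from `iptables -vnL`, Wildlion's point that a chain with 0 references cannot be the source of the log line, and the upnp chain output BrainSlayer posted above, here is an added example (not from anyone in this thread or from DD-WRT) that parses that output and runs those two checks. The sample text is constructed (the upnp rows are BrainSlayer's, the logdrop chain is made up to show the 0-references case), and the chain-header regex assumes iptables' usual `Chain NAME (N references)` and `Chain NAME (policy X ...)` forms.

```python
import re
# Constructed sample in `iptables -vnL` format: the upnp chain BrainSlayer posted above,
# plus a logdrop chain with 0 references, mirroring what Wildlion pointed out earlier.
SAMPLE = """\
Chain upnp (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.88.193.116        udp dpt:9306
    1    92 ACCEPT     udp  --  *      *       0.0.0.0/0            10.88.193.116        udp dpt:9308
 440K   31M ACCEPT     udp  --  *      *       0.0.0.0/0            10.88.193.145        udp dpt:896
 550K   31M ACCEPT     tcp  --  *      *       0.0.0.0/0            10.88.193.145        tcp dpt:896
Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# Assumed header forms: "Chain NAME (N references)" (user chains), "Chain NAME (policy X ...)" (built-ins)
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:(\d+) references|policy (\S+).*)\)")

def parse_iptables_vnl(text):
    # Returns {chain: {"refs": int|None, "policy": str|None, "rules": [dict]}}
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, refs, policy = m.groups()
            cur = chains[name] = {"refs": int(refs) if refs else None, "policy": policy, "rules": []}
            continue
        f = line.split()
        if cur is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or the column header row
        cur["rules"].append({"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                             "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def upnp_forwards(chains):
    # (lan_host, proto, port) for every port a UPnP client has had opened
    out = []
    for r in chains.get("upnp", {}).get("rules", []):
        m = re.search(r"dpt:(\d+)", r["extra"])
        if r["target"] == "ACCEPT" and m:
            out.append((r["dst"], r["prot"], int(m.group(1))))
    return out

def audit(chains):
    # Checks to make before blaming the firewall for dropped UPnP traffic
    findings = []
    if not chains.get("upnp", {}).get("rules"):
        findings.append("upnp chain is empty: no client has requested a forward, or UPnP is disabled")
    for name, c in chains.items():
        if c["refs"] == 0 and c["rules"]:
            findings.append(f"{name} has {len(c['rules'])} rules but 0 references, so it did not log anything")
    return findings
```

On a real router, feed it the output of `iptables -vnL` for the filter table; an empty upnp chain or a LOG rule living only in an unreferenced chain are exactly the two states this thread kept circling back to.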
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Sun Aug 16, 2020 23:11
broly, figured how to get my problem working and yea 'tis still a bit of a head scratcher

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1214471#1214471

alright then I'll get outta this thread
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14126
Location: Texas, USA

Posted: Mon Mar 22, 2021 2:36
https://web.archive.org/web/20031205041242/http://hometoys.com/htinews/aug01/articles/microsoft/upnp.htm

https://web.archive.org/web/20031130075958/http://upnp.org/

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net