Joined: 04 Aug 2018 Posts: 1446 Location: Appalachian mountains, USA
Posted: Sun Jul 19, 2020 1:57 Post subject:
Let's give the guys who actually understand this a head start.
1. What router?
2. What build?
3. If you (made a mistake and) got the build from the router database (and esp if you are using 40559), people are going to suggest you get an up-to-date build.
4. In the GUI's "NAT/QoS" tab, "UPnP" subtab, do you have "UPnP Service" enabled?
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Looking through, assuming nothing on the nat, mangle, raw, or security tables
vlan2 is by default the WAN side of the router, so traffic is destined to the router (i.e. no port forwarding)
Assuming
New connection
PROTO=UDP SPT=53957 DPT=3355
IN=vlan2
Following through on INPUT:
line 01, does not match (new)
line 02, does not match (ports are wrong)
line 03, does not match (dpt is not 520)
line 04, does not match (wrong in)
line 05, does not match (dpt is not 520)
line 06, does not match (wrong in, not br0)
line 07, does not match (wrong protocol)
line 08, does not match (wrong protocol udp vs igmp)
line 09, does not match (wrong protocol)
line 10, does not match (wrong in, not lo)
line 11, does not match (wrong in, not br0)
line 12, match *DROPS* packet
A shortened look at the FORWARD chain:
Couple notes on the FORWARD Chain for upnp
So assuming that the upnp is supposed to be forwarded through as opposed to targeted at the router:
FORWARD chain line 5 jumps to upnp chain, but nothing is in that chain and so it returns. Should some kind of ACCEPT rule be there? And should it only be examining upnp packets (and not all like it is?)
Lines 9 and 10 of FORWARD look like you are trying to port forward a bunch, but these would only come into play if the proper -t nat PREROUTING rules are in play, and these are starting at 50000:65535 (50 000 to 65 535), which is higher than the DPT=3355 (only 3 355).
Thus a quick look at the rest of the FORWARD table means that I think it goes all the way to line 128, which drops it.
Where are the upnp packets coming from and where are they supposed to be going to? (This will help us determine if the INPUT chain or FORWARD chain is being executed.) Also I want to make sure that I understand intent vs what might actually be happening (this is possibly just a me problem).
A few things stand out to me:
There is only one rule that does logging, and that is line #1 on the logdrop chain, but it has: Chain logdrop (0 references)
so nothing is jumping there, but yet you are getting a log message, so there is a rule somewhere that jumps to "LOG"; otherwise the state that I (we) are looking at is inconsistent. Knowing this would help us track it down.
Otherwise:
Do you have ebtables rules? (i.e.:)
Code:
ebtables -t nat -L
ebtables -t filter -L
ebtables -t broute -L
Or did you install arptables or nftables?
The dumbest thing that we could do is just add a rule that automatically accepts everything and do a bisection search to see where things work and then where they do not.
I.e.:
Code:
iptables -I INPUT (number) -j ACCEPT
Yes or no, it works; then delete it and put it in the next location (can do this for FORWARD if the INPUT chain is wrong). If you have more specific knowledge we can restrict down to that for accepting vs just accepting all traffic from everywhere.
Okay yeah these make more sense on where the logging is coming from.
Since you did not answer my other questions about what the intent is.... I cannot provide much help beyond making a rule that disables the firewall (i.e. allows all ports and all IP addresses). uPnP does not really have standard ports, so I am going to use the best information I have: udp port 1900 and tcp port 5000.
Since the router does not know where to forward the packets, the upnp reference in the FORWARD table may not make a lot of sense. So my 3rd line of adding that chain to the INPUT chain means that any packets from the WAN destined towards the router for those ports/protocols will be accepted.
If you basically want to disable the firewall, just add (to the 3 rules that I gave above):
Code:
iptables -A upnp -j ACCEPT
and any packet that gets to that line in that chain will be accepted. (yes I know this could be done more efficiently)
So if I understand correctly:
Transmission is running on a client machine;
the client machine/Transmission is sending the upnp packets to dd-wrt to configure the dd-wrt firewall.
Just a side note:
NAT loopback has been broken since r44148 ...and still broken with r44187.
Don't know if this has anything to do with the problem broly has, but my NAT loopback is just no longer good since BS's changes.
You can look at my 'iptables -vnL'.
Joined: 06 Jun 2006 Posts: 7463 Location: Dresden, Germany
Posted: Sun Aug 16, 2020 14:54 Post subject:
I see no rules in the upnp chain, so I assume no upnp client has requested a forward so far, or you simply did not enable upnp (it's disabled by default).
Check also if the upnp process is running.
This here is output from my test router.
Code:
Chain upnp (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.88.193.116 udp dpt:9306
1 92 ACCEPT udp -- * * 0.0.0.0/0 10.88.193.116 udp dpt:9308
440K 31M ACCEPT udp -- * * 0.0.0.0/0 10.88.193.145 udp dpt:896
550K 31M ACCEPT tcp -- * * 0.0.0.0/0 10.88.193.145 tcp dpt:896
root@shellfast:~#
_________________
"So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
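The `iptables -vnL` listing above, and the hand-walk of the INPUT chain earlier in the thread, are the two things one reads to answer "which rule is eating this packet" and "what has UPnP actually opened". As an added example (not code from this thread or from DD-WRT), the Python below parses that output format into chains and rules, reports user chains that nothing references (the `logdrop (0 references)` situation) and the ACCEPTs in the upnp chain that are open to any source, and then replays a packet through a chain with first-match semantics, descending into user chains and falling back to the caller when the user chain returns. The sample listing is constructed: the upnp chain is modelled on the one posted above, while the INPUT/FORWARD rules, hosts, interfaces and counters are made up for illustration. It only understands the `dpt:`, `state` and address/interface columns; negated (`!`) matches and other match extensions are ignored.

```python
"""Parse `iptables -vnL` output and replay a packet through it (added example, not DD-WRT code)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample: upnp chain modelled on the thread's listing; everything else is made up.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234   56K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   12   720 DROP       udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp dpt:520
  800   40K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
   90  5400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  500   30K upnp       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   180 DROP       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP "

Chain upnp (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.88.193.116        udp dpt:9306
    1    92 ACCEPT     udp  --  *      *       0.0.0.0/0            10.88.193.116        udp dpt:9308
 440K   31M ACCEPT     udp  --  *      *       0.0.0.0/0            10.88.193.145        udp dpt:896
 550K   31M ACCEPT     tcp  --  *      *       0.0.0.0/0            10.88.193.145        tcp dpt:896
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")

@dataclass
class Rule:
    pkts: str          # counter as printed (may be abbreviated, e.g. "440K")
    target: str        # ACCEPT / DROP / LOG / or a user chain to jump to
    proto: str
    in_if: str
    source: str
    destination: str
    extra: str         # match options, e.g. "udp dpt:896" or "state NEW"

@dataclass
class Chain:
    name: str
    policy: Optional[str]   # built-in chains carry a policy; user chains carry None
    references: int         # how many rules jump to a user chain
    rules: List[Rule]

@dataclass(frozen=True)
class Packet:
    proto: str
    in_if: str
    src: str
    dst: str
    dpt: int
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED

def parse_iptables_vnl(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = Chain(name, policy, int(refs) if refs else 0, [])
            chains[name] = current
            continue
        p = line.split()
        if current is None or len(p) < 9 or p[0] == "pkts":   # blank line or column header
            continue
        # columns: pkts bytes target prot opt in out source destination [match options...]
        current.rules.append(Rule(p[0], p[2], p[3], p[5], p[7], p[8], " ".join(p[9:])))
    return chains

def unreferenced_chains(chains: Dict[str, Chain]) -> List[str]:
    """User chains nothing jumps to: a LOG or DROP rule inside them can never fire."""
    return sorted(c.name for c in chains.values() if c.policy is None and c.references == 0)

def upnp_exposures(chains: Dict[str, Chain], chain_name: str = "upnp") -> List[Tuple[str, int, str]]:
    """(proto, port, internal host) for each ACCEPT in the UPnP chain that is open to any source."""
    out = []
    for r in chains.get(chain_name, Chain(chain_name, None, 0, [])).rules:
        m = re.search(r"\bdpt:(\d+)", r.extra)
        if r.target == "ACCEPT" and r.source == "0.0.0.0/0" and m:
            out.append((r.proto, int(m.group(1)), r.destination))
    return out

def rule_matches(r: Rule, pkt: Packet) -> bool:
    """Subset of iptables matching: proto, in-interface, src/dst prefix, dpt and conntrack state."""
    if r.proto not in ("all", pkt.proto) or (r.in_if != "*" and r.in_if != pkt.in_if):
        return False
    if ip_address(pkt.src) not in ip_network(r.source, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(r.destination, strict=False):
        return False
    m = re.search(r"\bdpt:(\d+)", r.extra)
    if m and int(m.group(1)) != pkt.dpt:
        return False
    m = re.search(r"\bstate (\S+)", r.extra)
    return not (m and pkt.state not in m.group(1).split(","))

def walk(chains: Dict[str, Chain], name: str, pkt: Packet, trace=None):
    """First-match walk. Returns (verdict, trace); verdict is the chain policy when nothing
    matched (None for a user chain, i.e. RETURN). trace lists (chain, rule number) consulted."""
    trace = [] if trace is None else trace
    chain = chains[name]
    for n, r in enumerate(chain.rules, 1):
        trace.append((name, n))
        if not rule_matches(r, pkt):
            continue
        if r.target in chains and chains[r.target].policy is None:   # jump into a user chain
            verdict, _ = walk(chains, r.target, pkt, trace)
            if verdict is not None:
                return verdict, trace
            continue                     # user chain fell through: carry on after the jump
        if r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target, trace
        # LOG and other non-terminating targets: evaluation continues with the next rule
    return chain.policy, trace

if __name__ == "__main__":
    ch = parse_iptables_vnl(SAMPLE_OUTPUT)
    print("unreferenced:", unreferenced_chains(ch))
    print("upnp opens:", upnp_exposures(ch))
    # the packet from the thread's walk-through: new UDP from the WAN to the router itself
    print(walk(ch, "INPUT", Packet("udp", "vlan2", "203.0.113.5", "192.0.2.1", 3355, "NEW")))
```

Running it against real output is a matter of replacing `SAMPLE_OUTPUT` with the captured text of `iptables -vnL`; the `trace` returned by `walk` is the same list of "line N, does/does not match" steps the earlier post worked out by hand, and `upnp_exposures` is the quick way to see which LAN hosts the UPnP daemon has exposed and on which ports.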