LinuxQuestions.org
Old 11-30-2006, 12:16 PM   #1
stlpcsolutions
Iptables Forwarding Problem -OpenWRT


Hey guys, I have a problem with OpenWrt and port forwarding. If anyone has ideas please let me know.

-bash-2.05b$ ssh -l root -v ****no.ip.info
OpenSSH_4.3, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to *******[75.40.***.**] port 22.
debug1: connect to address 75.40.***.*** port 22: Connection refused
ssh: connect to host ********* port 22: Connection refused

-bash-2.05b$ telnet *** 10001
Trying 75.40.62.85..
(refused)

-bash-2.05b$ telnet *** 10003
Trying 75.40.62.85...
(refused)

Followed these instructions for my firewall setup:
http://wiki.openwrt.org/SimpleFirewall


This is the odd message I receive:

root@OpenWrt:/etc# . /etc/init.d/S35firewall restart
/etc/fwlib.sh: 18: interface: not found
/etc/firewall.user: 6: -j: not found
/etc/firewall.user: 6: -j: not found
/etc/firewall.user: 7: -j: not found
/etc/firewall.user: 7: -j: not found
FORWARDING 113 TO doug (192.168.0.107)
/etc/firewall.user: 21: -j: not found
/etc/firewall.user: 21: -d: not found
FORWARDING 10001:10100 TO doug (192.168.0.107)
/etc/firewall.user: 25: -j: not found
/etc/firewall.user: 25: -d: not found
iptables v1.3.3: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
/etc/firewall.user: 33: ACCEPT: not found
iptables v1.3.3: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
/etc/firewall.user: 33: ACCEPT: not found



root@OpenWrt:/etc# cat firewall.user
#!/bin/sh
. /etc/fwlib.sh
flush_firewall

### Ports accessible on the router from the WAN
allow_tcp_port 22 # SSH
allow_tcp_port 465 # HTTPS

### Ports accessible from specific hosts to the router from the WAN
# allow_tcp_port_fromhost 80 remote_access # HTTP
# allow_tcp_port_fromhost 22 remote_access

### Ports accessible to client machines.
# forward_port 22 server
#forward_port 10001:10100 doug

### if we really need _all_ ports...
# register_dmz server

# forward workstation port for application development
forward_port 113 doug

# forward a few utility port-ranges to make it easier to deal with
# bittorrent configurations and the like
forward_port 10001:10100 doug
# forward_port 10100:10199 laptop1
# forward_port 10200:10299 laptop2

### Translate port for client machines.
# translate_port 8080 printer_01 80

### Trusted hosts, full access to router
trusted_host doug

/etc/hosts
127.0.0.1 localhost OpenWrt
192.168.0.107 doug

root@OpenWrt:/etc# cat fwlib.sh
#!/bin/sh

. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

flush_firewall () {
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
}

### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN
interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.

allow_tcp_port () {
ALLOWPORT=$1
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport $ALLOWPORT
-j ACCEPT
iptables -A input_rule -i $WAN -p tcp --dport $ALLOWPORT
-j ACCEPT
}

allow_tcp_port_fromhost () {
ALLOWPORT=$1
ALLOWHOSTNAME=$2
ALLOWHOST=`sucky_resolve $ALLOWHOSTNAME`
echo "Allowing tcp from $ALLOWHOSTNAME to port $ALLOWPORT"
iptables -t nat -A prerouting_rule -i $WAN -p tcp -s $ALLOWHOST
--dport $ALLOWPORT -j ACCEPT
iptables -A input_rule -i $WAN -p tcp -s $ALLOWHOST
--dport $ALLOWPORT -j ACCEPT
}

sucky_resolve () {
HOSTNAME=$1
###
grep $HOSTNAME /etc/hosts | awk '{ print $1 }'
}

forward_port() {
ALLOWPORT=$1
ALLOWHOSTNAME=$2
ALLOWHOST=`sucky_resolve $ALLOWHOSTNAME`
echo "FORWARDING $ALLOWPORT TO $ALLOWHOSTNAME ($ALLOWHOST)"
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport $ALLOWPORT
-j DNAT --to $ALLOWHOST
iptables -A forwarding_rule -i $WAN -p tcp --dport $ALLOWPORT
-d $ALLOWHOST -j ACCEPT
}

translate_port() {
ALLOWPORT=$1
ALLOWHOSTNAME=$2
ALLOWHOSTPORT=$3
ALLOWHOST=`sucky_resolve $ALLOWHOSTNAME`
echo "TRANSLATING $ALLOWPORT TO $ALLOWHOSTNAME
($ALLOWHOST:$ALLOWHOSTPORT)"
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport $ALLOWPORT
-j DNAT --to $ALLOWHOST:$ALLOWHOSTPORT
iptables -A forwarding_rule -i $WAN -p tcp --dport
$ALLOWHOSTPORT -d $ALLOWHOST -j ACCEPT
}


trusted_host (){
ALLOWHOSTNAME=$1
TRUSTEDHOST=`sucky_resolve $ALLOWHOSTNAME`
iptables -t nat -A prerouting_rule -i $WAN -p tcp -s $TRUSTEDHOST -j
ACCEPT
iptables -A input_rule -i $WAN -p tcp -s $TRUSTEDHOST -j
ACCEPT
}

Finally:

root@OpenWrt:/etc# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp option=!2 flags:SYN/SYN
input_rule all -- anywhere anywhere
LAN_ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT gre -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain LAN_ACCEPT (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
output_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain forward_ppp0 (1 references)
target prot opt source destination

Chain forwarding_rule (1 references)
target prot opt source destination
tcp -- anywhere anywhere tcp dpt:113
tcp -- anywhere anywhere tcp dpts:10001:10100
forward_ppp0 all -- anywhere anywhere

Chain input_ppp0 (1 references)
target prot opt source destination

Chain input_rule (1 references)
target prot opt source destination
tcp -- anywhere anywhere tcp dpt:22
tcp -- anywhere anywhere tcp dpt:465
input_ppp0 all -- anywhere anywhere

Chain output_rule (1 references)
target prot opt source destination

Any ideas? Bittorrent and Ktorrent are not working either.

Thanks,
Doug
 
Old 11-30-2006, 02:23 PM   #2
osvaldomarques
Hi stlpcsolutions,

First of all, I would suggest that you enclose the code you send in a code block.

Now, looking for the errors, the first
Code:
/etc/fwlib.sh: 18: interface: not found
Your "fwlib.sh" code
Code:
}

### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN
interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.

allow_tcp_port () {
differs from the wiki:
Code:
}

### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.

allow_tcp_port () {
precisely on line 18.
If the line "interface;" has no meaning, delete it. Otherwise it may be incomplete work; the shell understands it as a command to be executed and can't find it.

Lines 6 and 7 call the allow_tcp_port function, which has broken lines:
Code:
allow_tcp_port () {
ALLOWPORT=$1
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport $ALLOWPORT
-j ACCEPT
iptables -A input_rule -i $WAN -p tcp --dport $ALLOWPORT
-j ACCEPT
}
You can't break a shell command line; see the difference
Code:
allow_tcp_port () {
ALLOWPORT=$1
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport $ALLOWPORT -j ACCEPT
iptables -A input_rule -i $WAN -p tcp --dport $ALLOWPORT -j ACCEPT
}
Lines 21, 25 and 33 have the same problem with other functions in "/etc/functions.sh".
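The reply above identifies the cause; the symptom in the first post confirms it. In the posted `iptables -L` output the rules in `forwarding_rule` and `input_rule` have an empty target column: iptables accepts a rule with no `-j`, and such a rule only counts matching packets and falls through, so port 22 traffic continues down INPUT to `REJECT ... reject-with tcp-reset`, which is exactly the "Connection refused" the poster sees from outside. The script below is an added example, not the OpenWrt wiki's fwlib.sh and not the poster's file. It rewrites the three pieces that go wrong in the thread (line continuation, the `grep`-based host lookup, and rule emission) and adds a dry-run sink plus a small lint so the generated rules can be checked without root. Assumptions: the WAN interface is `ppp0` (the posted chain names `input_ppp0`/`forward_ppp0` suggest it); `HOSTS_FILE` and `IPTABLES` are overridable so the dry run can substitute both; `record_rule`, `resolve_host`, `lint_continuations` and `demo` are this example's own helpers, not wiki functions.

```shell
#!/bin/sh
# Added example, not the wiki's fwlib.sh or the poster's file.
# Assumptions: WAN is ppp0; HOSTS_FILE and IPTABLES can be pointed at a
# constructed hosts file and a dry-run sink so nothing touches netfilter.

WAN="${WAN:-ppp0}"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
IPTABLES="${IPTABLES:-iptables}"

# Every rule passes through here; in a dry run IPTABLES names a shell function.
ipt() {
    "$IPTABLES" "$@"
}

# Dry-run sink: append the would-be command to RULES instead of running it.
RULES=""
record_rule() {
    RULES="$RULES
iptables $*"
}

# Exact match on a hostname or alias in the hosts file.  The posted
# sucky_resolve used `grep $HOSTNAME`, so "doug" would also match a
# "dougs-laptop" entry and print two addresses.
resolve_host() {
    awk -v h="$1" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
    ' "$HOSTS_FILE"
}

# DNAT a WAN port to a LAN host and allow the forwarded traffic.
# The trailing backslash is the fix: without it the shell runs "-j DNAT ..."
# as its own command ("-j: not found" in the posted output) and the half-rule
# that does get added has no target, so it matches and does nothing.
forward_port() {
    port=$1
    host=$(resolve_host "$2")
    if [ -z "$host" ]; then
        echo "forward_port: no hosts entry for $2, refusing to add a rule" >&2
        return 1
    fi
    ipt -t nat -A prerouting_rule -i "$WAN" -p tcp --dport "$port" \
        -j DNAT --to "$host"
    ipt -A forwarding_rule -i "$WAN" -p tcp --dport "$port" \
        -d "$host" -j ACCEPT
}

# Flag option lines ("-j ACCEPT", "--dport 22") that do not continue the line
# above them: the exact breakage in the posted fwlib.sh.  `sh -n` cannot catch
# this, because each fragment is a syntactically valid command.
lint_continuations() {
    awk '
        { cur = $0; sub(/^[ \t]+/, "", cur) }
        cur ~ /^-/ && prev !~ /\\$/ {
            printf "%s:%d: orphaned option line: %s\n", FILENAME, NR, cur
            bad = 1
        }
        { prev = $0 }
        END { exit bad + 0 }
    ' "$1"
}

# Self-contained dry run over a constructed hosts file; prints the rules that
# forward_port would install for the two forwards in the thread.
demo() {
    HOSTS_FILE=$(mktemp)
    printf '127.0.0.1 localhost OpenWrt\n192.168.0.108 dougs-laptop\n192.168.0.107 doug\n' > "$HOSTS_FILE"
    IPTABLES=record_rule
    RULES=""
    forward_port 113 doug
    forward_port 10001:10100 doug
    rm -f "$HOSTS_FILE"
    printf '%s\n' "$RULES"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh fwlib_example.sh --demo` to see the four complete rules; `lint_continuations /etc/fwlib.sh` (or `/etc/firewall.user`) reports each orphaned `-j`/`-d`/`--dport` line with its line number, which lines up with the numbers in the poster's error output. The lint only sees option lines; the stray `interface;` on line 18 is a wrapped comment rather than a wrapped command and has to be found from the error message itself. Two further things worth checking in the posted files: `allow_tcp_port 465` is commented `# HTTPS`, but 465 is the SMTP-over-TLS port (HTTPS is 443), and `trusted_host doug` admits all TCP from that address on the WAN interface, which is only as strong as the source address it matches.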