LinuxQuestions.org > Linux - Networking
New ISP / modem... Unable to connect to ssh server (or ping) remotely
https://www.linuxquestions.org/questions/linux-networking-3/new-isp-modem-unable-to-connect-to-ssh-server-or-ping-remotely-812232/

Lyle 06-04-2010 07:52 PM

New ISP / modem... Unable to connect to ssh server (or ping) remotely
 
Tried turning the firewall off, and I tried port forwarding TCP port 22, but it still doesn't work. Also, I am unable to ping the modem over the WAN; I can ping the modem locally, though. Tech support claims pinging and SSH are not part of the internet, so they won't support it in any way. Any ideas?

thinknix 06-04-2010 08:15 PM

It's likely your ISP is blocking port 22 and ICMP inbound. You can try a couple of things:

- Port forward some random high port (port 51326, for example) from your router/modem into your SSH server, still running on port 22. Your ISP is probably not blocking every inbound port. You can then try to connect like this from the outside:
Code:

ssh -p 51326 <modem/router external IP address>
- Use a reverse SSH tunnel to get around the port block. A good tutorial on that is here:

http://en.gentoo-wiki.com/wiki/Reverse_Tunneling

but it relies on an intermediate SSH server that you have access to from your LAN. This will always work if you can manage it, because your ISP won't block port 22 outbound from your LAN, which is what the connection will look like to them.
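The reverse tunnel described in the reply above, written out as an added example (this is not code from the thread or from the linked gentoo-wiki tutorial). It runs on the home SSH server behind the modem, dials out to an intermediate host, and asks that host to listen on a port that is forwarded back to the home sshd. The relay name relay.example.org, the users relay and lanuser, port 2222 and the key path are assumptions; substitute your own.

```python
"""Reverse SSH tunnel helper (added example, not from the thread).

Run this ON the home SSH server behind the ISP modem. It connects OUT
to the relay on port 22 (the direction the ISP is not blocking) with -R,
so the relay listens on a port that is tunnelled back to the home sshd.
Assumed names: relay.example.org, relay user 'relay', home user 'lanuser'.
"""
import subprocess
import sys
import time


def tunnel_argv(relay_user, relay_host, remote_port, local_port=22,
                identity=None, bind_all=False):
    """Build the ssh command line that opens the reverse tunnel.

    By default the -R listener binds 127.0.0.1 on the relay, so the
    forwarded port is reachable only from the relay itself (or through
    ProxyJump), not from the whole internet. bind_all=True binds 0.0.0.0,
    which also needs GatewayPorts yes/clientspecified in the relay's sshd_config.
    """
    bind = "0.0.0.0" if bind_all else "127.0.0.1"
    argv = [
        "ssh", "-N",                          # no remote shell, only the forward
        "-o", "ExitOnForwardFailure=yes",     # exit (and get restarted) if the port is taken
        "-o", "ServerAliveInterval=30",       # detect a dead relay connection ...
        "-o", "ServerAliveCountMax=3",        # ... within ~90 s and exit
        "-o", "BatchMode=yes",                # never prompt; key-based auth only
        "-R", f"{bind}:{remote_port}:127.0.0.1:{local_port}",
    ]
    if identity:
        argv += ["-i", identity]
    argv.append(f"{relay_user}@{relay_host}")
    return argv


def outside_in_argv(relay_user, relay_host, remote_port, lan_user):
    """Command to type from anywhere on the internet to reach the home box.

    With the loopback bind above the tunnel port is visible only on the
    relay, so hop through it with ProxyJump (-J) and connect to 127.0.0.1
    there: that socket is the reverse tunnel back to the home sshd.
    """
    return ["ssh", "-J", f"{relay_user}@{relay_host}",
            "-p", str(remote_port), f"{lan_user}@127.0.0.1"]


def keep_tunnel_up(argv, min_backoff=5, max_backoff=300):
    """Restart the tunnel forever with exponential backoff (autossh-lite)."""
    backoff = min_backoff
    while True:
        started = time.monotonic()
        rc = subprocess.call(argv)
        if time.monotonic() - started > 60:   # a session that lived a while was healthy
            backoff = min_backoff
        print(f"ssh exited with {rc}; reconnecting in {backoff}s", file=sys.stderr)
        time.sleep(backoff)
        backoff = min(backoff * 2, max_backoff)


if __name__ == "__main__":
    # Assumed relay, user names, key path and port; any unused high port on the relay works.
    argv = tunnel_argv("relay", "relay.example.org", 2222,
                       identity="/home/lanuser/.ssh/tunnel_ed25519")
    print("from outside, run:",
          " ".join(outside_in_argv("relay", "relay.example.org", 2222, "lanuser")))
    keep_tunnel_up(argv)
```

The tunnel key should be a dedicated one, and on the relay its authorized_keys line should be limited to this job, e.g. `restrict,port-forwarding,permitlisten="127.0.0.1:2222" ssh-ed25519 ...` (permitlisten needs OpenSSH 7.8 or newer), so a stolen key cannot open a shell on the relay or bind other ports.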

Lyle 06-04-2010 08:33 PM

Quote:

Originally Posted by slugmax (Post 3992937)
It's likely your ISP is blocking port 22 and ICMP inbound. You can try a couple of things: [...]

OK, thanks, I'll try this.

LVsFINEST 06-04-2010 10:49 PM

Where did you disable the firewall? SSH server? Modem? Router?

What type of modem do you have? Does it route/NAT or bridge (What device gets assigned the public IP)?

ICMP and SSH are definitely two services that are typically blocked by "out-of-the-box" routers (and/or modems, depending) and I'm thinking the problem lies within your local configuration on one of these devices.

It would be pretty shady for an ISP to block port 22, and almost infeasible for them to block ICMP (entirely, anyway).

nsel 02-19-2011 01:55 PM

Similar problem, open routing on both host and gateway
 
Before I begin, a little info:

ISP: Primus Canada (operates off of Bell Canada's network)
Modem: Thompson ST516 v6

After logging into speedtouch.lan through telnet, I get the firewall rule list:

Code:

{nsel}[firewall rule]=>list

Rules (flags: C=Constant, D=Dynamic, E=Enable, L=Log)
=====
Chain                            Nr.  Flags  Rule                                                       
---------------------------------------------------------------------------------------------------------
sink                            1    CDE                    : link            sink_fire
                                2    CDE                    : link            sink_system_service
sink_system_service              1    CDE    PPTPD          : accept          PPTPD_sv_0 PPTPD_if_0.* > *.*
                                2    CDE    PPTPGRE        : accept          PPTPGRE_sv_0 PPTPGRE_if_0.* > *.*
                                3    CDE    HTTP            : accept          HTTP_sv_0 HTTP_if_0.* > *.*
                                4    CDE    HTTPs          : accept          HTTPs_sv_0 HTTPs_if_0.* > *.*
                                5    CDE    FTP            : accept          FTP_sv_0 FTP_if_0.* > *.*
                                6    CDE    TELNET          : accept          TELNET_sv_0 TELNET_if_0.TELNET_ip_0 > *.*
                                7    CD    RIP            : accept          RIP_sv_0 *.* > *.*
                                8    CD    RIP-Query      : accept          RIP-Query_sv_0 *.* > *.*
                                9    CDE    IGMP-Proxy      : accept          IGMP-Proxy_sv_0 *.* > *.*
                                10  CDE    DNS-S          : accept          DNS-S_sv_0 DNS-S_if_0.* > *.*
                                11  CDE    DHCP-R          : accept          DHCP-R_sv_0 DHCP-R_if_0.* > *.*
                                12  CDE    DHCP-S          : accept          DHCP-S_sv_0 DHCP-S_if_0.* > *.*
                                13  CD    SNMP_AGENT      : accept          SNMP_AGENT_sv_0 SNMP_AGENT_if_0.* > *.*
                                14  CDE    SSDP            : accept          SSDP_sv_0 SSDP_if_0.* > *.*
                                15  CDE    MDAP            : accept          MDAP_sv_0 MDAP_if_0.* > *.*
                                16  CDE    CWMP-S          : accept          CWMP-S_sv_0 *.* > *.*
                                17  CD    RAS            : accept          RAS_sv_0 *.* > *.*
                                18  CD    SRAS            : accept          SRAS_sv_0 *.* > *.*
                                19    D    ICMP_LISTEN    : accept          ICMP_LISTEN_sv_0 *.* > *.*
                                20  CD    SENDTO_LISTEN  : accept          SENDTO_LISTEN_sv_0 *.* > *.*
                                21    DE    PING_RESPONDER  : accept          PING_RESPONDER_sv_0 PING_RESPONDER_if_0.* > *.*
                                22  CD    HTTPI          : accept          HTTPI_sv_0 HTTPI_if_0.* > *.*
forward                          1    CDE                    : link            forward_fire
                                2    CDE                    : link            forward_host_service
                                3    CDE                    : link            forward_level
                                4    CDE                    : link            forward_multicast
forward_host_service            1    CDE    map_6_22-22:... : accept          map_6_22-22:22-22 *.* > *.map_6_22-22:_192_168_1_64
forward_level                    1    CDE                    : link            forward_level_Disabled
forward_level_Disabled          1    C E    AnyTraffic      : accept          *.* > *.*
source                          1    CDE                    : link            source_fire
                                2    CDE                    : link            source_system_service
source_fire                      1    C E    AnyTraffic      : accept          *.* > *.*

As well as the chain list:

Code:

{nsel}[firewall chain]=>list

Chains
======
Name                                            Policy          Description   
----------------------------------------------------------------------------------
sink                                            accept          system         
forward                                          accept          system         
source                                          accept          system         
sink_fire                                        accept          system         
forward_fire                                    accept          system         
source_fire                                      accept          system         
sink_system_service                              accept          system         
source_system_service                            accept          system         
forward_level                                    accept          system         
forward_host_service                            accept          system         
forward_multicast                                accept          system         
forward_level_Disabled                          accept          user

On my host, my iptables rules are the following:

Code:

# iptables --list
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    tcp  --  speedtouch.lan      anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT    udp  --  speedtouch.lan      anywhere           
ACCEPT    all  --  anywhere            anywhere           
LSI        udp  --  anywhere            anywhere            udp dpt:33434
LSI        icmp --  anywhere            anywhere           
DROP      all  --  anywhere            255.255.255.255   
DROP      all  --  anywhere            192.168.1.255     
DROP      all  --  BASE-ADDRESS.MCAST.NET/8  anywhere           
DROP      all  --  anywhere            BASE-ADDRESS.MCAST.NET/8
DROP      all  --  255.255.255.255      anywhere           
DROP      all  --  anywhere            0.0.0.0           
DROP      all  --  anywhere            anywhere            state INVALID
LSI        all  -f  anywhere            anywhere            limit: avg 10/min burst 5
INBOUND    all  --  anywhere            anywhere           
LOG_FILTER  all  --  anywhere            anywhere           
LOG        all  --  anywhere            anywhere            LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target    prot opt source              destination       
LSI        udp  --  anywhere            anywhere            udp dpt:33434
LSI        icmp --  anywhere            anywhere           
LOG_FILTER  all  --  anywhere            anywhere           
LOG        all  --  anywhere            anywhere            LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    tcp  --  island-of-nowhere.lan  speedtouch.lan      tcp dpt:domain
ACCEPT    udp  --  island-of-nowhere.lan  speedtouch.lan      udp dpt:domain
ACCEPT    all  --  anywhere            anywhere           
DROP      all  --  BASE-ADDRESS.MCAST.NET/8  anywhere           
DROP      all  --  anywhere            BASE-ADDRESS.MCAST.NET/8
DROP      all  --  255.255.255.255      anywhere           
DROP      all  --  anywhere            0.0.0.0           
DROP      all  --  anywhere            anywhere            state INVALID
OUTBOUND  all  --  anywhere            anywhere           
LOG_FILTER  all  --  anywhere            anywhere           
LOG        all  --  anywhere            anywhere            LOG level info prefix `Unknown Output'

Chain INBOUND (1 references)
target    prot opt source              destination       
ACCEPT    tcp  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    udp  --  anywhere            anywhere            state RELATED,ESTABLISHED
LSI        all  --  anywhere            anywhere           

Chain LOG_FILTER (5 references)
target    prot opt source              destination       

Chain LSI (6 references)
target    prot opt source              destination       
LOG_FILTER  all  --  anywhere            anywhere           
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,ACK/RST
LOG        icmp --  anywhere            anywhere            icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP      icmp --  anywhere            anywhere            icmp echo-request
LOG        all  --  anywhere            anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP      all  --  anywhere            anywhere           

Chain LSO (0 references)
target    prot opt source              destination       
LOG_FILTER  all  --  anywhere            anywhere           
LOG        all  --  anywhere            anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT    all  --  anywhere            anywhere            reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target    prot opt source              destination       
ACCEPT    icmp --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    udp  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere            anywhere

This, to my understanding, should forward all requests through anywhere on either host or modem. Please correct me if I am wrong. I am going to try the above; the output is the following:

Code:

# ssh -p 51326 `ipnow`
ssh: connect to host <my external ip> port 51326: Connection refused

ipnow is a script that resolves my external IP address.

If I try this using port 22 as usual, on the other hand, I get a connection timed out error.

Am I misunderstanding something?
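The two outcomes in the post above ("Connection refused" on 51326, "connection timed out" on 22) are different failure modes, and telling them apart is the first diagnostic step. The probe below is an added example, not code from the thread: it classifies a TCP connect as open, refused (a host at the address answered with RST, so packets arrive but nothing listens or forwards on that port, or a REJECT rule fires), timeout (the SYN was silently dropped: DROP rule, upstream filter, or a NAT device with no matching forward) or unreachable (no route before the host). One caveat the post does not mention: if the command is run from inside the LAN against the public IP, the connection goes through the modem's NAT hairpin path (if the modem supports it at all), which is not the same path a real outside client takes; test from a phone tether or a shell on another network.

```python
"""Tell 'refused' from 'timed out' when a port will not connect (added example).

Not code from the thread. 'refused' = a host at that address answered the
SYN with a TCP RST (reachable, but no listener/forward there, or REJECT).
'timeout' = nothing answered at all (SYN dropped: DROP rule, upstream
filter, or no forward on the NAT device). 'unreachable' = no route or an
ICMP unreachable before the host: a network problem, not a port problem.
"""
import socket
import sys

MEANING = {
    "open": "TCP handshake completed: a listener answered",
    "refused": "RST received: host reachable, no listener/forward on that port (or REJECT rule)",
    "timeout": "no answer: SYN dropped on the path (DROP rule, upstream filter, or no forward)",
    "unreachable": "no route / ICMP unreachable before the host: network problem, not a port problem",
}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for one TCP connect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:            # same class as TimeoutError on 3.10+
            return "timeout"
        except OSError:                   # ENETUNREACH, EHOSTUNREACH, DNS failure, ...
            return "unreachable"


def demo():
    """Loopback self-check: a live listener reads 'open'; the same port, closed, reads 'refused'."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))           # port 0: let the kernel pick a free one
    lst.listen(1)
    port = lst.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    lst.close()                          # no listener any more: kernel answers the SYN with RST
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    if len(sys.argv) == 3:               # usage: probe.py <host> <port>
        host, port = sys.argv[1], int(sys.argv[2])
        status = probe(host, port)
        print(f"{host}:{port} -> {status}: {MEANING[status]}")
    else:
        print("self-check (expect open, refused):", demo())
```

Run it from outside the LAN against the public IP and the forwarded port; a "refused" there means the device holding the public IP got the packet and has no forward for that port, while a "timeout" means something between the client and that device is dropping the SYN.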
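A second thing worth checking in the host ruleset above: INPUT rule 3 prints as "ACCEPT all -- anywhere anywhere", and in the listing as shown every later INPUT rule (the LSI logging, the INVALID drop, the INBOUND chain) would never be reached if that rule really matched every packet. But `iptables --list` without -v hides the in/out interface columns, so a rule written as `-i lo -j ACCEPT` (loopback only, as rule sets generated by firewall front-ends commonly have) prints exactly the same way. The script below is an added example, not code from the thread: it parses either the plain `-L` layout or the `-L -v -n` layout, flags unconditional ACCEPT/DROP/REJECT rules that shadow what follows them, and marks a hit from a plain listing as unconfirmed so that the next step is to re-list with `iptables -L -v -n` (or `iptables-save`). Both sample listings are constructed: the first is the thread's INPUT chain trimmed, the second is what it might look like with -v -n if rule 3 is in fact loopback-scoped (an assumption, not something the thread shows).

```python
"""Find rules shadowed by an unconditional ACCEPT/DROP/REJECT in `iptables -L` output.

Added example, not code from the thread. Understands the plain `iptables -L`
layout (target prot opt source destination ...) and the `iptables -L -v -n`
layout (pkts bytes target prot opt in out source destination ...). Without
-v the interface columns are hidden, so "ACCEPT all -- anywhere anywhere"
may really be "-i lo"; such hits are reported as unconfirmed.
"""
import re
import sys
from collections import namedtuple

Rule = namedtuple("Rule", "target prot opt iface_in iface_out src dst extra")

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ANY_ADDR = {"anywhere", "0.0.0.0/0", "::/0"}


def parse_chains(listing):
    """Return {chain_name: [Rule, ...]} from iptables -L or -L -v -n text."""
    chains, current, verbose = {}, None, False
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        cols = line.split()
        if current is None or not cols:
            continue
        if cols[0] in ("target", "pkts"):      # column header: tells us which layout follows
            verbose = cols[0] == "pkts"
            continue
        if verbose and len(cols) >= 9:
            target, prot, opt, iface_in, iface_out, src, dst = cols[2:9]
            extra = " ".join(cols[9:])
        elif not verbose and len(cols) >= 5:
            target, prot, opt, src, dst = cols[:5]
            iface_in = iface_out = None        # unknown: not shown without -v
            extra = " ".join(cols[5:])
        else:
            continue                           # wrapped or malformed line; skip it
        chains[current].append(Rule(target, prot, opt, iface_in, iface_out, src, dst, extra))
    return chains


def catch_all_status(rule):
    """'confirmed' / 'unconfirmed' if the rule matches every packet, else None."""
    if rule.target not in TERMINAL or rule.prot not in ("all", "0") or rule.opt != "--":
        return None
    if rule.src not in ANY_ADDR or rule.dst not in ANY_ADDR or rule.extra:
        return None
    if rule.iface_in is None:                  # plain -L: an interface match would be invisible
        return "unconfirmed"
    if rule.iface_in == "*" and rule.iface_out == "*":
        return "confirmed"
    return None                                # scoped to an interface, e.g. -i lo


def find_shadowed(listing):
    """{chain: (rule_number, status, [rules after it])} for each chain with a catch-all."""
    report = {}
    for chain, rules in parse_chains(listing).items():
        for i, rule in enumerate(rules):
            status = catch_all_status(rule)
            if status and i < len(rules) - 1:
                report[chain] = (i + 1, status, rules[i + 1:])
                break
    return report


# Constructed sample: the thread's INPUT chain, trimmed, as printed by plain -L.
SAMPLE_L = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  speedtouch.lan       anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  speedtouch.lan       anywhere
ACCEPT     all  --  anywhere             anywhere
LSI        icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
LSI        all  -f  anywhere             anywhere             limit: avg 10/min burst 5
INBOUND    all  --  anywhere             anywhere

Chain INBOUND (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
LSI        all  --  anywhere             anywhere
"""

# Constructed sample: how -L -v -n might show the same chain if rule 3 is really "-i lo" (assumed).
SAMPLE_LV = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       192.168.1.254        0.0.0.0/0            tcp flags:!0x17/0x02
   12   900 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   40  2000 INBOUND    all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_L
    for chain, (n, status, rest) in find_shadowed(text).items():
        print(f"{chain}: rule {n} is a catch-all ({status}); {len(rest)} later rule(s) never match")
        if status == "unconfirmed":
            print("  re-list with `iptables -L -v -n` (or iptables-save) to see the interface match")
```

Pipe a real listing in with `iptables -L -v -n | python3 shadow.py`; on the plain sample it reports INPUT rule 3 as an unconfirmed catch-all with four dead rules behind it, and on the verbose sample it reports nothing, because the loopback-only ACCEPT shadows nothing.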

nsel 03-07-2011 01:02 PM

Thanks for all the help guys, that was awesome.

I'll remember to not bother next time, I ended up getting my answer elsewhere.

szboardstretcher 03-07-2011 01:04 PM

Quote:

Originally Posted by Lyle (Post 3992929)
[...] Tech support claims pinging and SSH are not part of the internet, so they won't support it in any way. Any ideas?

ping and ssh are not part of the internet? That tech support is awful.

Quote:

I'll remember to not bother next time, I ended up getting my answer elsewhere.
Care to share the answer you didn't receive here... because you tried hijacking a thread?

