Error with iptables in Telnet RT-AC66U

lord_Galathon

Occasional Visitor
I'm fairly new to Linux scripting and iptables, so bear with me. I'm going to use some private IPs to show the example, but it should translate to public ones.

I want to set up an init-start script to run on my AC66U flashed with Merlin. The purpose of the init-start is to set up multiple WAN addresses (I have a pool from my ISP) and forward two of them to two web servers I run on 172.21.100.10 and .11.

I had a script that ran on my old router (TP-Link flashed with DD-WRT) that worked so I'm starting from that script that worked.

I'm testing the script line by line by using putty telnetted onto the router.

My pool is 10.10.10.152/29 with 153 as a gateway. My addresses are .154~.158.

The first IP address is easy, I configure the WAN port eth0:1 directly from the web-interface to use 10.10.10.154 which I use for webmail. This one is actually off the script as it's not needed.

Then I assign the two other addresses using the following commands:

ifconfig eth0:2 10.10.10.155 netmask 255.255.255.248 broadcast 10.10.10.153
ifconfig eth0:3 10.10.10.156 netmask 255.255.255.248 broadcast 10.10.10.153

Which results in ifconfig eth0:

eth0 Link encap:Ethernet HWaddr 54:A0:50:5C:BE:88
inet addr:10.10.10.154 Bcast:10.10.10.153 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29391 errors:0 dropped:0 overruns:0 frame:0
TX packets:14488 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3920444 (3.7 MiB) TX bytes:6567216 (6.2 MiB)
Interrupt:4 Base address:0x2000

eth0:2 Link encap:Ethernet HWaddr 54:A0:50:5C:BE:88
inet addr:10.10.10.155 Bcast:10.10.10.159 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:4 Base address:0x2000

eth0:3 Link encap:Ethernet HWaddr 54:A0:50:5C:BE:88
inet addr:10.10.10.156 Bcast:10.10.10.159 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:4 Base address:0x2000

All of the above seems correct and I'm happy.

_______________________________________________________________


Then I want to setup the firewall rules right? So here's what I got so far:

iptables -t nat -I PREROUTING -d 10.10.10.155 -j DNAT --to 172.21.100.10
iptables -t nat -I POSTROUTING -s 172.21.100.10 -j SNAT --to 10.10.10.156

All of the above seems to work. From what I think I understand about iptables, the lines above create a rule that blocks all traffic from both IPs stated. Please correct me if I'm understanding this incorrectly.

Then I want to unblock the port (80) and this is where I get weird:

iptables -i FORWARD -d 172.21.100.10 -p tcp --dport 80 -j ACCEPT

The line above gives me the following error:

iptables v1.3.8: Unknown arg `--delete'

There are several things that don't make sense here:

-Why am I deleting a FORWARD rule?
-Are the rules above creating a firewall rule to block all traffic?

Now I'm stumped and baffled!

Note that the above line does NOT return an error on the TP-Link flashed with DD-WRT.

Any advice is welcome, thanks!
 
Your first pair of rules are doing some form of one-to-one nat, mapping external IPs to internal.

Is the problem with your second rule simply the lower-case "-i", which should be "-I"? If all forwarded traffic is blocked by default, this will allow the web server on 172.21.100.10 to receive external requests on port 80.

I have no idea how you integrate this with merlin firmware auto scripts though
 
iptables -t nat -I PREROUTING -d 10.10.10.155 -j DNAT --to 172.21.100.10
iptables -t nat -I POSTROUTING -s 172.21.100.10 -j SNAT --to 10.10.10.156

Those 2 rules look fine to me. As mstombs pointed out, they are doing 1:1 NAT, which means all incoming requests to 10.10.10.156 would be forwarded to 172.21.100.10, while any outgoing request from 172.21.100.10 would be rewritten to be sent as 10.10.10.156.

In this instance, there is no need for the FORWARD rule. On the other hand, if you would like to map all outgoing traffic but only specific incoming ports, you could do the following:
- To map outgoing traffic: iptables -t nat -I POSTROUTING -s 172.21.100.10 -j SNAT --to 10.10.10.156
- To map specific incoming ports: iptables -t nat -I 10.10.10.156 -p tcp --dport 80 -j DNAT --to 172.21.100.10

Ideally, you would configure your interfaces in wan-start and your NAT mapping in nat-start.
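As an added example (not code from any poster in this thread), here is what a complete /jffs/scripts/nat-start along the lines suggested above could look like: SNAT everything each server sends out to its own public address, DNAT only TCP port 80 inbound, and ACCEPT that port in FORWARD. The mapping 10.10.10.155 ↔ 172.21.100.10 and 10.10.10.156 ↔ 172.21.100.11, the WAN interface name eth0, the chain names O2O_PRE/O2O_POST/O2O_FWD and the DRY_RUN switch are all assumptions made for this example. Because nat-start is rerun whenever the firmware restarts the firewall, and the router's iptables 1.3.8 has no -C to test for an existing rule, the script keeps its rules in its own chains that it can flush and re-add instead of inserting duplicates into the built-in chains.

```shell
#!/bin/sh
# Added example of a /jffs/scripts/nat-start for the 1:1 NAT discussed above.
# Not the poster's script. Assumptions not stated in the thread:
#   - the WAN interface is eth0 (the aliases above are eth0:2 and eth0:3);
#   - 10.10.10.155 pairs with 172.21.100.10, 10.10.10.156 with 172.21.100.11;
#   - only TCP port 80 should be reachable from outside.
# iptables 1.3.8 has no -C, so idempotency comes from dedicated chains that
# are flushed and refilled on every run.

IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-eth0}

# public_ip internal_ip, one pair per line (constructed for this example)
MAPPINGS="
10.10.10.155 172.21.100.10
10.10.10.156 172.21.100.11
"
ALLOWED_TCP_PORTS="80"

# run: execute iptables, or only print the command when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$IPT $*"
    else
        $IPT "$@"
    fi
}

# ensure_chain TABLE PARENT CHAIN: create CHAIN (or empty it if it already
# exists) and hook it at the top of PARENT exactly once, so rerunning the
# script does not pile up duplicate rules.
ensure_chain() {
    table=$1; parent=$2; chain=$3
    if [ -n "$DRY_RUN" ]; then
        run -t "$table" -N "$chain"
        run -t "$table" -F "$chain"
        run -t "$table" -I "$parent" -j "$chain"
        return 0
    fi
    $IPT -t "$table" -N "$chain" 2>/dev/null || $IPT -t "$table" -F "$chain"
    # -I puts our chain ahead of the firmware's own MASQUERADE/forward rules
    $IPT -t "$table" -L "$parent" -n | grep -q "^$chain " \
        || $IPT -t "$table" -I "$parent" -j "$chain"
}

emit_rules() {
    ensure_chain nat PREROUTING O2O_PRE
    ensure_chain nat POSTROUTING O2O_POST
    ensure_chain filter FORWARD O2O_FWD
    printf '%s\n' "$MAPPINGS" | while read -r ext int; do
        [ -n "$ext" ] || continue
        # everything the server sends out leaves as its own public address
        run -t nat -A O2O_POST -s "$int" -o "$WAN_IF" -j SNAT --to-source "$ext"
        for port in $ALLOWED_TCP_PORTS; do
            # inbound: translate only the allowed port, then let it through
            run -t nat -A O2O_PRE -i "$WAN_IF" -d "$ext" -p tcp --dport "$port" \
                -j DNAT --to-destination "$int"
            run -A O2O_FWD -i "$WAN_IF" -d "$int" -p tcp --dport "$port" -j ACCEPT
        done
    done
}

# Only apply when the firmware (or you) invokes this file as nat-start;
# sourced under another name it just defines the functions for a DRY_RUN check.
case "$(basename "$0")" in
    nat-start)
        echo "running nat-start script" | logger -t nat-start
        emit_rules
        ;;
esac
```

Copy it to /jffs/scripts/nat-start, make it executable with chmod a+rx, and print what it would do without touching the tables using `DRY_RUN=1 sh /jffs/scripts/nat-start`; after a real run, `iptables -t nat -L -n` should show the O2O_PRE and O2O_POST jumps at the top of PREROUTING and POSTROUTING.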
 
Thanks.

Could the line to map specific incoming ports be missing the name? I'm finding that it returns the error "No chain/target/match by that name."

BUT If I put " iptables -t nat -I PREROUTING -s 10.10.10.156 -p tcp --dport 80 -j DNAT --to 172.21.100.10 " it then accepts without any errors, however if I then query with iptables -L there are no entries.

?
 
Yes, he forgot the chain name in the second command.

To list the rules, your have to tell it which table (default is the filter table)....so

iptables -t nat -L

should do it.
 
Wow thanks for the ultra-quick response. That works, but is it normally that slow at listing the rules? I thought I had hung up the router and was about to reset when it started listing the first rule!
 
I haven't worked on a MIPS based router, but I wouldn't expect it to be overly slow (it's instant on my AC68). If you've been experimenting for a while, it may be worthwhile to reboot to clear things out and apply things from scratch.
 
This is great, after a reboot it lists the rules much quicker.

I've managed to create/append and make executable the wan-start and nat-start but only the wan-start seems to work as I get the correct IPs assigned to the eth0:x port, the nat-start doesn't seem to "stick" as all I get from the listing command are the default gateway NAT rules.

I'm going to copy both files to USB (mnt/sda) and look at them with notepad to see if I can figure out what's different.

Thanks again for all the help.
 
It will be slow if it tries to resolve all the IPs entered in your rules. Add "-n" to tell it to display the IPs instead of the resolved names.
 
I've just been writing to them using the echo "... " >>//jffs/scripts/ commands.

I just wanted to look at the contents with notepad. They look okay to me. Not sure why it's not running. I'm looking at the log on the router and it shows: (ignore the date/time, I've not connected it to the Internet yet so it's not updated)

Dec 31 19:00:25 custom script: Running /jffs/scripts/wan-start (args: 0)
Dec 31 19:00:25 kernel: nf_conntrack_rtsp v0.6.21 loading

But no other custom script and no mention of nat-start. Weird... I'm checking more to see why it's not running. Downloaded and installed Notepad ++.
 
wan-start isn't a good place to modify the firewall rules, as they will be overwritten afterward as the firewall will be restarted to take into account the WAN state change. Use firewall-start or nat-start instead.
 
I did. I used nat-start for the NAT/firewall rules. wan-start is to assign 2 static ips to a single interface. (actually 3 but the first is assigned in the GUI...)

As it stands now, I have the nat-start in the jffs/scripts folder but it does not autorun at startup. Not sure why since wan-start runs fine.
 
I can copy/paste all the lines from nat-start using Notepad++ directly into PuTTY at once; they all run successfully and my NATting shows up in the iptables list. The problem is nat-start not running.

As far as I can tell using the ls -l command both files are executable.

-rwxrwxrwx 1 admin root 726 Dec 31 19:34 nat-start
-rwxrwxrwx 1 admin root 238 Dec 31 19:25 wan-start

I wonder if the issue stems from the timestamp not being accurate. I'll try deleting nat-start and recreating it.
 
Just to double check things....

- first line of nat-start is
Code:
#!/bin/sh
- enter the following commands
Code:
cd /jffs/scripts
sed -i 's/\r//g' nat-start
chmod a+rx nat-start

Reboot with fingers crossed :)
 
Yes:

#!/bin/sh
iptables -t nat -I POSTROUTING -s 172.21.100.11 -j SNAT --to 10.10.10.156
iptables -t nat -I POSTROUTING -s 172.21.100.10 -j SNAT --to 10.10.10.155
...
and so on with the rest of the rules. I get no error messages in the log file, the nat-start file just doesn't automatically run at boot.

What's really messed up is that I can run the file manually by entering /jffs/scripts/nat-start and it will run without any errors, and the correct rules show up in the iptables...

:(

Weird no?
 
OK....next debug check....insert the following line after the shebang (the first line) to force a syslog entry

echo "running nat-start script" | logger -t "nat-start"
 
Nope. Still nothing until I run the file manually, then and only then do I get:

"Dec 31 19:04:11 nat-start: running nat-start script"

In the logs, and the NAT entries are now showing. I'm thinking it might be a firmware issue, maybe this version of Merlin runs a different named file automatically? I'm checking to see if there's a difference but as far as the Merlin wiki goes it's nat-start.

My firmware is 378.53_0

One question, will the nat-start run if the router is not on the Internet yet? It's just connected to my LAN via a LAN port. How about NAT? As far as I can tell there's no option to turn it on or off using the GUI.
 
Well, being afterhours I decided to test the router. It works but all the tables outbound from .155 and .156 insist on coming out masquerading on the .154 address which of course is wrong and does not work. I guess I have more work to do.

Thanks all for your help so far. I've learned a lot in just a day.
 