Firewall, Port Forwarding, and DoS Question

adri

New Around Here
Hi, I'm hoping someone can help me with a firewall issue I'm having on my RT-AX86U (Merlin 3004.388.8_2). I am port forwarding HTTP/S (80/443) and BitTorrent (port 51413). When I enable the main router firewall, HTTP/S doesn't work so well: I can access it from outside my network, but it usually takes several attempts to establish a connection when connecting from an app that uses HTTPS (e.g. the Jellyfin client app). Further, I can see in the logs that the router is sometimes dropping connections to the ports I am supposed to be forwarding. I could run without the firewall, but I've read that doing so is a Very Bad Idea.

If I look at my iptables rules with or without the firewall enabled, I don't see the port forwarding happening anywhere, so I can only assume that 1. port forwarding is handled via another mechanism and 2. perhaps it is the DoS rate limiters the firewall adds to iptables that are causing the router to drop legitimate connections. So if that is true, I'm thinking maybe I can add some commands to /jffs/scripts/firewall-start to adjust the rate limits a little, at least for the ports I have open. My question is, what would those commands be? I have very limited knowledge of iptables and I don't want to disable rate limiting altogether.

(Also perhaps of note, enabling/disabling AiProtection has no effect. I was at one point also using Skynet, but found that it was mysteriously blocking some services too, but that's an issue for another post. And yes, my webserver has anti-intrusion protections on it.)

Sample log entries showing dropped connections:

Code:
Nov 24 13:02:19 kernel: DROP IN=eth0 OUT= MAC=xxxxx SRC=<some outside IP> DST=<my wan IP> LEN=132 TOS=0x00 PREC=0x00 TTL=118 ID=34191 PROTO=UDP SPT=19144 DPT=51413 LEN=112 MARK=0x8000000
Nov 24 13:02:19 kernel: DROP IN=eth0 OUT=br0 MAC=xxxxx SRC=<some outside IP> DST=192.168.0.30 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=46352 DF PROTO=TCP SPT=1984 DPT=443 SEQ=1696130860 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405A00103030801010402) MARK=0x8000000
Nov 24 13:02:19 kernel: DROP IN=eth0 OUT=br0 MAC=xxxxx SRC=<some outside IP> DST=192.168.0.20 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=36532 DF PROTO=TCP SPT=35241 DPT=51413 SEQ=4086927719 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402) MARK=0x8000000


The part of iptables that I think is the culprit:

Code:
Chain SECURITY (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
logdrop    icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

(full iptables -L output attached)


Would the following in firewall-start accomplish what I'm trying to do?

Code:
/usr/sbin/iptables -I SECURITY 1 -p tcp --destination-port 51413 --tcp-flags FIN,SYN,RST,ACK ALL -m limit --limit 5/s --limit-burst 10 -j RETURN
/usr/sbin/iptables -I SECURITY 1 -p udp --destination-port 51413 -m limit --limit 5/s --limit-burst 10 -j RETURN
/usr/sbin/iptables -I SECURITY 1 -p tcp --destination-port 443 --tcp-flags FIN,SYN,RST,ACK ALL -m limit --limit 5/s --limit-burst 10 -j RETURN
 

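Before changing any limits it helps to know which of those DROP lines the SECURITY chain could even be responsible for. The script below is an added example, not code from the thread or from the firmware: a small POSIX sh/awk tool that summarises kernel DROP lines by path (empty OUT= versus OUT=br0), protocol, destination port and TCP flag, and lists the source addresses behind SYN drops on a given port. The sample lines are constructed after the ones posted above, with RFC 5737 documentation addresses standing in for the redacted public IPs; the /tmp/syslog.log path is the usual Asuswrt location and is an assumption about the reader's setup.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "kernel: DROP" lines so it is
# clear what is being dropped before touching any rate limits.
#
# The firmware's logdrop records IN=/OUT= for every dropped packet. An empty
# OUT= means the packet was addressed to the router itself (INPUT path, no DNAT
# took place); OUT=br0 means it had already been forwarded towards a LAN host.
# A bare "SYN" token marks a connection attempt, which is what the SECURITY
# chain's "1/sec burst 5" rule counts; "RST" is the other flag it limits.

# Constructed sample modelled on the thread's log lines (documentation IPs).
SAMPLE_LOG='Nov 24 13:02:19 kernel: DROP IN=eth0 OUT= MAC=xxxxx SRC=203.0.113.10 DST=198.51.100.5 LEN=132 TOS=0x00 PREC=0x00 TTL=118 ID=34191 PROTO=UDP SPT=19144 DPT=51413 LEN=112 MARK=0x8000000
Nov 24 13:02:19 kernel: DROP IN=eth0 OUT=br0 MAC=xxxxx SRC=203.0.113.20 DST=192.168.0.30 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=46352 DF PROTO=TCP SPT=1984 DPT=443 SEQ=1696130860 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405A00103030801010402) MARK=0x8000000
Nov 24 13:02:19 kernel: DROP IN=eth0 OUT=br0 MAC=xxxxx SRC=203.0.113.30 DST=192.168.0.20 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=36532 DF PROTO=TCP SPT=35241 DPT=51413 SEQ=4086927719 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402) MARK=0x8000000
Nov 24 13:02:21 kernel: DROP IN=eth0 OUT=br0 MAC=xxxxx SRC=203.0.113.20 DST=192.168.0.30 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=46353 DF PROTO=TCP SPT=1985 DPT=443 SEQ=1696130861 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405A00103030801010402) MARK=0x8000000
Nov 24 13:02:22 kernel: DROP IN=eth0 OUT=br0 MAC=xxxxx SRC=203.0.113.30 DST=192.168.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=36533 DF PROTO=TCP SPT=35241 DPT=51413 SEQ=0 ACK=4086927720 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x8000000'

# Count drops by path, protocol, destination port and limited flag.
# Reads log lines on stdin, prints "count path proto/dport [syn|rst]".
summarize_drops() {
    awk '
    /kernel: DROP/ {
        path = "to-router"; proto = "?"; dport = "?"; flag = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^OUT=./)                    path = "forwarded"
            else if ($i ~ /^PROTO=/)              proto = tolower(substr($i, 7))
            else if ($i ~ /^DPT=/)                dport = substr($i, 5)
            else if ($i == "SYN" || $i == "RST")  flag = " " tolower($i)
        }
        n[path " " proto "/" dport flag]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Sources behind forwarded SYN drops on one port. One address repeating dozens
# of times is a scan or a flood; many distinct addresses each seen once or
# twice means a shared limit is throttling ordinary clients.
syn_drops_by_source() {
    awk -v want="$1" '
    /kernel: DROP/ && / OUT=br0 / && / SYN / && $0 ~ (" DPT=" want " ") {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        n[src]++
    }
    END { for (s in n) print n[s], s }' | sort -rn
}

# On the router:  grep 'kernel: DROP' /tmp/syslog.log | summarize_drops
# Against the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | syn_drops_by_source 443
```

Reading the result against the chain listed above: SECURITY only limits TCP SYN, TCP RST and ICMP echo-request and RETURNs everything else, so a UDP drop cannot come from it, and an empty OUT= means the packet was headed for the router itself rather than a forwarded host. Only the "forwarded tcp/443 syn" and "forwarded tcp/51413 syn" rows are candidates for the SYN limit.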
Look at the nat table too:

Code:
iptables -t nat -nvL
 
Ah, OK, thank you. I didn't realize that was a separate thing. I see now where the port forwarding is occurring (I guess I only need it in one of the two places). So do you think the problem is the rate limit in the SECURITY chain? Or is there anything else in there that would cause connections to be dropped?
 

Or is there anything else in there that would cause connections to be dropped?
Rerun the original output to show the packet counters.
Code:
iptables -t filter -nvL
or
Code:
iptables-save -c
 
@ColinTaylor, yes, turning off DoS protection does make the problems go away. And @dave14305, yes, the counter for dropped packets was high for that rate limit rule in the SECURITY chain. Is there some way I can retain some level of DoS protection while easing up on the rate limits a little? I tried the commands I mentioned in my initial post, but they didn't seem to help, so I must have done something wrong.
 
Show us the packet counters as Dave asked, after say one day. Then we can see which of the rules are being hit and in what quantity. Then we might be able to suggest some adjustments.
 
Try creating a firewall-start script as follows, which excludes the specified IP address from the DoS protection.

Code:
#!/bin/sh
iptables -I SECURITY -d 192.168.0.30 -j RETURN
 
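The single RETURN above takes 192.168.0.30 out of the DoS protection entirely. A middle ground, as an added example that is not from the thread or from the firmware, keeps a connection budget per forwarded service while still dropping floods. It also differs from the rules proposed in the first post in two ways: `--tcp-flags FIN,SYN,RST,ACK ALL` matches only packets with all four bits set, so it never matches a connection attempt (the chain's own rules use `FIN,SYN,RST,ACK/SYN`, which is what `--syn` means), and an over-budget packet has to be dropped in place rather than falling through to the global 1/sec rule, where it would simply consume the budget that every other SYN shares. Assumptions: the xt_hashlimit match is available on this firmware (check with `lsmod | grep hashlimit`; if it is not, `-m limit --limit 10/sec --limit-burst 20` works in its place but gives one shared budget per service instead of one per source address), the host/port pairs match your Port Forwarding entries, and the rates are starting points to tune against the counters from `iptables -nvL SECURITY`.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  (added example, not from the thread)
#
# Leave the SECURITY chain in place for everything else, but give each
# port-forwarded TCP service its own per-source connection budget so that
# legitimate SYNs to it are not thrown away by the global "1/sec burst 5" rule.
#
# Assumptions: xt_hashlimit is loadable on this firmware (lsmod | grep hashlimit),
# the host/port pairs below match the Port Forwarding page, and logdrop is the
# firmware's existing log-and-drop chain shown in the SECURITY listing.

IPT="${IPT:-iptables}"

# "dport:lan_ip" pairs for the forwarded TCP services in this thread. The
# SECURITY chain only limits TCP SYN, TCP RST and ICMP echo-request and its
# last rule RETURNs everything else, so UDP 51413 needs no entry here.
FORWARDS="443:192.168.0.30 51413:192.168.0.20"

# Budget per source address for new connections to each forwarded service.
# 10 SYN/s with a burst of 20 is plenty for a browser or Jellyfin client and
# is still far below what a SYN flood from one address looks like.
PER_SRC_RATE="10/sec"
PER_SRC_BURST="20"

# Print the rules, one per line, without applying them.
# The RETURN has to be tested before the logdrop, and both have to sit ahead
# of the chain's global SYN rule, so they are inserted at positions 1 and 2.
security_rules() {
    for entry in $FORWARDS; do
        dport="${entry%%:*}"
        dst="${entry#*:}"
        # --syn is shorthand for --tcp-flags FIN,SYN,RST,ACK SYN: connection
        # attempts only.
        match="-p tcp -d $dst --dport $dport --syn"
        limit="-m hashlimit --hashlimit-name dos_tcp$dport --hashlimit-mode srcip"
        limit="$limit --hashlimit-upto $PER_SRC_RATE --hashlimit-burst $PER_SRC_BURST"
        # Within budget for this source: leave the chain; the FORWARD chain's
        # port-forward rule accepts the packet afterwards.
        printf '%s\n' "-I SECURITY 1 $match $limit -j RETURN"
        # Over budget: log and drop here instead of falling through to the
        # global 1/sec rule and eating the budget every other SYN shares.
        printf '%s\n' "-I SECURITY 2 $match -j logdrop"
    done
}

# Apply the rules. Merlin runs firewall-start every time the firewall is
# rebuilt, so check with -C first and never stack duplicates.
apply_security_rules() {
    security_rules | while IFS= read -r rule; do
        spec="${rule#-I SECURITY [12] }"    # same rule, minus the insert position
        # $spec and $rule are unquoted on purpose: they must word-split into arguments.
        $IPT -C SECURITY $spec 2>/dev/null || $IPT $rule
    done
}

# Only apply when running as the router's firewall-start; under any other
# name this file just defines the functions (handy for reviewing the output).
case "${0##*/}" in
    firewall-start) apply_security_rules ;;
esac
```

Save it as /jffs/scripts/firewall-start, `chmod a+rx` it, run it once by hand as `sh /jffs/scripts/firewall-start`, then confirm with `iptables -nvL SECURITY` that the four new rules sit at the top of the chain and that the RETURN counters move while the per-service logdrop counters stay near zero during normal use. To review the rule text without touching the firewall, source the file under another name and call `security_rules`.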
