iptable questions

Mikii

Regular Contributor
Hi. I am rather new to iptables.

I have set up the following rules for one of the open vpn interfaces, but I randomly end up with a "Connected (Local: nn.nn.nn.nn - Public: unknown)" interface message on that vpn, and I understand this is mostly due to some iptables conflicts.

Code:
iptables -I FORWARD -i br0 -o tun14 -j ACCEPT
iptables -I FORWARD -i tun14 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I INPUT -i tun14 -j REJECT
iptables -t nat -A POSTROUTING -o tun14 -j MASQUERADE

iptables -I FORWARD -i tun14 -p udp -d 192.168.1.100 --dport 16881 -j ACCEPT
iptables -I FORWARD -i tun14 -p tcp -d 192.168.1.100 --dport 16881 -j ACCEPT
iptables -t nat -I PREROUTING -i tun14 -p tcp --dport 16881 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p udp --dport 16881 -j DNAT --to-destination 192.168.1.100

iptables -I FORWARD -i tun14 -p udp -d 192.168.1.100 --dport 5672 -j ACCEPT
iptables -I FORWARD -i tun14 -p tcp -d 192.168.1.100 --dport 5672 -j ACCEPT
iptables -t nat -I PREROUTING -i tun14 -p tcp --dport 5672 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p udp --dport 5672 -j DNAT --to-destination 192.168.1.100

iptables -I FORWARD -i tun14 -p udp -d 192.168.1.100 --dport 5662 -j ACCEPT
iptables -I FORWARD -i tun14 -p tcp -d 192.168.1.100 --dport 5662 -j ACCEPT
iptables -t nat -I PREROUTING -i tun14 -p tcp --dport 5662 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p udp --dport 5662 -j DNAT --to-destination 192.168.1.100

iptables -I FORWARD -i tun14 -p udp -d 192.168.1.100 --dport 5665 -j ACCEPT
iptables -I FORWARD -i tun14 -p tcp -d 192.168.1.100 --dport 5665 -j ACCEPT
iptables -t nat -I PREROUTING -i tun14 -p tcp --dport 5665 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p udp --dport 5665 -j DNAT --to-destination 192.168.1.100

iptables -I FORWARD -i tun14 -p udp -d 192.168.1.100 --dport 6881 -j ACCEPT
iptables -I FORWARD -i tun14 -p tcp -d 192.168.1.100 --dport 6881 -j ACCEPT
iptables -t nat -I PREROUTING -i tun14 -p tcp --dport 6881 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p udp --dport 6881 -j DNAT --to-destination 192.168.1.100

So here are a few questions:

1. I currently set these rules on the "nat-start" file. Is this wrong (I read on the internet about using an "iptables-save and iptables-restore" method)?
2. I am also using "x3mRouting" at the same time, is this ok?
3. Can I use the above rules in conjunction with Merlin's "WAN - Virtual Server / Port Forwarding" or not?
- 3.1 With different ports on the same device (192.168.1.100)?
- 3.2 With different ports on other 192.168.1.nn devices?

I am pretty sure I am messing something up and I'd appreciate some suggestions!
You've got quite a bit going on here. Well, not really, it's just a bit too many lines for something simple.

First thing I would do to KISS it is use the range option for the ports to collapse several lines into a single line.
Using the ESTABLISHED command also helps in slimming things down.
One thing that sticks out is the REJECT on inbound traffic for Tun14 - this will drop all of your tunnel traffic / no connection.

Code:
iptables -I INPUT -i tun14 -j REJECT

Code:
iptables -I FORWARD -i br0 -o tun14 -j ACCEPT
iptables -I FORWARD -i tun14 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I FORWARD -i tun14 -p udp -d 192.168.1.100 --dport 16881 -j ACCEPT
iptables -I FORWARD -i tun14 -p tcp -d 192.168.1.100 --dport 16881 -j ACCEPT
iptables -I FORWARD -i tun14 -p udp -d 192.168.1.100 --dport 5672 -j ACCEPT
iptables -I FORWARD -i tun14 -p tcp -d 192.168.1.100 --dport 5672 -j ACCEPT
iptables -I FORWARD -i tun14 -p udp -d 192.168.1.100 --dport 5662 -j ACCEPT
iptables -I FORWARD -i tun14 -p tcp -d 192.168.1.100 --dport 5662 -j ACCEPT
iptables -I FORWARD -i tun14 -p udp -d 192.168.1.100 --dport 5665 -j ACCEPT
iptables -I FORWARD -i tun14 -p tcp -d 192.168.1.100 --dport 5665 -j ACCEPT
iptables -I FORWARD -i tun14 -p udp -d 192.168.1.100 --dport 6881 -j ACCEPT
iptables -I FORWARD -i tun14 -p tcp -d 192.168.1.100 --dport 6881 -j ACCEPT

Another thing that sticks out is do you need both TCP/UDP for these ports or is it primarily TCP or UDP?

This is what I do for FWD on my setup and it's a lot simpler.

Code:
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT

Using a similar setup for the NAT, since everything seems to be bound for the same IP, maybe just push the HOST / Tun14 binding instead of specifying ports. This would condense the rules needed for both NAT / FWD. Another thing that sticks out is the -A for the Tun14, which puts it at the bottom of the rules, vs -I, which puts it at the top.

Code:
iptables -t nat -A POSTROUTING -o tun14 -j MASQUERADE
iptables -t nat -I PREROUTING -i tun14 -p tcp --dport 16881 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p udp --dport 16881 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p tcp --dport 5672 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p udp --dport 5672 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p tcp --dport 5662 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p udp --dport 5662 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p tcp --dport 5665 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p udp --dport 5665 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p tcp --dport 6881 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun14 -p udp --dport 6881 -j DNAT --to-destination 192.168.1.100

Another option for the ports is making a container, putting all of the ports into it and then just referencing it instead.
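The consolidation the reply describes, written out as an added example (not either poster's script): the thread's per-port rules collapsed with `-m multiport` and a conntrack rule, using the thread's names (tun14, br0, vlan1, 192.168.1.100). Setting DRY_RUN=1 prints the commands instead of applying them, which is the assumption the helper functions are built on.

```shell
#!/bin/sh
# Added example: the thread's rule set condensed with multiport + conntrack.
# Assumes tunnel tun14, LAN bridge br0, WAN vlan1 and host 192.168.1.100
# as in the thread. DRY_RUN=1 prints the iptables commands instead of running them.

TUN=tun14
LAN=br0
WAN=vlan1
HOST=192.168.1.100
# multiport takes up to 15 comma-separated ports or ranges (e.g. 5662:5665).
PORTS="5662,5665,5672,6881,16881"

ipt() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

apply_rules() {
  # -I inserts at the top, so the rule inserted LAST is matched FIRST.
  # Replies to tracked connections need no per-port rule at all.
  ipt -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # LAN -> tunnel, plus the kill switch keeping LAN traffic off the WAN.
  ipt -I FORWARD -i "$LAN" -o "$TUN" -j ACCEPT
  ipt -I FORWARD -i "$LAN" -o "$WAN" -j DROP
  # One FORWARD rule per protocol replaces ten per-port rules.
  ipt -I FORWARD -i "$TUN" -p tcp -d "$HOST" -m multiport --dports "$PORTS" -j ACCEPT
  ipt -I FORWARD -i "$TUN" -p udp -d "$HOST" -m multiport --dports "$PORTS" -j ACCEPT
  # Router itself: reject new inbound from the tunnel, but insert the
  # ESTABLISHED accept afterwards so it lands above the REJECT.
  ipt -I INPUT -i "$TUN" -j REJECT
  ipt -I INPUT -i "$TUN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # NAT: one DNAT per protocol; --to-destination without a port keeps the port.
  ipt -t nat -I PREROUTING -i "$TUN" -p tcp -m multiport --dports "$PORTS" -j DNAT --to-destination "$HOST"
  ipt -t nat -I PREROUTING -i "$TUN" -p udp -m multiport --dports "$PORTS" -j DNAT --to-destination "$HOST"
  ipt -t nat -A POSTROUTING -o "$TUN" -j MASQUERADE
}

# Number of rules a run emits, taken from a dry run (for a quick sanity check).
rule_count() { (DRY_RUN=1; apply_rules) | wc -l | tr -d ' '; }

if [ "${DRY_RUN:-0}" = "1" ]; then apply_rules; fi
```

Ten rules replace the twenty-six in the thread; run it with DRY_RUN=1 first and compare the printed lines against the original set before putting it in nat-start.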