adri
New Around Here
Hi, I'm hoping someone can help me with a firewall issue I'm having on my RT-AX86U (Merlin 3004.388.8_2). I am port forwarding http/s (80/443) and bittorrent (port 51413). When I enable the main router firewall, http/s doesn't work so well - I can access it from outside my network, but it usually takes several attempts to establish a connection when connecting from an app that uses https (e.g. Jellyfin client app). Further, I can see in the logs that the router is sometimes dropping connections to the ports I am supposed to be forwarding. I could run without the firewall, but I've read that doing so is a Very Bad Idea. If I look at my iptables rules with or without the firewall enabled, I don't see the port forwarding happening anywhere, so I can only assume that 1. port forwarding is handled via another mechanism and 2. perhaps it is the DoS rate limiters the firewall adds to iptables that are causing the router to drop legitimate connections. So if that is true, I'm thinking maybe I can add some commands to /jffs/scripts/firewall-start to adjust the rate limits a little, at least for the ports I have open. My question is, what would those commands be? I have a very limited knowledge of iptables and I don't want to disable rate limiting altogether. (Also perhaps of note, enabling/disabling AiProtection has no effect. I was at one point also using Skynet, but found that it was mysteriously blocking some services also, but that's an issue for another post. And yes, my webserver has anti-intrusion protections on it.)
Sample log entries showing dropped connections:
Code:
Nov 24 13:02:19 kernel: DROP IN=eth0 OUT= MAC=xxxxx SRC=<some outside IP> DST=<my wan IP> LEN=132 TOS=0x00 PREC=0x00 TTL=118 ID=34191 PROTO=UDP SPT=19144 DPT=51413 LEN=112 MARK=0x8000000
Nov 24 13:02:19 kernel: DROP IN=eth0 OUT=br0 MAC=xxxxx SRC=<some outside IP> DST=192.168.0.30 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=46352 DF PROTO=TCP SPT=1984 DPT=443 SEQ=1696130860 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405A00103030801010402) MARK=0x8000000
Nov 24 13:02:19 kernel: DROP IN=eth0 OUT=br0 MAC=xxxxx SRC=<some outside IP> DST=192.168.0.20 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=36532 DF PROTO=TCP SPT=35241 DPT=51413 SEQ=4086927719 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402) MARK=0x8000000
The part of iptables that I think is the culprit:
Code:
Chain SECURITY (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
logdrop icmp -- anywhere anywhere icmp echo-request
RETURN all -- anywhere anywhere
(full iptables -L output attached)
Would the following in firewall-start accomplish what I'm trying to do?
Code:
# Match SYN packets the same way the chain's own rule does (mask FIN,SYN,RST,ACK, compare SYN); "ALL" as the compare set would require FIN+SYN+RST+ACK all set and never match a normal SYN
/usr/sbin/iptables -I SECURITY 1 -p tcp --destination-port 51413 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 5/s --limit-burst 10 -j RETURN
# The SECURITY chain listed above has no UDP rule at all, so this line changes nothing in that chain
/usr/sbin/iptables -I SECURITY 1 -p udp --destination-port 51413 -m limit --limit 5/s --limit-burst 10 -j RETURN
/usr/sbin/iptables -I SECURITY 1 -p tcp --destination-port 443 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 5/s --limit-burst 10 -j RETURN
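As an added diagnostic (example code, not part of the original post): a short Python script that parses kernel DROP lines like the ones above and reports, per protocol and destination port, whether each drop could have come from the SECURITY chain listed in the post, which only logdrops TCP SYN, TCP RST and ICMP echo-request. The sample lines are constructed from the excerpt (RFC 5737 placeholder addresses, plus one extra pure-ACK line to show a drop that the SECURITY chain cannot explain).

```python
import re
from collections import Counter

# Constructed sample lines modelled on the post's excerpt; addresses are RFC 5737 placeholders.
SAMPLE_LOG = """\
Nov 24 13:02:19 kernel: DROP IN=eth0 OUT= MAC=xxxxx SRC=203.0.113.5 DST=198.51.100.7 LEN=132 TOS=0x00 PREC=0x00 TTL=118 ID=34191 PROTO=UDP SPT=19144 DPT=51413 LEN=112 MARK=0x8000000
Nov 24 13:02:19 kernel: DROP IN=eth0 OUT=br0 MAC=xxxxx SRC=203.0.113.9 DST=192.168.0.30 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=46352 DF PROTO=TCP SPT=1984 DPT=443 SEQ=1696130860 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405A00103030801010402) MARK=0x8000000
Nov 24 13:02:19 kernel: DROP IN=eth0 OUT=br0 MAC=xxxxx SRC=203.0.113.12 DST=192.168.0.20 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=36532 DF PROTO=TCP SPT=35241 DPT=51413 SEQ=4086927719 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402) MARK=0x8000000
Nov 24 13:02:20 kernel: DROP IN=eth0 OUT=br0 MAC=xxxxx SRC=203.0.113.9 DST=192.168.0.30 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=46353 DF PROTO=TCP SPT=1984 DPT=443 SEQ=1696130861 ACK=1 WINDOW=64240 RES=0x00 ACK URGP=0 MARK=0x8000000
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}

def parse_drop(line):
    """Parse one netfilter DROP line into KEY=VALUE fields plus the bare TCP flag tokens (later LEN= wins)."""
    if " DROP " not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields

def security_chain_candidate(f):
    """True when the SECURITY chain from the post could have logdropped this packet: it only drops
    TCP FIN,SYN,RST,ACK/SYN, TCP FIN,SYN,RST,ACK/RST and ICMP echo-request; anything else came from elsewhere."""
    proto = f.get("PROTO")
    if proto == "TCP":
        masked = f["FLAGS"] & {"FIN", "SYN", "RST", "ACK"}
        return masked in ({"SYN"}, {"RST"})
    if proto == "ICMP":
        return f.get("TYPE") == "8"
    return False

def summarize(log_text):
    """Count drops per (proto, dport, forwarded, limiter_candidate).
    forwarded is True when OUT= names a LAN interface, i.e. the packet was being port-forwarded."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f:
            key = (f.get("PROTO"), f.get("DPT"), bool(f.get("OUT")), security_chain_candidate(f))
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (proto, dport, fwd, cand), n in sorted(summarize(SAMPLE_LOG).items()):
        where = "forwarded" if fwd else "to router"
        verdict = "SECURITY limiter possible" if cand else "NOT from SECURITY chain"
        print(f"{proto:4} dpt={dport:<6} {where:10} {verdict}: {n}")
```

Feed it the real syslog instead of SAMPLE_LOG: any drop that shows up as "NOT from SECURITY chain" (the UDP line, for instance) is not a rate-limiter problem and needs a different explanation.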