
iptables/OpenVPN not applying rule

Thread starter: Deleted member 19827 (Guest)
Hi there

I would like to forward port 53 to 1194 (UDP/OpenVPN) with iptables. I applied these same steps in an earlier version of Asuswrt-Merlin and it worked without any problems. After upgrading to a recent version it stopped working. The iptables rule doesn't seem to be applied.

____________________________________

My configuration:
Device: Asus RT-AC66U
Firmware: 376.45 (Asuswrt-Merlin)
OpenVPN: Listening on port 1194 UDP, works
____________________________________

Autostart script install steps:

cd /jffs/scripts/
vi firewall-start

<INSERTED>
#!/bin/sh
iptables -t nat -A PREROUTING -p udp -d $(nvram get wan0_ipaddr) -i $(nvram get wan0_ifname) --dport 53 -j REDIRECT --to-port 1194
</INSERTED>

Note: $(nvram get wan0_ifname) = eth0

chmod a+rx /jffs/scripts/*

. firewall-start

Running the script, or the command manually, does not return any error message.
____________________________________

iptables config after running the command:

admin@RT-AC66U:/tmp/home/root# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:1194
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain FUPNP (0 references)
target prot opt source destination

Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all -- anywhere anywhere

____________________________________

Any help is highly appreciated.

Best regards
DR_HAMMER
 
Rules aimed at the NAT chain should go in nat-start rather than firewall-start.
 
And to list the nat rules, you have to specify that in iptables list command

iptables -t nat -L
 
Thanks for the quick answers.

I renamed my script to "nat-start" as proposed. But after executing the command/script my rule still doesn't seem to be applied?

admin@RT-AC66U:/jffs/scripts# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:1194
VSERVER all -- anywhere xyz.com
REDIRECT udp -- anywhere xyz.com udp dpt:domain redir ports 1194
REDIRECT udp -- anywhere xyz.com udp dpt:domain redir ports 1194

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- !xyz.com anywhere
MASQUERADE all -- anywhere anywhere MARK match 0xd001

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DNSFILTER (0 references)
target prot opt source destination

Chain LOCALSRV (0 references)
target prot opt source destination

Chain VSERVER (1 references)
target prot opt source destination
VUPNP all -- anywhere anywhere

Chain VUPNP (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:28940 to:192.168.255.4:32400

I upgraded to Merlin version 376.47 in the meantime.

Any suggestions? Have there been any changes in iptables recently?
 
Please try this just to double check where we are at.....

reboot the router
enter the iptables routing command via command line
enter 'iptables -t nat -S'

The last command will print the rules in the same format as they are entered, and it is sometimes easier to see what is going on.
 
#!/bin/sh
iptables -t nat -A PREROUTING -p udp -d $(nvram get wan0_ipaddr) -i $(nvram get wan0_ifname) --dport 53 -j REDIRECT --to-port 1194

admin@RT-AC66U:/jffs/scripts# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:1194
VSERVER all -- anywhere xyz.com
REDIRECT udp -- anywhere xyz.com udp dpt:domain redir ports 1194
REDIRECT udp -- anywhere xyz.com udp dpt:domain redir ports 1194

Your rule has been appended twice in the above PREROUTING table, so the script nat-start is working.

You might want to use the following command to view the nat table so that it does not try to resolve IP addresses.

iptables -L -n -t nat

 
admin@RT-AC66U:/tmp/home/root# iptables -t nat -S
iptables v1.3.8: Unknown arg `-S'
Try `iptables -h' or 'iptables --help' for more information.

____________________________________

admin@RT-AC66U:/tmp/home/root# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
VSERVER all -- 0.0.0.0/0 w.x.y.z
REDIRECT udp -- 0.0.0.0/0 w.x.y.z udp dpt:53 redir ports 1194

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- !w.x.y.z 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0xd001

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DNSFILTER (0 references)
target prot opt source destination

Chain LOCALSRV (0 references)
target prot opt source destination

Chain VSERVER (1 references)
target prot opt source destination
VUPNP all -- 0.0.0.0/0 0.0.0.0/0

Chain VUPNP (1 references)
target prot opt source destination
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:21021 to:w.x.y.z:21021
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21021 to:w.x.y.z:21021
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6881 to:w.x.y.z:6881
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:6881 to:w.x.y.z:6881

____________________________________

The first command couldn't be recognized, but the second one worked. Thanks a lot, it helped me with further investigation.
After upgrading to version 376.47 and a configuration reset it works now.

Thanks a lot for all the help! :)
 
admin@RT-AC66U:/tmp/home/root# iptables -t nat -S
iptables v1.3.8: Unknown arg `-S'
Try `iptables -h' or 'iptables --help' for more information.
...
The first command couldn't be recognized

Sorry about that....iptables is one of the components where there are different releases on the various router models (as I've discovered recently). -S is only supported on the AC56/AC68, so nothing wrong with your setup in case you were wondering.
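An added example, not the thread's own script and not part of Asuswrt-Merlin, that ties the two findings above together: the rule belongs in nat-start, and re-running or sourcing the script appends the same REDIRECT rule again (the duplicated lines in the listing), while the iptables 1.3.8 build on the RT-AC66U has no -S. The script checks the output of iptables -L -n -t nat before appending; the ports and the nvram names wan0_ipaddr/wan0_ifname come from the thread, the sample listing is constructed, and the use of logger is an assumption.

```shell
#!/bin/sh
# Added example (not the thread's script): an idempotent /jffs/scripts/nat-start
# for Asuswrt-Merlin that redirects UDP/53 arriving on the WAN to OpenVPN on 1194.
# Re-running nat-start appends the same PREROUTING rule again, so this version
# counts matching rules first. It parses `iptables -L -n -t nat` because `-S`
# (and `-C`) are not available in the iptables 1.3.8 shipped on the RT-AC66U.
# Ports and nvram names are from the thread; everything else is an assumption.

DNS_PORT=53
OVPN_PORT=1194

# Count REDIRECT rules in a nat listing ($1 = output of `iptables -L -n -t nat`)
# that send UDP dport $2 to local port $3. Numeric (-n) output is required so
# the port shows as "dpt:53" rather than the resolved name "dpt:domain".
rule_count() {
    printf '%s\n' "$1" | grep -Ec "^REDIRECT +udp +.*udp dpt:$2 redir ports $3( |$)" || true
}

# Append the redirect only if no equivalent rule is already present.
# $1 = WAN address, $2 = WAN interface. Matching on -d/-i keeps the redirect
# off the LAN side, so internal DNS clients are not sent to the VPN port.
ensure_redirect() {
    current="$(rule_count "$(iptables -L -n -t nat)" "$DNS_PORT" "$OVPN_PORT")"
    if [ "$current" -gt 0 ]; then
        logger -t nat-start "udp/$DNS_PORT -> $OVPN_PORT redirect already present ($current), not adding"
        return 0
    fi
    iptables -t nat -A PREROUTING -p udp -d "$1" -i "$2" --dport "$DNS_PORT" \
        -j REDIRECT --to-port "$OVPN_PORT" \
        && logger -t nat-start "added udp/$DNS_PORT -> $OVPN_PORT redirect on $2"
}

# Constructed sample listing in the shape the thread shows (iptables -L -n -t nat),
# with the rule appended twice; lets rule_count be exercised off the router.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194
VSERVER    all  --  0.0.0.0/0            w.x.y.z
REDIRECT   udp  --  0.0.0.0/0            w.x.y.z              udp dpt:53 redir ports 1194
REDIRECT   udp  --  0.0.0.0/0            w.x.y.z              udp dpt:53 redir ports 1194'

# Only touch iptables when running on the router (nvram exists there).
if command -v nvram >/dev/null 2>&1; then
    ensure_redirect "$(nvram get wan0_ipaddr)" "$(nvram get wan0_ifname)"
fi
```

The INPUT chain still has to accept UDP/1194 (the thread's listing shows that rule), since REDIRECT only rewrites the destination port before the packet reaches the filter table.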
 