VSERVER DNAT bypassing ipset filters
WQ6N
If this has already been vetted, please point me in the correct direction. I am new to the AC5300 and ASUSWRT-Merlin.

I am using the GUI Port Forwarding to allow external access to internal DMZ servers. I have also set up iptables INPUT ipset filters to control ingress packets. However, it is apparent that the VSERVER DNAT chains are going direct without filtering on the iptables INPUT ipset filters.

In order for me to make use of the iptables INPUT ipset filters for all ingress packets, do I need to remove the GUI VSERVER rules and create FORWARD rules behind the INPUT ipset filters?

Thank you for the assistance.
 
The INPUT chain is for traffic that terminates at the router. The FORWARD chain is for traffic that terminates on a LAN client.
 
The INPUT chain is for traffic that terminates at the router. The FORWARD chain is for traffic that terminates on a LAN client.
Thank you for your quick response. I understand the FORWARD chain's relationship to ingress to the LAN.
As an example, # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere match-set BlockTheWorld src
...
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere match-set BlockTheWorld src
-------------------
There is no VSERVER chain
The FORWARD chain does not contain any relationship to VSERVER

# iptables -t nat -L -nv --line

Chain PREROUTING (policy ACCEPT 61386 packets, 5169K bytes)
num pkts bytes target prot opt in out source destination
1 5639 293K VSERVER all -- * * 0.0.0.0/0 xxx.xxx.xxx.xxx (WAN IP)
2 SpeedGuide rule
more stuff ....

Chain VSERVER (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8181 to:xxx.xxx.xxx.xxx(inner LAN interface):80
2 77 4588 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:xxxxxxxxx
3 188 10632 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:xxxxxxxxxx
....

So back to my original question: do I need to remove the existing GUI Virtual Server port forwards and hand-set the FORWARD rules, or is there a way to move the VSERVER DNAT in behind the ipset DROP filters of the FORWARD chain?

V/R
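The packet path behind the reply above is worth seeing as working rules. DNAT in the nat table's PREROUTING chain (the VSERVER chain hangs off it) rewrites the destination before the routing decision, so a packet forwarded to a LAN server never traverses filter INPUT at all; it traverses filter FORWARD. The GUI port forwards therefore do not need to be removed: a match-set DROP at position 1 of FORWARD, ahead of the ACCEPT rules the firmware generates for forwarded ports, filters the DNATed traffic. The script below is an added example in the shape of an Asuswrt-Merlin /jffs/scripts/firewall-start script; it is not code from the thread or from the firmware. It assumes the ipset is named BlockTheWorld, that the WAN interface comes from `nvram get wan0_ifname` (overridable with WAN_IF, falling back to eth0 off the router), and that setting DRY_RUN=1 prints the iptables/ipset commands instead of executing them; the set contents are constructed TEST-NET addresses.

```shell
#!/bin/sh
# Added example (not from the thread): firewall-start style script that applies an
# ipset block list in FORWARD as well as INPUT, so it also covers traffic that the
# GUI's VSERVER chain has DNATed to a LAN server.
# Assumptions: ipset name BlockTheWorld; WAN interface from nvram wan0_ifname, or
# $WAN_IF if set, else eth0; DRY_RUN=1 prints commands instead of running them.

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# WAN interface name: explicit override, nvram on the router, eth0 elsewhere (assumed).
wan_if() {
    if [ -n "$WAN_IF" ]; then
        echo "$WAN_IF"
    elif command -v nvram >/dev/null 2>&1; then
        nvram get wan0_ifname
    else
        echo eth0
    fi
}

# Create the set if missing and load constructed sample prefixes (TEST-NET ranges).
setup_ipset() {
    run ipset create BlockTheWorld hash:net -exist
    run ipset add BlockTheWorld 203.0.113.0/24 -exist
    run ipset add BlockTheWorld 198.51.100.7 -exist
}

# DNAT happens in nat/PREROUTING before the routing decision, so a forwarded packet
# never visits INPUT; it goes through FORWARD. Insert the DROP at position 1 of both
# chains so it precedes the ACCEPT rules generated for the port forwards.
# `-I` is not idempotent, so delete any earlier copy first (ignore "no such rule").
apply_rules() {
    wan=$(wan_if)
    for chain in INPUT FORWARD; do
        run iptables -D "$chain" -i "$wan" -m set --match-set BlockTheWorld src -j DROP 2>/dev/null || true
        run iptables -I "$chain" 1 -i "$wan" -m set --match-set BlockTheWorld src -j DROP
    done
}

# Only run the procedure when the firmware executes this file as firewall-start,
# so the functions can also be sourced or dry-run from another shell.
case "$0" in
    */firewall-start|firewall-start)
        setup_ipset
        apply_rules
        ;;
esac
```

Save it as /jffs/scripts/firewall-start, make it executable, and have JFFS custom scripts enabled; the firmware re-runs it whenever it rebuilds the firewall, which is why the delete-then-insert pattern matters. Afterwards, `iptables -L FORWARD -nv --line-numbers` should show the DROP as rule 1, and its packet counter should climb when a listed source hits a forwarded port. The counters in the nat VSERVER chain will still increase for those packets, since the DNAT is applied before the filter table sees them; that is expected and does not mean the filter was bypassed.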