RHudack

Members
Posts: 3

  1. It appears it was all USER ERROR! A capital C in the word config inside the /etc/config/firewall file was the culprit. fw3 print showed the line with the error. Sorry for the post; it can likely be deleted now.
  2. So after a bit more review it seems I just have one Turtle that has a blank iptables config. iptables -S from 2 units running v4 code gives different outputs.

     Broken Turtle:

     root@turtle:~# iptables -S
     -P INPUT ACCEPT
     -P FORWARD ACCEPT
     -P OUTPUT ACCEPT

     Working Turtles:

     root@turtle:~# iptables -S
     -P INPUT DROP
     -P FORWARD DROP
     -P OUTPUT DROP
     -N delegate_forward
     -N delegate_input
     -N delegate_output
     -N forwarding_3gwan_rule
     -N forwarding_lan_rule
     -N forwarding_rule
     -N forwarding_vpn_rule
     -N forwarding_wan_rule
     -N input_3gwan_rule
     -N input_lan_rule
     -N input_rule
     -N input_vpn_rule
     -N input_wan_rule
     -N output_3gwan_rule
     -N output_lan_rule
     -N output_rule
     -N output_vpn_rule
     -N output_wan_rule
     -N reject
     -N syn_flood
     -N zone_3gwan_dest_ACCEPT
     -N zone_3gwan_dest_REJECT
     -N zone_3gwan_forward
     -N zone_3gwan_input
     -N zone_3gwan_output
     -N zone_3gwan_src_REJECT
     -N zone_lan_dest_ACCEPT
     -N zone_lan_forward
     -N zone_lan_input
     -N zone_lan_output
     -N zone_lan_src_ACCEPT
     -N zone_vpn_dest_ACCEPT
     -N zone_vpn_forward
     -N zone_vpn_input
     -N zone_vpn_output
     -N zone_vpn_src_ACCEPT
     -N zone_wan_dest_ACCEPT
     -N zone_wan_forward
     -N zone_wan_input
     -N zone_wan_output
     -N zone_wan_src_REJECT
     -A INPUT -j delegate_input
     -A FORWARD -j delegate_forward
     -A OUTPUT -j delegate_output
     -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
     -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A delegate_forward -i eth0 -j zone_lan_forward
     -A delegate_forward -i eth1 -j zone_wan_forward
     -A delegate_forward -i tun0 -j zone_vpn_forward
     -A delegate_forward -j reject
     -A delegate_input -i lo -j ACCEPT
     -A delegate_input -m comment --comment "user chain for input" -j input_rule
     -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
     -A delegate_input -i eth0 -j zone_lan_input
     -A delegate_input -i eth1 -j zone_wan_input
     -A delegate_input -i tun0 -j zone_vpn_input
     -A delegate_input -j reject
     -A delegate_output -o lo -j ACCEPT
     -A delegate_output -m comment --comment "user chain for output" -j output_rule
     -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     -A delegate_output -o eth0 -j zone_lan_output
     -A delegate_output -o eth1 -j zone_wan_output
     -A delegate_output -o tun0 -j zone_vpn_output
     -A delegate_output -j reject
     -A reject -p tcp -j REJECT --reject-with tcp-reset
     -A reject -j REJECT --reject-with icmp-port-unreachable
     -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
     -A syn_flood -j DROP
     -A zone_3gwan_forward -m comment --comment "user chain for forwarding" -j forwarding_3gwan_rule
     -A zone_3gwan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
     -A zone_3gwan_forward -j zone_3gwan_dest_REJECT
     -A zone_3gwan_input -m comment --comment "user chain for input" -j input_3gwan_rule
     -A zone_3gwan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
     -A zone_3gwan_input -j zone_3gwan_src_REJECT
     -A zone_3gwan_output -m comment --comment "user chain for output" -j output_3gwan_rule
     -A zone_3gwan_output -j zone_3gwan_dest_ACCEPT
     -A zone_lan_dest_ACCEPT -o eth0 -j ACCEPT
     -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
     -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
     -A zone_lan_forward -m comment --comment "forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
     -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
     -A zone_lan_forward -j zone_lan_dest_ACCEPT
     -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
     -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
     -A zone_lan_input -j zone_lan_src_ACCEPT
     -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
     -A zone_lan_output -j zone_lan_dest_ACCEPT
     -A zone_lan_src_ACCEPT -i eth0 -j ACCEPT
     -A zone_vpn_dest_ACCEPT -o tun0 -j ACCEPT
     -A zone_vpn_forward -m comment --comment "user chain for forwarding" -j forwarding_vpn_rule
     -A zone_vpn_forward -m comment --comment "forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
     -A zone_vpn_forward -m comment --comment "forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
     -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
     -A zone_vpn_forward -j zone_vpn_dest_ACCEPT
     -A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
     -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
     -A zone_vpn_input -j zone_vpn_src_ACCEPT
     -A zone_vpn_output -m comment --comment "user chain for output" -j output_vpn_rule
     -A zone_vpn_output -j zone_vpn_dest_ACCEPT
     -A zone_vpn_src_ACCEPT -i tun0 -j ACCEPT
     -A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
     -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
     -A zone_wan_forward -p esp -m comment --comment "@rule[7]" -j zone_lan_dest_ACCEPT
     -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
     -A zone_wan_forward -m comment --comment "forwarding wan -> vpn" -j zone_vpn_dest_ACCEPT
     -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
     -A zone_wan_forward -j zone_wan_dest_ACCEPT
     -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
     -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
     -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
     -A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
     -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
     -A zone_wan_input -j zone_wan_src_REJECT
     -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
     -A zone_wan_output -j zone_wan_dest_ACCEPT
     -A zone_wan_src_REJECT -i eth1 -j reject

     How do I copy this to the broken Turtle?
  3. I have several LAN Turtles that I deploy to customer environments to perform vulnerability scans. I mainly use AutoSSH for my phone home and reverse SSH into the Turtle (failsafe), and OpenVPN for NAT into the client environment. After I updated one of my LAN Turtles to the latest v4 firmware, it seems that my reverse NAT no longer works. I did some digging and found the v3 and v4 iptables are very different; the v4 is missing a statement regarding NAT. I dug and found that if I run "iptables -t nat -A POSTROUTING -j MASQUERADE" after the OpenVPN connects then I can get into the client environment. I need to know how to make this setting persistent in the iptables config. I am not a Linux guy, so please go easy on me if this is a super simple fix.
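The three posts above describe one problem end to end: the v4 firmware builds its iptables rules with OpenWrt's fw3 from /etc/config/firewall, the manual MASQUERADE rule is lost on reboot because it never went into that file, and a later edit broke the whole firewall (empty ruleset, ACCEPT policies) because a UCI keyword was capitalised. The script below is an added example, not code from the posts or from Hak5: it constructs a sample fw3 firewall config in which masquerading is turned on per zone with option masq '1' (the persistent equivalent of the one-off iptables -t nat ... -j MASQUERADE), lists which zones would NAT, and lints the file for exactly the class of error from post 1. The zone names lan/wan/vpn, the interfaces eth0/eth1/tun0 and the choice to masquerade on lan and wan (the interfaces the VPN traffic leaves through) are assumptions drawn from the working Turtle's ruleset, not something the posts state; adjust them to your own /etc/config/firewall.

```sh
#!/bin/sh
# Added example (not from the original posts). Assumes OpenWrt/fw3 UCI syntax as
# used on the LAN Turtle; zone names, interfaces and masq placement are assumptions.

# Constructed sample /etc/config/firewall: masq '1' on the lan and wan zones makes
# fw3 emit MASQUERADE for traffic leaving eth0/eth1, so no manual nat rule is needed.
good_config() {
cat <<'EOF'
config defaults
    option input 'DROP'
    option output 'DROP'
    option forward 'DROP'
    option syn_flood '1'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'vpn'
    option device 'tun0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config forwarding
    option src 'vpn'
    option dest 'lan'

config forwarding
    option src 'vpn'
    option dest 'wan'
EOF
}

# The same file with the mistake from the thread: a capital C on one section line.
bad_config() {
    good_config | awk '!done && /^config zone$/ { sub(/^config/, "Config"); done = 1 } { print }'
}

# Lint a UCI file from stdin. Every non-blank, non-comment line must start with the
# case-sensitive keyword config, option or list, and option/list lines must follow a
# config line. Prints each offending line with its number; returns 1 if any was found.
lint_uci() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            kw = $1
            if (kw == "config") { insection = 1; next }
            if ((kw == "option" || kw == "list") && insection) { next }
            if (kw == "option" || kw == "list")
                printf "line %d: %s outside any config section\n", NR, kw
            else if (tolower(kw) == "config" || tolower(kw) == "option" || tolower(kw) == "list")
                printf "line %d: keyword \"%s\" must be lowercase (UCI keywords are case-sensitive)\n", NR, kw
            else
                printf "line %d: unknown keyword \"%s\"\n", NR, kw
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Print the name of every zone with masq enabled, one per line, so you can confirm
# NAT lands on the intended interfaces before reloading the firewall.
zones_with_masq() {
    awk '
        function flush() { if (inzone && masq) print name; inzone = 0; name = ""; masq = 0 }
        /^config[[:space:]]+zone/ { flush(); inzone = 1; next }
        /^config/ { flush(); next }
        inzone && $1 == "option" && $2 == "name" { name = $3; gsub(/[^a-z0-9_]/, "", name) }
        inzone && $1 == "option" && $2 == "masq" && $3 ~ /1/ { masq = 1 }
        END { flush() }
    '
}

# Stand-alone run: lint both samples and show which zones masquerade.
good_config | lint_uci && echo "sample config: OK"
bad_config | lint_uci || echo "broken sample rejected as expected"
echo "zones that masquerade:"; good_config | zones_with_masq
```

On the device, run lint_uci against the real file (lint_uci < /etc/config/firewall) before applying it, then use fw3 print, as post 1 did, to see the rules fw3 would generate from it; a MASQUERADE target should appear in the nat-table chains for each zone with masq '1', and if fw3 print reports a parse error the ruleset falls back to the empty ACCEPT-everything state seen on the broken Turtle in post 2. The first line of defence is the linter, the second is fw3 print, and only then /etc/init.d/firewall reload.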