
v4 Firmware iptables help


I have several LAN Turtles that I deploy to customer environments to perform vulnerability scans.

I mainly use AutoSSH for my phone-home and reverse SSH into the Turtle (failsafe), and OpenVPN for NAT into the client environment.

After I updated one of my LAN Turtles to the latest v4 firmware, it seems that my reverse NAT no longer works. I did some digging and found the v3 and v4 iptables are very different. The v4 is missing a statement regarding NAT. I dug and found that if I run "iptables -t nat -A POSTROUTING -j MASQUERADE" after the OpenVPN connects, then I can get into the client environment. I need to know how to make this setting persistent in the iptables config.

I am not a Linux guy, so please go easy on me if this is a super simple fix.


So after a bit more review, it seems I just have one Turtle that has a blank iptables config.

iptables -S from two units running v4 code gives different outputs.

Broken Turtle
root@turtle:~# iptables -S

Working Turtles
root@turtle:~# iptables -S
-N delegate_forward
-N delegate_input
-N delegate_output
-N forwarding_3gwan_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_vpn_rule
-N forwarding_wan_rule
-N input_3gwan_rule
-N input_lan_rule
-N input_rule
-N input_vpn_rule
-N input_wan_rule
-N output_3gwan_rule
-N output_lan_rule
-N output_rule
-N output_vpn_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_3gwan_dest_ACCEPT
-N zone_3gwan_dest_REJECT
-N zone_3gwan_forward
-N zone_3gwan_input
-N zone_3gwan_output
-N zone_3gwan_src_REJECT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_vpn_dest_ACCEPT
-N zone_vpn_forward
-N zone_vpn_input
-N zone_vpn_output
-N zone_vpn_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i eth0 -j zone_lan_forward
-A delegate_forward -i eth1 -j zone_wan_forward
-A delegate_forward -i tun0 -j zone_vpn_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i eth0 -j zone_lan_input
-A delegate_input -i eth1 -j zone_wan_input
-A delegate_input -i tun0 -j zone_vpn_input
-A delegate_input -j reject
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o eth0 -j zone_lan_output
-A delegate_output -o eth1 -j zone_wan_output
-A delegate_output -o tun0 -j zone_vpn_output
-A delegate_output -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_3gwan_forward -m comment --comment "user chain for forwarding" -j forwarding_3gwan_rule
-A zone_3gwan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_3gwan_forward -j zone_3gwan_dest_REJECT
-A zone_3gwan_input -m comment --comment "user chain for input" -j input_3gwan_rule
-A zone_3gwan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_3gwan_input -j zone_3gwan_src_REJECT
-A zone_3gwan_output -m comment --comment "user chain for output" -j output_3gwan_rule
-A zone_3gwan_output -j zone_3gwan_dest_ACCEPT
-A zone_lan_dest_ACCEPT -o eth0 -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -j ACCEPT
-A zone_vpn_forward -m comment --comment "user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_vpn_forward -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_vpn_input -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "user chain for output" -j output_vpn_rule
-A zone_vpn_output -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "@rule[7]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "forwarding wan -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1 -j reject

How do I copy this to the broken turtle? 



19 minutes ago, RHudack said:

So after a bit more review, it seems I just have one Turtle that has a blank iptables config.

Interesting issue. I would start here https://www.digitalocean.com/community/tutorials/how-to-migrate-iptables-firewall-rules-to-a-new-server to see if that's possible. If it's not, I would look to reset/reflash.


5 years later...

If anyone stumbles on this thread now, the fix to the OP's issue is in the firewall config file (/etc/config/firewall).

Within the "wan" zone, change:

option input REJECT

to:

option input ACCEPT

I believe the factory config is a security feature, not a bug. It makes sense to deny attempted connections on the target (ethernet) side.
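As an added example (not code from the thread or from Hak5), the shell script below rewrites one option inside one zone of an OpenWrt-style /etc/config/firewall without touching any other stanza: it applies the wan-zone change from the post above and also sets `option masq 1` on the wan zone, which on OpenWrt's fw3 firewall is the persistent form of the POSTROUTING MASQUERADE the OP added by hand. It assumes the LAN Turtle v4 firmware uses that UCI firewall format (suggested by the /etc/config/firewall path and the zone_* chains in the dump); the config text itself is a constructed sample, not the real device file.

```shell
#!/bin/sh
# Constructed sample of an OpenWrt-style /etc/config/firewall (not the real device file).
SAMPLE_FW='config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		lan
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
'
# set_zone_option ZONE OPTION VALUE  (config text on stdin, rewritten text on stdout)
# Rewrites OPTION only inside the "config zone" stanza whose "option name" is ZONE and
# appends it when that stanza lacks it; every other stanza is passed through unchanged.
set_zone_option() {
	awk -v zone="$1" -v opt="$2" -v val="$3" '
	function emit(   i, t, done) {                 # flush the buffered stanza
		if (n == 0) return
		target = (kind == "zone" && name == zone)
		t = n; while (t > 0 && buf[t] ~ /^[ \t]*$/) t--   # keep trailing blank lines last
		for (i = 1; i <= t; i++) {
			if (target && buf[i] ~ ("^[ \t]*option[ \t]+" opt "[ \t]")) {
				print "\toption " opt "\t\t" val; done = 1
			} else print buf[i]
		}
		if (target && !done) print "\toption " opt "\t\t" val
		for (i = t + 1; i <= n; i++) print buf[i]
		n = 0; kind = ""; name = ""
	}
	/^config /                       { emit(); kind = $2 }
	$1 == "option" && $2 == "name"   { name = $3; gsub(/[^A-Za-z0-9_]/, "", name) }
	{ buf[++n] = $0 }
	END { emit() }'
}
# The change from the post above (wan input REJECT -> ACCEPT) plus persistent masquerading
# on the wan zone, so the hand-typed "iptables -t nat ... MASQUERADE" is no longer needed.
fixed_config() {
	printf '%s' "$SAMPLE_FW" | set_zone_option wan input ACCEPT | set_zone_option wan masq 1
}
```

On the device the same edit is made to /etc/config/firewall itself (or with `uci set` / `uci commit firewall`) and loaded with `/etc/init.d/firewall restart`; `iptables -S` and `iptables -t nat -S` afterwards confirm the wan rules and the MASQUERADE are present.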
