v4 Firmware iptables help

[RHudack]

I have several LAN Turtles that I deploy to customer environments to perform vulnerability scans.

I mainly use AutoSSH for my phone home and reverse SSH into the Turtle (failsafe); and OpenVPN for NAT into the client environment. 

After I update one of my lanturtles to the lastest v4 firmware, it seems that my reverse NAT no longer works. I did some digging and found the v3 and v4 iptables are very different. the v4 is missing a statement regarding NAT. I dug and found that if I run "iptables -t nat -A POSTROUTING -j MASQUERADE"  after the OpenVPN connects then I can get into the client environment.  I need to know how to make this setting persistent in the IPTables config.

I am not a linux guy so please go easy on me if this is super simple fix. 

[RHudack]

So after a bit more review it seems I just have one turtle that has a blank iptables config

iptables -S from 2 units running v4 code have different outputs. 

Broken Turtle
root@turtle:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Working Turtles
root@turtle:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N delegate_forward
-N delegate_input
-N delegate_output
-N forwarding_3gwan_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_vpn_rule
-N forwarding_wan_rule
-N input_3gwan_rule
-N input_lan_rule
-N input_rule
-N input_vpn_rule
-N input_wan_rule
-N output_3gwan_rule
-N output_lan_rule
-N output_rule
-N output_vpn_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_3gwan_dest_ACCEPT
-N zone_3gwan_dest_REJECT
-N zone_3gwan_forward
-N zone_3gwan_input
-N zone_3gwan_output
-N zone_3gwan_src_REJECT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_vpn_dest_ACCEPT
-N zone_vpn_forward
-N zone_vpn_input
-N zone_vpn_output
-N zone_vpn_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i eth0 -j zone_lan_forward
-A delegate_forward -i eth1 -j zone_wan_forward
-A delegate_forward -i tun0 -j zone_vpn_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i eth0 -j zone_lan_input
-A delegate_input -i eth1 -j zone_wan_input
-A delegate_input -i tun0 -j zone_vpn_input
-A delegate_input -j reject
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o eth0 -j zone_lan_output
-A delegate_output -o eth1 -j zone_wan_output
-A delegate_output -o tun0 -j zone_vpn_output
-A delegate_output -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_3gwan_forward -m comment --comment "user chain for forwarding" -j forwarding_3gwan_rule
-A zone_3gwan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_3gwan_forward -j zone_3gwan_dest_REJECT
-A zone_3gwan_input -m comment --comment "user chain for input" -j input_3gwan_rule
-A zone_3gwan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_3gwan_input -j zone_3gwan_src_REJECT
-A zone_3gwan_output -m comment --comment "user chain for output" -j output_3gwan_rule
-A zone_3gwan_output -j zone_3gwan_dest_ACCEPT
-A zone_lan_dest_ACCEPT -o eth0 -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -j ACCEPT
-A zone_vpn_forward -m comment --comment "user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_vpn_forward -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_vpn_input -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "user chain for output" -j output_vpn_rule
-A zone_vpn_output -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "@rule[7]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "forwarding wan -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1 -j reject

How do I copy this to the broken turtle? 

 

[Just_a_User]

19 minutes ago, RHudack said:

So after a bit more review it seems I just have one turtle that has a blank iptables config

Interesting issue, I would start here https://www.digitalocean.com/community/tutorials/how-to-migrate-iptables-firewall-rules-to-a-new-server  to see if thats possible. If its not i would look to reset/reflash.

[RHudack]

It appears it was all USER ERROR!  a capitol C in the word config inside the /etc/config/firewall file was the culprit.

fw3 print showed the line with the error. Sorry for the post, likely can be deleted now.  

[clewsy]

If anyone stumbles on this thread now, the fix to OP is within the firewall config file (/etc/config/firewall).

Within the "wan" zone, change:

option input REJECT

to:

option input ACCEPT

I believe the factory config is a security feature, not a bug.  Makes sense to deny attempted connections on the target (ethernet) side.