RHudack Posted March 9, 2018
I have several LAN Turtles that I deploy to customer environments to perform vulnerability scans. I mainly use AutoSSH for my phone home and reverse SSH into the Turtle (failsafe), and OpenVPN for NAT into the client environment. After I updated one of my LAN Turtles to the latest v4 firmware, it seems that my reverse NAT no longer works. I did some digging and found the v3 and v4 iptables are very different; the v4 is missing a statement regarding NAT. I dug and found that if I run "iptables -t nat -A POSTROUTING -j MASQUERADE" after the OpenVPN connects, then I can get into the client environment. I need to know how to make this setting persistent in the iptables config. I am not a Linux guy, so please go easy on me if this is a super simple fix.
RHudack (Author) Posted March 9, 2018
So after a bit more review, it seems I just have one turtle that has a blank iptables config. iptables -S from 2 units running v4 code have different outputs.

Broken Turtle

root@turtle:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Working Turtles

root@turtle:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N delegate_forward
-N delegate_input
-N delegate_output
-N forwarding_3gwan_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_vpn_rule
-N forwarding_wan_rule
-N input_3gwan_rule
-N input_lan_rule
-N input_rule
-N input_vpn_rule
-N input_wan_rule
-N output_3gwan_rule
-N output_lan_rule
-N output_rule
-N output_vpn_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_3gwan_dest_ACCEPT
-N zone_3gwan_dest_REJECT
-N zone_3gwan_forward
-N zone_3gwan_input
-N zone_3gwan_output
-N zone_3gwan_src_REJECT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_vpn_dest_ACCEPT
-N zone_vpn_forward
-N zone_vpn_input
-N zone_vpn_output
-N zone_vpn_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i eth0 -j zone_lan_forward
-A delegate_forward -i eth1 -j zone_wan_forward
-A delegate_forward -i tun0 -j zone_vpn_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i eth0 -j zone_lan_input
-A delegate_input -i eth1 -j zone_wan_input
-A delegate_input -i tun0 -j zone_vpn_input
-A delegate_input -j reject
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o eth0 -j zone_lan_output
-A delegate_output -o eth1 -j zone_wan_output
-A delegate_output -o tun0 -j zone_vpn_output
-A delegate_output -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_3gwan_forward -m comment --comment "user chain for forwarding" -j forwarding_3gwan_rule
-A zone_3gwan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_3gwan_forward -j zone_3gwan_dest_REJECT
-A zone_3gwan_input -m comment --comment "user chain for input" -j input_3gwan_rule
-A zone_3gwan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_3gwan_input -j zone_3gwan_src_REJECT
-A zone_3gwan_output -m comment --comment "user chain for output" -j output_3gwan_rule
-A zone_3gwan_output -j zone_3gwan_dest_ACCEPT
-A zone_lan_dest_ACCEPT -o eth0 -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -j ACCEPT
-A zone_vpn_forward -m comment --comment "user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_vpn_forward -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_vpn_input -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "user chain for output" -j output_vpn_rule
-A zone_vpn_output -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "@rule[7]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "forwarding wan -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1 -j reject

How do I copy this to the broken turtle?
Just_a_User Posted March 9, 2018
19 minutes ago, RHudack said: "So after a bit more review it seems I just have one turtle that has a blank iptables config"
Interesting issue. I would start here https://www.digitalocean.com/community/tutorials/how-to-migrate-iptables-firewall-rules-to-a-new-server to see if that's possible. If it's not, I would look to reset/reflash.
RHudack (Author) Posted March 9, 2018
It appears it was all USER ERROR! A capital C in the word config inside the /etc/config/firewall file was the culprit. fw3 print showed the line with the error. Sorry for the post; it can likely be deleted now.
clewsy Posted August 21, 2023
If anyone stumbles on this thread now, the fix to OP is within the firewall config file (/etc/config/firewall). Within the "wan" zone, change:

option input REJECT

to:

option input ACCEPT

I believe the factory config is a security feature, not a bug. Makes sense to deny attempted connections on the target (ethernet) side.
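An added example, not code from this thread, from Hak5 or from OpenWrt, tying together the three things the posts above turn on: the OP's question of how to persist the MASQUERADE rule, the mis-cased "Config" keyword that made fw3 reject the whole file (leaving only the ACCEPT defaults seen on the "broken" Turtle), and clewsy's note about the wan zone's input policy. It assumes the Turtle's /etc/config/firewall is an ordinary OpenWrt UCI file read by fw3 (which the thread confirms) and that, as in stock OpenWrt, `option masq 1` on a zone is what makes fw3 generate the POSTROUTING MASQUERADE rule for that zone's interfaces, so the rule survives reboots without hand-editing iptables. The sample config, the "Config" typo in it, and the function names (`write_sample_config`, `check_case`, `fix_case`, `zone_settings`) are all constructed for this demo; on the device itself `fw3 print`, as the OP used, is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the thread or from Hak5/OpenWrt): an offline lint for an
# OpenWrt/fw3-style /etc/config/firewall. It reports
#  1. mis-cased section keywords ("Config" instead of "config"), which make fw3
#     reject the file so only the built-in ACCEPT policies get loaded, and
#  2. a zone's input policy plus its masq flag ("option masq 1" is the UCI way to
#     have fw3 emit the MASQUERADE rule instead of adding it by hand).
# The sample config below is constructed for this demo, not copied from a Turtle.

# Write a constructed sample config (with a deliberate "Config" typo) to $1.
write_sample_config() {
  cat > "$1" <<'EOF'
config defaults
    option input REJECT
    option output ACCEPT
    option forward REJECT

config zone
    option name 'lan'
    option network 'lan'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT

Config zone
    option name 'wan'
    option network 'wan'
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1
EOF
}

# Print every line whose leading keyword is config/option/list in the wrong case.
# Returns 1 if any were found (fw3 would refuse the file), 0 if the file is clean.
check_case() {
  awk '
    NF && tolower($1) ~ /^(config|option|list)$/ && $1 != tolower($1) {
      printf "line %d: %s\n", NR, $0; found = 1
    }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

# Rewrite mis-cased keywords to lowercase in place, keeping the indentation.
fix_case() {
  awk '
    match($0, /^[[:space:]]*[A-Za-z]+/) {
      head = substr($0, RSTART, RLENGTH)        # indentation + first word
      word = head; sub(/^[[:space:]]*/, "", word)
      if (tolower(word) ~ /^(config|option|list)$/)
        $0 = tolower(head) substr($0, RLENGTH + 1)
    }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print "input=<policy> masq=<0|1>" for the zone named $2 in config file $1.
# Keyword matching is case-insensitive so the report also works before fix_case.
# input=ACCEPT on the wan (target-side) zone means the device answers unsolicited
# connections from that side, which is what the factory REJECT guards against.
zone_settings() {
  awk -v want="$2" -v q="'" '
    tolower($1) == "config" { sec = tolower($2); inzone = 0; next }
    sec == "zone" && $1 == "option" && $2 == "name" {
      n = $3; gsub(q, "", n); if (n == want) inzone = 1; next
    }
    inzone && $1 == "option" && $2 == "input" { v = $3; gsub(q, "", v); inp = v }
    inzone && $1 == "option" && $2 == "masq"  { v = $3; gsub(q, "", v); masq = v }
    END {
      printf "input=%s masq=%s\n", (inp == "" ? "unset" : inp), (masq == "" ? "0" : masq)
    }
  ' "$1"
}

# Stand-alone demo: lint the constructed sample, fix it, report both zones.
f=$(mktemp)
write_sample_config "$f"
check_case "$f" || echo "keyword case errors found; fixing"
fix_case "$f"
check_case "$f" && echo "keyword case OK"
zone_settings "$f" wan
zone_settings "$f" lan
rm -f "$f"
```

Run it against a copy of the real file (`zone_settings /etc/config/firewall wan`) to see, before touching iptables, whether the zone already carries `masq 1` and what its input policy is; fw3 will not load anything from a file that `check_case` rejects, which is exactly the all-ACCEPT state the OP's "broken" Turtle showed.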