Author Topic: Port Forwards shouldn't masquerade

Offline jtrott

  • Backer
  • Posts: 5
  • Thanks: 0
  • Registered : 11/08/2013
Port Forwards shouldn't masquerade
« on: January 23, 2015, 05:13:32 pm »
I'm running R069 but this has been an issue from the first day.
I have several port forwards from the internet to internal hosts, I set these up in the GUI under the port forwarding section.
They work; the problem is that they masquerade the incoming traffic behind the LAN IP of the Almond+.
This causes issues for SMTP, as the mail server can't see the original source IP of the connection and so can't apply blacklisting or other filtering rules properly.
The iptables rule that causes the problem is this one:

Chain zone_lan_nat (1 references)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           

The fix I have found is to insert the following rule:

Chain zone_lan_nat (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Can anyone tell me why incoming traffic is being masqueraded and if there is any good reason for this practice? Also, is there some way other than hacking the firewall scripts to turn this behaviour off?
Masquerading outgoing traffic is necessary and good, but not incoming traffic.

Thanks,
JT

Offline j8048188

  • Backer
  • Posts: 108
  • Thanks: 0
  • Registered : 12/08/2014
Re: Port Forwards shouldn't masquerade
« Reply #1 on: January 25, 2015, 06:26:04 pm »
This might fix my VPN server issues. I'll give it a try and report back.

Offline j8048188

  • Backer
  • Posts: 108
  • Thanks: 0
  • Registered : 12/08/2014
Re: Port Forwards shouldn't masquerade
« Reply #2 on: January 25, 2015, 09:34:58 pm »
Hey jtrott, how did you add in that rule?

Offline jtrott

  • Backer
  • Posts: 5
  • Thanks: 0
  • Registered : 11/08/2013
Re: Port Forwards shouldn't masquerade
« Reply #3 on: January 27, 2015, 06:26:06 am »
I added the rule with the following command:

/usr/sbin/iptables -t nat -I zone_lan_nat -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

You can see if it worked with the following command:

/usr/sbin/iptables -t nat -L -n

To try to make it permanent, I added the command into the /lib/firewa/core.sh file on the 54th line, before the "}" of the "fw_start() {" block.
I haven't had a chance to reboot and test the changes yet.

Offline jtrott

  • Backer
  • Posts: 5
  • Thanks: 0
  • Registered : 11/08/2013
Re: Port Forwards shouldn't masquerade
« Reply #4 on: February 08, 2015, 01:46:54 pm »
A better fix is probably to switch to the OpenWRT interface, edit the port forward rule and turn off NAT Reflection.
That also fixes the problem and doesn't require hacking any firewall rules files manually.

Offline jtrott

  • Backer
  • Posts: 5
  • Thanks: 0
  • Registered : 11/08/2013
Re: Port Forwards shouldn't masquerade
« Reply #5 on: February 13, 2015, 05:29:11 pm »
Except, after upgrading to R70, the problem is back - and I still have the Enable NAT Loopback option disabled in OpenWRT.
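The mechanism jtrott describes in the first post (a DNAT port forward followed by a blanket MASQUERADE in zone_lan_nat), the ACCEPT insertion from reply #3, and the NAT reflection setting from replies #4 and #5 can all be walked through with a small model of the nat table. The block below is an added example, not code from the thread or from the Almond+ firmware, and iptables cannot be exercised offline, so it models the rule traversal in Python instead. All addresses are constructed (RFC 5737 documentation ranges plus a 192.168.1.0/24 LAN); the forwarded port, the mail server address and the chain layouts are assumptions. In stock OpenWrt, masquerading is configured on the wan zone only, so a MASQUERADE rule in the lan zone's nat chain means the LAN zone has masquerading switched on, which is what rewrites every forwarded connection's source to the router's LAN address. The model also shows the caveat with the ACCEPT-first workaround: it disables the one source translation NAT reflection actually needs, so a LAN client connecting to the WAN address stops working. Scoping the SNAT to LAN-originated connections to the forwarded host keeps both cases working.

```python
"""Added example (not code from the thread or the Almond+ firmware): a small
model of the nat-table traversal jtrott describes, showing which source
address the internal mail server sees under three POSTROUTING layouts.
All addresses are constructed from documentation ranges."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

ROUTER_WAN = ip_address("203.0.113.7")      # assumed public address of the router
ROUTER_LAN = ip_address("192.168.1.1")      # assumed LAN address of the Almond+
LAN_NET = ip_network("192.168.1.0/24")
MAIL_SERVER = ip_address("192.168.1.25")    # assumed forwarded host
INTERNET_CLIENT = ip_address("198.51.100.9")
LAN_CLIENT = ip_address("192.168.1.50")
FORWARDS: Dict[int, IPv4Address] = {25: MAIL_SERVER}   # GUI port forward WAN:25 -> mail server


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class NatRule:
    """One rule in a nat POSTROUTING chain; a match field of None means 'any'."""
    target: str                                 # ACCEPT, MASQUERADE or SNAT
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    dport: Optional[int] = None
    to_source: Optional[IPv4Address] = None     # only used by SNAT


def prerouting_dnat(pkt: Packet, forwards: Dict[int, IPv4Address]) -> Packet:
    """PREROUTING: the port forward rewrites the destination before routing."""
    if pkt.dst == ROUTER_WAN and pkt.dport in forwards:
        return replace(pkt, dst=forwards[pkt.dport])
    return pkt


def postrouting(pkt: Packet, chain: List[NatRule]) -> Packet:
    """POSTROUTING on the LAN interface: the first matching rule decides the source."""
    for rule in chain:
        if rule.src is not None and pkt.src not in rule.src:
            continue
        if rule.dst is not None and pkt.dst not in rule.dst:
            continue
        if rule.dport is not None and pkt.dport != rule.dport:
            continue
        if rule.target == "ACCEPT":
            return pkt                              # leave the chain untranslated
        if rule.target == "MASQUERADE":
            return replace(pkt, src=ROUTER_LAN)     # outgoing interface is the LAN side
        if rule.target == "SNAT":
            return replace(pkt, src=rule.to_source)
    return pkt                                      # chain policy ACCEPT: no SNAT


def source_seen_by_server(chain: List[NatRule], client: IPv4Address) -> IPv4Address:
    """Source address in the SYN that reaches the mail server on port 25."""
    pkt = Packet(src=client, dst=ROUTER_WAN, dport=25)
    return postrouting(prerouting_dnat(pkt, FORWARDS), chain).src


def reflection_works(chain: List[NatRule]) -> bool:
    """NAT loopback (a LAN client connecting to the WAN address) only works if
    the server's replies come back through the router.  If the server sees a
    plain LAN host as the source it answers that host directly, the client gets
    a reply from an address it never talked to, and the handshake fails."""
    seen = source_seen_by_server(chain, LAN_CLIENT)
    return seen not in LAN_NET or seen == ROUTER_LAN


def iptables_commands(chain_name: str, chain: List[NatRule]) -> List[str]:
    """Render a chain as the iptables commands that would build it (text only)."""
    out = []
    for r in chain:
        parts = ["iptables", "-t", "nat", "-A", chain_name]
        if r.src is not None:
            parts += ["-s", str(r.src)]
        if r.dst is not None:
            parts += ["-d", str(r.dst)]
        if r.dport is not None:
            parts += ["-p", "tcp", "--dport", str(r.dport)]
        parts += ["-j", r.target]
        if r.to_source is not None:
            parts += ["--to-source", str(r.to_source)]
        out.append(" ".join(parts))
    return out


# 1. What the thread found in zone_lan_nat: masquerade everything leaving the LAN side.
BLANKET = [NatRule("MASQUERADE")]
# 2. The thread's workaround: ACCEPT inserted ahead of it.
ACCEPT_FIRST = [NatRule("ACCEPT"), NatRule("MASQUERADE")]
# 3. Translate only LAN-originated connections to the forwarded host (the NAT
#    reflection case), and leave internet-originated connections untouched.
SCOPED = [NatRule("SNAT", src=LAN_NET, dst=ip_network("192.168.1.25/32"),
                  dport=25, to_source=ROUTER_LAN)]

if __name__ == "__main__":
    for name, chain in (("blanket", BLANKET), ("accept-first", ACCEPT_FIRST), ("scoped", SCOPED)):
        print(f"{name:13s} internet client seen as {source_seen_by_server(chain, INTERNET_CLIENT)}, "
              f"reflection works: {reflection_works(chain)}")
    print("\n".join(iptables_commands("zone_lan_nat", SCOPED)))
```

The rendered "scoped" rule is the shape OpenWrt's own NAT reflection produces for a forward, which is why turning reflection off in the OpenWrt interface (reply #4) removes the source rewrite for that forward without touching anything else. Whether the blanket MASQUERADE in zone_lan_nat comes back after a firmware upgrade (reply #5) is something only a fresh `iptables -t nat -L -n` on the upgraded box can tell; in stock OpenWrt of that era, custom rules belong in /etc/firewall.user, which the firewall re-applies on every reload, rather than in /lib/firewall/core.sh, which an upgrade overwrites. The thread does not confirm that the Almond+ build honours that file, so treat that as an assumption to check.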
