FS#1111 - I have fresh install on WR740N and I discovered ip6tables setup is empty #6335

Closed
openwrt-bot opened this issue Oct 24, 2017 · 2 comments

@openwrt-bot

cypa:

Supply the following if possible:

  • Device problem occurs on --- is TP-link WR740N
  • Software versions of LEDE release, packages, etc. --- base image no additional packages
  • Steps to reproduce:

I have fresh install on WR740N and I discovered ip6tables setup is empty ("ip6tables --list -nv" shows everything is ACCEPTed), while link-local fe80::... address is active on wan interface and web-interface listens on it since

$ netstat -apn
...
tcp 0 0 :::80 :::* LISTEN 754/uhttpd
...

@openwrt-bot
Author

cypa:

root@lede:~# fw3 restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @redirect[0] has no target specified, defaulting to DNAT

  • Flushing IPv4 filter table
  • Flushing IPv4 nat table
  • Flushing IPv4 mangle table
  • Flushing IPv6 filter table
  • Flushing IPv6 mangle table
  • Flushing conntrack table ...
  • Populating IPv4 filter table
    • Zone 'lan'
    • Zone 'wan'
    • Rule 'Allow-DHCP-Renew'
    • Rule 'Allow-Ping'
    • Rule #6
    • Rule #7
    • Redirect #0
    • Forward 'lan' -> 'wan'
  • Populating IPv4 nat table
    • Zone 'lan'
    • Zone 'wan'
    • Redirect #0
  • Populating IPv4 mangle table
    • Zone 'lan'
    • Zone 'wan'
  • Set tcp_ecn to off
  • Set tcp_syncookies to on
  • Set tcp_window_scaling to on
  • Running script '/etc/firewall.user'
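
The `fw3 restart` output above lists the IPv6 filter and mangle tables under "Flushing" but has no matching "Populating" lines for them. As an added example (not part of the original report and not fw3's own code), this shell function reads such output and prints every table that was flushed and never repopulated; the function names `fw3_unpopulated` and `sample_log` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the report or of fw3.
# Usage on a router: fw3 restart 2>&1 | fw3_unpopulated

# Print every "IPvX <table>" that appears in a "Flushing" line but in no
# "Populating" line. A leading bullet ("*" or "•") is tolerated.
fw3_unpopulated() {
    awk '
    {
        for (i = 1; i <= NF - 3; i++) {
            if ($(i + 1) !~ /^IPv[46]$/ || $(i + 3) != "table") continue
            key = $(i + 1) " " $(i + 2)
            if ($i == "Flushing" && !(key in flushed)) {
                flushed[key] = 1
                order[++n] = key          # keep first-seen order
            } else if ($i == "Populating") {
                populated[key] = 1
            }
        }
    }
    END {
        for (j = 1; j <= n; j++)
            if (!(order[j] in populated)) print order[j]
    }'
}

# Lines taken from the "fw3 restart" output in the report (shortened).
sample_log() {
    cat <<'EOF'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
  • Flushing IPv4 filter table
  • Flushing IPv4 nat table
  • Flushing IPv4 mangle table
  • Flushing IPv6 filter table
  • Flushing IPv6 mangle table
  • Flushing conntrack table ...
  • Populating IPv4 filter table
    • Zone 'lan'
    • Zone 'wan'
  • Populating IPv4 nat table
  • Populating IPv4 mangle table
  • Running script '/etc/firewall.user'
EOF
}

sample_log | fw3_unpopulated
```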

@openwrt-bot
Author

mkresin:

Please provide the information you were already told to provide on IRC:

13:51:33 < jow> please pastebin /etc/config/firewall and the output of "ip6tables-save" too, while you're at it
14:03:02 < jow> you could open a bug report, but that would need the output of "ip6tables-save" and /etc/config/firewall too

For reference the relevant "ip6tables --list -nv" output of a freshly booted LEDE Reboot SNAPSHOT r5122-f7a6fd3153:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all lo * ::/0 ::/0 /* !fw3 */
0 0 input_rule all * * ::/0 ::/0 /* !fw3: user chain for input */
0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED /* !fw3 */
0 0 syn_flood tcp * * ::/0 ::/0 tcp flags:0x17/0x02 /* !fw3 */
0 0 zone_lan_input all br-lan * ::/0 ::/0 /* !fw3 */
0 0 zone_wan_input all dsl0.7 * ::/0 ::/0 /* !fw3 */

Chain reject (3 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp * * ::/0 ::/0 /* !fw3 */ reject-with tcp-reset
0 0 REJECT all * * ::/0 ::/0 /* !fw3 */ reject-with icmp6-port-unreachable

Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination

Chain zone_wan_input (1 references)
pkts bytes target prot opt in out source destination
0 0 input_wan_rule all * * ::/0 ::/0 /* !fw3: user chain for input */
0 0 ACCEPT udp * * fc00::/6 fc00::/6 udp dpt:546 /* !fw3: Allow-DHCPv6 */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130 code 0 /* !fw3: Allow-MLD */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131 code 0 /* !fw3: Allow-MLD */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132 code 0 /* !fw3: Allow-MLD */
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 143 code 0 /* !fw3: Allow-MLD */
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4 code 0 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4 code 1 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
0 0 zone_wan_src_REJECT all * * ::/0 ::/0 /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all dsl0.7 * ::/0 ::/0 /* !fw3 */

Looks pretty much as expected. Only IPv6 ICMP packets are accepted via wan.
