
FS#2042 - nat helpers do not work (e.g. ftp), CT rules do not match connections in chain zone_wan_helper #6918

Open
openwrt-bot opened this issue Jan 3, 2019 · 3 comments

@openwrt-bot

arus:

OpenWrt SNAPSHOT, r8978-eb1887be93

An automatically generated rule like the one below does not match any connections originating from WAN:

```
Chain zone_wan_helper (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  *      *       0.0.0.0/0            192.168.1.250        tcp dpt:21 ctstate DNAT /* !fw3: FTP (CT helper) */ CT helper ftp
```

To have working passive FTP I need to add the following line to /etc/firewall.user (based on rules generated by shorewall):

```
iptables -t raw -A zone_wan_helper -p tcp --dport 21 -j CT --helper ftp --tcp-flags SYN,ACK,FIN,RST SYN
```

Either the ctstate or the destination IP does not match in the original rule.

@openwrt-bot

jow-:

Do you mean connections originating from the router itself?

@openwrt-bot

cpatulea:

I have observed the same, for SIP connections originating from WAN.

> Do you mean connections originating from the router itself?

No, I believe OP means an external host originating the connection, which matches a configured port forward rule:

external host (source) ---> (wan) router (lan) --> internal host (destination)

In this case, it appears conntrack helpers are not triggered correctly (iptables -vnL shows zero matches on the helper rule) and the connection is not NATed properly.

For SIP, this means the call cannot be established, because the media channel addresses are not rewritten.

I am able to fix the problem using a wide-open helper rule in firewall.user:

```
iptables -t raw -A zone_wan_helper -p udp -m udp --dport 5060 -j CT --helper sip
```

(..but now I am having problems making fw3 apply the rule consistently, because zone_wan_helper is a built-in chain which is reset by fw3 on each reload.. we would need a chain similar to prerouting_wan_rule (dedicated to user-defined rules), but in the raw table..)
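The symptom both reporters describe (a CT helper rule present in zone_wan_helper whose packet counter stays at zero) can be checked for mechanically. The following POSIX sh/awk snippet is an added example, not code from this issue or from fw3; it parses the counter columns of `iptables -t raw -vnL zone_wan_helper` and lists helper rules that have never matched. The listing embedded below is constructed to mirror the one in the report; `unmatched_helper_rules` and `check_live_helpers` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the issue). Input is the text of
#   iptables -t raw -vnL zone_wan_helper
# whose rule lines look like:
#   pkts bytes target prot opt in out source destination [matches...]
# A CT helper rule with pkts == 0 has never matched, which is the
# behaviour reported above for the fw3-generated FTP/SIP rules.

# Constructed sample listing: the fw3 FTP rule with zero hits, plus a
# hand-added SIP rule that has matched 12 packets.
SAMPLE_LISTING='Chain zone_wan_helper (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  *      *       0.0.0.0/0            192.168.1.250        tcp dpt:21 ctstate DNAT /* !fw3: FTP (CT helper) */ CT helper ftp
   12   720 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 CT helper sip'

# unmatched_helper_rules LISTING
# Prints one "helper=<name> proto=<p> dport=<n> pkts=0" line per CT helper
# rule whose packet counter is zero. Exit status 1 if any were found, else 0.
unmatched_helper_rules() {
    printf '%s\n' "$1" | awk '
        # Only rule lines whose target is CT and that set a helper.
        $3 == "CT" && /CT helper/ {
            helper = $NF            # last word of "CT helper <name>"
            dport = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpt:/) dport = substr($i, 5)
            if ($1 + 0 == 0) {
                printf "helper=%s proto=%s dport=%s pkts=%s\n", helper, $4, dport, $1
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# check_live_helpers: run the same check against the running firewall.
# Not called here so the script stays runnable without iptables/root.
check_live_helpers() {
    unmatched_helper_rules "$(iptables -t raw -vnL zone_wan_helper)"
}

# Running the check over the constructed listing reports only the FTP rule.
unmatched_helper_rules "$SAMPLE_LISTING" || echo "some helper rules never matched"
```

A non-zero counter only proves the rule matched; whether the helper actually rewrote the data channel still has to be confirmed in the application (e.g. a passive FTP listing or a SIP call completing).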

@openwrt-bot

jow-:

I'd appreciate it if you could check whether the original rule matches when you leave out the ctstate DNAT match.
