Hoping someone with some expertise in iptables can help me adjust my settings on my TomatoUSB router.
GRE packets are being dropped by the router, and I think all I have to do is add an entry for the wanin chain.
This is what I get in my logs when attempting a VPN to my Windows 2008 R2 server:
Oct 6 08:45:41 ? user.warn kernel: DROP IN=vlan1 OUT= MAC=58:6d:8f:0f:f9:4e:d8:5d:4c:a7:18:99:08:00:45:00:00:3c SRC=222.153.223.87 DST=MYIPAddress LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=3090 DF PROTO=47
TomatoUSB has all the required ports forwarded, but there is nothing for the GRE protocol.
This is my iptables output:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- br0 * 0.0.0.0/0 123.255.41.36
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
17 1865 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 112 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 logaccept udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
26 6126 restrict all -- * vlan1 0.0.0.0/0 0.0.0.0/0
26 6126 monitor all -- * vlan1 0.0.0.0/0 0.0.0.0/0
48 9681 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 749 wanin all -- vlan1 * 0.0.0.0/0 0.0.0.0/0
0 0 wanout all -- * vlan1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
6 749 upnp all -- vlan1 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 31 packets, 13934 bytes)
pkts bytes target prot opt in out source destination
Chain logaccept (24 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 1/sec burst 5 LOG flags 6 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 1/sec burst 5 LOG flags 6 level 4 prefix `DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 6 level 4 prefix `REJECT '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain monitor (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 WEBMON --max_domains 300 --max_searches 300
Chain rdev01 (0 references)
pkts bytes target prot opt in out source destination
0 0 rres01 all -- * * 10.0.0.7 0.0.0.0/0 [goto]
0 0 rres01 all -- * * 10.0.0.6 0.0.0.0/0 [goto]
0 0 rres01 all -- * * 10.0.0.14 0.0.0.0/0 [goto]
0 0 rres01 all -- * * 10.0.0.15 0.0.0.0/0 [goto]
0 0 rres01 all -- * * 10.0.0.113 0.0.0.0/0 [goto]
0 0 rres01 all -- * * 10.0.0.5 0.0.0.0/0 [goto]
Chain restrict (1 references)
pkts bytes target prot opt in out source destination
26 6126 rres02 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain rres01 (6 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 web --hore "facebook myspace yaba bepo fbcdn" reject-with tcp-reset
Chain rres02 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 0.0.1.0-0.0.255.255
Chain upnp (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.8 tcp dpt:38449
6 749 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.8 udp dpt:38449
Chain wanin (1 references)
pkts bytes target prot opt in out source destination
0 0 logaccept tcp -- * * xx.xx.xx.xx/18 10.0.0.2 tcp dpt:1025
0 0 logaccept udp -- * * xx.xx.xx.xx/18 10.0.0.2 udp dpt:1025
0 0 logaccept tcp -- * * xx.xx.xx.xx 10.0.0.2 tcp dpts:5060:5062
0 0 logaccept udp -- * * xx.xx.xx.xx 10.0.0.2 udp dpts:5060:5062
0 0 logaccept tcp -- * * xx.xx.xx.xx/13 10.0.0.12 tcp dpt:21
0 0 logaccept tcp -- * * xx.xx.xx.xx 10.0.0.2 tcp dpt:1025
0 0 logaccept udp -- * * xx.xx.xx.xx 10.0.0.2 udp dpt:1025
0 0 logaccept tcp -- * * xx.xx.xx.xx 10.0.0.2 tcp dpts:5060:5062
0 0 logaccept udp -- * * xx.xx.xx.xx 10.0.0.2 udp dpts:5060:5062
0 0 logaccept tcp -- * * xx.xx.xx.xx 10.0.0.2 tcp dpts:50600:50610
0 0 logaccept udp -- * * xx.xx.xx.xx 10.0.0.2 udp dpts:50600:50610
0 0 logaccept tcp -- * * xx.xx.xx.xx 10.0.0.2 tcp dpts:50600:50610
0 0 logaccept udp -- * * xx.xx.xx.xx 10.0.0.2 udp dpts:50600:50610
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:123
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:80
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:1723
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:443
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.8 tcp dpt:44871
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:1701
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:500
0 0 logaccept udp -- * * 0.0.0.0/0 10.0.0.12 udp dpt:500
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:25
0 0 logaccept udp -- * * 0.0.0.0/0 10.0.0.12 udp dpt:4500
Chain wanout (1 references)
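The check and the rule the question is about, as an added example that is not part of the original post: a small POSIX shell script that parses the poster's kernel DROP line to show which chain dropped the packet, and prints the iptables rules that let GRE (IP protocol 47) reach the PPTP server. It assumes the WAN interface is vlan1 and the PPTP server is 10.0.0.12 (the host that already receives tcp/1723 in the wanin chain above), the chain names wanin and logaccept from the output above, and that the printed rules are placed in Tomato's Administration > Scripts > Firewall box so they are re-applied whenever the firewall is rebuilt; the log line is a constructed copy of the one in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from TomatoUSB.

# Constructed copy of the poster's kernel LOG line (DST kept as the poster's placeholder).
LOG_LINE='Oct 6 08:45:41 ? user.warn kernel: DROP IN=vlan1 OUT= MAC=58:6d:8f:0f:f9:4e:d8:5d:4c:a7:18:99:08:00:45:00:00:3c SRC=222.153.223.87 DST=MYIPAddress LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=3090 DF PROTO=47'

# Print the value of a KEY=VALUE field from a netfilter LOG line ($1 = line, $2 = key).
# Prints an empty string for fields such as "OUT=" that carry no value.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Say where a logged DROP happened. An empty OUT= means the packet was addressed
# to the router itself and was dropped in INPUT; a forwarded packet would show
# the LAN interface (e.g. OUT=br0) and be a FORWARD-chain drop.
classify_drop() {
    proto=$(log_field "$1" PROTO)
    out_if=$(log_field "$1" OUT)
    if [ "$proto" != "47" ]; then
        echo "not-gre"
    elif [ -z "$out_if" ]; then
        echo "gre-to-router-input"
    else
        echo "gre-forward"
    fi
}

# Emit the iptables commands for GRE passthrough to the PPTP server.
# Assumed values: WAN interface vlan1 ($1) and server 10.0.0.12 ($2).
# Port forwarding only covers TCP/UDP, so protocol 47 needs its own DNAT in
# nat/PREROUTING as well as an accept in the wanin chain (called from FORWARD).
# The -d restriction keeps the accept limited to the one PPTP host.
gre_rules() {
    wan_if=${1:-vlan1}
    server=${2:-10.0.0.12}
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan_if -p 47 -j DNAT --to-destination $server
iptables -I wanin -p 47 -d $server -j logaccept
EOF
}

# Stand-alone run: explain the logged drop, then print the rules to paste into
# the Firewall script (run them as root on the router to apply).
if [ "${1:-}" = "--show" ]; then
    echo "drop classified as: $(classify_drop "$LOG_LINE")"
    gre_rules
fi
```

The point the parser makes is that the logged line has an empty OUT=, so the GRE packet was dropped by the logdrop rule at the end of INPUT, not in FORWARD: it was never translated to the LAN host, which is why adding only a wanin entry would leave the log unchanged. The nat PREROUTING rule fixes that, and the wanin rule then lets the translated packet through FORWARD. If the router's PPTP connection-tracking helper were active, GRE would be matched as RELATED to the tcp/1723 control connection by the existing RELATED,ESTABLISHED rules, so a persistent INPUT drop like this one also indicates that helper is not doing the job.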