Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




295 posts

Ultimate Geek


# 110279 6-Oct-2012 09:50
Send private message

Hi all

Hoping someone with some expertise in iptables can help me adjust my settings on my TomatoUSB router.

GRE packets are being dropped by the router, and I think all I have to do is add an entry for the wanin chain.

This is what I get in my logs when attempting a VPN to my Windows 2008 R2 server.

Oct  6 08:45:41 ? user.warn kernel: DROP IN=vlan1 OUT= MAC=58:6d:8f:0f:f9:4e:d8:5d:4c:a7:18:99:08:00:45:00:00:3c SRC=222.153.223.87 DST=MYIPAddress LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=3090 DF PROTO=47
TomatoUSB has all the required ports forwarded, but there is nothing for the GRE protocol.

This is my iptables output 

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- br0 * 0.0.0.0/0 123.255.41.36
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
17 1865 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 112 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 logaccept udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
26 6126 restrict all -- * vlan1 0.0.0.0/0 0.0.0.0/0
26 6126 monitor all -- * vlan1 0.0.0.0/0 0.0.0.0/0
48 9681 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 749 wanin all -- vlan1 * 0.0.0.0/0 0.0.0.0/0
0 0 wanout all -- * vlan1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
6 749 upnp all -- vlan1 * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 31 packets, 13934 bytes)
pkts bytes target prot opt in out source destination

Chain logaccept (24 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 1/sec burst 5 LOG flags 6 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 1/sec burst 5 LOG flags 6 level 4 prefix `DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 6 level 4 prefix `REJECT '
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset

Chain monitor (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 WEBMON --max_domains 300 --max_searches 300

Chain rdev01 (0 references)
pkts bytes target prot opt in out source destination
0 0 rres01 all -- * * 10.0.0.7 0.0.0.0/0 [goto]
0 0 rres01 all -- * * 10.0.0.6 0.0.0.0/0 [goto]
0 0 rres01 all -- * * 10.0.0.14 0.0.0.0/0 [goto]
0 0 rres01 all -- * * 10.0.0.15 0.0.0.0/0 [goto]
0 0 rres01 all -- * * 10.0.0.113 0.0.0.0/0 [goto]
0 0 rres01 all -- * * 10.0.0.5 0.0.0.0/0 [goto]

Chain restrict (1 references)
pkts bytes target prot opt in out source destination
26 6126 rres02 all -- * * 0.0.0.0/0 0.0.0.0/0

Chain rres01 (6 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 web --hore "facebook myspace yaba bepo fbcdn" reject-with tcp-reset

Chain rres02 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 0.0.1.0-0.0.255.255

Chain upnp (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.8 tcp dpt:38449
6 749 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.8 udp dpt:38449

Chain wanin (1 references)
pkts bytes target prot opt in out source destination
0 0 logaccept tcp -- * * xx.xx.xx.xx/18 10.0.0.2 tcp dpt:1025
0 0 logaccept udp -- * * xx.xx.xx.xx/18 10.0.0.2 udp dpt:1025
0 0 logaccept tcp -- * * xx.xx.xx.xx 10.0.0.2 tcp dpts:5060:5062
0 0 logaccept udp -- * * xx.xx.xx.xx 10.0.0.2 udp dpts:5060:5062
0 0 logaccept tcp -- * * xx.xx.xx.xx/13 10.0.0.12 tcp dpt:21
0 0 logaccept tcp -- * * xx.xx.xx.xx 10.0.0.2 tcp dpt:1025
0 0 logaccept udp -- * * xx.xx.xx.xx 10.0.0.2 udp dpt:1025
0 0 logaccept tcp -- * * xx.xx.xx.xx 10.0.0.2 tcp dpts:5060:5062
0 0 logaccept udp -- * * xx.xx.xx.xx 10.0.0.2 udp dpts:5060:5062
0 0 logaccept tcp -- * * xx.xx.xx.xx 10.0.0.2 tcp dpts:50600:50610
0 0 logaccept udp -- * * xx.xx.xx.xx 10.0.0.2 udp dpts:50600:50610
0 0 logaccept tcp -- * * xx.xx.xx.xx 10.0.0.2 tcp dpts:50600:50610
0 0 logaccept udp -- * * xx.xx.xx.xx 10.0.0.2 udp dpts:50600:50610
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:123
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:80
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:1723
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:443
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.8 tcp dpt:44871
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:1701
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.12 tcp dpt:500
0 0 logaccept udp -- * * 0.0.0.0/0 10.0.0.12 udp dpt:500
0 0 logaccept tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:25
0 0 logaccept udp -- * * 0.0.0.0/0 10.0.0.12 udp dpt:4500

Chain wanout (1 references)

Create new topic


295 posts

Ultimate Geek


  # 697109 6-Oct-2012 12:54
Send private message

Seemed to have got it working, In the meantime I decided to try the Toastman firmware but that still didnt work. In the end added a Firewall script

iptables -t nat -I PREROUTING -p 47 -j DNAT --to 10.0.0.12
iptables -I wanin -p 47 -d 10.0.0.12 -j logaccept

which has allowed me to connect remotely

Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Microsoft launches first Experience Center worldwide for Asia Pacific in Singapore
Posted 13-Nov-2019 13:08


Disney+ comes to LG Smart TVs
Posted 13-Nov-2019 12:55


Spark launches new wireless broadband "Unplan Metro"
Posted 11-Nov-2019 08:19


Malwarebytes overhauls flagship product with new UI, faster engine and lighter footprint
Posted 6-Nov-2019 11:48


CarbonClick launches into Digital Marketplaces
Posted 6-Nov-2019 11:42


Kordia offers Microsoft Azure Peering Service
Posted 6-Nov-2019 11:41


Spark 5G live on Auckland Harbour for Emirates Team New Zealand
Posted 4-Nov-2019 17:30


BNZ and Vodafone partner to boost NZ Tech for SME
Posted 31-Oct-2019 17:14


Nokia 7.2 available in New Zealand
Posted 31-Oct-2019 16:24


2talk launches Microsoft Teams Direct Routing product
Posted 29-Oct-2019 10:35


New Breast Cancer Foundation app puts power in Kiwi women's hands
Posted 25-Oct-2019 16:13


OPPO Reno2 Series lands, alongside hybrid noise-cancelling Wireless Headphones
Posted 24-Oct-2019 15:32


Waikato Data Scientists awarded $13 million from the Government
Posted 24-Oct-2019 15:27


D-Link launches Wave 2 Unified Access Points
Posted 24-Oct-2019 15:07


LG Electronics begins distributing the G8X THINQ
Posted 24-Oct-2019 10:58



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.