59729 Apprentice

Joined: 21 Jun 2004 Posts: 279
Posted: Fri Nov 18, 2016 10:36 pm Post subject: problems with dnsmasq on nat router/firewall (SOLVED)
I posted this a week ago but deleted the thread quickly as there were some things I wanted to try. I'm still stuck.
If I set the input chain to drop, my computers or the Wi-Fi access point connected to interface eno1 will not get an IP; my mobile phone says connecting -> connected -> getting IP address, but nothing happens.
With input set to accept, dnsmasq works as intended.
Complete ruleset that doesn't work below; any help appreciated, as I don't really know what to do next since I think the corresponding ports are open ("bootps/bootpc/domain" @ lan-services).
Code:
    nuc lappen # nft list ruleset
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority 0; policy accept;
            iif enp0s20u3 tcp dport 20000 dnat 192.168.0.202
        }
        chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oif enp0s20u3 masquerade random,persistent
        }
    }
    table ip filter {
        chain input {
            type filter hook input priority 0; policy drop;
            ct state established,related accept
            iif lo accept
            ip protocol icmp accept
            ip saddr 192.168.0.0/24 jump lan-services
            jump public-services
        }
        chain output {
            type filter hook output priority 0; policy accept;
        }
        chain lan-services {
            tcp dport { ssh, bootps, domain, bootpc} accept
            udp dport { bootpc, domain, bootps} accept
            tcp dport 3005 accept
            udp dport { 32414, 32413, 32410, 32412} accept
        }
        chain public-services {
            tcp dport 32400 accept
        }
    }
Code:
    nuc lappen # ifconfig
    eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.0.1  netmask 255.255.255.0  broadcast 192.168.0.255
            ether c0:3f:d5:62:2b:3d  txqueuelen 1000  (Ethernet)
            RX packets 50964317  bytes 31539661512 (29.3 GiB)
            RX errors 0  dropped 110523  overruns 0  frame 0
            TX packets 72698934  bytes 89371496623 (83.2 GiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
            device interrupt 20  memory 0xf7c00000-f7c20000

    enp0s20u3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet WANIP  netmask 255.255.240.0  broadcast WANIP
            ether XXXXXXXXXX  txqueuelen 1000  (Ethernet)
            RX packets 76074542  bytes 84999229889 (79.1 GiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 38776965  bytes 13502112873 (12.5 GiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            loop  txqueuelen 1  (Local Loopback)
            RX packets 1471319  bytes 392972955 (374.7 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 1471319  bytes 392972955 (374.7 MiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Last edited by 59729 on Sat Nov 19, 2016 10:18 am; edited 1 time in total |
szatox Advocate

Joined: 27 Aug 2013 Posts: 2017
Posted: Fri Nov 18, 2016 11:33 pm
Quote:
    ip saddr 192.168.0.0/24 jump lan-services
DHCP requests from new clients will not match this rule because a new client doesn't have an IP yet.
If you have multiple interfaces, it would be best to simply use one of them as the local one and accept traffic based on the interface, just like you did with loopback.
If you don't, it's a bad pick for a router, but you can still try accepting packets sent from IP 0.0.0.0 to 255.255.255.255 (or a more lax rule).
59729 Apprentice

Joined: 21 Jun 2004 Posts: 279
Posted: Sat Nov 19, 2016 10:15 am
Yup.
szatox wrote:
    Quote:
        ip saddr 192.168.0.0/24 jump lan-services
    DHCP requests from new clients will not match this rule because a new client doesn't have an IP yet.
    If you have multiple interfaces, it would be best to simply use one of them as the local one and accept traffic based on the interface, just like you did with loopback.
    If you don't, it's a bad pick for a router, but you can still try accepting packets sent from IP 0.0.0.0 to 255.255.255.255 (or a more lax rule).
Finally it works, and a great explanation why. Thank you.
Code:
    iif eno1 jump lan-services
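The following is an added example, not code from the thread: a small Python model of the posted input chain that evaluates the same constructed packets under both guards for the jump to lan-services, the original `ip saddr 192.168.0.0/24` and the fix `iif eno1`. It shows concretely what szatox's reply describes: a client with no lease yet sends its DHCPDISCOVER from 0.0.0.0:68 to 255.255.255.255:67, which is outside 192.168.0.0/24, so the original rule never jumps to lan-services and the chain policy drops the packet. Interface names, the LAN prefix and the port sets are taken from the ruleset in the first post; the sample addresses (203.0.113.7, 198.51.100.2 standing in for the redacted WANIP, 192.168.0.50, 192.168.0.77) and the `Packet` class are constructed for illustration and assume nothing about the actual hosts.

```python
# Added example (not from the forum thread): a model of the posted nft input
# chain, showing why DHCPDISCOVER falls through to the drop policy under
# "ip saddr 192.168.0.0/24 jump lan-services" but is accepted under
# "iif eno1 jump lan-services". Interfaces, LAN prefix and port sets come
# from the posted ruleset; all sample packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_IF = "eno1"
WAN_IF = "enp0s20u3"
LAN_NET = ip_network("192.168.0.0/24")

# Port sets from the posted lan-services / public-services chains
# (ssh=22, domain=53, bootps=67, bootpc=68 per /etc/services).
LAN_TCP = {22, 53, 67, 68, 3005}
LAN_UDP = {53, 67, 68, 32410, 32412, 32413, 32414}
PUBLIC_TCP = {32400}


@dataclass(frozen=True)
class Packet:
    iif: str                # ingress interface
    proto: str              # "tcp", "udp" or "icmp"
    saddr: str
    daddr: str
    dport: int = 0
    ct_state: str = "new"   # conntrack state: "new", "established", "related"


def lan_services(pkt: Packet):
    """Chain lan-services: a verdict, or None to return to the input chain."""
    if pkt.proto == "tcp" and pkt.dport in LAN_TCP:
        return "accept"
    if pkt.proto == "udp" and pkt.dport in LAN_UDP:
        return "accept"
    return None


def public_services(pkt: Packet):
    """Chain public-services: only tcp/32400 is accepted from anywhere."""
    if pkt.proto == "tcp" and pkt.dport in PUBLIC_TCP:
        return "accept"
    return None


def input_chain(pkt: Packet, lan_match: str) -> str:
    """Evaluate the posted input chain (policy drop).

    lan_match picks the guard in front of "jump lan-services":
      "saddr" - original rule, ip saddr 192.168.0.0/24
      "iif"   - fix from the last post, iif eno1
    """
    if pkt.ct_state in ("established", "related"):
        return "accept"
    if pkt.iif == "lo":
        return "accept"
    if pkt.proto == "icmp":
        return "accept"
    if lan_match == "saddr":
        guard = ip_address(pkt.saddr) in LAN_NET
    elif lan_match == "iif":
        guard = pkt.iif == LAN_IF
    else:
        raise ValueError(f"unknown lan_match {lan_match!r}")
    if guard:
        verdict = lan_services(pkt)
        if verdict is not None:
            return verdict
    verdict = public_services(pkt)
    if verdict is not None:
        return verdict
    return "drop"   # chain policy


# Constructed sample packets (args: iif, proto, saddr, daddr, dport).
# A client without a lease sends DHCPDISCOVER from 0.0.0.0:68 to
# 255.255.255.255:67 (RFC 2131), so its source is outside 192.168.0.0/24.
DHCP_DISCOVER = Packet(LAN_IF, "udp", "0.0.0.0", "255.255.255.255", 67)
# A renewal from a client that already holds a lease is sent from that lease.
DHCP_RENEW = Packet(LAN_IF, "udp", "192.168.0.50", "192.168.0.1", 67)
# ssh from the internet; 198.51.100.2 stands in for the redacted WANIP.
WAN_SSH = Packet(WAN_IF, "tcp", "203.0.113.7", "198.51.100.2", 22)
# ssh arriving on the WAN side with a forged LAN source address.
WAN_SPOOFED_SSH = Packet(WAN_IF, "tcp", "192.168.0.77", "198.51.100.2", 22)
# Plex from the internet, allowed by public-services in both variants.
WAN_PLEX = Packet(WAN_IF, "tcp", "203.0.113.7", "198.51.100.2", 32400)

SAMPLES = {
    "DHCPDISCOVER on eno1": DHCP_DISCOVER,
    "DHCP renew on eno1": DHCP_RENEW,
    "ssh from WAN": WAN_SSH,
    "ssh from WAN, spoofed LAN saddr": WAN_SPOOFED_SSH,
    "plex from WAN": WAN_PLEX,
}


def compare() -> dict:
    """Verdict of every sample under both guards: name -> (saddr, iif)."""
    return {name: (input_chain(p, "saddr"), input_chain(p, "iif"))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_saddr, by_iif) in compare().items():
        print(f"{name:34} saddr-guard={by_saddr:6} iif-guard={by_iif}")
```

Two things the table makes visible beyond the DHCP case. First, renewals from a client that already holds a lease pass under both guards, which is why a box that previously had an address keeps working while a fresh client hangs at "getting IP address". Second, the original guard keys on a field the sender controls: at the level of this filter rule, a packet arriving on enp0s20u3 with a forged 192.168.0.x source is jumped into lan-services and its tcp/22 SYN accepted. In practice the asymmetric route back out eno1, and reverse-path filtering where it is enabled, would stop such a session, but `iif eno1` removes the dependence on that and ties the LAN allow-list to the physical interface, exactly as the existing `iif lo accept` already does. The server side needs no change: dnsmasq's DHCPOFFER leaves through the output chain, whose policy is accept.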