Hi,
On Mon, Dec 29, 2014 at 9:00 AM, Michal Zuber <michael@xxxxxxxxxx> wrote:
> Hi,
> 1. What about the logs?
> 2. I have the following in my iptables.rules to be notified of what was
> blocked:
> -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
I added this to firewall.user and saw that UDP messages are somehow blocked.

[ 2539.100000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP SPT=48397 DPT=9053 LEN=46
[ 2550.550000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40926 DF PROTO=UDP SPT=47905 DPT=9053 LEN=50
[ 2563.880000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=43508 DF PROTO=UDP SPT=37506 DPT=9053 LEN=44
[ 2574.950000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP SPT=28425 DPT=9053 LEN=50
[ 2586.200000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=46793 DF PROTO=UDP SPT=37394 DPT=9053 LEN=46
[ 2598.680000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48473 DF PROTO=UDP SPT=57058 DPT=9053 LEN=44
[ 2611.290000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=58998 DF PROTO=UDP SPT=58128 DPT=9053 LEN=48

> 3. Does `netstat -nat | grep :53` or `lsof -i :53` show something listening on port 53?
> (https://www.debian-administration.org/article/184/How_to_find_out_which_process_is_listening_upon_a_port)
> 4. Did you try host (dig, nslookup) on the router?
> 5. Does `dig @ROUTER_IP google.com` work?
> 6. You could also try watching the DNS traffic with `tcpdump -vvv -s 0 -l -n port 53`
> (http://jontai.me/blog/2011/11/monitoring-dns-queries-with-tcpdump/)

`route -n` was strange:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0

`netstat -pantu` says the ports are right:

# netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.2.1:9040        0.0.0.0:*               LISTEN      734/tor
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      756/uhttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1059/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      699/dropbear
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      734/tor
tcp        0    248 192.168.2.1:22          192.168.2.171:44694     ESTABLISHED 1062/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      756/uhttpd
tcp        0      0 :::53                   :::*                    LISTEN      1059/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      699/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1059/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1059/dnsmasq
udp        0      0 192.168.2.1:9053        0.0.0.0:*                           734/tor
udp        0      0 :::546                  :::*                                812/odhcp6c
udp        0      0 :::547                  :::*                                669/odhcpd
udp        0      0 :::53                   :::*                                1059/dnsmasq

Here is `iptables -L`:

# iptables -L
Chain INPUT (policy ACCEPT)
target          prot opt source    destination
delegate_input  all  --  anywhere  anywhere
LOG             all  --  anywhere  anywhere  limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "

Chain FORWARD (policy DROP)
target            prot opt source    destination
delegate_forward  all  --  anywhere  anywhere

Chain OUTPUT (policy ACCEPT)
target           prot opt source    destination
delegate_output  all  --  anywhere  anywhere

Chain delegate_forward (1 references)
target            prot opt source    destination
forwarding_rule   all  --  anywhere  anywhere  /* user chain for forwarding */
ACCEPT            all  --  anywhere  anywhere  ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere  anywhere
zone_wan_forward  all  --  anywhere  anywhere
reject            all  --  anywhere  anywhere

Chain delegate_input (1 references)
target          prot opt source    destination
ACCEPT          all  --  anywhere  anywhere
input_rule      all  --  anywhere  anywhere  /* user chain for input */
ACCEPT          all  --  anywhere  anywhere  ctstate RELATED,ESTABLISHED
syn_flood       tcp  --  anywhere  anywhere  tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input  all  --  anywhere  anywhere
zone_wan_input  all  --  anywhere  anywhere

Chain delegate_output (1 references)
target           prot opt source    destination
ACCEPT           all  --  anywhere  anywhere
output_rule      all  --  anywhere  anywhere  /* user chain for output */
ACCEPT           all  --  anywhere  anywhere  ctstate RELATED,ESTABLISHED
zone_lan_output  all  --  anywhere  anywhere
zone_wan_output  all  --  anywhere  anywhere

Chain forwarding_lan_rule (1 references)
target  prot opt source  destination

Chain forwarding_rule (1 references)
target  prot opt source  destination

Chain forwarding_transtor_rule (1 references)
target  prot opt source  destination

Chain forwarding_wan_rule (1 references)
target  prot opt source  destination

Chain input_lan_rule (1 references)
target  prot opt source  destination

Chain input_rule (1 references)
target  prot opt source  destination

Chain input_transtor_rule (1 references)
target  prot opt source  destination

Chain input_wan_rule (1 references)
target  prot opt source  destination

Chain output_lan_rule (1 references)
target  prot opt source  destination

Chain output_rule (1 references)
target  prot opt source  destination

Chain output_transtor_rule (1 references)
target  prot opt source  destination

Chain output_wan_rule (1 references)
target  prot opt source  destination

Chain reject (3 references)
target  prot opt source    destination
REJECT  tcp  --  anywhere  anywhere  reject-with tcp-reset
REJECT  all  --  anywhere  anywhere  reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target  prot opt source    destination
RETURN  tcp  --  anywhere  anywhere  tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP    all  --  anywhere  anywhere

Chain zone_lan_dest_ACCEPT (2 references)
target  prot opt source    destination
ACCEPT  all  --  anywhere  anywhere

Chain zone_lan_forward (1 references)
target                prot opt source    destination
forwarding_lan_rule   all  --  anywhere  anywhere  /* user chain for forwarding */
ACCEPT                all  --  anywhere  anywhere  ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere  anywhere

Chain zone_lan_input (1 references)
target               prot opt source    destination
input_lan_rule       all  --  anywhere  anywhere  /* user chain for input */
ACCEPT               all  --  anywhere  anywhere  ctstate DNAT /* Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere  anywhere

Chain zone_lan_output (1 references)
target                prot opt source    destination
output_lan_rule       all  --  anywhere  anywhere  /* user chain for output */
zone_lan_dest_ACCEPT  all  --  anywhere  anywhere

Chain zone_lan_src_ACCEPT (1 references)
target  prot opt source    destination
ACCEPT  all  --  anywhere  anywhere

Chain zone_transtor_dest_ACCEPT (1 references)
target  prot opt source  destination

Chain zone_transtor_dest_REJECT (1 references)
target  prot opt source  destination

Chain zone_transtor_forward (0 references)
target                     prot opt source    destination
forwarding_transtor_rule   all  --  anywhere  anywhere  /* user chain for forwarding */
ACCEPT                     all  --  anywhere  anywhere  ctstate DNAT /* Accept port forwards */
zone_transtor_dest_REJECT  all  --  anywhere  anywhere

Chain zone_transtor_input (0 references)
target                    prot opt source    destination
input_transtor_rule       all  --  anywhere  anywhere  /* user chain for input */
ACCEPT                    udp  --  anywhere  anywhere  udp dpt:bootps /* Allow-Tor-DHCP */
ACCEPT                    tcp  --  anywhere  anywhere  tcp dpt:9040 /* Allow-Tor-Transparent */
ACCEPT                    udp  --  anywhere  anywhere  udp dpt:9053 /* Allow-Tor-DNS */
ACCEPT                    all  --  anywhere  anywhere  ctstate DNAT /* Accept port redirections */
zone_transtor_src_REJECT  all  --  anywhere  anywhere

Chain zone_transtor_output (0 references)
target                     prot opt source    destination
output_transtor_rule       all  --  anywhere  anywhere  /* user chain for output */
zone_transtor_dest_ACCEPT  all  --  anywhere  anywhere

Chain zone_transtor_src_REJECT (1 references)
target  prot opt source  destination

Chain zone_wan_dest_ACCEPT (1 references)
target  prot opt source    destination
ACCEPT  all  --  anywhere  anywhere

Chain zone_wan_dest_REJECT (1 references)
target  prot opt source    destination
reject  all  --  anywhere  anywhere

Chain zone_wan_forward (1 references)
target                prot opt source    destination
forwarding_wan_rule   all  --  anywhere  anywhere  /* user chain for forwarding */
ACCEPT                all  --  anywhere  anywhere  ctstate DNAT /* Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere  anywhere

Chain zone_wan_input (1 references)
target               prot opt source    destination
input_wan_rule       all  --  anywhere  anywhere  /* user chain for input */
ACCEPT               udp  --  anywhere  anywhere  udp dpt:bootpc /* Allow-DHCP-Renew */
ACCEPT               icmp --  anywhere  anywhere  icmp echo-request /* Allow-Ping */
ACCEPT               tcp  --  anywhere  anywhere  tcp dpt:https /* @rule[5] */
ACCEPT               all  --  anywhere  anywhere  ctstate DNAT /* Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere  anywhere

Chain zone_wan_output (1 references)
target                prot opt source    destination
output_wan_rule       all  --  anywhere  anywhere  /* user chain for output */
zone_wan_dest_ACCEPT  all  --  anywhere  anywhere

Chain zone_wan_src_REJECT (1 references)
target  prot opt source    destination
reject  all  --  anywhere  anywhere

I started to lose the Internet connection for other ADSL users: when they connected to the normal ADSL SSID while the Tor router was plugged in, they started to lose their connection.
It seems there is a firewall or network problem.
Can anyone figure it out?
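An added example, not from the thread: a small Python triage script for LOG entries of the kind quoted above, which parses each kernel message into fields (keeping both LEN= values, the IP total length and the UDP length), counts hits per destination and cross-checks them against the listeners from the `netstat -pantu` output. In the `iptables -L` output above the LOG rule sits in an INPUT chain whose policy is ACCEPT, so the "denied" prefix only records that a packet reached that rule, not that it was dropped, and the script accordingly reports what was seen rather than what was blocked. The sample lines and the listener table are constructed from the values in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the kernel messages quoted in the
# thread (iptables LOG target with --log-prefix "iptables denied: ").
SAMPLE_LOG = """\
[ 2539.100000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=66 TOS=0x00 PREC=0x00 TTL=64 ID=38735 DF PROTO=UDP SPT=48397 DPT=9053 LEN=46
[ 2574.950000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:68:48:98:59:97:36:08:00 SRC=192.168.2.148 DST=192.168.2.1 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=54347 DF PROTO=UDP SPT=28425 DPT=9053 LEN=50
[ 2600.000000] iptables denied: IN=wlan0 OUT= MAC=20:28:18:a0:a8:fe:e0:b9:a5:9d:7b:4f:08:00 SRC=192.168.2.171 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=9040 WINDOW=29200 RES=0x00 SYN URGP=0
"""
# Listening sockets as `netstat -pantu` showed them in the thread (constructed
# subset): (proto, local address, port) -> program.
LISTENERS = {
    ("UDP", "192.168.2.1", 9053): "tor",
    ("TCP", "192.168.2.1", 9040): "tor",
    ("UDP", "0.0.0.0", 53): "dnsmasq",
}
PREFIX_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*?):\s+(IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split one LOG entry into a dict; return None for non-matching lines."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = {"uptime": float(m.group(1)), "prefix": m.group(2)}
    for key, value in FIELD_RE.findall(m.group(3)):
        if key == "LEN" and "LEN" in fields:
            fields["L4_LEN"] = int(value)  # second LEN= is the UDP length, first the IP total
        elif key in {"LEN", "TTL", "ID", "SPT", "DPT"}:
            fields[key] = int(value)
        else:
            fields[key] = value  # OUT= yields ""; bare flags (DF, SYN) carry no '=' and are skipped
    return fields

def match_listener(proto, dst, dport, listeners=LISTENERS):
    """Program bound to the flow's destination, honouring 0.0.0.0 wildcard binds."""
    return listeners.get((proto, dst, dport)) or listeners.get((proto, "0.0.0.0", dport))

def triage(log_text, listeners=LISTENERS):
    """Collapse the ring buffer to hits per (PROTO, DST, DPT) and mark which
    destinations have a local listener. A hit only proves the packet reached
    the LOG rule; the verdict comes from the rules and chain policy after it."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and "DPT" in f:
            counts[(f["PROTO"], f["DST"], f["DPT"])] += 1
    return {k: {"hits": n, "listener": match_listener(*k, listeners)} for k, n in counts.items()}
```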