Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

OpenWRT - can't reach machines behind router or open up any ports

Started by tenspd137, January 29, 2011, 05:47:12 PM


tenspd137

Hi all

I am having trouble opening up ports and seeing machines behind my router.  I am pretty sure I have the router and tunnel set up correctly because I can ping6 ipv6.google.com from both my machine on my lan and router itself.  When I do a port scan though with the port scan tools here, no matter if it is the tunnel end, my router, or machine on my lan - I can't reach them at all.
Following are my ip6tables rules


iptables -I INPUT 1 -s 216.218.226.238  -p 41 -j ACCEPT
iptables -A input_wan -s 216.218.226.238 -p 41 -j ACCEPT

ip6tables -F

# Allow ICMPv6 everywhere
ip6tables -A INPUT  -p icmpv6 -j ACCEPT
ip6tables -I OUTPUT -p icmpv6 -j ACCEPT
ip6tables -I FORWARD -p icmpv6 -j ACCEPT

#Allow tcp everywhere
#ip6tables -A INPUT -p tcp -j ACCEPT
#ip6tables -I OUTPUT -p tcp -j ACCEPT
#ip6tables -I FORWARD -p tcp -j ACCEPT



# Allow anything on the local loopback link
ip6tables -A INPUT  -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow anything out on the internet
ip6tables -A OUTPUT -o henet -j ACCEPT

# Allow the localnet access us:
ip6tables -A INPUT  -i br-lan -j ACCEPT
ip6tables -A OUTPUT -o br-lan -j ACCEPT

# Filter all packets that have RH0 headers:
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
ip6tables -A INPUT -s ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -s ff00::/8 -j ACCEPT

# Allow forwarding
#ip6tables -A FORWARD -m state --state NEW -i br-lan -o 6in4-henet -s 2001:470:b:314::/64  -j ACCEPT
ip6tables -A FORWARD -i br-lan -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow MLDHT packets
ip6tables -A FORWARD -p tcp --dport 49001:49001 -j ACCEPT
ip6tables -A FORWARD -p udp --dport 49001:49001 -j ACCEPT

ip6tables -A FORWARD -p tcp --dport 22:22 -j ACCEPT
ip6tables -A FORWARD -p udp --dport 22:22 -j ACCEPT

#drop privileged ports
#ip6tables -A INPUT -p tcp --dport 1:1024 -j DROP
#ip6tables -A INPUT -p udp --dport 1:1024 -j DROP

#log the activity that will get dropped (optional)
#ip6tables -A INPUT -j LOG
#ip6tables -A FORWARD -j LOG
#ip6tables -A OUTPUT -j LOG

# Set the default policy
ip6tables -P INPUT   DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT  DROP



I thought that the following lines would open up port 22:

ip6tables -A FORWARD -p tcp --dport 22:22 -j ACCEPT
ip6tables -A FORWARD -p udp --dport 22:22 -j ACCEPT

and that, because there is no NAT in IPv6, it would get routed to the right place depending on the address I put into the tool (either 2001:470:b:314::1 (router) or 2001:470:b:314:204:4bff:fe05:5eea (machine behind router); I ssh into them all the time otherwise). Also, if I add the lines

#Allow tcp everywhere
ip6tables -A INPUT -p tcp -j ACCEPT
ip6tables -I OUTPUT -p tcp -j ACCEPT
ip6tables -I FORWARD -p tcp -j ACCEPT

then the port scan tool shows all the ports that my router is listening on (not a good long term solution). Can someone point me to some working examples or help me figure out how to open up ports with the rules I have now? I can't seem to find any really good examples. Thanks!

jimb

You may want to look at /var/log/messages to see if ip6tables is dropping stuff (after putting a LOG rule in as the last rule in each chain).

You don't need UDP for SSH. Also, you don't need to specify a port range, just --dport 22. For your router itself to accept SSH, you need to put a rule in the INPUT chain. For anything behind the router, it's the FORWARD chain (should work as is as long as nothing before it is blocking).

Also, check the obvious things, like, is ip6 forwarding turned on, are you using the right /64 for the LAN, etc.
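The rule set from the first post, rearranged along the lines of this answer (SSH to the router in INPUT, SSH to the LAN host in FORWARD, TCP only, LOG as the last rule of each chain, forwarding sysctl checked). This is an added example, not the poster's script; interface names and addresses are the ones quoted in the thread, and IP6T=echo gives a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the poster's script: the same rule set reorganized the
# way jimb describes. Interface names and addresses are the ones quoted in
# the thread; IP6T=echo gives a dry run that prints the rules instead.
LAN_IF=br-lan
WAN6_IF=henet                                # tunnel interface from the post
LAN_HOST=2001:470:b:314:204:4bff:fe05:5eea   # machine behind the router

ip6t() { ${IP6T:-ip6tables} "$@"; }

check_forwarding() {
    # Without this the FORWARD chain never sees a packet.
    [ "$(cat /proc/sys/net/ipv6/conf/all/forwarding 2>/dev/null)" = 1 ]
}

apply_rules() {
    ip6t -F
    # Replies to flows the router or the LAN started come first, in every chain.
    for chain in INPUT FORWARD OUTPUT; do
        ip6t -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
        ip6t -A $chain -m rt --rt-type 0 -j DROP   # RH0 routing header
        ip6t -A $chain -p icmpv6 -j ACCEPT         # ND and PMTUD need this
    done
    ip6t -A INPUT  -i lo -j ACCEPT
    ip6t -A OUTPUT -o lo -j ACCEPT
    # LAN hosts may reach the router and the tunnel; the router may talk freely.
    ip6t -A INPUT   -i $LAN_IF -j ACCEPT
    ip6t -A FORWARD -i $LAN_IF -o $WAN6_IF -j ACCEPT
    ip6t -A OUTPUT  -j ACCEPT
    # SSH to the router itself lives in INPUT: TCP only, a single port.
    ip6t -A INPUT   -i $WAN6_IF -p tcp --dport 22 -j ACCEPT
    # SSH to a host behind the router lives in FORWARD, pinned to that host.
    ip6t -A FORWARD -i $WAN6_IF -o $LAN_IF -d $LAN_HOST -p tcp --dport 22 -j ACCEPT
    # LOG is the last rule in each chain, so what the DROP policy catches
    # shows up in /var/log/messages (rate-limited to keep the log readable).
    for chain in INPUT FORWARD OUTPUT; do
        ip6t -A $chain -m limit --limit 5/min -j LOG --log-prefix "ip6-$chain-drop: "
        ip6t -P $chain DROP
    done
}

case "${1:-}" in
    apply)   check_forwarding || echo "warning: IPv6 forwarding is off" >&2
             apply_rules ;;
    dry-run) IP6T=echo; apply_rules ;;
esac
```

Run as `sh fw6.sh dry-run` to review the rule order before `sh fw6.sh apply`; the poster's original FORWARD-only port 22 rule never matched traffic addressed to the router itself because that traffic is handled by INPUT.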

tenspd137

Thanks - I think that was the piece I was missing.  When I think about it in terms of INPUT=router, FORWARD=behind router, and output=stuff generated to go out combined with the fact that order in the chain matters - it all makes a lot more sense.

Thanks!

jimb

Yes.

INPUT=input to router itself
OUTPUT=output from router itself
FORWARD=anything that passes through the router in either direction