Hello! Maciej Żenczykowski
  On that day it was said...

> Try ssh-ing into the router and running "ping
> hostname-you-are-having-trouble-with",
> post the result of that, (is it the right ip?), the result of 'ip
> route get ip-ping-tried-to-talk-to' and the output of 'iptables-save'
> and 'ip rule' and 'ip route'.
> Most likely it should be possible to figure out what's up from that.

'ip' is not installed in my system, 'alice', I've used 'route' for now.


PING 10.172.1.1 (10.172.1.1): 56 data bytes
64 bytes from 10.172.1.1: seq=0 ttl=64 time=59.196 ms
64 bytes from 10.172.1.1: seq=1 ttl=64 time=59.443 ms
64 bytes from 10.172.1.1: seq=2 ttl=64 time=58.288 ms
64 bytes from 10.172.1.1: seq=3 ttl=64 time=58.097 ms
64 bytes from 10.172.1.1: seq=4 ttl=64 time=59.015 ms

--- 10.172.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 58.097/58.807/59.443 ms


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.172.3.254    *               255.255.255.255 UH    0      0        0 tun1
10.0.0.0        *               255.255.255.0   U     0      0        0 br-wan
10.172.3.0      *               255.255.255.0   U     0      0        0 br-lan
10.172.0.0      10.172.3.254    255.255.0.0     UG    0      0        0 tun1
default         10.0.0.2        0.0.0.0         UG    0      0        0 br-wan


# Generated by iptables-save v1.4.6 on Mon Jan  6 17:15:16 2014
*nat
:PREROUTING ACCEPT [3769:528678]
:POSTROUTING ACCEPT [2501:124253]
:OUTPUT ACCEPT [3477:193996]
:nat_reflection_in - [0:0]
:nat_reflection_out - [0:0]
:postrouting_rule - [0:0]
:prerouting_lan - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn - [0:0]
:prerouting_wan - [0:0]
:zone_lan_nat - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_nat - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_nat - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j prerouting_rule 
-A PREROUTING -i br-lan -j zone_lan_prerouting 
-A PREROUTING -i br-wan -j zone_wan_prerouting 
-A PREROUTING -i tun1 -j zone_vpn_prerouting 
-A POSTROUTING -j postrouting_rule 
-A POSTROUTING -o br-lan -j zone_lan_nat 
-A POSTROUTING -o br-wan -j zone_wan_nat 
-A POSTROUTING -o tun1 -j zone_vpn_nat 
-A postrouting_rule -j nat_reflection_out 
-A prerouting_rule -j nat_reflection_in 
-A zone_lan_prerouting -j prerouting_lan 
-A zone_vpn_prerouting -j prerouting_vpn 
-A zone_wan_nat -j MASQUERADE 
-A zone_wan_prerouting -j prerouting_wan 
COMMIT
# Completed on Mon Jan  6 17:15:16 2014
# Generated by iptables-save v1.4.6 on Mon Jan  6 17:15:16 2014
*raw
:PREROUTING ACCEPT [83514:27196851]
:OUTPUT ACCEPT [50442:15854961]
:zone_lan_notrack - [0:0]
:zone_vpn_notrack - [0:0]
:zone_wan_notrack - [0:0]
-A PREROUTING -i br-lan -j zone_lan_notrack 
-A PREROUTING -i br-wan -j zone_wan_notrack 
-A PREROUTING -i tun1 -j zone_vpn_notrack 
COMMIT
# Completed on Mon Jan  6 17:15:16 2014
# Generated by iptables-save v1.4.6 on Mon Jan  6 17:15:16 2014
*mangle
:PREROUTING ACCEPT [83525:27198624]
:INPUT ACCEPT [47428:11950563]
:FORWARD ACCEPT [35343:15121320]
:OUTPUT ACCEPT [50491:15861053]
:POSTROUTING ACCEPT [85835:30982701]
:zone_wan_MSSFIX - [0:0]
-A FORWARD -j zone_wan_MSSFIX 
-A zone_wan_MSSFIX -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jan  6 17:15:16 2014
# Generated by iptables-save v1.4.6 on Mon Jan  6 17:15:16 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward - [0:0]
:forwarding_lan - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn - [0:0]
:forwarding_wan - [0:0]
:input - [0:0]
:input_lan - [0:0]
:input_rule - [0:0]
:input_vpn - [0:0]
:input_wan - [0:0]
:nat_reflection_fwd - [0:0]
:output - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan - [0:0]
:zone_lan_ACCEPT - [0:0]
:zone_lan_DROP - [0:0]
:zone_lan_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_vpn - [0:0]
:zone_vpn_ACCEPT - [0:0]
:zone_vpn_DROP - [0:0]
:zone_vpn_REJECT - [0:0]
:zone_vpn_forward - [0:0]
:zone_wan - [0:0]
:zone_wan_ACCEPT - [0:0]
:zone_wan_DROP - [0:0]
:zone_wan_REJECT - [0:0]
:zone_wan_forward - [0:0]
-A INPUT -i tun+ -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood 
-A INPUT -j input_rule 
-A INPUT -j input 
-A FORWARD -o tun+ -j ACCEPT 
-A FORWARD -i tun+ -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j forwarding_rule 
-A FORWARD -j forward 
-A FORWARD -j reject 
-A OUTPUT -o tun+ -j ACCEPT 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -j output_rule 
-A OUTPUT -j output 
-A forward -i br-lan -j zone_lan_forward 
-A forward -i br-wan -j zone_wan_forward 
-A forward -i tun1 -j zone_vpn_forward 
-A forwarding_rule -j nat_reflection_fwd 
-A input -i br-lan -j zone_lan 
-A input -i br-wan -j zone_wan 
-A input -i tun1 -j zone_vpn 
-A output -j zone_lan_ACCEPT 
-A output -j zone_wan_ACCEPT 
-A output -j zone_vpn_ACCEPT 
-A reject -p tcp -j REJECT --reject-with tcp-reset 
-A reject -j REJECT --reject-with icmp-port-unreachable 
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP 
-A zone_lan -j input_lan 
-A zone_lan -j zone_lan_ACCEPT 
-A zone_lan_ACCEPT -o br-lan -j ACCEPT 
-A zone_lan_ACCEPT -i br-lan -j ACCEPT 
-A zone_lan_DROP -o br-lan -j DROP 
-A zone_lan_DROP -i br-lan -j DROP 
-A zone_lan_REJECT -o br-lan -j reject 
-A zone_lan_REJECT -i br-lan -j reject 
-A zone_lan_forward -j zone_vpn_ACCEPT 
-A zone_lan_forward -j zone_wan_ACCEPT 
-A zone_lan_forward -j forwarding_lan 
-A zone_lan_forward -j zone_lan_REJECT 
-A zone_vpn -j input_vpn 
-A zone_vpn -j zone_vpn_ACCEPT 
-A zone_vpn_ACCEPT -o tun1 -j ACCEPT 
-A zone_vpn_ACCEPT -i tun1 -j ACCEPT 
-A zone_vpn_DROP -o tun1 -j DROP 
-A zone_vpn_DROP -i tun1 -j DROP 
-A zone_vpn_REJECT -o tun1 -j reject 
-A zone_vpn_REJECT -i tun1 -j reject 
-A zone_vpn_forward -j zone_lan_ACCEPT 
-A zone_vpn_forward -j forwarding_vpn 
-A zone_vpn_forward -j zone_vpn_REJECT 
-A zone_wan -p udp -m udp --dport 68 -j ACCEPT 
-A zone_wan -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A zone_wan -p udp -m udp --dport 17201 -j ACCEPT 
-A zone_wan -j input_wan 
-A zone_wan -j zone_wan_REJECT 
-A zone_wan_ACCEPT -o br-wan -j ACCEPT 
-A zone_wan_ACCEPT -i br-wan -j ACCEPT 
-A zone_wan_DROP -o br-wan -j DROP 
-A zone_wan_DROP -i br-wan -j DROP 
-A zone_wan_REJECT -o br-wan -j reject 
-A zone_wan_REJECT -i br-wan -j reject 
-A zone_wan_forward -j forwarding_wan 
-A zone_wan_forward -j zone_wan_REJECT 
COMMIT
# Completed on Mon Jan  6 17:15:16 2014


-- 
  If you want to travel around the world and be invited to speak at a lot
  of different places, just write a Unix operating system.
                                                (Linus Torvalds)
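
Added example, not part of the original message: since 'ip route get' was not available, the same lookup can be reproduced offline from the posted 'route' table with a longest-prefix match. The function names `parse_routes` and `route_get` are assumptions made for this sketch; the table is copied from the message above.

```python
import ipaddress

# Routing table copied from the `route` output posted in the message.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.172.3.254    *               255.255.255.255 UH    0      0        0 tun1
10.0.0.0        *               255.255.255.0   U     0      0        0 br-wan
10.172.3.0      *               255.255.255.0   U     0      0        0 br-lan
10.172.0.0      10.172.3.254    255.255.0.0     UG    0      0        0 tun1
default         10.0.0.2        0.0.0.0         UG    0      0        0 br-wan
"""

def parse_routes(text):
    """Parse `route` output into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # Skip the title line and the column header; data rows have 8 fields.
        if len(f) != 8 or f[0] == "Destination":
            continue
        if f[0] == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        gateway = None if f[1] == "*" else f[1]  # "*" means directly connected
        routes.append((net, gateway, int(f[4]), f[7]))
    return routes

def route_get(routes, addr):
    """Longest-prefix match, lowest metric as tie-break; None if no route."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    net, gateway, _metric, iface = max(hits, key=lambda r: (r[0].prefixlen, -r[2]))
    return {"dst": addr, "via": gateway, "dev": iface, "matched": str(net)}

if __name__ == "__main__":
    table = parse_routes(ROUTE_OUTPUT)
    # 10.172.1.1 is the address pinged above; the others exercise each route type.
    for target in ("10.172.1.1", "10.172.3.20", "10.172.3.254", "8.8.8.8"):
        print(route_get(table, target))
```

The lookup covers only the main table shown by 'route'; policy rules that 'ip rule' would list are not visible in this output.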