On Mon, Jan 20, 2014 at 8:33 PM, Randy Bush <[email protected]> wrote:
> > I'm too lazy to log into my box and dump iptables but I'm 99% sure 53
> > isn't open on the wan.
>
> i am willing to believe that you have iptables that block incoming 53
> on the wan. otoh, from my testing it seemed pretty clear that my three
> boxes were open on the wan.
>
> if you would be so kind as to un-laze and dump your iptables, maybe
> that will help me sort it out.
>
Sure. It's not blocked so much as never opened. Trunk from a few days ago.
root@OpenWrt:~# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4844K 498M delegate_input all -- * * 0.0.0.0/0 0.0.0.0/0
root@OpenWrt:~# iptables -vnL delegate_input
Chain delegate_input (1 references)
pkts bytes target prot opt in out source destination
418K 37M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4426K 461M input_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for input */
2533K 308M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
354K 19M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
290K 17M syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
1382K 124M zone_lan_input all -- br-lan * 0.0.0.0/0 0.0.0.0/0
154K 9550K zone_wan_input all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0
root@OpenWrt:~# iptables -vnL zone_lan_input
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
1382K 124M input_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for input */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* Accept port redirections */
1382K 124M zone_lan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
root@OpenWrt:~# iptables -vnL zone_wan_input
Chain zone_wan_input (1 references)
pkts bytes target prot opt in out source destination
154K 9550K input_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for input */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 /* Allow-DHCP-Renew */
32094 2764K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Allow-Ping */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* Accept port redirections */
122K 6787K zone_wan_src_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
root@OpenWrt:~# iptables -vnL zone_lan_src_ACCEPT
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
1382K 124M ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0
root@OpenWrt:~#
root@OpenWrt:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded=1
dhcp.@dnsmasq[0].boguspriv=1
dhcp.@dnsmasq[0].filterwin2k=1
dhcp.@dnsmasq[0].localise_queries=1
dhcp.@dnsmasq[0].rebind_protection=1
dhcp.@dnsmasq[0].rebind_localhost=1
dhcp.@dnsmasq[0].local=/lan/
dhcp.@dnsmasq[0].domain=lan
dhcp.@dnsmasq[0].expandhosts=1
dhcp.@dnsmasq[0].nonegcache=1
dhcp.@dnsmasq[0].cachesize=4096
dhcp.@dnsmasq[0].authoritative=1
dhcp.@dnsmasq[0].readethers=1
dhcp.@dnsmasq[0].leasefile=/tmp/dhcp.leases
dhcp.@dnsmasq[0].resolvfile=/etc/resolv.conf.opendns
dhcp.@dnsmasq[0].server=/netflix.com/192.95.16.109 /hulu.com/192.95.16.109 /pandora.com/69.197.169.9 /cbs.com/192.95.16.109 /abc.go.com/192.95.16.109 /mtv.com/192.95.16.109 /tunlr.net/69.197.169.9
dhcp.lan=dhcp
dhcp.lan.interface=lan
dhcp.lan.start=150
dhcp.lan.limit=50
dhcp.lan.leasetime=3h
dhcp.wan=dhcp
dhcp.wan.interface=wan
dhcp.wan.ignore=1
Default config ignores wan. Since like forever.
_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
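To see why "never opened" holds, the chain walk in the dump above can be replayed for a given packet. The following is an added example written for this page, not code from the thread or from OpenWrt; it models only the matchers visible in the dump (in-interface, protocol, destination port, conntrack state, ICMP type), treats the empty input_rule/input_lan_rule/input_wan_rule chains as fall-through, and leaves out the syn_flood rate limiter.

```python
# Model of the OpenWrt chains dumped above, used to trace the verdict an
# inbound packet gets. Built from the posted `iptables -vnL` output; only
# in-interface, protocol, dport, conntrack state and ICMP type are modelled,
# empty user chains fall through, and the syn_flood limiter is left out.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
CHAINS = {  # chain -> [(match dict, target)]; {} matches every packet
    "INPUT": [({}, "delegate_input")],
    "delegate_input": [
        ({"in": "lo"}, "ACCEPT"),
        ({}, "input_rule"),
        ({"ctstate": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
        ({"ctstate": {"INVALID"}}, "DROP"),
        ({"in": "br-lan"}, "zone_lan_input"),
        ({"in": "pppoe-wan"}, "zone_wan_input"),
    ],
    "input_rule": [], "input_lan_rule": [], "input_wan_rule": [],
    "zone_lan_input": [
        ({}, "input_lan_rule"),
        ({"ctstate": {"DNAT"}}, "ACCEPT"),
        ({}, "zone_lan_src_ACCEPT"),
    ],
    "zone_lan_src_ACCEPT": [({"in": "br-lan"}, "ACCEPT")],
    "zone_wan_input": [
        ({}, "input_wan_rule"),
        ({"proto": "udp", "dport": 68}, "ACCEPT"),     # Allow-DHCP-Renew
        ({"proto": "icmp", "icmptype": 8}, "ACCEPT"),  # Allow-Ping
        ({"ctstate": {"DNAT"}}, "ACCEPT"),             # port redirections
        ({}, "zone_wan_src_REJECT"),
    ],
    "zone_wan_src_REJECT": [({"in": "pppoe-wan"}, "REJECT")],
}

def matches(rule, pkt):
    """True when every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        have = pkt.get(key)
        if (have not in want) if key == "ctstate" else (have != want):
            return False
    return True

def verdict(pkt, chain="INPUT"):
    """First terminal match wins; a user chain that matches nothing returns
    None so the caller carries on with its next rule (netfilter semantics)."""
    for rule, target in CHAINS[chain]:
        if not matches(rule, pkt):
            continue
        sub = target if target in TERMINAL else verdict(pkt, target)
        if sub is not None:
            return sub
    return None  # fell off INPUT: the dump's policy ACCEPT applies
```

Traced this way, a new UDP/53 packet arriving on pppoe-wan ends in zone_wan_src_REJECT while the same query from br-lan is accepted, regardless of where dnsmasq listens. The one caveat the dump also shows: an interface that belongs to no zone falls off the end of delegate_input and gets the INPUT policy, which is ACCEPT here.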