iptables rules incorrect for router mode

russellr

Using: DD-WRT Kong Mod for NETGEAR R7000 (2017-06-11)

My ADSL modem cannot work in Bridge mode, and I want to avoid double-NAT (i.e. router does NAT and modem does NAT).

So, I've set the router into Router mode (Setup -> Advanced Routing -> Operating Mode = Router).

It turns out the iptables rules are incorrect.  Specifically the FORWARD chain:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination               
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     47   --  *      vlan2   192.168.0.0/24       0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      vlan2   192.168.0.0/24       0.0.0.0/0           tcp dpt:1723 
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
  992  126K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            224.0.0.0/4         
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0 
  992  126K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW 
  992  126K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 
The DROP rule at the bottom catches incoming packets from the modem and drops them.
 
Removing the DROP rule fixes the problem, but I'll write back once I figure out a more secure alternative (if required).
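Before relaxing a chain like the one above, it helps to read the counters rather than just delete the terminal DROP. The script below is an added example (not from the post and not DD-WRT code): it parses the `iptables -vnL FORWARD` listing format shown above, using the post's own output as the embedded sample, and reports which rules are absorbing traffic and which state-matching ACCEPT rules never fired. In the sample, the `state NEW` rule just before the DROP saw zero packets while the DROP saw 992, so the dropped packets reached the end of the chain with no connection-tracking state; that is the symptom to chase (for example, whether conntrack is bypassed in router mode) before deciding whether the DROP is safe to keep.

```python
import re

# Constructed sample: the FORWARD chain listing quoted in the post (iptables -vnL FORWARD).
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      vlan2   192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      vlan2   192.168.0.0/24       0.0.0.0/0           tcp dpt:1723
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  992  126K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            224.0.0.0/4
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
  992  126K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  992  126K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# iptables -v abbreviates counters with K/M/G suffixes (decimal multiples).
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_counter(token):
    """Turn '126K' into 126000, '992' into 992."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"unexpected counter field: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chain(text):
    """Parse one 'iptables -vnL <chain>' listing into a dict of policy and rules."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    head = re.match(r"Chain (\S+) \(policy (\S+)", lines[0])
    if not head:
        raise ValueError("missing 'Chain <name> (policy ...)' header")
    chain = {"name": head.group(1), "policy": head.group(2), "rules": []}
    for line in lines[2:]:  # lines[1] is the column header row
        # Fixed columns: pkts bytes target prot opt in out source destination; rest is match text.
        f = line.split(None, 9)
        if len(f) < 9:
            raise ValueError(f"short rule line: {line!r}")
        chain["rules"].append({
            "pkts": parse_counter(f[0]),
            "bytes": parse_counter(f[1]),
            "target": f[2],
            "prot": f[3],
            "in": f[5],
            "out": f[6],
            "src": f[7],
            "dst": f[8],
            "match": f[9].strip() if len(f) > 9 else "",
        })
    return chain


def is_catch_all(rule):
    """True when a rule matches every packet (any iface, any proto, any address, no extra match)."""
    return (rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and rule["prot"] in ("0", "all") and rule["match"] == "")


def audit(chain):
    """Summarise where traffic went and which stateful ACCEPT rules never matched."""
    rules = chain["rules"]
    report = {
        # packets absorbed by a terminal catch-all DROP, or None if there is none
        "terminal_catch_all_drop": None,
        # 1-based indices of ACCEPT rules keyed on conntrack state that saw no traffic
        "unmatched_state_rules": [],
        # (index, target, in, out, pkts) for every rule that saw traffic
        "hot_rules": [],
    }
    if rules and rules[-1]["target"] == "DROP" and is_catch_all(rules[-1]):
        report["terminal_catch_all_drop"] = rules[-1]["pkts"]
    for idx, r in enumerate(rules, 1):
        if r["pkts"] > 0:
            report["hot_rules"].append((idx, r["target"], r["in"], r["out"], r["pkts"]))
        if r["target"] == "ACCEPT" and r["match"].startswith("state") and r["pkts"] == 0:
            report["unmatched_state_rules"].append(idx)
    return report


if __name__ == "__main__":
    rep = audit(parse_chain(SAMPLE))
    for idx, target, ifin, ifout, pkts in rep["hot_rules"]:
        print(f"rule {idx:2d} {target:<12} in={ifin:<6} out={ifout:<6} pkts={pkts}")
    if rep["terminal_catch_all_drop"]:
        print(f"terminal catch-all DROP absorbed {rep['terminal_catch_all_drop']} packets")
    if rep["unmatched_state_rules"]:
        print("stateful ACCEPT rules that never matched:", rep["unmatched_state_rules"])
```

Run it against a live listing with `iptables -vnL FORWARD` piped in place of `SAMPLE`; the interesting output is a non-empty `unmatched_state_rules` list alongside a busy terminal DROP, which says the dropped packets were never given a conntrack state rather than that the DROP itself is wrong.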
 
russellr

The correct solution is probably to disable the firewall on the router, and rely on the firewall in the modem.

regards,

Russ