0 votes
347 views 7 comments
by anonymous

Hello,
on RUT240 with FW RUT2_R_00.07.02, when I create a new firewall zone, it is not added to the iptables default tables (OUTPUT, INPUT, FORWARD).
For example, I have created the new zone "mobile" associated with interface mob1s1a1 and I see that the new iptables chains are created:

Chain zone_mobile_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_mobile_dest_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_mobile_forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_mobile_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom mobile forwarding rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_mobile_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_mobile_input (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_mobile_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom mobile input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_mobile_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_mobile_output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_mobile_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom mobile output rule chain */
    0     0 zone_mobile_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_mobile_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination

But, for example, the zone_mobile_output is not inserted in the OUTPUT chain, so the new zone will never be evaluated (same for INPUT and FORWARD):

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  2036 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 2582 2153K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
 2574 2153K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 ACCEPT     tcp  --  *      wwan0   0.0.0.0/0            0.0.0.0/0            tcp dpt:123 /* !fw3: O_NTP_MOBILE */
    0     0 ACCEPT     udp  --  *      wwan0   0.0.0.0/0            0.0.0.0/0            udp dpt:123 /* !fw3: O_NTP_MOBILE */
    0     0 ACCEPT     udp  --  *      wwan0   0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* !fw3: O_OPENVPN_MOBILE */
    0     0 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    8   672 zone_wan_output  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_vpn_output  all  --  *      tun_+   0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_vpn_output  all  --  *      tun+    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_l2tp_output  all  --  *      l2tp+   0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_l2tp_output  all  --  *      xl2tp+  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_pptp_output  all  --  *      pptp+   0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_gre_output  all  --  *      gre+    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_output  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_output  all  --  *      tun1    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_output  all  --  *      tun2    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_output  all  --  *      tun3    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_sstp_output  all  --  *      sstp-+  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_zero_output  all  --  *      zt+     0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_openvpn_output  all  --  *      tun_+   0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_openvpn_output  all  --  *      tun+    0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Thanks,

M

1 Answer

0 votes
by anonymous

Hi, couldn't reproduce your issue. Created a new zone, added an interface to the zone.

Ran the iptables -L command; below is the result.

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_newzone_input  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_newzone_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_newzone_output  all  --  anywhere             anywhere             /* !fw3 */

Tell me step by step what you are doing.

Best regards, Anton

by anonymous

Hello Anton,
I can reproduce the situation every time. I have also tried to factory reset the device before retrying the configuration.
This is the procedure:
1) Create the new firewall zone:

2) Associate the network interface MOB1S1A1 to the new firewall zone:

3) Check the iptables:

root@Teltonika-RUT240:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain*/
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
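The check that step 3 above performs by hand (and that the opening post shows in `-v` form, with the mobile zone's chains reported as "0 references") can be run over captured output instead of by eye: for every zone_<name>_input, zone_<name>_forward and zone_<name>_output chain, verify that the matching built-in chain actually jumps to it. The Python script below is an added example, not code from this thread, from Teltonika or from fw3. It parses the text of iptables -L or iptables -L -v and lists zone chains that no built-in chain reaches, which is the symptom reported for the mobile zone. The two embedded listings are constructed to mirror the outputs posted in the thread (not captures from a device), and the function names parse_chains, orphan_zone_chains, unreferenced_chains and audit are this example's own.

```python
"""Detect fw3 zone chains that no built-in iptables chain reaches.

Added example, not code from the thread or from fw3. It parses captured
`iptables -L` / `iptables -L -v` text; the sample listings below are
constructed to mirror the thread's output, not captures from a device.
"""
import re

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((.*)\)$")
ZONE_CHAIN = re.compile(r"^zone_(?P<zone>.+)_(?P<hook>input|forward|output)$")
BUILTIN_FOR_HOOK = {"input": "INPUT", "forward": "FORWARD", "output": "OUTPUT"}


def parse_chains(listing):
    """Map chain name -> {"refs": N or None, "targets": [jump targets]}.
    refs is the "(N references)" count printed for user chains (None for
    built-ins); each chain's column header row tells plain from -v layout."""
    chains, current, verbose = {}, None, False
    for line in listing.splitlines():
        header = CHAIN_HEADER.match(line.strip())
        if header:
            name, info = header.groups()
            refs = re.match(r"(\d+) references?", info)
            current = chains.setdefault(
                name, {"refs": int(refs.group(1)) if refs else None, "targets": []})
            continue
        tokens = line.split()
        if not tokens or current is None:
            continue
        if tokens[0] in ("pkts", "target"):      # column header row of a chain
            verbose = tokens[0] == "pkts"        # -v rows: pkts bytes target ...
            continue
        if verbose and len(tokens) > 2:
            current["targets"].append(tokens[2])
        elif not verbose:
            current["targets"].append(tokens[0])
    return chains


def orphan_zone_chains(chains):
    """Zone chains whose built-in chain (INPUT/FORWARD/OUTPUT) never jumps
    to them, so the rules inside are never evaluated."""
    orphans = []
    for name in chains:
        m = ZONE_CHAIN.match(name)
        if m is None:
            continue
        builtin = chains.get(BUILTIN_FOR_HOOK[m.group("hook")], {"targets": []})
        if name not in builtin["targets"]:
            orphans.append(name)
    return sorted(orphans)


def unreferenced_chains(chains):
    """User chains that iptables itself reports with "(0 references)"."""
    return sorted(n for n, c in chains.items() if c["refs"] == 0)


def audit(listing):
    chains = parse_chains(listing)
    return {"orphans": orphan_zone_chains(chains),
            "zero_refs": unreferenced_chains(chains)}


# Constructed `iptables -L -v` excerpt: lan/wan zones are hooked in,
# the mobile zone's chains exist but nothing jumps to them.
SAMPLE_VERBOSE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source      destination
    0     0 zone_lan_input  all  --  br-lan *   0.0.0.0/0   0.0.0.0/0   /* !fw3 */
    0     0 zone_wan_input  all  --  eth1   *   0.0.0.0/0   0.0.0.0/0   /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source      destination
    0     0 zone_lan_forward  all  --  br-lan * 0.0.0.0/0   0.0.0.0/0   /* !fw3 */
    0     0 zone_wan_forward  all  --  eth1   * 0.0.0.0/0   0.0.0.0/0   /* !fw3 */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source      destination
    0     0 zone_lan_output  all  --  *  br-lan  0.0.0.0/0   0.0.0.0/0   /* !fw3 */
    8   672 zone_wan_output  all  --  *  eth1    0.0.0.0/0   0.0.0.0/0   /* !fw3 */
Chain zone_mobile_forward (0 references)
 pkts bytes target     prot opt in     out     source      destination
    0     0 zone_mobile_dest_REJECT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  /* !fw3 */
Chain zone_mobile_input (0 references)
 pkts bytes target     prot opt in     out     source      destination
    0     0 zone_mobile_src_REJECT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  /* !fw3 */
Chain zone_mobile_output (0 references)
 pkts bytes target     prot opt in     out     source      destination
    0     0 zone_mobile_dest_REJECT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  /* !fw3 */
"""

# Constructed plain `iptables -L` excerpt: the new zone is hooked in (healthy).
SAMPLE_PLAIN = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_newzone_input  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_newzone_input (1 references)
target     prot opt source               destination
zone_newzone_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */
"""

if __name__ == "__main__":
    for label, sample in (("verbose", SAMPLE_VERBOSE), ("plain", SAMPLE_PLAIN)):
        print(label, "zone chains never reached:", audit(sample)["orphans"] or "none")
```

On a device the same check runs over live output with python3 script.py < <(iptables -L -v) on any host you have copied the listing to; an empty orphan list means every zone's input, forward and output chain is reachable, while a non-empty one (as for zone_mobile_* in the first sample) means rules placed in that zone are silently never evaluated.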

by anonymous

I noted that if in step 2) I associate the interface WAN instead of MOB1S1A1, the rules on the iptables chains are correctly created.
Is the issue related only to the MOB1S1A1 interface?

by anonymous

Hello, my RUT200 behaves exactly the same. And what does it interfere with at work? In what situation does this cause a problem?

Best regards, Anton

by anonymous
In my case, I would like to set the mobile interface on a dedicated firewall zone with specific rules.
But it seems impossible since the new zones (i.e. zone_test_input, zone_test_output, zone_test_forward) are not inserted in the iptables chains INPUT, OUTPUT, and FORWARD. And the consequence is that the new firewall zone rules will never be evaluated.
For example, how can it be evaluated if I create a specific firewall rule on the "zone_test_output"?

Thanks,
M
by anonymous
Hello Massimo,

Thanks for your input and letting us know about this. The information has been passed on to R&D and will be fixed in the near future.

Regards.
by anonymous
Hello,
is there any news on this issue? Will it be fixed in a future FW version?

Thanks,
M
by anonymous
In the FW RUT2_R_00.07.02.4 the issue seems to be solved.