Sometimes you want to add a static route so the router can reach another network.
After adding the entry to the routing table you find that IP routing itself works fine, yet no connection to the other network can be established. The cause is a firewall rule.
#update1: I made a new firmware based on 1.4.38; the iptables rules will load automatically. @2012.01.12
WNR854T custom firmware
Here I want to show you how to fix the problem on a NetGear WNR854T.
Open http://www.routerlogin.net/cmd.htm on the router,
then run 'iptables -L -n --line-numbers' to print the whole rule set with rule numbers.
The result will look something like this (yours may differ):
Chain INPUT (policy ACCEPT)
num  target   prot opt source            destination
1    ACCEPT   udp  --  0.0.0.0/0         0.0.0.0/0      udp spt:520 dpt:520
2    ACCEPT   tcp  --  192.168.0.96/27   0.0.0.0/0      tcp dpt:81
3    ACCEPT   icmp --  0.0.0.0/0         192.168.0.93   icmp type 8
4    ACCEPT   all  --  192.168.0.96/27   0.0.0.0/0
5    ACCEPT   all  --  0.0.0.0/0         0.0.0.0/0      state RELATED,ESTABLISHED
6    ACCEPT   udp  --  0.0.0.0/0         0.0.0.0/0      udp dpt:520
7    ACCEPT   udp  --  0.0.0.0/0         0.0.0.0/0      udp dpt:68
8    DROP     all  --  0.0.0.0/0         0.0.0.0/0      state NEW,INVALID

Chain FORWARD (policy ACCEPT)
num  target   prot opt source            destination
1    PORT_FW  all  --  0.0.0.0/0         0.0.0.0/0
2    ACCEPT   all  --  0.0.0.0/0         0.0.0.0/0      state RELATED,ESTABLISHED
3    DROP     all  --  0.0.0.0/0         0.0.0.0/0      state NEW,INVALID

Chain OUTPUT (policy ACCEPT)
num  target   prot opt source            destination

Chain PORT_FW (1 references)
num  target   prot opt source            destination
...
Rule 8 of chain INPUT and rule 3 of chain FORWARD drop every packet whose connection state is NEW (or INVALID). The first packet of any connection from or to the other network is NEW, and none of the ACCEPT rules above those two match it: in INPUT only the local subnet 192.168.0.96/27 and RELATED,ESTABLISHED traffic are accepted, and in FORWARD only RELATED,ESTABLISHED traffic gets through. So the route is correct, but the first packet of every connection never gets past the firewall.
We therefore need to modify these rules,
like so:
iptables -R INPUT 8 -i eth0 -m state --state INVALID -j DROP
iptables -R FORWARD 3 -i eth0 -m state --state INVALID -j DROP
iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW -j ACCEPT
The two -R commands replace the catch-all DROP rules with ones that only drop INVALID packets arriving on eth0; the two -A commands append rules that accept NEW connections arriving on eth0. Replace 8 and 3 with the rule numbers from your own listing. One caveat before you run this: both chains have policy ACCEPT, so after the change a new connection is accepted on every interface, on eth0 by the appended rule and on any other interface by falling through to the chain policy, because nothing drops it any more. Check which interface eth0 is first ('iptables -L -n -v' shows the in/out interface columns that -L -n hides). If you only want the routed network through, keep the original DROP rules and insert ACCEPT rules restricted with -s/-d to that network in front of them instead.
The rule table now looks like this (the -i eth0 match is not shown by -L -n; add -v to see it):
Chain INPUT (policy ACCEPT)
num  target   prot opt source            destination
1    ACCEPT   udp  --  0.0.0.0/0         0.0.0.0/0      udp spt:520 dpt:520
2    ACCEPT   tcp  --  192.168.0.96/27   0.0.0.0/0      tcp dpt:81
3    ACCEPT   icmp --  0.0.0.0/0         192.168.0.93   icmp type 8
4    ACCEPT   all  --  192.168.0.96/27   0.0.0.0/0
5    ACCEPT   all  --  0.0.0.0/0         0.0.0.0/0      state RELATED,ESTABLISHED
6    ACCEPT   udp  --  0.0.0.0/0         0.0.0.0/0      udp dpt:520
7    ACCEPT   udp  --  0.0.0.0/0         0.0.0.0/0      udp dpt:68
8    DROP     all  --  0.0.0.0/0         0.0.0.0/0      state INVALID
9    ACCEPT   all  --  0.0.0.0/0         0.0.0.0/0      state NEW

Chain FORWARD (policy ACCEPT)
num  target   prot opt source            destination
1    PORT_FW  all  --  0.0.0.0/0         0.0.0.0/0
2    ACCEPT   all  --  0.0.0.0/0         0.0.0.0/0      state RELATED,ESTABLISHED
3    DROP     all  --  0.0.0.0/0         0.0.0.0/0      state INVALID
4    ACCEPT   all  --  0.0.0.0/0         0.0.0.0/0      state NEW

Chain OUTPUT (policy ACCEPT)
num  target   prot opt source            destination

Chain PORT_FW (1 references)
num  target   prot opt source            destination
...
Now test the connection, with ping or anything else you like. 🙂
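If you would rather keep the catch-all DROP rules and only let the routed network through, the script below does that. It is an added example, not code from the original post or from the WNR854T firmware. It reads the output of 'iptables -L -n --line-numbers', finds the DROP rule for state NEW,INVALID in INPUT and FORWARD (so you do not have to read 8 and 3 off the listing by hand), and prints 'iptables -I' commands that insert ACCEPT rules for the remote network directly in front of that DROP rule, leaving the DROP in place for everything else. The remote network 10.10.0.0/24, the use of awk, and the sample listing (constructed from the shape of the output shown on this page) are all assumptions; change the network to match your setup.

```shell
#!/bin/sh
# Added example (not from the original post): punch a hole for one routed network
# in front of the "DROP ... state NEW,INVALID" rule instead of replacing that rule.
# Assumptions: the remote network is 10.10.0.0/24 (hypothetical) and awk is available.

# Constructed sample listing, in the shape of `iptables -L -n --line-numbers` output
# as shown on this page (only the rules needed to locate the DROP lines are kept).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target   prot opt source            destination
4    ACCEPT   all  --  192.168.0.96/27   0.0.0.0/0
5    ACCEPT   all  --  0.0.0.0/0         0.0.0.0/0      state RELATED,ESTABLISHED
7    ACCEPT   udp  --  0.0.0.0/0         0.0.0.0/0      udp dpt:68
8    DROP     all  --  0.0.0.0/0         0.0.0.0/0      state NEW,INVALID

Chain FORWARD (policy ACCEPT)
num  target   prot opt source            destination
1    PORT_FW  all  --  0.0.0.0/0         0.0.0.0/0
2    ACCEPT   all  --  0.0.0.0/0         0.0.0.0/0      state RELATED,ESTABLISHED
3    DROP     all  --  0.0.0.0/0         0.0.0.0/0      state NEW,INVALID

Chain OUTPUT (policy ACCEPT)
num  target   prot opt source            destination'

# find_drop_rule CHAIN: read a listing on stdin and print the rule number of the
# DROP rule that matches "state NEW,INVALID" inside CHAIN. Prints nothing if the
# chain has no such rule (for example after it was already narrowed to INVALID).
find_drop_rule() {
    awk -v chain="$1" '
        /^Chain / { cur = $2; next }
        cur == chain && $2 == "DROP" && /state NEW,INVALID/ { print $1; exit }
    '
}

# fix_commands NET: read a listing on stdin and print, one per line, the iptables
# commands that insert ACCEPT rules for NET at the index of the DROP rule, i.e.
# directly before it, in both INPUT (NET as source, for reaching the router) and
# FORWARD (NET as source and as destination, for traffic routed through it).
# Fails with status 1 if either chain has no NEW,INVALID DROP rule, so the script
# never emits commands against a rule set it does not recognise.
fix_commands() {
    net="$1"
    listing=$(cat)
    in_num=$(printf '%s\n' "$listing" | find_drop_rule INPUT)
    fw_num=$(printf '%s\n' "$listing" | find_drop_rule FORWARD)
    if [ -z "$in_num" ] || [ -z "$fw_num" ]; then
        echo "fix_commands: no 'DROP ... state NEW,INVALID' rule found in INPUT/FORWARD" >&2
        return 1
    fi
    printf 'iptables -I INPUT %s -s %s -m state --state NEW -j ACCEPT\n' "$in_num" "$net"
    printf 'iptables -I FORWARD %s -s %s -m state --state NEW -j ACCEPT\n' "$fw_num" "$net"
    printf 'iptables -I FORWARD %s -d %s -m state --state NEW -j ACCEPT\n' "$fw_num" "$net"
}

# Stand-alone run: show the commands generated for the constructed sample.
# On the router you would feed it the live listing instead, and apply the output
# once after reviewing it:
#   iptables -L -n --line-numbers | fix_commands 10.10.0.0/24 | sh
printf '%s\n' "$SAMPLE_LISTING" | fix_commands 10.10.0.0/24
```

Run it once: because the DROP rule is kept, running it again would insert a second copy of each ACCEPT rule. Inserting at the DROP rule's own index pushes the DROP down, so the listing afterwards still ends each chain with the catch-all DROP, and 'iptables -L -n -v' will show the new rules only counting packets for the routed network.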
Special thanks to Masaki わふー.