For some reason I can't get this fix to work for me. I have an E3000 running build 16785. On my Administration -> Commands page, in the Firewall section, the below is listed:
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
I've rebooted the router several times, but still cannot access my SABnzbd server internally using the public URL. I've connected to my computer at work, and I can access it fine from there, so I know the port is forwarded properly.
Anyone have any ideas?
Thanks
Sorry to hear the fix isn't working for the E3000 for you. It's working properly for me. I added the commands to the Firewall Script then rebooted the router via the configuration website. I have the standard ROM from the initial flashing.
Posted: Sat Apr 07, 2012 14:24 Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss
phuzi0n wrote:
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.
None of these methods works for me anymore on my E4200 since I upgraded to DD-WRT v24-sp2 (03/19/12) big.
Before that I used the oneliner with several DD-WRT builds:
Posted: Sun Apr 08, 2012 19:32 Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss
phuzi0n wrote:
I spent some time thinking about the best way to fix loopback.
If it's left unfixed could this contribute to security in some way? In other words, what are the security implications of this lookback matter and if there are no server needs whatsoever, doesn't that help secure the router/network better in the absence of loopback?
Posted: Mon Apr 09, 2012 20:01 Post subject: Re: NAT Loopback fix for 15760 and higher, (Port forward iss
phuzi0n wrote:
I spent some time thinking about the best way to fix loopback. Despite some bad documentation throwing me off before, I found that it's possible to mark traffic destined to the WAN IP and then only masquerade the marked traffic. This should allow loopback to work for all local interfaces without causing problems when ebtables is loaded.
Save the following commands to the Firewall Script on the Administration->Commands page to fix loopback.
# load the MARK match/target module under whichever name this build's kernel uses
insmod ipt_mark
insmod xt_mark
# mark packets that arrive on any non-WAN interface addressed to the WAN IP
# (mangle PREROUTING runs before the port-forward DNAT, so -d still sees the WAN IP;
# newer iptables versions spell the negation as "! -i")
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
# masquerade only the marked packets, so the server's replies come back through the router
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
If you have a block of static IPs using 1:1 NAT then you also need to add another iptables rule to cover your IP block. Edit the netblock (1.1.1.0/24 in the rule below) to be your static IP block.
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d 1.1.1.0/24 -j MARK --set-mark 0xd001
The one known caveat is that badly written QoS scripts will prevent it from working but that's a problem with the scripts that needs to be fixed...
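To make the reasoning behind the mark-then-masquerade fix concrete, here is an added model of the netfilter hooks a hairpin packet crosses. It is illustration written for this page, not DD-WRT's or phuzi0n's code; the interface names, addresses (documentation ranges) and the forwarded port 8080 are assumptions, and conntrack is reduced to the two tuples it needs to reverse the translations on the reply. It shows why the LAN client's SYN/ACK arrives from the wrong address without the fix, why the mark must be applied before the DNAT, and that Internet-originated connections are left unmarked and unmasqueraded.

```python
from dataclasses import dataclass, replace

# All names below are assumptions for the model (documentation address ranges).
WAN_IF = "vlan2"                 # what `get_wanface` would print on this build
LAN_IF = "br0"
WAN_IP = "203.0.113.10"          # what `nvram get wan_ipaddr` would print
ROUTER_LAN_IP = "192.168.1.1"    # address MASQUERADE uses for packets leaving via br0
SERVER = "192.168.1.50"
CLIENT = "192.168.1.20"
FORWARDS = {8080: (SERVER, 8080)}  # the port forward: WAN_IP:8080 -> SERVER:8080
MARK = 0xD001


@dataclass(frozen=True)
class Packet:
    iif: str      # ingress interface
    src: str
    sport: int
    dst: str
    dport: int
    mark: int = 0

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


class Router:
    """The hooks a forwarded packet crosses, in the order the kernel runs them."""

    def __init__(self, loopback_fix):
        self.loopback_fix = loopback_fix
        self.conntrack = {}  # flow as delivered to the server -> flow as the client sent it

    def mangle_prerouting(self, pkt):
        # Runs before nat PREROUTING, so `-d WAN_IP` still matches: the DNAT
        # has not rewritten the destination yet.  `-i ! wanface` keeps
        # Internet-originated packets unmarked.
        if self.loopback_fix and pkt.iif != WAN_IF and pkt.dst == WAN_IP:
            return replace(pkt, mark=MARK)
        return pkt

    def nat_prerouting(self, pkt):
        # The ordinary port-forward DNAT that the router installs.
        if pkt.dst == WAN_IP and pkt.dport in FORWARDS:
            host, port = FORWARDS[pkt.dport]
            return replace(pkt, dst=host, dport=port)
        return pkt

    def nat_postrouting(self, pkt):
        # Only marked packets are masqueraded.  The packet leaves via br0, so
        # MASQUERADE substitutes the router's LAN address, not the WAN IP.
        if pkt.mark == MARK:
            return replace(pkt, src=ROUTER_LAN_IP)
        return pkt

    def forward(self, pkt):
        original = pkt.flow
        pkt = self.nat_postrouting(self.nat_prerouting(self.mangle_prerouting(pkt)))
        self.conntrack[pkt.flow] = original
        return pkt

    def reply(self, pkt):
        # conntrack undoes both translations on the return packet.
        src, sport, dst, dport = pkt.flow
        osrc, osport, odst, odport = self.conntrack[(dst, dport, src, sport)]
        return replace(pkt, src=odst, sport=odport, dst=osrc, dport=osport)


def hairpin_connect(loopback_fix):
    """LAN client opens WAN_IP:8080.  Returns (reply source seen by the client, accepted?)."""
    router = Router(loopback_fix)
    syn = Packet(iif=LAN_IF, src=CLIENT, sport=40000, dst=WAN_IP, dport=8080)
    at_server = router.forward(syn)
    syn_ack = Packet(iif=LAN_IF, src=at_server.dst, sport=at_server.dport,
                     dst=at_server.src, dport=at_server.sport)
    if syn_ack.dst == ROUTER_LAN_IP:
        syn_ack = router.reply(syn_ack)     # returns via the router, translations reversed
    # else: the server answers the client directly on the LAN; the router never sees it.
    seen = (syn_ack.src, syn_ack.sport)
    # The client's socket is to WAN_IP:8080; a SYN/ACK from any other address
    # matches no socket and is answered with a RST.
    return seen, seen == (WAN_IP, 8080)


def wan_connect():
    """Internet client opens WAN_IP:8080 with the fix loaded.  Returns (source seen by server, mark)."""
    router = Router(loopback_fix=True)
    syn = Packet(iif=WAN_IF, src="198.51.100.7", sport=51000, dst=WAN_IP, dport=8080)
    at_server = router.forward(syn)
    return at_server.src, at_server.mark


if __name__ == "__main__":
    print("with fix:   ", hairpin_connect(True))
    print("without fix:", hairpin_connect(False))
    print("from WAN:   ", wan_connect())
```

Two practical consequences follow from the model. Hairpinned connections reach the server with the router's LAN address as their source, so the server's logs and any per-IP access control on it cannot tell LAN clients apart when they use the public URL; connections from the Internet still carry the real client address. And when the fix appears not to work, the things to check on the router itself are that `nvram get wan_ipaddr` prints the public address the clients are connecting to (behind a second NAT or a modem in router mode it is a private address and `-d` never matches) and that the packet counters in `iptables -t mangle -vnL PREROUTING` and `iptables -t nat -vnL POSTROUTING` climb while a LAN client attempts the connection.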