xxorza

doesn't work

Sep 7th, 2019
root@OpenWrt:~# swconfig list; swconfig dev switch0 help; swconfig dev switch0 show; ip a; ip r; ip ru; iptables-save;
Found: switch0 - 10.mvsw61xx
switch0: 10.mvsw61xx(MV88E6352), ports: 7 (cpu @ 5), vlans: 64
     --switch
	Attribute 1 (int): enable_vlan (Enable 802.1q VLAN support)
	Attribute 2 (none): apply (Activate changes in the hardware)
	Attribute 3 (none): reset (Reset the switch)
     --vlan
	Attribute 1 (int): port_based (Use port-based (non-802.1q) VLAN only)
	Attribute 2 (int): vid (Get/set VLAN ID)
	Attribute 3 (ports): ports (VLAN port mapping)
     --port
	Attribute 1 (string): mask (Port-based VLAN mask)
	Attribute 2 (int): qmode (802.1q mode: 0=off/1=fallback/2=check/3=secure)
	Attribute 3 (int): pvid (Primary VLAN ID)
	Attribute 4 (unknown): link (Get port link information)
Global attributes:
	enable_vlan: 1
Port 0:
	mask: 0x0000: (0)
	qmode: 3
	pvid: 1
	link: port:0 link:down
Port 1:
	mask: 0x0000: (1)
	qmode: 3
	pvid: 1
	link: port:1 link:down
Port 2:
	mask: 0x0000: (2)
	qmode: 3
	pvid: 1
	link: port:2 link:up speed:1000baseT full-duplex
Port 3:
	mask: 0x0000: (3)
	qmode: 3
	pvid: 1
	link: port:3 link:up speed:1000baseT full-duplex
Port 4:
	mask: 0x0000: (4)
	qmode: 3
	pvid: 2
	link: port:4 link:up speed:100baseT full-duplex
Port 5:
	mask: 0x0000: (5)
	qmode: 3
	pvid: 0
	link: port:5 link:up speed:1000baseT full-duplex
Port 6:
	mask: 0x0000: (6)
	qmode: 3
	pvid: 0
	link: port:6 link:up speed:1000baseT full-duplex
VLAN 1:
	port_based: 0
	vid: 1
	ports: 0 1 2 3 5t
VLAN 2:
	port_based: 0
	vid: 2
	ports: 4 6t
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
    link/ether 24:f5:a2:c4:7a:d0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fec4:7ad0/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
    link/ether 26:f5:a2:c4:7a:d0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::24f5:a2ff:fec4:7ad0/64 scope link
       valid_lft forever preferred_lft forever
7: mlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 24:f5:a2:c4:7a:d3 brd ff:ff:ff:ff:ff:ff
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 26:f5:a2:c4:7a:d0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd55:f0a5:8ae9::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::24f5:a2ff:fec4:7ad0/64 scope link
       valid_lft forever preferred_lft forever
9: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 26:f5:a2:c4:7a:d0 brd ff:ff:ff:ff:ff:ff
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 24:f5:a2:c4:7a:d0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fec4:7ad0/64 scope link
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 24:f5:a2:c4:7a:d1 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fec4:7ad1/64 scope link
       valid_lft forever preferred_lft forever
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 24:f5:a2:c4:7a:d2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fec4:7ad2/64 scope link
       valid_lft forever preferred_lft forever
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
# Generated by iptables-save v1.6.2 on Sun Sep 8 03:21:28 2019
*nat
:PREROUTING ACCEPT [1184:214855]
:INPUT ACCEPT [86:6293]
:OUTPUT ACCEPT [162:10832]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: rpi80 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: rpi443 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 853 -m comment --comment "!fw3: privatedns853 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p udp -m udp --dport 853 -m comment --comment "!fw3: privatedns853 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.1.0/24 -d 162.211.151.92/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: rpi80 (reflection)" -j DNAT --to-destination 192.168.1.3:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 162.211.151.92/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: rpi443 (reflection)" -j DNAT --to-destination 192.168.1.3:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d 162.211.151.92/32 -p tcp -m tcp --dport 853 -m comment --comment "!fw3: privatedns853 (reflection)" -j DNAT --to-destination 192.168.1.3:853
-A zone_lan_prerouting -s 192.168.1.0/24 -d 162.211.151.92/32 -p udp -m udp --dport 853 -m comment --comment "!fw3: privatedns853 (reflection)" -j DNAT --to-destination 192.168.1.3:853
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: rpi80" -j DNAT --to-destination 192.168.1.3:80
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: rpi443" -j DNAT --to-destination 192.168.1.3:443
-A zone_wan_prerouting -p tcp -m tcp --dport 853 -m comment --comment "!fw3: privatedns853" -j DNAT --to-destination 192.168.1.3:853
-A zone_wan_prerouting -p udp -m udp --dport 853 -m comment --comment "!fw3: privatedns853" -j DNAT --to-destination 192.168.1.3:853
COMMIT
# Completed on Sun Sep 8 03:21:28 2019
# Generated by iptables-save v1.6.2 on Sun Sep 8 03:21:28 2019
*mangle
:PREROUTING ACCEPT [14826:4384595]
:INPUT ACCEPT [1896:220942]
:FORWARD ACCEPT [9560:3569885]
:OUTPUT ACCEPT [1840:421310]
:POSTROUTING ACCEPT [11371:3987637]
-A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Sep 8 03:21:28 2019
# Generated by iptables-save v1.6.2 on Sun Sep 8 03:21:28 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Sep 8 03:21:28 2019