14 hours ago, P.Bear said:

@Mytob do you use the WireGuard protocol or OpenVPN?

So let's say your qBt server IP is 10.0.12.9, the port you want to forward is 4321 and the interface of the WireGuard client that you created is wgclt3.

1) You have to forward the port with a rule in the chain PREROUTING of the table nat:

iptables -t nat -I PREROUTING -i wgclt3 -p tcp --dport 4321 -j DNAT --to-destination 10.0.12.9
iptables -t nat -I PREROUTING -i wgclt3 -p udp --dport 4321 -j DNAT --to-destination 10.0.12.9

With WG I noticed that I had to add a rule in the FORWARD chain to let the packets go through. (I don't know why; maybe it is the same with OpenVPN because of something that changed in the recent releases of UniFi OS.)
2) So you add the following rules:

iptables -I FORWARD -i wgclt3 -p tcp --dport 4321 -d 10.0.12.9 -j ACCEPT
iptables -I FORWARD -i wgclt3 -p udp --dport 4321 -d 10.0.12.9 -j ACCEPT

Note:
a) I use INSERT to add my rules so I'm sure they are placed at the top of the chains and processed before everything else.
b) I also noticed UDP packets coming from the AirVPN server. They come from the port used to connect to it (1637) and those are DROPped by the firewall. The host's resolution changes from time to time, so I'm not sure how to deal with this problem. I'm considering opening a ticket to verify whether this is normal behavior, as I wonder why I get such UDP requests.
I could add a rule like:
iptables -I INPUT -i eth8 -p udp --sport 1637 -j ACCEPT
But it's too permissive. 🤔


Thanks very much for the info :) I have been using OpenVPN without issue apart from the port forwards. I'll have a go tomorrow and see what happens!

My UDM finally started working again and connected to AirVPN, so I am back, but still with the issue that ports are not forwarded.
I was wondering if someone would be able to create a step-by-step guide to add the config via SSH, as I am not very used to doing that with commands (and I am sure many aren't).
I know I might be asking a lot, but such a guide would help so many people as well as benefit the entire AirVPN community, allowing many Ubiquiti users to also join the AirVPN community.
Thank you

On 11/19/2023 at 8:18 AM, P.Bear said:

@Mytob do you use the WireGuard protocol or OpenVPN?

So let's say your qBt server IP is 10.0.12.9, the port you want to forward is 4321 and the interface of the WireGuard client that you created is wgclt3.

1) You have to forward the port with a rule in the chain PREROUTING of the table nat:

iptables -t nat -I PREROUTING -i wgclt3 -p tcp --dport 4321 -j DNAT --to-destination 10.0.12.9
iptables -t nat -I PREROUTING -i wgclt3 -p udp --dport 4321 -j DNAT --to-destination 10.0.12.9

With WG I noticed that I had to add a rule in the FORWARD chain to let the packets go through. (I don't know why; maybe it is the same with OpenVPN because of something that changed in the recent releases of UniFi OS.)
2) So you add the following rules:

iptables -I FORWARD -i wgclt3 -p tcp --dport 4321 -d 10.0.12.9 -j ACCEPT
iptables -I FORWARD -i wgclt3 -p udp --dport 4321 -d 10.0.12.9 -j ACCEPT

Note:
a) I use INSERT to add my rules so I'm sure they are placed at the top of the chains and processed before everything else.
b) I also noticed UDP packets coming from the AirVPN server. They come from the port used to connect to it (1637) and those are DROPped by the firewall. The host's resolution changes from time to time, so I'm not sure how to deal with this problem. I'm considering opening a ticket to verify whether this is normal behavior, as I wonder why I get such UDP requests.
I could add a rule like:
iptables -I INPUT -i eth8 -p udp --sport 1637 -j ACCEPT
But it's too permissive. 🤔


So I just tried what you have posted with my own settings and, as before, I just get "connection refused". I have tried turning off the Windows firewall just in case, but no difference. The only thing I can't verify is the tunnel name, as I can't work out how to find it 😃 I assume it should not have changed from the last attempt as I have not recreated it?

10 hours ago, Mytob said:

The only thing I can't verify is the tunnel name, as I can't work out how to find it 😃 I assume it should not have changed from the last attempt as I have not recreated it?

I assume you use the WireGuard VPN client. From the UDM CLI, run the command:
ifconfig | grep -A1 wgclt

It will give you every WG tunnel interface and the IP associated with it. This IP is the tunnel IP that you can also find in the VPN client configuration through the web interface of the UDM. So you can identify the wgclt interface used for your AirVPN connection. This is the one you must use for your iptables rules.

(From the UDM CLI) give the output of:
iptables -t nat -S PREROUTING
iptables -S FORWARD

On 11/23/2023 at 6:46 AM, P.Bear said:

I assume you use the WireGuard VPN client. From the UDM CLI, run the command:

ifconfig | grep -A1 wgclt

It will give you every WG tunnel interface and the IP associated with it. This IP is the tunnel IP that you can also find in the VPN client configuration through the web interface of the UDM. So you can identify the wgclt interface used for your AirVPN connection. This is the one you must use for your iptables rules.

(From the UDM CLI) give the output of:

iptables -t nat -S PREROUTING
iptables -S FORWARD

Thanks for the info! I have just tried again and can confirm it works under WireGuard, but for some reason it seems to break DuckDuckGo and I have no idea why. Tried all the normal things like clearing the cache / rebooting the PC but no luck. Not sure if it's the server I was connected to, maybe, but something to play around with when I have a bit of time =)

On 11/19/2023 at 9:18 AM, P.Bear said:

@Mytob do you use the WireGuard protocol or OpenVPN?

So let's say your qBt server IP is 10.0.12.9, the port you want to forward is 4321 and the interface of the WireGuard client that you created is wgclt3.

1) You have to forward the port with a rule in the chain PREROUTING of the table nat:

iptables -t nat -I PREROUTING -i wgclt3 -p tcp --dport 4321 -j DNAT --to-destination 10.0.12.9
iptables -t nat -I PREROUTING -i wgclt3 -p udp --dport 4321 -j DNAT --to-destination 10.0.12.9

With WG I noticed that I had to add a rule in the FORWARD chain to let the packets go through. (I don't know why; maybe it is the same with OpenVPN because of something that changed in the recent releases of UniFi OS.)
2) So you add the following rules:

iptables -I FORWARD -i wgclt3 -p tcp --dport 4321 -d 10.0.12.9 -j ACCEPT
iptables -I FORWARD -i wgclt3 -p udp --dport 4321 -d 10.0.12.9 -j ACCEPT

Note:
a) I use INSERT to add my rules so I'm sure they are placed at the top of the chains and processed before everything else.
b) I also noticed UDP packets coming from the AirVPN server. They come from the port used to connect to it (1637) and those are DROPped by the firewall. The host's resolution changes from time to time, so I'm not sure how to deal with this problem. I'm considering opening a ticket to verify whether this is normal behavior, as I wonder why I get such UDP requests.
I could add a rule like:
iptables -I INPUT -i eth8 -p udp --sport 1637 -j ACCEPT
But it's too permissive. 🤔



Hi,
I have the same problem.

I can add the PREROUTING rule, but when I want to add the FORWARD rule I get an error:

iptables -t nat -A PREROUTING -i tunovpnc2 -p tcp --dport 54930 -j DNAT --to-destination 192.168.30.135

iptables -A FORWARD -i tunovpnc2 -p tcp --dport 54930 -d 192.168.30.135 -j ACCEPT
iptables v1.8.7 (legacy): Couldn't load target `ACCEPT ':No such file or directory

I'm running Network 8.1.113

 

Last night I couldn't sleep and I've been searching a bit about iptables. I finally got it working:

iptables -t nat -I PREROUTING -i tunovpnc2 -p tcp --dport 54930 -j DNAT --to-destination 192.168.30.135:54930
iptables -I FORWARD -d 192.168.30.135/32 -i tunovpnc2 -p tcp --dport 54930 -j ACCEPT


And be aware that sometimes UDM scripts reset the iptables chains as they like. So from time to time you have to check and reintroduce the rules.
Personally, I made a script in Python (before, it was in bash) that checks the iptables rules and reinjects the rules if needed. The script runs periodically from crontab.


Thanks for the tip.
I haven't had my UDM for long; I'm still learning 🙂

Could you perhaps give me an example of how to do that?


You mean with Python?

I've created different Python lists, one for each iptables and ip6tables chain. In each list I've put all the rules that I want to add.

So the Python script checks the rules in each chain, compares them with the corresponding Python list and then corrects what needs to be corrected.
(The script also creates some required ipsets and is careful not to add duplicate rules, which iptables allows without warning.)
The script runs every 30 minutes.

By the way, the iptables of the UDM includes the geoip module. So you can block countries per port/service, which the UDM interface does not allow! (With the UDM interface you can block countries IN, OUT, or both, but it's for the whole WAN connection; we can't do it on a service basis.) So I take the opportunity to do it via iptables rules.
For example I block some countries on the qBt port of AirVPN:

iptables -A FORWARD -d 10.0.12.12/32 -i wgclt4 -p udp -m udp --dport 45781 -m geoip --source-country CN,RU,BY,DZ,CF,GA,GH,CI,ZA -j BLOCK_BAD_COUNTRIES_QBT
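As an added example (P.Bear's own script is not posted in the thread, and this is not it), here is a small Python reconciler of the kind described in the reply above. It holds the DNAT and FORWARD rules from the earlier port-forwarding post as a desired list per table and chain, asks iptables with -C whether each rule is already present, and re-inserts only the missing ones with -I. That is what keeps the UDM's periodic chain resets from silently breaking the forward, and it also avoids the duplicate rules iptables accepts without complaint. The rule values (10.0.12.9, port 4321, wgclt3) are the thread's; the injectable runner, the function names and the binary parameter are assumptions of this example.

```python
#!/usr/bin/env python3
"""Keep a set of iptables rules present on a UDM, re-inserting any that a
UniFi script has flushed. Added example, not P.Bear's script."""
import shlex
import subprocess
from typing import Callable, Dict, List, Tuple

# Desired rules per (table, chain), written as the rule specification that
# follows "-A CHAIN" in iptables syntax. Values are the thread's example:
# qBt server 10.0.12.9, forwarded port 4321, tunnel interface wgclt3.
DESIRED: Dict[Tuple[str, str], List[str]] = {
    ("nat", "PREROUTING"): [
        "-i wgclt3 -p tcp --dport 4321 -j DNAT --to-destination 10.0.12.9",
        "-i wgclt3 -p udp --dport 4321 -j DNAT --to-destination 10.0.12.9",
    ],
    ("filter", "FORWARD"): [
        "-i wgclt3 -p tcp --dport 4321 -d 10.0.12.9 -j ACCEPT",
        "-i wgclt3 -p udp --dport 4321 -d 10.0.12.9 -j ACCEPT",
    ],
}

# A runner takes an argv list and returns the exit status. It is injected
# (assumption of this example) so the logic can be exercised without
# touching a live firewall.
Runner = Callable[[List[str]], int]


def run_command(argv: List[str]) -> int:
    """Default runner: execute the command and return its exit status."""
    return subprocess.run(argv, check=False).returncode


def rule_argv(action: str, table: str, chain: str, spec: str,
              binary: str = "iptables") -> List[str]:
    """Build e.g. ['iptables', '-t', 'nat', '-C', 'PREROUTING', '-i', 'wgclt3', ...]."""
    return [binary, "-t", table, action, chain] + shlex.split(spec)


def reconcile(desired: Dict[Tuple[str, str], List[str]],
              runner: Runner = run_command,
              binary: str = "iptables") -> List[Tuple[str, str, str]]:
    """Insert every desired rule that is missing; return the rules inserted.

    'iptables -C' exits 0 when an identical rule already exists, so checking
    first avoids the silent duplicates iptables otherwise allows. '-I' puts
    the rule at the top of the chain, ahead of the rules UniFi manages.
    The list is walked in reverse so that, on an empty chain, repeated '-I'
    leaves the rules in list order.
    """
    inserted: List[Tuple[str, str, str]] = []
    for (table, chain), specs in desired.items():
        for spec in reversed(specs):
            if runner(rule_argv("-C", table, chain, spec, binary)) == 0:
                continue  # already present, nothing to do
            if runner(rule_argv("-I", table, chain, spec, binary)) == 0:
                inserted.append((table, chain, spec))
    return inserted


if __name__ == "__main__":
    # Run from cron on the UDM; prints only what it had to repair.
    for table, chain, spec in reconcile(DESIRED):
        print(f"re-inserted in {table}/{chain}: {spec}")
```

An IPv6 rule list can be reconciled the same way by calling reconcile with binary="ip6tables"; the -C check is what makes the script safe to run every 30 minutes without the chain growing.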

 

Thank you for the explanation.
But I can't seem to figure out how to get started with Python, I still have to do some research there.

On 4/11/2024 at 8:18 PM, P.Bear said:

-m geoip --source-country CN,RU,BY,DZ,CF,GA,GH,CI,ZA  -j BLOCK_BAD_COUNTRIES_QBT

Can you share what's happening in/with BLOCK_BAD_COUNTRIES_QBT?


Hello,

I DROP. But I log at the same time, with a related log-prefix so if I have to do a search one day it’s easier.
 

root@UDM-SE-Home-FR:~# iptables -S BLOCK_BAD_COUNTRIES_QBT
-N BLOCK_BAD_COUNTRIES_QBT
-A BLOCK_BAD_COUNTRIES_QBT -j LOG --log-prefix "Block QBT bad countries: "
-A BLOCK_BAD_COUNTRIES_QBT -j DROP
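The LOG target above is what makes the chain searchable later. As an added example (not code from the thread), the following Python script shows what a search over those entries can look like: it picks kernel log lines carrying the "Block QBT bad countries: " prefix, splits the netfilter KEY=VALUE fields that follow it, and counts dropped packets per source address and per protocol/port. The sample log lines are constructed here with documentation addresses; the field layout they assume (IN=, OUT=, MAC=, SRC=, DST=, PROTO=, DPT=, with the second LEN being the transport header) is the standard netfilter LOG format, and the function names are this example's own.

```python
#!/usr/bin/env python3
"""Summarise iptables LOG entries written by the BLOCK_BAD_COUNTRIES_QBT chain.
Added example, not code from the thread."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

LOG_PREFIX = "Block QBT bad countries: "

# KEY=VALUE fields of a netfilter LOG line; bare flags such as DF and SYN
# carry no '=' and are skipped. The value may be empty (MAC= on a tunnel).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG: List[str] = [
    "Apr 12 09:14:02 UDM-SE-Home-FR kernel: [81234.112233] Block QBT bad countries: "
    "IN=wgclt4 OUT=br0 MAC= SRC=198.51.100.7 DST=10.0.12.12 LEN=72 TOS=0x00 PREC=0x00 "
    "TTL=51 ID=0 DF PROTO=UDP SPT=6881 DPT=45781 LEN=52",
    "Apr 12 09:14:05 UDM-SE-Home-FR kernel: [81237.004411] Block QBT bad countries: "
    "IN=wgclt4 OUT=br0 MAC= SRC=198.51.100.7 DST=10.0.12.12 LEN=72 TOS=0x00 PREC=0x00 "
    "TTL=51 ID=0 DF PROTO=UDP SPT=6881 DPT=45781 LEN=52",
    "Apr 12 09:14:09 UDM-SE-Home-FR kernel: [81241.550000] Block QBT bad countries: "
    "IN=wgclt4 OUT=br0 MAC= SRC=203.0.113.9 DST=10.0.12.12 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=45781 WINDOW=64240 RES=0x00 SYN URGP=0",
    # A line from some other logging rule: must be ignored by the prefix filter.
    "Apr 12 09:15:00 UDM-SE-Home-FR kernel: [81292.000001] Other rule: "
    "IN=eth8 OUT= MAC= SRC=192.0.2.44 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=5555 DPT=22",
]


def parse_log_line(line: str, prefix: str = LOG_PREFIX) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of a LOG entry carrying `prefix`, else None."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line[idx + len(prefix):]):
        # LEN appears twice (IP total length, then UDP/TCP length); keep the first.
        fields.setdefault(key, value)
    return fields


def summarise(lines: Iterable[str], prefix: str = LOG_PREFIX) -> Tuple[Counter, Counter]:
    """Count dropped packets per source address and per (protocol, destination port)."""
    by_src: Counter = Counter()
    by_service: Counter = Counter()
    for line in lines:
        fields = parse_log_line(line, prefix)
        if fields is None:
            continue
        by_src[fields.get("SRC", "?")] += 1
        by_service[(fields.get("PROTO", "?"), fields.get("DPT", "?"))] += 1
    return by_src, by_service


def top_sources(lines: Iterable[str], n: int = 5,
                prefix: str = LOG_PREFIX) -> List[Tuple[str, int]]:
    """The n source addresses with the most drops, most frequent first."""
    by_src, _ = summarise(lines, prefix)
    return by_src.most_common(n)


if __name__ == "__main__":
    # On the UDM, feed this the kernel log instead of SAMPLE_LOG, e.g. lines from dmesg.
    by_src, by_service = summarise(SAMPLE_LOG)
    for src, count in by_src.most_common():
        print(f"{src:>15}  {count} dropped")
    for (proto, dport), count in sorted(by_service.items()):
        print(f"{proto}/{dport}: {count} dropped")
```

Keeping the prefix distinct per chain, as the reply does, is what lets a single find() select exactly the entries of one rule; the parser itself never needs to know which chain produced them.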

