From: Leonardo Rodrigues <leolistas@solutti.com.br>
To: netfilter@vger.kernel.org
Subject: where's my return traffic going?!?!
Date: Mon, 25 Aug 2014 14:54:06 -0300	[thread overview]
Message-ID: <53FB783E.2060801@solutti.com.br> (raw)


     I have updated a small OpenWRT-based router; it's running on a 
simple network, on an RB450 board.

br-lan is the LAN side, 172.20.0.0/16
eth0 is the WAN side, 192.168.25.x/24 (dhcp provided)

     I have just a few iptables rules and NAT. Basically it's an 'allow 
everything' router with very few exceptions:

-A FORWARD -d 192.168.25.1/32 -i br-lan -o eth0 -j ACCEPT
-A FORWARD -s 172.20.1.0/24 -i br-lan -o eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i br-lan -o eth0 -j DROP
-A FORWARD -d 10.0.0.0/8 -i br-lan -o eth0 -j DROP
-A FORWARD -d 172.16.0.0/12 -i br-lan -o eth0 -j DROP
-A FORWARD -s 172.20.0.0/16 -i br-lan -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o br-lan -m state ! --state NEW -j ACCEPT

-A POSTROUTING -s 172.20.0.0/16 -o eth0 -j MASQUERADE


     Traffic on the br-lan (internal) and eth0 (external) interfaces is 
almost the same, only with RX and TX inverted, which is fine and 
expected, as this is a router with almost no traffic to/from itself.


root@firewall:/# ifconfig br-lan
br-lan    Link encap:Ethernet  HWaddr 00:0C:42:3D:FC:CD
           inet addr:172.20.1.1 Bcast:172.20.255.255  Mask:255.255.0.0
           UP BROADCAST RUNNING MULTICAST MTU:1500  Metric:1
           RX packets:1862835 errors:0 dropped:0 overruns:0 frame:0
           TX packets:2704211 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:586769410 (559.5 MiB)  TX bytes:3337034105 (3.1 GiB)

root@firewall:/# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:42:3D:FC:CC
           inet addr:192.168.25.22 Bcast:192.168.25.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST MTU:1500  Metric:1
           RX packets:2730189 errors:0 dropped:16202 overruns:0 frame:0
           TX packets:1847701 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:3348006946 (3.1 GiB)  TX bytes:609083798 (580.8 MiB)
           Interrupt:5


     However, when watching my iptables rules, I'm not seeing the 
'return' traffic hitting the 'in eth0 out br-lan' rule, and it's not 
hitting the default ACCEPT rule either.


Chain FORWARD (policy ACCEPT 1278 packets, 91872 bytes)
 pkts   bytes target  prot opt in     out    source          destination
    6     412 ACCEPT  all  --  br-lan eth0   0.0.0.0/0       192.168.25.1
 9609  552193 ACCEPT  all  --  br-lan eth0   172.20.1.0/24   0.0.0.0/0
    0       0 DROP    all  --  br-lan eth0   0.0.0.0/0       192.168.0.0/16
    0       0 DROP    all  --  br-lan eth0   0.0.0.0/0       10.0.0.0/8
    0       0 DROP    all  --  br-lan eth0   0.0.0.0/0       172.16.0.0/12
23145 1562899 ACCEPT  all  --  br-lan eth0   172.20.0.0/16   0.0.0.0/0
  231   21457 ACCEPT  all  --  eth0   br-lan 0.0.0.0/0       0.0.0.0/0       ! state NEW



     Question: what is happening to my return traffic? Where is it 
going (which rule)? The network is working, so I'm sure the return 
traffic is not being blocked. However, I'm not seeing it on the rules it 
was supposed to be 'hitting'.

     Is this some new behavior in newer iptables/netfilter versions? Is 
this some behavior exclusive to OpenWRT, maybe some patch they apply 
to iptables/netfilter?

root@firewall:/# uname -r
3.10.49

root@firewall:/# iptables --version
iptables v1.4.21


-- 


	Kind regards / Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email to it
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it
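Added here as an example (not part of the message above): a small Python parser that reads the FORWARD chain counters as listed in the post, totals them per (in, out) interface pair, and flags the asymmetry the post describes. The listing is the post's own output re-joined onto one line per rule; the interface names and the 0.5 threshold are assumptions.

```python
import re

# "iptables -L FORWARD -v -n" output as shown in the post, with the wrapped
# columns re-joined onto one line per rule (data from the post, not constructed).
FORWARD_LISTING = """\
Chain FORWARD (policy ACCEPT 1278 packets, 91872 bytes)
 pkts bytes target prot opt in out source destination
 6 412 ACCEPT all -- br-lan eth0 0.0.0.0/0 192.168.25.1
 9609 552193 ACCEPT all -- br-lan eth0 172.20.1.0/24 0.0.0.0/0
 0 0 DROP all -- br-lan eth0 0.0.0.0/0 192.168.0.0/16
 0 0 DROP all -- br-lan eth0 0.0.0.0/0 10.0.0.0/8
 0 0 DROP all -- br-lan eth0 0.0.0.0/0 172.16.0.0/12
 23145 1562899 ACCEPT all -- br-lan eth0 172.20.0.0/16 0.0.0.0/0
 231 21457 ACCEPT all -- eth0 br-lan 0.0.0.0/0 0.0.0.0/0 ! state NEW
"""

def parse_forward_chain(listing):
    """Return (policy_target, policy_pkts, rules); a rule is
    (pkts, target, in_if, out_if) taken from the -v -n columns."""
    lines = [l for l in listing.splitlines() if l.strip()]
    m = re.match(r"Chain FORWARD \(policy (\S+) (\d+) packets", lines[0])
    if not m:
        raise ValueError("not a FORWARD chain listing with counters")
    rules = []
    for line in lines[2:]:          # skip the "Chain ..." and header lines
        f = line.split()
        rules.append((int(f[0]), f[2], f[5], f[6]))
    return m.group(1), int(m.group(2)), rules

def packets_by_direction(rules):
    """Sum the per-rule packet counters per (in, out) interface pair."""
    totals = {}
    for pkts, _target, in_if, out_if in rules:
        totals[(in_if, out_if)] = totals.get((in_if, out_if), 0) + pkts
    return totals

def check_return_traffic(listing, lan="br-lan", wan="eth0", min_ratio=0.5):
    """Compare LAN->WAN packets with WAN->LAN packets seen by the chain.
    Packets matching no rule show up only in the policy counter, so that
    counter is added to the return side as an upper bound. The interface
    names and the 0.5 ratio are assumptions for this example."""
    _policy, policy_pkts, rules = parse_forward_chain(listing)
    totals = packets_by_direction(rules)
    outbound = totals.get((lan, wan), 0)
    inbound = totals.get((wan, lan), 0)
    return {
        "outbound": outbound,
        "inbound_rule": inbound,
        "policy": policy_pkts,
        "return_missing": inbound + policy_pkts < min_ratio * outbound,
    }
```

On a live box, feed it `iptables -L FORWARD -v -n -x` so the counters are exact numbers rather than abbreviated with K/M suffixes.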



