OpenWrt Forum Archive

Topic: Port Forwarding Problem

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,
I am trying to forward all port 80 traffic to an IIS server located at 192.168.1.3. I entered the following in /etc/firewall.user, but it is not working. I am new to Linux, so I am sure it is a syntax error. Any help would be appreciated.

### Port forwarding
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.1.3
iptables        -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.3 -j ACCEPT

TIA,
Jon

Did you reboot or do an 'ifup wan'?
or re-execute /etc/init.d/S45firewall

I rebooted the router after making these changes...

Jon

You may try this:
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:80

in which $WAN_IF is what you find under 'nvram get wan_ifname', or the lan equivalent depending on where the html service requests come from.

Still no joy :-( ("nvram get wan_ifname" = vlan1). Here is my entire firewall.user file in case I have it all hosed up. It is pretty much the same one that came with OpenWRT with the two lines under the forwarding section added.

root@OpenWrt:~# cat /etc/firewall.user
#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.

### Allow SSH from WAN
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT

### Port forwarding
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
# iptables        -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
iptables -t nat -A prerouting_rule -i vlan1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:80
iptables        -A forwarding_rule -i vlan1 -p tcp --dport 80 -d 192.168.1.3 -j ACCEPT

### DMZ (should be placed after port forwarding / accept rules)
# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
# iptables        -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT

Thanks,
Jon

Remember, if you want to test that the forwarding is working you most probably have to do it from a machine outside your LAN. And if you are using some type of modem to connect to the net, it may be possible that it actually is a router; in this case you need to configure the forwarding there too.

Not certain, but I thought that PREROUTING is a predefined term in iptables. So give it a try and do away with the _rule bits.

from Iptables Tutorial 1.1.19:
6.5.2. DNAT target
...... Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table, and any of the chains called upon from any of those listed chains. Note that chains containing DNAT targets may not be used from any other chains, such as the POSTROUTING chain.

(Last edited by doddel on 30 Aug 2005, 11:27)

Well don't I feel bad. I forgot all about needing to test this from the outside (duh WAN means the WAN connection). Anyway, I went back to the original sample:

### Port forwarding
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3
iptables          -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.3 -j ACCEPT

tried it from a new location, and it worked. Thanks everyone for all of your input, and thanks Grimson for reminding me about testing from the WAN port! I definitely learned on this one.

Jon
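
Added example, not from the thread or from OpenWrt itself: a small POSIX sh script that builds and applies (or only previews) the same pair of firewall.user rules that Jon ended up with, with argument checks and a dry-run mode so the rule text can be reviewed before it touches the router. It assumes, as the stock firewall.user quoted above does, that the firewall script hooks the user chains prerouting_rule (nat table) and forwarding_rule (filter table) into PREROUTING and FORWARD. The "-i WAN" match is kept deliberately: only packets arriving on the WAN interface are forwarded, so LAN clients cannot reach the service through the WAN address and, as Grimson pointed out, the test has to be done from outside. The function and variable names (dry_run, valid_port, valid_ipv4, port_forward, preview_forward, IPTABLES) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build, check and apply or preview the
# two firewall.user rules that forward one TCP port from the WAN interface
# to a LAN host.
#
# Assumption: the firewall script jumps to the user chains prerouting_rule
# (nat table) and forwarding_rule (filter table) from PREROUTING and FORWARD,
# as the stock firewall.user quoted in the thread does.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=dry_run to preview only

# dry_run ARGS... : stand-in for iptables that just prints its arguments
dry_run() {
    printf '%s\n' "$*"
}

# valid_port PORT : succeeds if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR : succeeds if ADDR is a dotted quad with octets in 0..255.
# Runs in a subshell so the IFS and globbing changes do not leak out.
valid_ipv4() (
    set -f            # no pathname expansion while splitting on dots
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) exit 1 ;;
        esac
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# dnat_args WAN PORT DEST : iptables arguments for the nat-table DNAT rule
dnat_args() {
    printf '%s\n' "-t nat -A prerouting_rule -i $1 -p tcp --dport $2 -j DNAT --to-destination $3:$2"
}

# fwd_args WAN PORT DEST : iptables arguments for the FORWARD accept rule.
# Appending (-A) to forwarding_rule is safe here because that chain is
# consulted before the firewall script's own reject rules; appending the
# same rule straight to FORWARD can land it behind a reject and never match.
fwd_args() {
    printf '%s\n' "-A forwarding_rule -i $1 -p tcp --dport $2 -d $3 -j ACCEPT"
}

# port_forward WAN PORT DEST : validate the arguments, then add both rules
# through $IPTABLES (returns 2 on bad input, 1 if iptables itself fails)
port_forward() {
    wan=$1 port=$2 dest=$3
    case "$wan" in
        ''|*[!A-Za-z0-9_.-]*) echo "port_forward: bad WAN interface '$wan'" >&2; return 2 ;;
    esac
    valid_port "$port" || { echo "port_forward: bad port '$port'" >&2; return 2; }
    valid_ipv4 "$dest" || { echo "port_forward: bad destination '$dest'" >&2; return 2; }
    # word splitting of the generated argument strings is intended here
    $IPTABLES $(dnat_args "$wan" "$port" "$dest") || return 1
    $IPTABLES $(fwd_args "$wan" "$port" "$dest")
}

# preview_forward WAN PORT DEST : like port_forward, but only prints the rules
# (runs in a subshell so IPTABLES is not changed for the caller)
preview_forward() (
    IPTABLES=dry_run
    port_forward "$@"
)

# Demo with the values from the thread: WAN interface vlan1, IIS host 192.168.1.3.
preview_forward vlan1 80 192.168.1.3
```

Run it as-is to see the two rule lines; to apply them, call port_forward from firewall.user with the same three arguments (the IPTABLES default is the real binary). The interface, port and address checks are there so that a typo does not turn into a rule that forwards the wrong port or a DNAT to a host outside the LAN.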

I tried exactly what was described and it does not work with White Russian 2. It does not work from the Internet or from the internal LAN. My hardware is wrt54gs v1.1. When I say it does not work, I mean "port forwarding" does not work.

I got the same hardware with a firewall created with http://easyfwgen.morizot.net/gen/ and it works great, but I'm using a firmware created back on 10/31/2004.

But with White Russian 2, the firewall that is generated works, all except "Port Forwarding".

The following script port forwards to my internal machine, but does nothing else.

#!/bin/sh

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

/usr/sbin/iptables -F
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -i vlan0 -p udp --dport 67 -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A INPUT -i vlan0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.10.83:80
/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

The only problem is that from the internal lan there is no internet access.

I've tried many different scripts with no luck.

I just set up a wrt54gs V2.0 with a fresh install of White Russian 2. Both the WAN and LAN interfaces are static IP. All I did was edit the firewall.sh, uncommenting the port forward to an internal IP address on port 80, and the port forwarding doesn't work. The wrt54gs is hooked up to a T1 and I'm trying to gain access from a cable modem. Both services have static IP addresses. Why can't something this basic work?

(Last edited by rfisher1968 on 7 Sep 2005, 21:21)

This is how I route my packets.
EXTIP=$(ifconfig vlan1 | head -2 | tail -1 | awk '{print $2}' | sed s/addr://)


iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 22 -j DNAT --to 192.168.1.3:22
iptables -t nat -A POSTROUTING -s 192.168.1.3 -p tcp --dport 22 -o vlan1 -j SNAT --to $EXTIP:22
iptables        -A forwarding_rule -i vlan1 -p tcp --dport 22 -d 192.168.1.3 -j ACCEPT

Revslowmo, I'll try anything. But just so I do it right: does this code go in firewall.user?

Thank you

Hi,

I have a strange problem related to this topic...

My setup:

((Internet)) -> ADSL Router (NAT) -> WLAN Base Station (NAT, OpenWRT) -> My Computer

**Don't ask why there are two NATs :-)

So, I want to open+forward a port from the Internet to My Computer. I've configured the ADSL Router to forward port 6999 to the WLAN Base Station IP. I've also added a rule about that port to the firewall settings of the ADSL Router just to make sure.

In the OpenWRT running WLAN Base Station, I've run these commands:

iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 6999 -j DNAT --to-destination 192.168.2.xxx
iptables        -A FORWARD -i vlan1 -p tcp --dport 6999 -d 192.168.2.xxx -j ACCEPT


Now, when I ask a friend to test the port on the IP that shows to internet, result is TIMEOUT.

Extra info:

root@OpenWrt:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere            tcp dpt:6999 to:192.168.2.xxx

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

..

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             192.168.2.xxx       tcp dpt:6999

..


This is not a huge issue, but since I've started tackling this I'd like to get it done. This is only a temporary setup anyway, and I'll probably get the proper setup up just when I've solved this, but I have an obsession now :-D

thanks for your help!

oh and also opened this (dunno if needed??):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6999

(Last edited by switchone on 24 Nov 2006, 03:59)

describe this test
>> Now, when I ask a friend to test the port on the IP that shows to internet, result is TIMEOUT.
What protocol is on port 6999?

If you put your computer in place of the wlan base station, does the test work?

Unfortunately I have no access to physically get to the WLAN base station. I am configuring it wirelessly over ssh...

I am using OS X and have opened the port in the firewall on my puter.

I am now using a web-based TCP/IP test to see if the port works... timeout...

The fastest way is to install X-Wrt to your OpenWRT and then forward your port using webif.

SlyT wrote:

The fastest way is to install X-Wrt to your OpenWRT and then forward your port using webif.

OK mate, got the X-Wrt webif thing installed OK. When I try to log in using my browser, it won't accept any logins. Have tried my ssh login as well as root/root, admin/root, admin/admin and everything imaginable..

Also tried nvram set http_passwd="somethin" / nvram set http_username = "something" .. but with no luck :-S


I'm losing my sanity... please let me know how I can log in or set the login/pw.

Ok, right, I finally managed to solve this with a little bit of help from a friend... We noticed that the FORWARD rule (obviously) needs to go first, hence the lines become:

iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 6999 -j DNAT --to-destination 192.168.2.xxx

iptables        -I FORWARD -i vlan1 -p tcp --dport 6999 -d 192.168.2.xxx -j ACCEPT


(so the only difference is having "-I" to insert the FORWARD rule as the first rule, instead of "-A", which appends it as the last rule)
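
Added example, not from the thread or from OpenWrt itself: a checker for exactly the failure switchone hit, an ACCEPT appended with -A to FORWARD that sits behind an earlier DROP/REJECT and therefore never matches. It reads a chain listing in the layout of the "iptables -t nat -L" output posted earlier in this thread (a "Chain ..." line, a "target prot opt ..." header, one rule per line; both the name-resolved "anywhere" and the "-n" form 0.0.0.0/0 are accepted) and reports whether the forward's ACCEPT is reachable. The two sample chains are constructed for this example, the function names (rule_positions, check_forward_order) are its own, and the shadow test is a heuristic that looks only at the DROP/REJECT rule's destination, not at interface or state matches that might narrow it.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a port-forward ACCEPT
# in FORWARD is reachable or shadowed by an earlier DROP/REJECT.
#
# Assumption: non-verbose "iptables -L FORWARD" output, with or without -n.
# On the router, feed it the live chain:
#   iptables -L FORWARD -n | check_forward_order 6999 192.168.2.5

# Constructed sample: the ACCEPT was appended (-A) behind a catch-all
# REJECT, so tcp/6999 to 192.168.2.5 is never forwarded.
SAMPLE_FORWARD='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.2.0/24       0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.5          tcp dpt:6999'

# Constructed sample: the same chain after the ACCEPT was inserted (-I) at
# the top, which is the fix the thread ends on.
SAMPLE_FORWARD_FIXED='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.5          tcp dpt:6999
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.2.0/24       0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# rule_positions PORT DEST  (listing on stdin)
# Prints "ACCEPT_POS DROP_POS": 1-based rule numbers (0 = not found) of the
# first ACCEPT for tcp/PORT whose destination is DEST or unrestricted, and
# of the first DROP/REJECT whose destination is DEST or unrestricted.
rule_positions() {
    awk -v port="$1" -v dest="$2" '
        /^Chain / || /^target / || NF == 0 { next }
        { n++ }
        ($1 == "DROP" || $1 == "REJECT") && !drop &&
            ($5 == dest || $5 == "0.0.0.0/0" || $5 == "anywhere") { drop = n }
        $1 == "ACCEPT" && !acc &&
            ($5 == dest || $5 == "0.0.0.0/0" || $5 == "anywhere") &&
            $0 ~ ("dpt:" port "( |$)") { acc = n }
        END { printf "%d %d\n", acc, drop }
    '
}

# check_forward_order PORT DEST  (listing on stdin)
# Prints a verdict; returns 0 only when the ACCEPT exists and comes before
# any DROP/REJECT that could swallow the traffic first.
check_forward_order() {
    pos=$(rule_positions "$1" "$2")
    acc=${pos% *}
    drop=${pos#* }
    if [ "$acc" -eq 0 ]; then
        echo "no ACCEPT for $2 tcp/$1 in FORWARD"
        return 1
    fi
    if [ "$drop" -ne 0 ] && [ "$drop" -lt "$acc" ]; then
        echo "ACCEPT at rule $acc is behind DROP/REJECT at rule $drop: insert it with -I"
        return 1
    fi
    echo "ACCEPT at rule $acc is reachable"
    return 0
}

# Demo on the constructed samples: the first is shadowed, the second is fine.
printf '%s\n' "$SAMPLE_FORWARD" | check_forward_order 6999 192.168.2.5 || true
printf '%s\n' "$SAMPLE_FORWARD_FIXED" | check_forward_order 6999 192.168.2.5
```

The rule numbers it prints line up with "iptables -L FORWARD -n --line-numbers", so a shadowed rule can be deleted by number and re-added with -I; when the chain's policy is ACCEPT and no DROP/REJECT is found, as in the listing posted above, the checker confirms the ACCEPT is reachable and the problem is elsewhere (typically the upstream NAT router or the test being run from inside the LAN).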

The discussion might have continued from here.