Setting up Port Forwarding: can't figure out how

I am trying to recreate the port forwarding rules I had set up in the manufacturer's firmware in OpenWrt now. But even after searching the forum and internet, I am unable to get it working.

In plain English, the rules are

open ports 4661-4662 for TCP and 4665-4666 for UDP for client with IP 192.168.1.2

But try as I might, the client still reports those ports as closed.

cat /etc/config/firewall gives

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'ACCEPT'
	option input 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.2'
	option dest_port '4661'
	option proto 'tcp'
	option name 'eMule TCP Port 4661'
	option src_port '4661'
	option src_dport '4661'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.2'
	option dest_port '4662'
	option name 'eMule TCP Port 4662'
	option proto 'tcp'
	option src_port '4662'
	option src_dport '4662'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.2'
	option dest_port '4665'
	option proto 'udp'
	option src_port '4665'
	option src_dport '4665'
	option name 'eMule UDP Port 4665'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.2'
	option dest_port '4666'
	option proto 'udp'
	option src_port '4666'
	option src_dport '4666'
	option name 'eMule UDP Port 4666'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '4661-4662'
	option name 'eMule TCP'
	option dest_ip '192.168.1.2'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '4665-4666'
	option name 'eMule UDP'
	option dest_ip '192.168.1.2'

Thanks for any help.

It is unlikely that the source port of remote packets is the same as the service port...

option src_port '4666'

Which guide did you follow?

1 Like

The extra rule sections are redundant as well. A port forward will implicitly create the required forwarding accept rules in iptables.

2 Likes
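As an added example (not code from the thread or from OpenWrt), here is a small Python lint to run over a copy of /etc/config/firewall. It checks for the two problems the replies above name: a redirect that sets src_port, and ACCEPT rules that duplicate a redirect. The sample config is constructed from the question's values, the function names are hypothetical, and each port option is assumed to hold a single port or one range.

```python
import re
# Constructed sample modelled on the question's config: one redirect, one extra rule.
SAMPLE = """
config redirect
	option name 'eMule TCP Port 4661'
	option proto 'tcp'
	option src_port '4661'
	option src_dport '4661'
	option dest_ip '192.168.1.2'
	option dest_port '4661'
config rule
	option name 'eMule TCP'
	option proto 'tcp'
	option dest_ip '192.168.1.2'
	option dest_port '4661-4662'
	option target 'ACCEPT'
"""

def parse_uci(text):  # -> [(section_type, {option: value})]; 'list' lines are skipped
    sections = []
    for kind, key, val in re.findall(r"^[ \t]*(config|option)[ \t]+(\S+)[ \t]*(.*)$", text, re.M):
        if kind == "config":
            sections.append((key.strip("'\""), {}))
        elif sections:
            sections[-1][1][key] = val.strip().strip("'\"")
    return sections

def port_range(spec):  # '4661' -> (4661, 4661); '4661-4662' -> (4661, 4662)
    lo, _, hi = spec.replace(":", "-").partition("-")
    return int(lo), int(hi or lo)

def lint(text):
    secs = parse_uci(text)
    redirects = [o for t, o in secs if t == "redirect"]
    out = [f"redirect {o.get('name', '?')!r}: remove src_port, keep src_dport"
           for o in redirects if "src_port" in o]  # src_port = remote peer's source port
    for t, o in secs:  # ACCEPT rules that only repeat what a redirect already allows
        if t != "rule" or o.get("target") != "ACCEPT" or not {"dest_ip", "dest_port"} <= o.keys():
            continue
        lo, hi = port_range(o["dest_port"])
        for r in redirects:
            rlo, rhi = port_range(r.get("dest_port") or r.get("src_dport", "0"))
            protos = set(o.get("proto", "").split()) & set(r.get("proto", "").split())
            if r.get("dest_ip") == o["dest_ip"] and protos and lo <= rhi and rlo <= hi:
                out.append(f"rule {o.get('name', '?')!r}: redundant with a redirect")
                break
    return out

print(*lint(SAMPLE), sep="\n")
```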

I thought I had made the same mistake, because Transmission also complains about a closed port in my setup. I see, however, that I had indeed used only "src_dport", not also "src_port":

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '51413'
        option dest_ip 'x.x.x.x'
        option dest_port '51413'
        option name 'Torrent-x.x.x.x'

To rule out an issue with Transmission on my NAS, I wrote a similar rule to forward ssh from a high port to my desktop and... this works!

I'd say the logic used to test an open port in Transmission is not perfect :)
Maybe eMule has a similar issue?
EDIT: nmap on lan also shows 51413 tcpwrapped... hmmmm.... guess the firewall is innocent ^^; ?

Please don't bother.
After I reverted the firewall settings suggested by the various guides back to default, deleted and re-added the forwarding rules, the eMule client sees the ports as open now.

Thank you for your time.

3 Likes
