[Solved] Iptables FORWARD command is not working but worked before

I'm trying to control my MQTT clients connected to my router from outside the network.
I planned to open TCP port 1883 and access my router's WAN IP, and this is the right way unless I use a VPN.

So, the following command WAS working well.

iptables -I FORWARD -i eth1 -p tcp --dport 1883 -d 192.168.0.1 -j ACCEPT

I tested it well and made a new firmware.

It's not working now. I have no idea why. Nothing has changed, including the firewall settings on my router.

So, I tried turning my firewall off with the following command: service firewall stop.
When I use iptables -S, here is the output.

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

With these conditions, without using the iptables -I FORWARD -i eth1 -p tcp --dport 1883 -d 192.168.0.1 -j ACCEPT command, obviously I can access my MQTT broker and I can control it.

I have no idea why I cannot access it. It worked without any errors before.
My boss told me I can configure iptables to redirect it so that it works.

So, I tried entering the following commands:

iptables -t nat -I PREROUTING -p tcp --dport 1883 -j DNAT --to-destination 192.168.0.1:1883
# or...
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 1883 -j DNAT --to-destination 192.168.0.1:1883

I cannot see any differences when I enter iptables -S.

root@myrouter:/# service firewall stop
root@myrouter:/# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
root@myrouter:/# iptables -t nat -I PREROUTING -p tcp --dport 1883 -j DNAT --to-destination 192.168.0.1:1883
root@myrouter:/# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
root@myrouter:/# iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 1883 -j DNAT --to-destination 192.168.0.1:1883
root@myrouter:/# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Like this. Also, that command is not applying even if the firewall is on via service firewall start.

Is there any way I can solve this problem?

Are you sure this was copy-pasted directly from the CLI? "-S" is for listing rules, but "-s" is used as the source specification.

Anyhow, if you add a rule to the NAT table via "-t", you should also use -t if you want to list the rules in the NAT table. So iptables -t nat -S is what you are looking for. This obviously will not solve your problem, just a hint on how to verify iptables.


My mistake. It is -S, not -s. Thank you for letting me know that.

Also, for iptables -t nat -S, I clearly forgot to use that. Thanks, and I will try it now.

So here is the solution to the question.

Using the following command works.

iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 1883 -j DNAT --to-destination 192.168.0.1:1883

However, I need to check this via iptables -t nat -S,
NOT iptables -S.

Thank you for letting me remember that command.
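A complete version of the port forward, as an added example that is not part of the thread: the DNAT rule in the nat table together with the matching FORWARD accept in the filter table, plus a check that reads iptables -t nat -S output, since plain iptables -S only lists the filter table. The interface eth1, the broker 192.168.0.1 and port 1883 are the thread's values and are assumptions here; setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: WAN interface eth1,
# MQTT broker at 192.168.0.1:1883 (the thread's values, overridable via env).
WAN_IF="${WAN_IF:-eth1}"
BROKER="${BROKER:-192.168.0.1}"
PORT="${PORT:-1883}"
IPT="${IPT:-iptables}"   # set IPT=echo to print the commands without applying them

# Full port forward: the DNAT rule lives in the nat table (PREROUTING) and the
# matching ACCEPT lives in the filter table (FORWARD). Both are needed once the
# firewall is back on with a restrictive FORWARD policy; DNAT alone is not enough.
add_mqtt_forward() {
    "$IPT" -t nat -I PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$BROKER:$PORT"
    "$IPT" -I FORWARD -i "$WAN_IF" -p tcp -d "$BROKER" --dport "$PORT" -j ACCEPT
}

# The verification the thread ends on: read `iptables -t nat -S` output on stdin
# and return 0 only if the DNAT rule is present. `iptables -S` without -t lists
# the filter table, so the nat rule never shows up there even when installed.
has_dnat_rule() {
    grep -qF -- "-A PREROUTING -i $WAN_IF -p tcp -m tcp --dport $PORT -j DNAT --to-destination $BROKER:$PORT"
}

# Apply and check only when explicitly requested (needs root and a real kernel).
if [ "${APPLY_RULES:-0}" = "1" ]; then
    add_mqtt_forward
    if "$IPT" -t nat -S | has_dnat_rule; then
        echo "DNAT rule present in the nat table"
    else
        echo "DNAT rule missing from the nat table" >&2
        exit 1
    fi
fi
```

Run with APPLY_RULES=1 on the router to install and verify the rules; without it the script only defines the functions.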
