OpenWrt Forum Archive

Topic: IPTABLES and PORTFORWARDING on LAN/WIRELESS side

The content of this topic has been archived on 14 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm attempting to understand IPTabales.. Myconfiguration right now is..

                                                                                <test computer wired to Linksys>
                                                                                  /
(!Internet!)-<Cable modem InternetIP>--<Stock Linksys WRT54g v4 192.168.1.2> * * * * * (!Wireless Connection!) **** <WRT54G WRrc2 v3.3 192.168.1.6>---(wired)---<WebServer 192.168.1.200:81>


Inside the network on the test computer I can connect to the webserver at 192.168.1.200:81 that is connected to the wireless bridge. This works great..

Now when I use port forwarding on my router.. to forward port 81 from the cable modem IP to the .200 computer I get nothing. I can connect the webserver directly to the Stock Linksys via wired and get this to work but over the wireless bridge the port is not being forwarded.

NOW, I'm not sure but I think maybe it is because the MAC address is not seen by the Stock Linksys. What I'm attemping to do now is configure the bridged WRT54G to forward LAN traffice from from port 81 to the webserver. Searching on how to do this.. all the examples show WAN traffic to be forward not LAN traffic.

My question is #1   Since port forwarding over the wireless bridge does not work... How I use IPTABLES to forward LAN traffic sent to 192.168.1.6:81 to 192.168.1.200:81.. If I can do this, then maybe I can configure the Stock Linksys to forward Internet:81 to 192.168.1.6:81 so I can then access the webserver.


Please answer as easy to understand as possible, I do not yet understand how IPTABLES work.

/usr/local/fox

have a look at /etc/firewall.user on your openwrt

I been at this all night.. firewall.user says I should be using

iptables -t nat -A prerouting_rule -p tcp -d 192.168.1.6 --dport 81 -j DNAT --to 192.168.1.200
iptables  -A forwarding_rule -p tcp --dport 81 -d 192.168.1.200 -j ACCEPT

This I have setup.. When I run iptables --list I get

Chain forwarding_rule (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.1.200       tcp dpt:81

Which I believe that means it is working..

YET.. when I do http://192.168.1.6:81 I should then get the webserver that is on http://192.168.1.200:81 correct? I get nothing..

I also tried with the $WAN by putting it directly into the firewall.user with a reboot ..

There is something that I haven't learned yet that is missing here.

/usr/local/fox

Here is my firewall script with port forwarding. I'm not using firewall.user at all.

#!/bin/sh

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT

/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
/usr/sbin/iptables -t mangle -P OUTPUT ACCEPT

/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t mangle -F

/usr/sbin/iptables -X
/usr/sbin/iptables -t nat -X
/usr/sbin/iptables -t mangle -X

/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT DROP
/usr/sbin/iptables -P FORWARD DROP

/usr/sbin/iptables -A INPUT -i lo -j ACCEPT

/usr/sbin/iptables -A INPUT --fragment -p ICMP -j DROP
/usr/sbin/iptables -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j DROP
/usr/sbin/iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

/usr/sbin/iptables -A INPUT -p ALL -d 244.0.0.1 -j DROP

/usr/sbin/iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
/usr/sbin/iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p ALL -o lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p ALL -s <lan server ip> -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p ALL -o br0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p ALL -o vlan1 -j ACCEPT

/usr/sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST SYN,RST -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL SYN,FIN SYN,FIN -j DROP

/usr/sbin/iptables -I FORWARD -i vlan1 -s 10.0.0.0/8 -j DROP
/usr/sbin/iptables -I FORWARD -i vlan1 -s 172.16.0.0/12 -j DROP
/usr/sbin/iptables -I FORWARD -i vlan1 -s 192.168.0.0/16 -j DROP
/usr/sbin/iptables -I FORWARD -i vlan1 -s 127.0.0.0/8 -j DROP

/usr/sbin/iptables -A FORWARD -p tcp -i br0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i vlan1 -m state --state ESTABLISHED,RELATED -j ACCEPT

/usr/sbin/iptables -A INPUT -p udp -s 0/0 --dport 137 -j DROP
/usr/sbin/iptables -A INPUT -p udp -s 0/0 --dport 138 -j DROP

/usr/sbin/iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT

/usr/sbin/iptables -I INPUT -i vlan1 -s 10.0.0.0/8 -j DROP
/usr/sbin/iptables -I INPUT -i vlan1 -s 172.16.0.0/12 -j DROP
/usr/sbin/iptables -I INPUT -i vlan1 -s 192.168.0.0/16 -j DROP
/usr/sbin/iptables -I INPUT -i vlan1 -s 127.0.0.0/8 -j DROP

/usr/sbin/iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 80 -j DNAT --to <web server ip>:80
/usr/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -d <internet ip> -j DNAT --to <web server ip>:80
/usr/sbin/iptables -t nat -A POSTROUTING -s <web server ip> -p tcp --dport 80 -o vlan1 -j SNAT --to <internet ip>:80
/usr/sbin/iptables -t nat -A POSTROUTING -s <web server ip> -p tcp --dport 80 -o br0 -j SNAT --to <internet ip>:80
/usr/sbin/iptables -A FORWARD -i vlan1 -p tcp --dport 80 -d <web server ip> -j ACCEPT

/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

Thanks, I will start hacking after lunch.. Also.. I seen this before

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

What exactly does this do? Send's all output from the script to /proc ... /ip_forward ?

Also, since my router is a bridge I replace <internet ip> with the Bridge router ip?

/usr/local/fox

(Last edited by /usr/local/fox on 10 Oct 2005, 17:01)

I believe "/bin/echo 1 > /proc/sys/net/ipv4/ip_forward" turns on port forwarding in the kernel. Without it, port forwarding does not work.

I modifed your script and it is working great..

I get a few errors when I run it..

root@OpenWrt:/etc# ./firetest
./firetest: 38: cannot open lan: No such file
Bad argument `SYN,RST'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `SYN,FIN'
Try `iptables -h' or 'iptables --help' for more information.


I don't understand yet how it is working so I'll inch through it tonight to see if I can understand it.

/usr/local/fox

@/usr/local/fox
can u let me know your working script??? cz i want to know too....

The discussion might have continued from here.