Hi there.
Previously I was using D-Link DIR-620 with its original firmware. There was a problem in the web-interface: I couldn't configure port forwarding using it, that's why those commands helped me (192.168.1.2 — internal server, 77.77.77.77 — external IP):
iptables -t nat -A PREROUTING -p tcp -i br0 -d 77.77.77.77 --dport 21 -j DNAT --to 192.168.1.2:21
iptables -A FORWARD -p tcp -i br0 -d 192.168.1.2 --dport 21 -j ACCEPT
And it was working: if I tried to connect from the outside to 77.77.77.77:21, I reached the internal 192.168.1.2:21 ftp-server.
Now I've got TP-Link MR3420. It runs OpenWrt via this doc.
I've got this ifconfig output:
br-lan Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::f6ec:38ff:feab:427d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:83903 errors:0 dropped:0 overruns:0 frame:0
TX packets:147151 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5172397 (4.9 MiB) TX bytes:156452191 (149.2 MiB)
eth0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1177 errors:0 dropped:0 overruns:0 frame:0
TX packets:1295 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:303415 (296.3 KiB) TX bytes:121845 (118.9 KiB)
Interrupt:5
eth1 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
inet addr:77.77.77.77 Bcast:XX.XX.XX.XX Mask:XXX.XXX.XXX.XXX
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:196816 errors:0 dropped:0 overruns:0 frame:0
TX packets:75108 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:160544778 (153.1 MiB) TX bytes:5708921 (5.4 MiB)
Interrupt:4
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:94 errors:0 dropped:0 overruns:0 frame:0
TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8373 (8.1 KiB) TX bytes:8373 (8.1 KiB)
mon.wlan0 Link encap:UNSPEC HWaddr XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:162 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11173 (10.9 KiB) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:85049 errors:0 dropped:0 overruns:0 frame:0
TX packets:148133 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6458396 (6.1 MiB) TX bytes:159699844 (152.3 MiB)
I've tried different configurations using /etc/config/firewall, but I always got "21/tcp closed ftp" as nmap output. So I don't trust this firewall script, because I see a lot of errors when I restart it. Here they are, together with the iptables settings and sysctl: http://dumpz.org/93721/nixtext/
So, it doesn't make any sense anyway. I want to configure iptables manually.
I reset iptables settings and simply set my own rules:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i br-lan -d 77.77.77.77 --dport 21 -j DNAT --to 192.168.1.2:21
iptables -A FORWARD -p tcp -i br-lan -d 192.168.1.2 --dport 21 -j ACCEPT
Now, if I nmap my external IP, I get this: "21/tcp filtered ftp"
Any suggestions? Thank you!
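Added example, not the poster's commands and not part of OpenWrt: a small POSIX sh helper that takes ifconfig-style output plus the public address, works out which interface carries that address (eth1 in the output above), and prints a port-forward rule set whose ingress match (-i) names that interface, with a FORWARD rule limited to new connections to the forwarded host and port plus reply traffic. The sample ifconfig text is constructed from the interfaces shown above; rule_ingress is a hypothetical helper that reports which interface an existing rule's -i option names, so a rule can be compared against the WAN interface before it is loaded. Nothing here calls iptables.

```shell
#!/bin/sh
# Added example: not the poster's commands. Given ifconfig-style output and a
# public address, find the interface that carries it (the WAN side) and build
# DNAT/FORWARD rules whose ingress match (-i) names that interface.
# Nothing here calls iptables; the rules are only printed for review.

# Constructed sample, reduced to the interfaces and addresses shown in the post.
SAMPLE_IFCONFIG='br-lan    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:77.77.77.77  Bcast:77.77.77.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# wan_iface OUTPUT IP: print the interface whose "inet addr:" equals IP (empty if none).
wan_iface() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /Link encap/ { iface = $1 }
        /inet addr:/ { sub("addr:", "", $2); if ($2 == ip) { print iface; exit } }'
}

# rule_ingress RULE: print the interface named by the rule's -i option (empty if none).
rule_ingress() {
    printf '%s\n' "$1" | sed -n 's/.* -i \([^ ]*\).*/\1/p'
}

# forward_rules WAN LAN PUBLIC_IP INTERNAL_IP PORT: print a port-forward rule set.
# DNAT matches only traffic entering on the WAN interface; FORWARD admits only
# new connections to the forwarded host:port, plus established/related replies.
forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $1 -p tcp -d $3 --dport $5 -j DNAT --to-destination $4:$5
iptables -A FORWARD -i $1 -o $2 -p tcp -d $4 --dport $5 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage: derive the WAN interface from the sample and print rules for port 21.
WAN=$(wan_iface "$SAMPLE_IFCONFIG" 77.77.77.77)
forward_rules "$WAN" br-lan 77.77.77.77 192.168.1.2 21
```

The conntrack match is assumed to be available, as it normally is on an OpenWrt build; the printed rules are meant to be reviewed, then added to whatever default policies the router keeps.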