Port Forwarding problem (missing something ?)

DD-WRT Forum Index -> Advanced Networking
ob2s
DD-WRT Novice


Joined: 04 Dec 2012
Posts: 16

PostPosted: Fri Jun 05, 2020 18:44    Post subject: Port Forwarding problem (missing something ?)
If I implement this rule in the UI


iptables looks like this

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       icmp --  anywhere             c-73-67-111-111.hsd1.or.comcast.net to:10.1.10.1
DNAT       tcp  --  anywhere             c-73-67-111-111.hsd1.or.comcast.net tcp dpt:8443 to:10.1.10.101:443
TRIGGER    0    --  anywhere             c-73-67-111-111.hsd1.or.comcast.net TRIGGER type:dnat match:0 relate:0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       0    --  10.1.10.0/24         anywhere            to:73.67.111.111
MASQUERADE  0    --  anywhere             anywhere            mark match 0x80000000/0x8000000


Then from an internet server I can do this

Code:
$ tcping.pl farko.duckdns.org 8443
farko.duckdns.org:8443 OPEN


Then I remove the rule



and I verify from the server and iptables is thus

Code:
$ tcping.pl farko.duckdns.org 8443
farko.duckdns.org:8443 CLOSED

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       icmp --  anywhere             c-73-67-111-111.hsd1.or.comcast.net to:10.1.10.1
TRIGGER    0    --  anywhere             c-73-67-111-111.hsd1.or.comcast.net TRIGGER type:dnat match:0 relate:0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       0    --  10.1.10.0/24         anywhere            to:73.67.111.111
MASQUERADE  0    --  anywhere             anywhere            mark match 0x80000000/0x80000000


From the wiki I use these 2 commands via ssh to create that same rule and iptables looks essentially the same as when I did the rule in the UI
Code:
~ # iptables -I INPUT -p tcp -m tcp -d 10.1.10.110 --dport 443 -j logaccept
~ # iptables -t nat -I PREROUTING -p tcp -m tcp -d `nvram get wan_ipaddr` --dport 8443 -j DNAT --to-destination 10.1.10.110:443

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             c-73-67-111-111.hsd1.or.comcast.net tcp dpt:8443 to:10.1.10.110:443
DNAT       icmp --  anywhere             c-73-67-111-111.hsd1.or.comcast.net to:10.1.10.1
TRIGGER    0    --  anywhere             c-73-67-111-111.hsd1.or.comcast.net TRIGGER type:dnat match:0 relate:0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       0    --  10.1.10.0/24         anywhere            to:73.67.111.111
MASQUERADE  0    --  anywhere             anywhere            mark match 0x80000000/0x80000000


but I can't reach the port

Code:
$ tcping.pl farko.duckdns.org 8443
farko.duckdns.org:8443 CLOSED


What am I failing to do, or where did I fail in RTFM?
Thanks


ob2s
DD-WRT Novice


Joined: 04 Dec 2012
Posts: 16

PostPosted: Fri Jun 05, 2020 23:20    Post subject:
While I would like to know why I can't effect this via ssh, if anyone is interested [ I searched first and didn't see much about cURL commands ]

Forward router internet facing port 8443 to internal port 443 on 10.1.10.101 with name foo, router LAN interface 10.1.10.1

Here is the curl command that works to turn off the port forwarding:
Code:
curl --user admin:your_passwd -H "Content-Type: application/x-www-form-urlencoded" "http://10.1.10.1/apply.cgi?submit_button=ForwardSpec&action=ApplyTake&change_action=&submit_type=&forward_spec=13&name0=foo&pro0=tcp&src0=&from0=8443&ip0=10.1.10.101&to0=443"


The ON command is exactly the same; you just append the following (shown in bold in the original):

.......to0=443&enable0=on"

Works a trick. You can replace the --user option with the auth token. You might need wireshark to see it.
Code:
swap --user admin:your_passwd
for
-H "Authorization: Basic YWRtjhkjhN0YzAwbA=="


I hope that helps someone.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Sat Jun 06, 2020 8:06    Post subject:
These questions can better be posted in the right forum (Advanced networking); see the forum guidelines, link in my signature at the bottom of this post.

To view/show iptables you can better use:
Code:
iptables -vnL


Not sure if this is the problem but the extended match -m tcp is not needed.

https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1416

PostPosted: Sat Jun 06, 2020 13:10    Post subject: Re: Port Forwarding problem (missing something ?)
ob2s wrote:

Code:
~ # iptables -I INPUT -p tcp -m tcp -d 10.1.10.110 --dport 443 -j logaccept



Mistake is right there, the chain should be FORWARD and not INPUT. The router is passing the packets through to 10.1.10.110.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Sat Jun 06, 2020 13:32    Post subject:
Did not have my morning coffee yet.

But thanks @Wildlion :)

ob2s
DD-WRT Novice


Joined: 04 Dec 2012
Posts: 16

PostPosted: Sat Jun 06, 2020 14:41    Post subject: Re: Port Forwarding problem (missing something ?)
Wildlion wrote:
chain should be FORWARD and not INPUT. The router is passing the packets through to 10.1.10.110.


Thanks, sorry for the wrong forum.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1416

PostPosted: Sat Jun 06, 2020 19:07    Post subject:
egc wrote:
Did not have my morning coffee yet.

But thanks @Wildlion :)


lol. Hope it was a good cup :) The only reason I caught this is because I have done the same thing before.
ob2s
DD-WRT Novice


Joined: 04 Dec 2012
Posts: 16

PostPosted: Thu Jun 18, 2020 5:39    Post subject:
There were still some errors in the rule command; for the archive, this worked.
Code:

# iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 8443 -j DNAT --to 10.1.10.110:443

# iptables -I FORWARD -p tcp -d 10.1.10.110 --dport 443 -j ACCEPT
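The two rules above are the whole mechanism: a DNAT in nat/PREROUTING rewrites the destination, and a matching ACCEPT in the filter FORWARD chain lets the rewritten packet through (INPUT never sees it, because the router is routing it on, not receiving it). The script below is an added example, not code from the thread or from DD-WRT: it generates that rule pair from WAN IP, external port, internal IP and internal port, and includes a check that the FORWARD destination actually equals the DNAT target, the kind of mismatch that silently leaves the port CLOSED. Function and variable names are the example's own; set DRYRUN=1 to print the rules instead of applying them.

```sh
#!/bin/sh
# Added example (not from the thread). Emits the DNAT + FORWARD rule pair for a
# DD-WRT style port forward. DRYRUN=1 prints instead of applying, so the
# generator and the check can be exercised off-router without root.

# Print the rule pair for: WAN_IP EXT_PORT INT_IP INT_PORT
port_forward_rules() {
    wan_ip=$1 ext_port=$2 int_ip=$3 int_port=$4
    # Reject empty or non-numeric ports before they reach iptables.
    case "$ext_port$int_port" in
        *[!0-9]*|"") echo "ports must be numeric" >&2; return 1 ;;
    esac
    # Rewrite the destination of inbound WAN traffic (nat table, PREROUTING).
    printf 'iptables -t nat -I PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_ip" "$ext_port" "$int_ip" "$int_port"
    # Permit the rewritten packet to be routed on (filter table, FORWARD, not INPUT).
    printf 'iptables -I FORWARD -p tcp -d %s --dport %s -j ACCEPT\n' "$int_ip" "$int_port"
}

# Consistency check for a DNAT rule line and a FORWARD rule line: the FORWARD
# destination (-d IP --dport PORT) must equal the DNAT --to-destination IP:PORT,
# otherwise forwarded packets are never accepted. Returns 0 when they match.
forward_matches_dnat() {
    dnat_rule=$1 fwd_rule=$2
    dnat_target=${dnat_rule##*--to-destination }   # e.g. "10.1.10.110:443"
    dnat_target=${dnat_target%% *}
    fwd_ip=${fwd_rule##*-d }; fwd_ip=${fwd_ip%% *}
    fwd_port=${fwd_rule##*--dport }; fwd_port=${fwd_port%% *}
    [ "$dnat_target" = "$fwd_ip:$fwd_port" ]
}

# Generate, then either print (DRYRUN=1) or apply each rule in order.
apply_port_forward() {
    port_forward_rules "$@" | while IFS= read -r rule; do
        if [ "${DRYRUN:-0}" = 1 ]; then echo "$rule"; else eval "$rule"; fi
    done
}

# Usage on the router (WAN address read from nvram as in the thread):
# apply_port_forward "$(nvram get wan_ipaddr)" 8443 10.1.10.110 443
```

Pair it with `iptables -vnL FORWARD` and `iptables -t nat -vnL PREROUTING` afterwards: the packet counters on both rules should climb together when an external tcping hits the port.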