ob2s DD-WRT Novice Joined: 04 Dec 2012 Posts: 16
Posted: Fri Jun 05, 2020 18:44 Post subject: Port Forwarding problem (missing something ?)
If I implement this rule in the UI
iptables looks like this
Code: Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT icmp -- anywhere c-73-67-111-111.hsd1.or.comcast.net to:10.1.10.1
DNAT tcp -- anywhere c-73-67-111-111.hsd1.or.comcast.net tcp dpt:8443 to:10.1.10.101:443
TRIGGER 0 -- anywhere c-73-67-111-111.hsd1.or.comcast.net TRIGGER type:dnat match:0 relate:0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT 0 -- 10.1.10.0/24 anywhere to:73.67.111.111
MASQUERADE 0 -- anywhere anywhere mark match 0x80000000/0x80000000
Then from an internet server I can do this
Code: $ tcping.pl farko.duckdns.org 8443
farko.duckdns.org:8443 OPEN
Then I remove the rule
and I verify from the server, and iptables is thus:
Code: $ tcping.pl farko.duckdns.org 8443
farko.duckdns.org:8443 CLOSED
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT icmp -- anywhere c-73-67-111-111.hsd1.or.comcast.net to:10.1.10.1
TRIGGER 0 -- anywhere c-73-67-111-111.hsd1.or.comcast.net TRIGGER type:dnat match:0 relate:0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT 0 -- 10.1.10.0/24 anywhere to:73.67.111.111
MASQUERADE 0 -- anywhere anywhere mark match 0x80000000/0x80000000
From the wiki, I use these 2 commands via ssh to create that same rule, and iptables looks essentially the same as when I did the rule in the UI:
Code: ~ # iptables -I INPUT -p tcp -m tcp -d 10.1.10.110 --dport 443 -j logaccept
~ # iptables -t nat -I PREROUTING -p tcp -m tcp -d `nvram get wan_ipaddr` --dport 8443 -j DNAT --to-destination 10.1.10.110:443
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere c-73-67-111-111.hsd1.or.comcast.net tcp dpt:8443 to:10.1.10.110:443
DNAT icmp -- anywhere c-73-67-111-111.hsd1.or.comcast.net to:10.1.10.1
TRIGGER 0 -- anywhere c-73-67-111-111.hsd1.or.comcast.net TRIGGER type:dnat match:0 relate:0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT 0 -- 10.1.10.0/24 anywhere to:73.67.111.111
MASQUERADE 0 -- anywhere anywhere mark match 0x80000000/0x80000000
but I can't reach the port
Code: $ tcping.pl farko.duckdns.org 8443
farko.duckdns.org:8443 CLOSED
What am I failing to do, or where did I fail in RTFM?
Thanks
Last edited by ob2s on Fri Jun 05, 2020 23:38; edited 1 time in total
ob2s DD-WRT Novice Joined: 04 Dec 2012 Posts: 16
Posted: Fri Jun 05, 2020 23:20 Post subject:
While I would like to know why I can't effect this via ssh, if anyone is interested [I searched first and didn't see much about cURL commands]:
Forward router internet-facing port 8443 to internal port 443 on 10.1.10.101 with name foo; router LAN interface 10.1.10.1.
Here is the curl command that works to turn off the port forwarding:
Code: curl --user admin:your_passwd -H "Content-Type: application/x-www-form-urlencoded" "http://10.1.10.1/apply.cgi?submit_button=ForwardSpec&action=ApplyTake&change_action=&submit_type=&forward_spec=13&name0=foo&pro0=tcp&src0=&from0=8443&ip0=10.1.10.101&to0=443"
The ON command is exactly the same; just append the bold part:
.......to0=443&enable0=on"
Works a treat. You can replace the --user option with the auth token; you might need Wireshark to see it.
Code: swap --user admin:your_passwd
for
-H "Authorization: Basic YWRtjhkjhN0YzAwbA=="
I hope that helps someone.
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Sat Jun 06, 2020 8:06 Post subject:
These questions are better posted in the right forum (Advanced networking); see the forum guidelines, link in my signature at the bottom of this post.
To view/show iptables you are better off using:
Not sure if this is the problem, but the extended match -m tcp is not needed.
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Wildlion DD-WRT Guru Joined: 24 May 2016 Posts: 1413
Posted: Sat Jun 06, 2020 13:10 Post subject: Re: Port Forwarding problem (missing something ?)
ob2s wrote:
Code: ~ # iptables -I INPUT -p tcp -m tcp -d 10.1.10.110 --dport 443 -j logaccept
The mistake is right there: the chain should be FORWARD, not INPUT. The router is passing the packets through to 10.1.10.110.
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
ob2s DD-WRT Novice Joined: 04 Dec 2012 Posts: 16
Posted: Sat Jun 06, 2020 14:41 Post subject: Re: Port Forwarding problem (missing something ?)
Wildlion wrote: chain should be FORWARD and not INPUT. The router is passing the packets through to 10.1.10.110.
Thanks, sorry for the wrong forum.
Wildlion DD-WRT Guru Joined: 24 May 2016 Posts: 1413
Posted: Sat Jun 06, 2020 19:07 Post subject:
egc wrote: Did not have my morning coffee yet
But thanks @Wildlion
lol. Hope it was a good cup. The only reason I caught this is that I have done the same thing before.
ob2s DD-WRT Novice Joined: 04 Dec 2012 Posts: 16
Posted: Thu Jun 18, 2020 5:39 Post subject:
There were still some errors in the rule command; for the archive, this worked.
Code:
# iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 8443 -j DNAT --to 10.1.10.110:443
# iptables -I FORWARD -p tcp -d 10.1.10.111 --dport 443 -j ACCEPT
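Added example, not code from this thread or from DD-WRT: a small POSIX shell script covering the two points the thread ends on. pf_rules prints the pair of rules a port forward needs, the nat PREROUTING DNAT plus the filter FORWARD accept that Wildlion's reply calls out (an INPUT rule only covers traffic terminating on the router itself), in the shape of ob2s's final working commands. find_unforwarded reads an iptables-save dump and lists every tcp DNAT destination that has no matching FORWARD accept, which is exactly the state of the first ssh attempt. The function names are assumptions, the iptables-save dump embedded below is constructed for this example from the thread's own addresses, and the extra 8444 forward and the vlan2 drop rule in it are assumptions too.

```sh
#!/bin/sh
# Added example, not code from the thread or from DD-WRT. pf_rules and
# find_unforwarded are hypothetical helper names; the addresses come from the
# thread and the iptables-save dump below is constructed for this example.

# pf_rules WAN_IP EXT_PORT LAN_IP LAN_PORT
# Print the two rules a port forward needs: the DNAT in nat/PREROUTING and
# the accept in filter/FORWARD. The router only relays the translated
# packet, so a rule in INPUT (the thread's first attempt) never matches it.
pf_rules() {
  printf 'iptables -t nat -I PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$1" "$2" "$3" "$4"
  printf 'iptables -I FORWARD -p tcp -d %s --dport %s -j ACCEPT\n' "$3" "$4"
}

# find_unforwarded < iptables-save-output
# For each tcp DNAT in nat/PREROUTING, look for a filter/FORWARD rule that
# accepts tcp to the same address and port. Print the ip:port of every DNAT
# that has none: those forwards translate the packet and then lose it.
find_unforwarded() {
  awk '
    /^\*nat/    { table = "nat" }
    /^\*filter/ { table = "filter" }
    table == "nat" && /^-A PREROUTING / && /-p tcp/ && /-j DNAT/ {
      for (i = 1; i <= NF; i++)
        if ($i == "--to-destination") dnat[n++] = $(i + 1)
    }
    table == "filter" && /^-A FORWARD / && /-p tcp/ && /-j ACCEPT/ {
      d = ""; p = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d")      { d = $(i + 1); sub(/\/32$/, "", d) }
        if ($i == "--dport") { p = $(i + 1) }
      }
      if (d != "" && p != "") ok[d ":" p] = 1
    }
    END { for (i = 0; i < n; i++) if (!(dnat[i] in ok)) print dnat[i] }
  '
}

# Constructed dump: the 8443 forward carries the thread's mistake (accept in
# INPUT instead of FORWARD); the 8444 forward is done correctly.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 73.67.111.111/32 -p icmp -j DNAT --to-destination 10.1.10.1
-A PREROUTING -d 73.67.111.111/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.1.10.110:443
-A PREROUTING -d 73.67.111.111/32 -p tcp -m tcp --dport 8444 -j DNAT --to-destination 10.1.10.101:443
-A POSTROUTING -s 10.1.10.0/24 -j SNAT --to-source 73.67.111.111
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 10.1.10.110/32 -p tcp -m tcp --dport 443 -j logaccept
-A FORWARD -d 10.1.10.101/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i vlan2 -j DROP
COMMIT'

# Run the audit over the constructed dump (reports 10.1.10.110:443), then
# print the rules that fix the forward it reports.
printf '%s\n' "$SAMPLE_SAVE" | find_unforwarded
pf_rules 73.67.111.111 8443 10.1.10.110 443
```

On the router, `pf_rules ... | sh` applies the pair and `iptables-save | find_unforwarded` should then print nothing. Using -I keeps the FORWARD accept ahead of DD-WRT's own WAN drop rules, and rules added over ssh do not survive a reboot unless they are put in the firewall script.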