OpenWrt Forum Archive

Topic: /etc/config/firewall

The content of this topic has been archived on 7 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

While the UMTS connection on my WRT54G3G is running now (see http://forum.openwrt.org/viewtopic.php?id=11797), I have some trouble with the port forwarding.

I need port 22 access to the router from the outside and I need to forward the ports 2030 and 2031 to port 2030 on different machines. In /etc/config/firewall I did:

accept:proto=tcp dport=22
forward:dport=2030:192.168.1.10:2030
forward:dport=2031:192.168.1.11:2030

But this doesn't seem to work at all.

Any suggestions?

Tobias

(Last edited by Tobias on 26 Jul 2007, 17:00)

I've now removed the changes in /etc/config/firewall and tried it with /etc/firewall.user:

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# The following chains are for traffic directed at the IP of the
# WAN interface

iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
iptables -t nat -A prerouting_wan -p udp --dport 2031 -j DNAT --to 192.168.1.11:2030
iptables        -A forwarding_wan -p udp --dport 2030 -d 192.168.1.11 -j ACCEPT

SSH access over port 22 is ok now, but forwarding of port 2031 to 2030 still doesn't work.

One strange thing is that I can't ping 192.168.1.11 from within the router. But 192.168.1.11 can be pinged from every other machine attached to the router's LAN. And from inside the router I can ping 192.1.168.50, which is the machine that connects to the router via SSH. So why can't 192.168.1.11 be pinged?

You definitely want to forward *udp* port 2031, not tcp?

What you've done looks OK to me (apart from the comment which doesn't match the rules :-)

Can you run tcpdump or wireshark on machine 192.168.1.11? Does it show any incoming UDP packets on port 2030?
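A small consistency check for the kind of drift the reply points at (protocol, host or port differing between a prerouting_wan DNAT rule and its forwarding_wan ACCEPT), written here as an added example and not code from the thread; the sample rules are the post's two forwarding lines plus one constructed mismatch, and the parser only understands the iptables options used in those lines:

```python
import shlex

# Constructed sample (not from the thread): the post's two forwarding lines plus
# one deliberately mismatched pair (assumed) to show what the check reports.
SAMPLE_RULES = """
iptables -t nat -A prerouting_wan -p udp --dport 2031 -j DNAT --to 192.168.1.11:2030
iptables        -A forwarding_wan -p udp --dport 2030 -d 192.168.1.11 -j ACCEPT
# constructed mismatch: the DNAT is tcp, but the ACCEPT only covers udp
iptables -t nat -A prerouting_wan -p tcp --dport 2030 -j DNAT --to 192.168.1.10:2030
iptables        -A forwarding_wan -p udp --dport 2030 -d 192.168.1.10 -j ACCEPT
"""

# iptables options that take one value and map straight onto a rule field
SIMPLE = {"-t": "table", "-A": "chain", "-p": "proto", "-d": "dst", "-j": "target"}


def parse_rule(line):
    """Parse one 'iptables ... -A chain ...' line into a dict; other lines give None."""
    argv = shlex.split(line)
    if len(argv) < 2 or argv[0] != "iptables" or "-A" not in argv:
        return None  # comments, blank lines and the -F flush lines are skipped
    rule = {"table": "filter", "chain": None, "proto": None, "dport": None,
            "dst": None, "target": None, "to": None}
    i = 1
    while i < len(argv) - 1:
        opt, val = argv[i], argv[i + 1]
        if opt in SIMPLE:
            rule[SIMPLE[opt]] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt in ("--to", "--to-destination"):
            host, port = val.rsplit(":", 1)
            rule["to"] = (host, int(port))
        else:
            i += 1  # unknown token: step over it and keep scanning
            continue
        i += 2
    return rule


def check_forwards(text):
    """Pair every prerouting_wan DNAT with a forwarding_wan ACCEPT on the same proto, host and port."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    accepts = [r for r in rules if r["chain"] == "forwarding_wan" and r["target"] == "ACCEPT"]
    problems = []
    for d in rules:
        if not (d["table"] == "nat" and d["chain"] == "prerouting_wan" and d["target"] == "DNAT"):
            continue
        host, port = d["to"]
        if not any(a["proto"] == d["proto"] and a["dst"] == host and a["dport"] == port for a in accepts):
            problems.append(f"{d['proto']}/{d['dport']} -> {host}:{port}: no matching forwarding_wan ACCEPT")
    return problems
```

Running `check_forwards(SAMPLE_RULES)` reports only the constructed tcp/udp mismatch; the post's own udp pair passes, which is why the reply's question about the protocol the service actually uses is the next thing to settle.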
