OpenWrt Forum Archive

Topic: Port forwarding..

The content of this topic has been archived on 17 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi!

My router is a Buffalo Wireless-G 125. I bought this router with OpenWrt and now I am trying to open 2-3 ports for my local network and the internet. My network uses 10.xx.xx.xx for the local IP and uses a VPN for internet. Plus I have a real IP - 212.56.17.196.

This is /etc/firewall.user

iptables -t nat -A prerouting_wan -p tcp --dport 80 -j DNAT --to 192.168.1.2
iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j DNAT --to 192.168.1.2
iptables        -A FORWARD -i ppp+  -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

iptables -t nat -A prerouting_wan -p tcp --dport 21 -j DNAT --to 192.168.1.2
iptables        -A forwarding_wan -p tcp --dport 21 -d 192.168.1.2 -j ACCEPT

iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 21 -j DNAT --to 192.168.1.2
iptables        -A FORWARD -i ppp+  -p tcp --dport 21 -d 192.168.1.2 -j ACCEPT

iptables -t nat -A prerouting_wan -p tcp --dport 14567 -j DNAT --to 192.168.1.2
iptables        -A forwarding_wan -p tcp --dport 14567 -d 192.168.1.2 -j ACCEPT

iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 14567 -j DNAT --to 192.168.1.2
iptables        -A FORWARD -i ppp+  -p tcp --dport 14567 -d 192.168.1.2 -j ACCEPT

One of my friends tried to open 10.21.17.25:80 or 212.56.17.196:80 and it showed this:

Forbidden

You don't have permission to access / on this server.

The computer for which I want to open the ports uses these settings:

pc1

IP: 192.168.1.2
Mask: 255.255.255.0
Gateway: 192.168.1.1

What more do I have to do?

Sorry, I am a noob with Linux and sorry for the bad language. I am in Bulgaria.

bzkbee wrote:

One of my friends tried to open 10.21.17.25:80 or 212.56.17.196:80 and it showed this:

Forbidden

You don't have permission to access / on this server.

This is not a problem with port forwarding.  It is a problem on the web server.  The web server is giving that  error.  You will need to configure the web server to allow your friend to access it.

Wodin wrote:
bzkbee wrote:

One of my friends tried to open 10.21.17.25:80 or 212.56.17.196:80 and it showed this:

Forbidden

You don't have permission to access / on this server.

This is not a problem with port forwarding.  It is a problem on the web server.  The web server is giving that  error.  You will need to configure the web server to allow your friend to access it.

Ok. Try another port - 14567. This is the port for the Battlefield 1942 server. I start the server and try to connect with 10.21.17.25:14567 and nothing, but with 198.162.1.2:14567 I connect.. but my friends can't connect with 198.162.1.2..

bzkbee wrote:

Ok. Try another port - 14567. This is the port for the Battlefield 1942 server. I start the server and try to connect with 10.21.17.25:14567 and nothing, but with 198.162.1.2:14567 I connect.. but my friends can't connect with 198.162.1.2..

From inside your LAN you will not be able to connect to the external IP unless you do more work.

Your friends should be able to connect to the external/public IP.

Tell them to connect to: 212.56.17.196:14567

If your friends are connected to the same external (ISP?) network as you, they might be able to connect to 10.21.17.25:14567 too, but other people on the internet will not be able to get to 10.x.x.x or 192.168.x.x.

By the way, it looks like your LAN is 192.168.1.0/24.  I assume the network you connect to is 10.x.x.x and that your public IP is connected to the VPN tunnel.  Is that correct?

What does "ifconfig -a" on the router show you?

Wodin wrote:
bzkbee wrote:

Ok. Try another port - 14567. This is the port for the Battlefield 1942 server. I start the server and try to connect with 10.21.17.25:14567 and nothing, but with 198.162.1.2:14567 I connect.. but my friends can't connect with 198.162.1.2..

From inside your LAN you will not be able to connect to the external IP unless you do more work.

Your friends should be able to connect to the external/public IP.

Tell them to connect to: 212.56.17.196:14567

If your friends are connected to the same external (ISP?) network as you, they might be able to connect to 10.21.17.25:14567 too, but other people on the internet will not be able to get to 10.x.x.x or 192.168.x.x.

By the way, it looks like your LAN is 192.168.1.0/24.  I assume the network you connect to is 10.x.x.x and that your public IP is connected to the VPN tunnel.  Is that correct?

What does "ifconfig -a" on the router show you?

Yes. I start Apache and it works - http://212.56.17.196/ . For BF I use 192.168.1.2 for the IP, but my friends again can't connect.

This is ifconfig -a:

br0       Link encap:Ethernet  HWaddr 00:16:01:AF:D8:FA
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4597166 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5846853 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1252759173 (1.1 GiB)  TX bytes:3096666441 (2.8 GiB)

eth0      Link encap:Ethernet  HWaddr 00:16:01:AF:D8:FA
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:14591485 errors:0 dropped:35 overruns:0 frame:0
          TX packets:10589353 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:627229974 (598.1 MiB)  TX bytes:348169465 (332.0 MiB)
          Interrupt:4

eth1      Link encap:Ethernet  HWaddr 00:16:01:AF:D8:FB
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:2334
          TX packets:27575 errors:9 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1755787 (1.6 MiB)
          Interrupt:2 Base address:0x5000

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0      Link encap:Point-Point Protocol
          inet addr:212.56.17.196  P-t-P:195.138.132.21  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:4692265 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3716064 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:1640641892 (1.5 GiB)  TX bytes:704485851 (671.8 MiB)

vlan0     Link encap:Ethernet  HWaddr 00:16:01:AF:D8:FA
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:4597181 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5873454 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1271166349 (1.1 GiB)  TX bytes:3121756317 (2.9 GiB)

vlan1     Link encap:Ethernet  HWaddr 00:16:01:AF:D8:FB
          inet addr:10.21.17.25  Bcast:10.21.17.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9993802 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4710599 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3387509227 (3.1 GiB)  TX bytes:1470634016 (1.3 GiB)


This is iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere
input_wan  all  --  anywhere             anywhere
LAN_ACCEPT  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  192.168.1.0/24       anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forwarding_wan  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     tcp  --  anywhere             pc1                 tcp dpt:80
ACCEPT     tcp  --  anywhere             pc1                 tcp dpt:14567

Chain LAN_ACCEPT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             pc1                 tcp dpt:80
ACCEPT     tcp  --  anywhere             pc1                 tcp dpt:14567

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination



Wodin wrote:

If your friends are connected to the same external (ISP?) network as you, they might be able to connect to 10.21.17.25:14567 too, but other people on the internet will not be able to get to 10.x.x.x or 192.168.x.x.

Yes. We use same external, but again can connect.. Please help..

bzkbee wrote:

Yes. I start Apache and it works - http://212.56.17.196/ . For BF I use 192.168.1.2 for the IP, but my friends again can't connect.

OK, so you say your friends can get to the web site now.

bzkbee wrote:

ACCEPT     tcp  --  anywhere             pc1                 tcp dpt:14567

According to this page Battlefield 1942 requires UDP port 14567 to be forwarded.  Not TCP port 14567.

So change the "tcp" to "udp" in that rule and also in your NAT rules and see if that helps.

The discussion might have continued from here.
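
Added example, not part of the original thread or any poster's code: a small audit for firewall.user-style rules that reports a forward whose protocol differs from what the service needs (the TCP/UDP 14567 point above), a DNAT rule with no matching forward ACCEPT, and an unrecognised -j target. The function names and the sample rules are constructed for illustration, and rules are paired on protocol, port and destination only.

```shell
#!/bin/sh
# Added example (not from the thread): audit firewall.user-style forwards.
# sample_rules and audit_forwards are hypothetical names; the rules are a
# constructed sample, not the poster's file.
sample_rules() {
cat <<'EOF'
iptables -t nat -A prerouting_wan -p tcp --dport 80 -j DNAT --to 192.168.1.2
iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 21 -j DNAT --to 192.168.1.2
iptables        -A forwarding_wan -p tcp --dport 21 -d 192.168.1.2 -j ACCEP
iptables -t nat -A prerouting_wan -p tcp --dport 14567 -j DNAT --to 192.168.1.2
iptables        -A forwarding_wan -p tcp --dport 14567 -d 192.168.1.2 -j ACCEPT
EOF
}

# audit_forwards "PORT=PROTO ..." reads rules on stdin and prints findings.
# Simplification (assumption): rules are paired on proto/port/destination
# only; chain names and interfaces are ignored.
audit_forwards() {
  awk -v want="$1" '
  BEGIN {
    n = split(want, w, " ")
    for (i = 1; i <= n; i++) { split(w[i], kv, "="); need[kv[1]] = kv[2] }
  }
  $1 == "iptables" {
    proto = port = dst = tgt = ""
    for (i = 2; i < NF; i++) {
      if ($i == "-p") proto = $(i+1)
      else if ($i == "--dport") port = $(i+1)
      else if ($i == "-d" || $i == "--to") { dst = $(i+1); sub(/:.*/, "", dst) }
      else if ($i == "-j") tgt = $(i+1)
    }
    key = proto "/" port "->" dst
    if (tgt != "DNAT" && tgt != "ACCEPT") {
      printf "line %d: unknown target %s\n", NR, tgt; next
    }
    if (tgt == "DNAT") dnat[key] = NR
    else accept[key] = 1
    if (tgt == "DNAT" && (port in need) && need[port] != proto)
      printf "line %d: port %s forwarded as %s, service needs %s\n", NR, port, proto, need[port]
  }
  END {
    for (k in dnat) if (!(k in accept))
      printf "line %d: DNAT %s has no forward ACCEPT\n", dnat[k], k
  }' | sort
}

sample_rules | audit_forwards "14567=udp"
```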