OpenWrt Forum Archive

Topic: Kamikaze - 2.4 kernel - port forwarding doesn't work?

The content of this topic has been archived on 7 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all,

I am battling to get port forwarding to work using Kamikaze with the 2.4 kernel. I am using 2.4 because I need the pcmcia support of the WRT54G3G router.

What is strange is that opening up a local port works, e.g. enabling port 22 in /etc/config/firewall or in /etc/firewall.user will allow one to get into the router, but as soon as the port is forwarded to another machine on the LAN it doesn't work. I have the following in /etc/firewall.user.

--------------------------------------------------------------------------------
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# The following chains are for traffic directed at the IP of the
# WAN interface

iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan

##switch on some logging
iptables -t nat -A prerouting_wan -p tcp --dport 80 -j LOG --log-level debug --log-prefix "IN http:"
iptables        -A forwarding_wan -p tcp --dport 80 -j LOG --log-level debug --log-prefix "FOR http:"
# iptables -A FORWARD -j LOG --log-level debug
# iptables -A INPUT -j LOG --log-level debug

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- This forwards port 80 on the WAN to port 80 on 192.168.12.216
iptables -t nat -A prerouting_wan -p tcp --dport 80 -j DNAT --to 192.168.12.216:80
iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.12.216 -j ACCEPT

-----------------------------------------------------------------------------------------------------------------

I installed ulog and the following is output to logread.

Jan  1 01:29:34 OpenWrt user.debug kernel: IN http:IN=eth0.1 OUT= MAC=00:16:b6:d8:ef:63:00:1b:77:26:5b:89:08:00:45:00:00:3c SRC=192.168.1.3 DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10558 DF PROTO=TCP SPT=53207 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 01:29:34 OpenWrt user.debug kernel: FOR http:IN=eth0.1 OUT=br-lan SRC=192.168.1.3 DST=192.168.12.216 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10558 DF PROTO=TCP SPT=53207 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

So the port is being forwarded properly but there is no response back to the client. Anyone got any ideas? I managed to get it working once but then it never worked again on reboot. Accessing local port like ssh on the router always works.

thanks

What does tcpdump show?  Is the packet *actually* making it to the server?

iptables -t nat -A PREROUTING -i ppp1 -p tcp --dport 5005 -j DNAT --to 192.168.11.214:5005
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 5005 -d 10.10.10.8 -j DNAT --to 192.168.11.214:5005
iptables -t nat -A POSTROUTING -s 192.168.11.214 -p tcp --dport 5005 -o ppp1 -j SNAT --to 10.10.10.8:5005
iptables -t nat -A POSTROUTING -s 192.168.11.214 -p tcp --dport 5005 -o br0 -j SNAT --to 10.10.10.8:5005
iptables -A FORWARD -i ppp1 -p tcp --dport 5005 -d 192.168.11.214 -j ACCEPT

Hi there,

I get the following on the target machines with wireshark

1875    534.641879    192.168.1.3    192.168.12.216    TCP    37013 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=50927 TSER=0 WS=7
1876    534.641932    192.168.12.216    192.168.1.3    ICMP    Destination unreachable (Host administratively prohibited)

I am not sure what rule to add to the firewall to allow the response through? The target machine uses the wrt54g as its default gateway and can reach the internet fine.

BTW for testing purposes I have the testing (client) machine sitting on the network attached to the WAN port of the wrt54g router. I.e. I am not testing from the LAN side of the wrt54g router.

I have looked at the additional rule provided by yhgroup but it looks like the first two prerouting rules are covered by my one:
iptables -t nat -A prerouting_wan -p tcp --dport 80 -j DNAT --to 192.168.12.216:80

The only rule that looks new to me is the post routing rule.

iptables -t nat -A POSTROUTING -s 192.168.11.214 -p tcp --dport 5005 -o ppp1 -j SNAT --to 10.10.10.8:5005
iptables -t nat -A POSTROUTING -s 192.168.11.214 -p tcp --dport 5005 -o br0 -j SNAT --to 10.10.10.8:5005

It doesn't have a fixed IP so I tried adding the rule as follows:

iptables -t nat -A prerouting_wan -p tcp --dport 80 -j DNAT --to 192.168.12.216:80
iptables -t nat -A POSTROUTING -s 192.168.12.216 -p tcp -j MASQUERADE
iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.12.216 -j ACCEPT

But no luck. Wireshark reports the same as above.

thanks for any help.

mxc wrote:

I get the following on the target machines with wireshark

1875    534.641879    192.168.1.3    192.168.12.216    TCP    37013 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=50927 TSER=0 WS=7
1876    534.641932    192.168.12.216    192.168.1.3    ICMP    Destination unreachable (Host administratively prohibited)  <-- HTTP Server is blocking the connection

This capture basically says that your target host (192.168.12.216) is blocking the connection.   The first packet shows the connection request coming to your host via the router, and the second packet shows your host actively blocking any form of response.  "Administratively prohibited" is an active block response from some form of host based Firewall in this case.  If the block was coming from your WRT54g, the block response (if any) would be different; the current method in OpenWRT is to send a TCP "RESET" to blocked TCP connections.  Since you're getting an ICMP unreachable, I'm pretty sure it's a host-based Firewall on your HTTP server.


Find out the answers to the following:

- Is the HTTP server host running a Firewall of some sort such as rules in xinetd or TCPWrappers (if Linux or UNIX), or the Windows Firewall?
- Are connections to port 80 allowed at all?  If not, are they only allowed from the LAN (192.168.12.X)?

(Last edited by kaldek on 11 Jul 2008, 04:57)
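Pulling the thread's two diagnostic artefacts together, as an added example that is not part of any post above: the script below parses the logread lines from the first post to confirm that DNAT really rewrote the destination (it pairs the prerouting_wan and forwarding_wan entries by SRC, SPT and IP ID, the fields DNAT leaves alone), then reads the Wireshark summary mxc took on the target host and classifies what the target sent back, following kaldek's reasoning that a reject generated by the router would never show up in a capture taken on the target. The log and capture lines are copied from the posts; the function names and the classification strings are this example's own.

```python
import re

# Copied from the logread output in the first post (iptables LOG target on the
# 2.4 kernel).  The first line is logged from prerouting_wan (before DNAT), the
# second from forwarding_wan (after DNAT).
NETFILTER_LOG = """\
Jan  1 01:29:34 OpenWrt user.debug kernel: IN http:IN=eth0.1 OUT= MAC=00:16:b6:d8:ef:63:00:1b:77:26:5b:89:08:00:45:00:00:3c SRC=192.168.1.3 DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10558 DF PROTO=TCP SPT=53207 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 01:29:34 OpenWrt user.debug kernel: FOR http:IN=eth0.1 OUT=br-lan SRC=192.168.1.3 DST=192.168.12.216 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10558 DF PROTO=TCP SPT=53207 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Copied from the Wireshark summary mxc captured on the target host itself.
CAPTURE = """\
1875    534.641879    192.168.1.3    192.168.12.216    TCP    37013 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=50927 TSER=0 WS=7
1876    534.641932    192.168.12.216    192.168.1.3    ICMP    Destination unreachable (Host administratively prohibited)
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
CAP_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_log_line(line):
    """Split one netfilter LOG line into its KEY=VALUE fields.

    The user-supplied --log-prefix is everything between 'kernel: ' and the
    first 'IN=' and is returned under the synthetic key PREFIX."""
    _, _, body = line.partition("kernel: ")
    prefix, _, rest = body.partition("IN=")
    fields = dict(KV_RE.findall("IN=" + rest))
    fields["PREFIX"] = prefix.rstrip(":").strip()
    return fields


def trace_dnat(log_text):
    """Pair the pre-NAT and post-NAT log entries of one packet and report
    whether its destination was rewritten.

    SRC, SPT and the IP identification field (ID) are untouched by DNAT,
    while DST changes and TTL drops by one on forwarding, so two lines that
    share (SRC, SPT, ID) are the same packet seen in PREROUTING and FORWARD.
    Only the first connection found in the log is reported."""
    by_key = {}
    for line in log_text.splitlines():
        if "IN=" not in line:
            continue
        f = parse_log_line(line)
        by_key.setdefault((f["SRC"], f["SPT"], f["ID"]), []).append(f)
    for (src, spt, _), seen in by_key.items():
        if len(seen) < 2:
            # Logged in PREROUTING only: the packet never reached FORWARD.
            return {"src": src, "spt": spt, "reached_forward": False}
        before, after = seen[0], seen[-1]   # log order follows chain order
        return {
            "src": src,
            "spt": spt,
            "reached_forward": True,
            "original_dst": before["DST"],
            "translated_dst": after["DST"],
            "dnat_applied": before["DST"] != after["DST"],
            "forwarded_out": after["OUT"],
            "ttl_decremented": int(before["TTL"]) - int(after["TTL"]) == 1,
        }
    return {"reached_forward": False}


def classify_capture(capture_text, target_ip):
    """Decide, from a capture taken *on the target*, who refused the connection.

    A reject generated by the router never appears in the target's capture
    (the router answers the client directly), so any reply the target itself
    sends to the client is the target's own decision."""
    rows = [m.groups() for m in map(CAP_RE.match, capture_text.splitlines()) if m]
    syn = next((r for r in rows
                if r[3] == target_ip and r[4] == "TCP" and "[SYN]" in r[5]), None)
    if syn is None:
        return "no SYN reached the target: check the DNAT and FORWARD rules on the router"
    client = syn[2]
    for _, _, src, dst, proto, info in rows:
        if src != target_ip or dst != client:
            continue
        if proto == "ICMP" and "administratively prohibited" in info:
            return "target's host firewall rejected the connection (ICMP admin-prohibited)"
        if proto == "TCP" and "[RST" in info:
            return "target reached, but nothing is listening on the port (TCP RST)"
        if proto == "TCP" and "[SYN, ACK]" in info:
            return "target accepted; if the client sees nothing, the return path (routing/SNAT) is at fault"
    return "SYN reached the target but it never answered: the target drops it silently"


if __name__ == "__main__":
    print(trace_dnat(NETFILTER_LOG))
    print(classify_capture(CAPTURE, "192.168.12.216"))
```

Run against the thread's own data, trace_dnat reports original_dst 192.168.1.4, translated_dst 192.168.12.216 and forwarded_out br-lan, i.e. the router did its part, and classify_capture points at the target's host firewall, which is exactly where kaldek's reply sends the original poster. The same pairing on (SRC, SPT, ID) also catches the opposite failure: a connection that shows up only in the prerouting_wan log means the FORWARD rule, not NAT, is what needs attention.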

The discussion might have continued from here.