OpenWrt Forum Archive

Topic: Portforwarding with iptables

The content of this topic has been archived on 25 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello again

Okay.. I managed to install OpenWrt Firmware Kamikaze (r16206) and openvpn on my Linksys WRT54GL v1.1.
All connecting and working on my VPN host.

Only one challenge left.. port forwarding!

As I understand from various forums, I must use iptables rules to achieve this.
I have tried many suggestions around on the net, but none seems to work.

My setup is as follows:
ifconfig:

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 00:23:69:AA:96:9C  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:418746 errors:0 dropped:0 overruns:0 frame:0
          TX packets:322919 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:178375079 (170.1 MiB)  TX bytes:151689704 (144.6 MiB)

eth0      Link encap:Ethernet  HWaddr 00:23:69:AA:96:9C  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:343681 errors:0 dropped:0 overruns:0 frame:0
          TX packets:437220 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:183047114 (174.5 MiB)  TX bytes:225587934 (215.1 MiB)
          Interrupt:4 

eth0.0    Link encap:Ethernet  HWaddr 00:23:69:AA:96:9C  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14517 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16762 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4522439 (4.3 MiB)  TX bytes:4971167 (4.7 MiB)

eth0.1    Link encap:Ethernet  HWaddr 00:23:69:AA:96:9C  
          inet addr:85.89.13.xx  Bcast:255.255.255.255  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:329165 errors:0 dropped:0 overruns:0 frame:0
          TX packets:420442 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:172338467 (164.3 MiB)  TX bytes:218771308 (208.6 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.0.91.42  P-t-P:10.0.91.41  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:309995 errors:0 dropped:0 overruns:0 frame:0
          TX packets:401020 errors:0 dropped:254 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:139449613 (132.9 MiB)  TX bytes:174605432 (166.5 MiB)

wl0       Link encap:Ethernet  HWaddr 00:23:69:AA:96:9E  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4413192 errors:0 dropped:0 overruns:0 frame:80384
          TX packets:4321631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2105552352 (1.9 GiB)  TX bytes:2107971118 (1.9 GiB)
          Interrupt:2 Base address:0x5000

route -n:

root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.91.41      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.0.91.1       10.0.91.41      255.255.255.255 UGH   0      0        0 tun0
195.254.134.10  85.89.13.1      255.255.255.255 UGH   0      0        0 eth0.1
85.89.13.0      0.0.0.0         255.255.255.192 U     0      0        0 eth0.1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
0.0.0.0         10.0.91.41      128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.0.91.41      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         85.89.13.1      0.0.0.0         UG    0      0        0 eth0.1

What I want to do is forward, say, port 40041 from the VPN to my local IP 192.168.2.102.
Any suggestions on how to do this?
My host is using remote port forwarding, so the server side is set up correctly.

Best regards
Ivar

Hello

Some additional info.
My "/etc/firewall.user" already contains this set of rules:

# openvpn specific setting
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE

Is this kind of port forwarding I want even possible?

//Ivar

SOLVED

Finally I solved the problem all by myself.

After trying many different forwarding rules the last few days, I started to look at and analyze the existing rules.
It turned out one rule blocked all non ESTABLISHED,RELATED connections.. so when a new connection occurs it's simply not getting through.

I changed the above rule set to this:

## Set tun device to act as connection to the Internet.                                      
## Notice the -o tun+. This indicates that it is looking for outbound packets on tun+
iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE  

## Accept all outgoing traffic to the Internet
iptables -I OUTPUT -o tun+ -j ACCEPT

## Allow all outgoing forwarding
iptables -I FORWARD -o tun+ -j ACCEPT

## Allow only ESTABLISHED incoming packets. 
## I guess this is for normal web browsing
iptables -I INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

## The below line blocks port forwarding and caused my problems ##
#iptables -I FORWARD -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

## Changed it to accept all incoming forwarded packets
iptables -I FORWARD -i tun+ -j ACCEPT

## Defining specific routes
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 40066 -j DNAT --to 192.168.2.102

I'll have to look into this to see if my change was too liberal/unsafe, later.

Best regards
Ivar
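A tighter version of the solved rule set, added here as an example and not taken from the thread, that addresses the poster's own worry: rather than accepting every new connection arriving on tun+, it accepts as NEW only the DNAT'ed port to the one LAN host, and everything else from the tunnel still has to be a reply. The values (tun0, br-lan, 192.168.2.102, port 40066) come from the thread; the IPT variable, the function names and the print-instead-of-apply default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's /etc/firewall.user. Replaces
# "iptables -I FORWARD -i tun+ -j ACCEPT" (every new connection from the VPN
# reaches the LAN) with a rule that only accepts NEW connections already
# rewritten by the DNAT to LAN_HOST:FWD_PORT. With the default IPT=echo the
# rules are printed for review; run with IPT=iptables on the router to apply.

TUN_IF="tun0"            # VPN interface used in the poster's DNAT rule
LAN_IF="br-lan"          # LAN bridge from the ifconfig output
LAN_HOST="192.168.2.102" # LAN host that should receive the forwarded port
FWD_PORT="40066"         # TCP port forwarded from the VPN host (final post)
IPT="${IPT:-echo}"       # assumed helper variable: echo (dry run) or iptables

vpn_forward_rules() {
    # NAT: masquerade LAN traffic leaving through the tunnel, and rewrite the
    # forwarded port arriving from the tunnel to the LAN host.
    $IPT -t nat -I POSTROUTING -o tun+ -j MASQUERADE
    $IPT -t nat -I PREROUTING -i "$TUN_IF" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$LAN_HOST:$FWD_PORT"

    # Router's own traffic into the tunnel, plus replies back to it.
    $IPT -I OUTPUT -o tun+ -j ACCEPT
    $IPT -I INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Forwarding: LAN -> tunnel unrestricted, tunnel -> LAN only for replies...
    $IPT -I FORWARD -o tun+ -j ACCEPT
    $IPT -I FORWARD -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ...and for NEW connections that the PREROUTING DNAT already pointed at
    # LAN_HOST:FWD_PORT. FORWARD sees the post-DNAT destination, so matching
    # on -d/--dport here is what keeps other tunnel-originated connections out.
    $IPT -I FORWARD -i "$TUN_IF" -o "$LAN_IF" -p tcp -d "$LAN_HOST" \
        --dport "$FWD_PORT" -m state --state NEW -j ACCEPT
}

# Review helper: count FORWARD rules that accept unrestricted traffic from tun+.
# The poster's fix contains one such rule; this rule set contains none (0).
count_open_tun_forwards() {
    ( IPT=echo; vpn_forward_rules ) | grep -c -- '-I FORWARD -i tun+ -j ACCEPT' || true
}

vpn_forward_rules
```

Because -I prepends, these lines land ahead of the firewall's own FORWARD rules just as the poster's did; the strict rule needs no particular position relative to the other ACCEPTs, since all of them accept.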
