I believe the issue I'm seeing is very similar to the one described in this thread, so rather than starting a new one, I'll continue here.
I'm running packetprotector (openwrt-based) version 3.2 in an ASUS w500G Premium v2 router.
I've tried a ton of things to get my port forwarding to work, and I can't seem to make it work. I'm not a guru at this stuff, but I know my way around at least a bit...
The situation: I'm trying to set up my firewall to allow selected ports to be open for email access. I want to open non-standard ports externally and forward them to standard ports for security reasons.
I have the following /etc/firewall.user:
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
# The following chains are for traffic directed at the IP of the
# WAN interface
iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan
### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
# iptables -A input_wan -p tcp --dport 22 -j ACCEPT
### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 51143 -j DNAT --to 192.168.1.50:143
# make sure we are accepting connections for the mail port(s)
iptables -A forwarding_rule -p tcp --dport 51143 -d 192.168.1.50:143 -j ACCEPT
iptables -A forwarding_wan -p tcp --dport 51143 -d 192.168.1.50:143 -j ACCEPT
### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables -A forwarding_wan -d 192.168.1.2 -j ACCEPT
the following /etc/config/firewall:
config 'include'
option 'path' '/etc/firewall.user'
config 'redirect'
option 'name' 'my mail port redirect'
option 'src' 'wan'
option 'proto' 'tcp'
option 'src_dport' '51143'
option 'dest_ip' '192.168.1.50'
option 'dest_dport' 143
option 'target' 'DNAT'
option 'dest' 'LAN'
config 'rule'
option 'src' 'wan'
option 'proto' 'tcp'
option 'src_ip' ''
option 'dest_ip' ''
option 'dest_port' '143'
option 'target' 'ACCEPT'
and the following /etc/config/network:
config 'switch' 'eth0'
option 'vlan0' '0 1 2 3 5*'
option 'vlan1' '4 5'
config 'interface' 'loopback'
option 'ifname' 'lo'
option 'proto' 'static'
option 'ipaddr' '127.0.0.1'
option 'netmask' '255.0.0.0'
config 'interface' 'lan'
option 'type' 'bridge'
option 'ifname' 'eth0.0'
option 'proto' 'static'
option 'ipaddr' '192.168.1.1'
option 'netmask' '255.255.255.0'
option 'macaddr' ''
option 'ip6addr' ''
option 'gateway' '192.168.1.1'
option 'ip6gw' ''
option 'dns' ''
config 'interface' 'wan'
option 'ifname' 'eth0.1'
option 'proto' 'dhcp'
option 'gateway' '192.168.1.1'
option 'macaddr' ''
option 'ipaddr' ''
option 'ip6addr' ''
option 'netmask' ''
option 'ip6gw' ''
option 'dns' ''
If I run the command "tcpdump -n -i eth0.1 port 51143", and then in a separate window run the command "telnet <external IP> 51143", I get the following output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.1, link-type EN10MB (Ethernet), capture size 96 bytes
19:35:21.138140 IP 192.168.2.100.4059 > <myremoteIP>.51143: SWE 2535294579:2535294579(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
19:35:21.139061 IP <myremoteIP>.51143 > 192.168.2.100.4059: R 0:0(0) ack 2535294580 win 0
I don't know what all of this means, but I'm curious where the 192.168.2.100 IP is coming from -- my telnet command is actually being run from the router (which is 192.168.1.1). The telnet command also returns "Connection refused" but the above tcpdump seems to indicate that the command is actually hitting the router before being rejected...
Help, please! Thanks for any guidance you can provide!
EDIT: I am also able to telnet to the desired destination machine (192.168.1.50) on port 143 from the router, so internal communications seem to be fine...
(Last edited by avsfan on 12 Jun 2012, 07:19)