OpenWrt Forum Archive

Topic: Opening Ports in firewall.user

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi List

Great firmware. I've used a few but this one seems way ahead.

Anyway. I've read as many posts and guides as I can and before I perform the following I would like to run it by the experts on this forum so I don't brick my router.

The goal:-

To open (forward) ports through the router.

My conclusions:-

Use iptables, the firewall.

The plan:-

1. ssh to the router and login

2. remove the firewall file in etc. 'rm /etc/firewall.user' (due to it being read-only and a symbolic link)

3. copy another firewall file 'cp /rom/etc/firewall.user' (not sure where this file is or where it is going)

4. use the text editor, called VI, to edit the firewall file. 'vim /etc/firewall'

5. put the following code into the file (use port 12345 and ip 10.0.0.10 as example)
          # port 12345 TCP: rewrite the destination as the packet enters the WAN side,
          # then allow the forwarded connection through to the LAN host
          iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 12345 -j DNAT --to 10.0.0.10
          iptables        -A forwarding_rule -i $WAN -p tcp --dport 12345 -d 10.0.0.10 -j ACCEPT

          # port 12345 UDP: the same pair of rules for UDP
          iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 12345 -j DNAT --to 10.0.0.10
          iptables        -A forwarding_rule -i $WAN -p udp --dport 12345 -d 10.0.0.10 -j ACCEPT

6. save the file. I think you simply type ZZ to do this.

7. reboot the router. Simply type 'reboot' at the shell.

I know I have written out every step but I really need to know I'm doing the right thing. If it is correct maybe it will also help others.

Thanks for any advice given

Digler

There is no need to restart the router, simply run /etc/init.d/S45firewall

if you want to temp. forward a port, you can do s.th. like this (udp and tcp example)

#!/bin/sh
#
# forward a specific port (tcp and udp)
#

PortNo=20000
WAN=ppp0            # WAN interface the rules are bound to; adapt to your setup
Dest=192.168.1.3    # LAN host that receives the forwarded traffic

start() {
        echo -n "Starting custom firewall rules..."
        # DNAT in the nat table rewrites the destination of incoming WAN packets
        iptables -t nat -A prerouting_rule -i $WAN -p udp --dport $PortNo -j DNAT --to $Dest
        iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport $PortNo -j DNAT --to $Dest
        # the filter table must also accept the rewritten packets for forwarding
        iptables -A forwarding_rule -i $WAN -p tcp --dport $PortNo -d $Dest -j ACCEPT
        iptables -A forwarding_rule -i $WAN -p udp --dport $PortNo -d $Dest -j ACCEPT
        echo "...done"
}

stop() {
        echo -n "Stop custom firewall rules..."
        # delete the same rules again (-D), matching them exactly as added
        iptables -D forwarding_rule -i $WAN -p tcp --dport $PortNo -d $Dest -j ACCEPT
        iptables -D forwarding_rule -i $WAN -p udp --dport $PortNo -d $Dest -j ACCEPT
        iptables -t nat -D prerouting_rule -i $WAN -p udp --dport $PortNo -j DNAT --to $Dest
        iptables -t nat -D prerouting_rule -i $WAN -p tcp --dport $PortNo -j DNAT --to $Dest
        echo "...done"
}


case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac

exit $?

Edit: I use ppp0 in the script, you need to adapt this to your WAN Interface, or better, fetch it from nvram (see e.g. S45firewall for that)

(Last edited by cabo on 22 Apr 2006, 13:49)
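As an added example (not code from the thread or from OpenWrt): a small firewall.user helper that wraps the DNAT plus forwarding_rule pair used in the posts above, validates the port and address before touching the firewall, pins both rules to the WAN interface, and can remove them again without a reboot. It assumes the White Russian layout where S45firewall sets $WAN before sourcing /etc/firewall.user; the `nvram get wan_ifname` fallback and the IPTABLES dry-run default are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the DNAT + forwarding_rule
# pair used in every post above for one port, with input validation and a
# matching "del" so rules can be removed without a reboot.
# Assumptions: White Russian layout where S45firewall sets $WAN before
# sourcing /etc/firewall.user; the "nvram get wan_ifname" fallback is an
# assumption about the nvram key; IPTABLES defaults to a dry-run echo so the
# functions can be exercised on a host without root or iptables.

WAN="${WAN:-$(nvram get wan_ifname 2>/dev/null)}"
IPTABLES="${IPTABLES:-echo iptables}"

# valid_port NUM: true if NUM is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR: true for a dotted quad with every octet in 0..255
valid_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# forward_port add|del tcp|udp PORT DEST
# Both rules are pinned to the WAN interface so the hole is reachable only
# from the outside, not from other interfaces whose traffic is forwarded.
forward_port() {
    action=$1; proto=$2; port=$3; dest=$4
    case "$action" in add) op=-A ;; del) op=-D ;;
        *) echo "forward_port: action must be add or del" >&2; return 2 ;;
    esac
    case "$proto" in tcp|udp) ;;
        *) echo "forward_port: proto must be tcp or udp" >&2; return 2 ;;
    esac
    valid_port "$port" || { echo "forward_port: bad port '$port'" >&2; return 2; }
    valid_ipv4 "$dest" || { echo "forward_port: bad address '$dest'" >&2; return 2; }
    [ -n "$WAN" ] || { echo "forward_port: WAN interface unknown" >&2; return 2; }
    $IPTABLES -t nat $op prerouting_rule -i "$WAN" -p "$proto" --dport "$port" -j DNAT --to "$dest" &&
    $IPTABLES $op forwarding_rule -i "$WAN" -p "$proto" --dport "$port" -d "$dest" -j ACCEPT
}

# Usage: forward_port add tcp 3389 192.168.0.2 ; forward_port del tcp 3389 192.168.0.2
```

Set IPTABLES=iptables (or unset the dry-run default) on the router to apply the rules for real.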

Good info in the post, but I still cannot get 3389 to open.

in /etc/firewall.user

### Forward RDP to the Exchange server
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 3389 -j DNAT --to 192.168.0.2
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 3389 -j DNAT --to 192.168.0.2
iptables -A forwarding_rule -i $WAN -p tcp --dport 3389 -d 192.168.0.2 -j ACCEPT
iptables -A forwarding_rule -i $WAN -p udp --dport 3389 -d 192.168.0.2 -j ACCEPT


In case you need it: router - WRT54GS v2 (cable modem)
What am I doing wrong?!?
This really doesn't seem hard, but it is kicking my ass!

even tried this one:
## Start by translating the destination address as the packet enters the WAN/Internet interface
  iptables -t nat -A prerouting_rule -i $WAN -p tcp -m multiport --dport 25,80,443,3389 -j DNAT --to 192.168.0.2
## Now forward the connection to the server on the LAN
  iptables -A forwarding_rule -p tcp -m multiport -d 192.168.0.2 --dport 25,80,443,3389 -j ACCEPT


Please keep in mind that I just flashed OpenWRT to it and this is the only thing I've changed so far. (Translate - total noob)
I've found two different ways to do this so far on the forums. Does the method change, are they wrong, or am I missing something that needs to be put into firewall.user to make it all work?

(Last edited by joebagodoe on 11 Sep 2006, 05:13)

So it's fixed
I ran this: (DANGEROUS: http://wiki.openwrt.org/OpenWrtDocs/Tro … 8476c1ec4)
mtd -r erase nvram

Then re-uploaded the RC5 firmware and erased the JFFS2 partition

Everything is good!

(Last edited by joebagodoe on 13 Sep 2006, 15:33)

The discussion might have continued from here.