
forward port depending on source ip

Discussion in 'HyperWRT Firmware' started by silviemeis, Feb 23, 2005.

  1. silviemeis

    silviemeis Network Guru Member

    In D-Link routers I can make a firewall rule, as:
    RDP forward rule. Source IP: (WAN) 82.12.57.14, port: TCP 3390; destination IP: (LAN) 192.168.0.100, port: TCP 3389.

    I know it is possible to do a port translation, but it's the source IP that's important to my company.

    Is this possible with the Linksys WRT54G-EU (original or HyperWRT firmware)?
    If so, how? This is very important for me. Thank you.
     
  2. linksysonline

    linksysonline Network Guru Member

    In your firewall rules, add these lines:

    # Let the forwarded connection through. FORWARD sees the packet after
    # PREROUTING has rewritten it, so match the internal address and port here.
    iptables -A FORWARD -p TCP -i vlan1 -d 10.0.0.100 --dport 10000 -j ACCEPT
    # Rewrite external port 20000 to the internal host (the -j DNAT target is required)
    iptables -t nat -A PREROUTING -p tcp -i vlan1 --dport 20000 -j DNAT --to-destination 10.0.0.100:10000

    # Same pattern for external port 8080 -> internal web server on port 80
    iptables -A FORWARD -p TCP -i vlan1 -d 10.0.0.100 --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -i vlan1 --dport 8080 -j DNAT --to-destination 10.0.0.100:80

    The 'vlan1' depends on your version of the router. I think if it's prior to version 2, you have to put 'eth1' instead. Also, this will only redirect incoming connections from outside your LAN. If you're using PPPoE dial-in, you have to exchange 'vlan1' for 'ppp0'.
     
  3. silviemeis

    silviemeis Network Guru Member

    Thanks for the fast reply.
    But this is also possible in the web browser management.

    I can't find the source address in your example. This way all addresses on the internet can access port 80 through port 8080 on the internal web server.

    I want to say only address 81.14.12.44 may access my web server or FTP server or whatever.

    Is there maybe a --from flag?
     
  4. linksysonline

    linksysonline Network Guru Member

    Basically it's taking whatever your router IP is and routing it to where you have set up... I'm guessing by the way you are questioning that you have more than 1 static IP address?
     
  5. silviemeis

    silviemeis Network Guru Member

    Yes, I have a LAN of about 10 computers, with 2 servers. 1 server is a Windows 2003 server. I want that server's port 3389 (terminal server) to be reachable from only a few WAN (internet) IP addresses.

    You have a destination IP address, your internal address (10.0.0.1), and a source address, your external address, e.g. 213.13.124.19 (Holland address).
     
  6. swinn

    swinn Network Guru Member

    You might try this in your firewall script:

    # Only this one source address: a /0 mask on -s would match every address.
    # FORWARD sees the packet after the nat rewrite, so match the internal host and port.
    iptables -A FORWARD -p TCP -i vlan1 -s 82.12.57.14 -d 192.168.0.100 --dport 3389 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -i vlan1 -s 82.12.57.14 --dport 3390 --to-destination 192.168.0.100:3389

    The other example that was given will only redirect ports from any IP. The above should only accept it and redirect it if it's from that IP.
     
  7. silviemeis

    silviemeis Network Guru Member

    I tried it by using 2 computers. It doesn't work. When I make a port range forward it does work. But with the firewall script it doesn't.

    @swinn did you get this to work yourself?

    I hope this will be a feature in the web browser management and the firmware from HyperWRT. The only thing that has to be done is to make an extra field in the Port Range Forward menu. A field that names (source IP address). If you want to give access to all IPs you use *. And program it, of course.
     
  8. sillygoose

    sillygoose Network Guru Member

    You might need to change swinn's suggested changes so that the new rules come before any drop rules. You can use a -I to insert the rule in a specific slot in the chain. Telnet to the router and run /sbin/iptables -L -v and /sbin/iptables -t nat -L -v to see what your current rules are. Then change the firewall script to use inserts with the appropriate values.
     
  9. swinn

    swinn Network Guru Member

    It also depends on what model router you have or if you use PPPoE. You might try changing 'vlan1' to 'eth1', or if you use PPPoE, try changing it to 'ppp0'. That's specifying which nic is used for WAN traffic. For my WRT54G v2.0, it uses 'vlan1'.
     
  10. swinn

    swinn Network Guru Member

    Oh, add '-j DNAT' right before the --to-destination parameter..

    # -s takes the exact address (or /32); a /0 mask would match any source.
    # FORWARD sees the translated destination, so match the internal host and port.
    iptables -A FORWARD -p TCP -i vlan1 -s 82.12.57.14 -d 192.168.0.100 --dport 3389 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -i vlan1 -s 82.12.57.14 --dport 3390 -j DNAT --to-destination 192.168.0.100:3389
     
  11. silviemeis

    silviemeis Network Guru Member

    My final solution

    Here is the working situation that I tested.


    The script that I used in the administration – firewall menu:

    # Only packets from 192.168.111.1 get their destination rewritten
    # (no /0 mask on -s, which would match every source)
    iptables -t nat -A PREROUTING -p tcp -s 192.168.111.1 -i vlan1 --dport 3390 -j DNAT --to-destination 192.168.222.100:3389
    # Inserted at position 10 of FORWARD; matches the already-translated destination
    iptables -I FORWARD 10 -p TCP -i vlan1 -s 192.168.111.1 -d 192.168.222.100 --dport 3389 -j ACCEPT

    Ws1 may access the RDP server by connecting at 192.168.111.254:3390
    Ws2 may not access the RDP server on any port.

    It doesn’t matter in what sequence you put these iptable rules.

    My thanks to Fabjan.
    I found this thread very helpful: http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=1965
     
  12. sillygoose

    sillygoose Network Guru Member

    The order of rules can matter. In your case it apparently didn't, but if the packet you wanted to apply a rule to was caught by an earlier rule that has a drop target, then it would never be processed by the new rule. This is why iptables allows you to insert rules (-I) as well as append them (-A).
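An added example, not posted by anyone in this thread, that puts the pieces above together: it generates the source-restricted DNAT and FORWARD pair for each permitted WAN address, inserts both at the head of their chains so an earlier DROP cannot shadow them, and refuses a source written with a /0 mask, which iptables accepts but treats as 0.0.0.0/0. The interface name, the addresses and the ports are assumptions; the script only prints the rules unless APPLY=1 is set, so it can be checked on any machine before being pasted into the router's firewall script.

```sh
#!/bin/sh
# Added example (not from any poster in this thread): build the two iptables
# rules that forward one WAN port to an internal host for a short list of
# permitted source addresses only. Prints the rules; applies them only when
# APPLY=1. Interface name, addresses and ports below are assumptions.

WAN_IF="${WAN_IF:-vlan1}"    # eth1 on a pre-v2 WRT54G, ppp0 with PPPoE

# A source such as 82.12.57.14/0 is legal iptables syntax, but the /0 mask
# makes it mean 0.0.0.0/0, i.e. every address. Refuse it rather than
# silently opening the port to the whole internet.
check_src() {
    case "$1" in
        ""|*/0|0.0.0.0*) return 1 ;;
    esac
    return 0
}

# fwd_rules SRC EXTPORT INTIP INTPORT
# Prints two rules. Both are inserted at position 1 of their chains (-I) so
# an earlier DROP in FORWARD cannot shadow them. The FORWARD rule matches the
# translated destination (INTIP:INTPORT): nat PREROUTING runs before the
# filter FORWARD chain, so FORWARD never sees the external port.
fwd_rules() {
    src=$1; ext=$2; ip=$3; port=$4
    if ! check_src "$src"; then
        echo "refusing source '$src': it matches any address" >&2
        return 1
    fi
    printf 'iptables -t nat -I PREROUTING 1 -p tcp -i %s -s %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$src" "$ext" "$ip" "$port"
    printf 'iptables -I FORWARD 1 -p tcp -i %s -s %s -d %s --dport %s -j ACCEPT\n' \
        "$WAN_IF" "$src" "$ip" "$port"
}

# apply_rules SRC EXTPORT INTIP INTPORT: print each rule, run it if APPLY=1.
apply_rules() {
    fwd_rules "$@" | while IFS= read -r rule; do
        echo "$rule"
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$rule"
        fi
    done
}

# Demo with two permitted workstations (constructed addresses): each reaches
# RDP on 192.168.0.100:3389 via external port 3390; every other source is
# left to the existing firewall policy.
for s in 82.12.57.14 81.14.12.44; do
    apply_rules "$s" 3390 192.168.0.100 3389
done
```

Run it once without APPLY to read the generated lines, then paste them into the Administration > Firewall script or rerun with APPLY=1 on the router. Because each pair is inserted at position 1, the order in which the permitted addresses are listed does not matter, and a later rule that drops all other WAN traffic to the internal host stays effective.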
     
