Internal to internal port forward

Discussion in 'Tomato Firmware' started by chilly2, Aug 17, 2008.

  1. chilly2

    chilly2 Addicted to LI Member


    I have a WRT54GL running Tomato 1.21. It was upgraded from Linksys's most recent firmware The settings transferred across perfectly as far as I can see. The WRT54GL is on There is a squid proxy box on

    My other half has a laptop home from her job where the Firefox and IE proxy setup points to an http proxy, coincidentally on too, port 800 (!) I don't want her to have to change any settings, so I am trying to set it up so that connecting to on port 800 will redirect to port 3128.

    I tried this...

    /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s -d -p tcp --dport 800 -j ACCEPT
    /usr/sbin/iptables -t nat -A PREROUTING -i br0 -s ! -p tcp --dport 800 -j DNAT --to
    /usr/sbin/iptables -t nat -A POSTROUTING -o br0 -s -p tcp -d -j SNAT --to
    /usr/sbin/iptables -t filter -I FORWARD -s -d -i br0 -o br0 -p tcp --dport 3128 -j ACCEPT

    So, above should do...
    box on lan > : 800 > : 3128 -> out to web.

    Unfortunately telnetting from a box on the LAN to port 800 is giving a connection refused. I was pretty certain iptables changes happened instantly, so what am I doing wrong?

    If the above isn't going to work, what other ways are there to do it? The emphasis here is on not having to change the work laptop settings. has to give the appearance of having a squid / http proxy on port 800.

    All help gratefully received.

    Thanks in advance.
  2. HennieM

    HennieM Network Guru Member

    Have not got time to help w everything now, but your first rule
    jumps out of the PREROUTING chain, so your other statements are not executed.
  3. skiv71

    skiv71 Addicted to LI Member

    hi, did you manage to get this working? lan to lan port forwarding would suit me for my application. thanks, neil
  4. chilly2

    chilly2 Addicted to LI Member

    Hennie M's suggestion did the trick. It works perfectly now, so to answer your question, yes.
  5. chilly2

    chilly2 Addicted to LI Member

    Following up, I later found out I had no access to my DMZ machine with the above rules (minus the first line). As soon as I enabled the DMZ again the rules above stopped working. Not sure what to try next :(
  6. fryfrog

    fryfrog Network Guru Member

    Why not just run your proxy server with the ip/port that hers is expecting? No local port forwarding madness required, just change (or add) the IP to the current proxy server and either have the proxy server listen on both ports or just change to that one port.

    When you manually add iptables rules they are only going to stay until *something* happens. I suspect (with 99.9% surety) that DMZ is done via iptables, which would probably wipe everything you change out.

    It is a shame her work doesn't use a proxy auto discovery script.
  7. rhester72

    rhester72 Network Guru Member

    DMZ is most definitely done with iptables, and cleared/refreshed every time the firewall service is restarted.

  8. chilly2

    chilly2 Addicted to LI Member

    The network is laid out like so...

    Cable modem -> Linksys WRT54GL (gateway,
    Linux box with Squid (, port 3128), set as DMZ host on the WRT54GL.

    Your suggestion works great if the requesting host is on the WAN / public Internet side.

    It doesn't work from the LAN side. e.g. If I telnet to on 3128 or 800 the connection fails. The laptop expects, port 800.

    I quite agree! :(
  9. chilly2

    chilly2 Addicted to LI Member

    I cleared the existing rules and tried this. It worked! :)

    iptables -t nat -A PREROUTING -d -p tcp --dport 800 -j DNAT --to
    # iptables -t nat -A POSTROUTING -s -p tcp -d -j MASQUERADE
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice