IP Tables - Address Forwarding

Discussion in 'DD-WRT Firmware' started by Bloat, Dec 10, 2007.

  1. Bloat

    Bloat LI Guru Member

    Hi,

    New to the forum so please be gentle!!!!

    Is it possible to forward all traffic (or just udp would suffice) from a WAN IP address to a specific LAN IP address?? It doesn't matter about specific ports, though if it is possible to specify this it would be helpful.

    e.g. forward all traffic from 192.245.12.228 to 192.168.0.5

    I have been trying to use the IPTABLES command both via telnet and the Command page of the web interface without success. I have tried the following:

    iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j ACCEPT

    My knowledge of iptables is very limited. Using IPTABLES -L FORWARD shows that the entry has been added into the chain but then the web interface logs show the packets from that IP address as 'DROPPED'.

    (I am running DD-WRT v23SP2 on a Linksys WRT54GLv1.1)

    Any suggestions / corrections??
     
  2. mstombs

    mstombs Network Guru Member

    Can't you do this from the GUI? The DMZ does "all" after any specific rules.

    If there's some reason you need to do it from the command line you normally need to use DNAT in the -t nat PREROUTING chain
     
  3. Bloat

    Bloat LI Guru Member

    Thanks for the prompt reply! I don't really want to use DMZ as it opens up too many holes.

    Could you elaborate on the use of DNAT in the PREROUTING chain please... if possible can you type the full command like what I was incorrectly using earlier??!! I'll have a look in the meanwhile to try and understand this command a bit more

    Help much appreciated

    Bloat

    Edit: Is this the correct command to use??

    iptables -t nat -A PREROUTING -p udp -s 192.245.12.228 -j DNAT --to 192.168.0.5
     
  4. mstombs

    mstombs Network Guru Member

    Looks good to me - I don't have that version of dd-wrt handy to check on syntax - dd-wrt also has the "ip" command doesn't it?

    You can also add "-i vlan1" to only check the rule if the packet arrives on the vlan1 interface (assuming that's the WAN interface name....)

    You will also need the FORWARD rule in the first post, unless it is accepted by some other rule.

    You seem to be learning fast! Use "iptables -L -vn" and "iptables -L -vn -t nat" to see the result of your work! Also check "route" to make sure router knows where to find all of the IP addresses referenced.
     
  5. Bloat

    Bloat LI Guru Member

    Hurray!!!

    After posting on 4 different forums and numerous attempts, thanks to your help it now works.

    To confirm I entered the following two commands: (Note I used the protocol 'all' in the end although udp did work fine too)

    iptables -I FORWARD -p all -s 192.245.12.228 -d 192.168.0.5 -j ACCEPT
    iptables -t nat -I PREROUTING -p all -s 192.245.12.228 -j DNAT --to 192.168.0.5

    The reason for this post was to enable me to host a network game of the recently released Unreal Tournament 3, which together with a port forward of 7777 now works flawlessly.

    I shall now be posting links to this forum on all the others, hopefully showing many others how to do what some said wouldn't work.

    MSTOMBS - Couldn't have done it without you... your title of Guru is truly justified.

    Merry Xmas!!

    Bloat
     
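The two rules the thread ends with, written out as a rerunnable DD-WRT firewall-script fragment. This is an added example, not Bloat's or mstombs's code: it keeps the thread's addresses and its UDP port 7777, adds the `-i` WAN-interface match mstombs suggested, and narrows the match to one port so the DNAT no longer catches every protocol from that source. The WAN interface name `vlan1`, the `MODE` switch and the `run`/`ensure_rule` helpers are assumptions for the example. With `MODE` unset it only prints the commands it would run; `MODE=apply` executes them on the router.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT in nat/PREROUTING plus an
# ACCEPT in filter/FORWARD, restricted to one WAN interface, one remote
# source, one protocol and one port.

WAN_IF=vlan1            # assumption: WAN interface name on the WRT54GL; verify with `ip addr`
SRC_IP=192.245.12.228   # remote host allowed through (from the thread)
LAN_HOST=192.168.0.5    # LAN host that receives the traffic (from the thread)
PROTO=udp
PORT=7777               # game port (from the thread)

# MODE=print echoes the iptables commands; MODE=apply runs them.
MODE="${MODE:-print}"

run() {
    if [ "$MODE" = apply ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Delete any earlier copy of the rule, then insert it. DD-WRT re-runs the
# firewall script on every WAN reconnect, so without this the same rule
# would be stacked once per reconnect.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if [ "$MODE" = apply ]; then
        iptables -t "$table" -D "$chain" "$@" 2>/dev/null || true
    fi
    run iptables -t "$table" -I "$chain" "$@"
}

forward_from_host() {
    # 1. nat/PREROUTING: rewrite the destination before the routing decision,
    #    otherwise the packet is addressed to the router itself and never
    #    reaches FORWARD.
    ensure_rule nat PREROUTING -i "$WAN_IF" -p "$PROTO" -s "$SRC_IP" \
        --dport "$PORT" -j DNAT --to-destination "$LAN_HOST:$PORT"
    # 2. filter/FORWARD: the rewritten packet still has to pass the filter.
    #    FORWARD sees the post-DNAT destination, so match on the LAN host.
    ensure_rule filter FORWARD -i "$WAN_IF" -p "$PROTO" -s "$SRC_IP" \
        -d "$LAN_HOST" --dport "$PORT" -j ACCEPT
}

# The checks mstombs recommends: packet/byte counters on both chains, and
# the routing table so both addresses are reachable.
show_state() {
    run iptables -L FORWARD -vn
    run iptables -L PREROUTING -vn -t nat
    run route -n
}

forward_from_host
show_state
```

Once applied, the counters printed by `iptables -L FORWARD -vn` and `iptables -L PREROUTING -vn -t nat` should increase while the remote host is sending; if the PREROUTING counter moves but the FORWARD one does not, the packet is being rewritten but dropped by the filter, which is the symptom described in the first post.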