Is it possible to set up a port forward via the command line?

Discussion in 'Tomato Firmware' started by zhenya, Oct 25, 2007.

  1. zhenya

    zhenya LI Guru Member

    I have a router running Tomato at a remote location. I have ssh access to a server behind that firewall, and from there, telnet access to the Tomato router. I've configured another server there to host OpenVPN, but I need to set up the proper port forward in Tomato. I don't have access to the Tomato gui, so my question is if there is a way to set up the necessary port forward from the command line. Thanks!
  2. roadkill

    roadkill Super Moderator Staff Member Member

    maybe this will work but I'm no good with iptables so it might not... ;)
    iptables -t nat -A PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport <outside port> -j DNAT --to <inside ip>:<inside port>
  3. zhenya

    zhenya LI Guru Member

    hmm, that doesn't seem to be doing it, but it does seem to be getting me on the right track. Thanks! Let me work on it some more, and I'll check back if I need more assistance. :)
  4. zhenya

    zhenya LI Guru Member

    Ok so
    iptables -A wanin -p udp -d --dport 1194 -j ACCEPT
    seems to make the appropriate entry in iptables as compared to making the same change via the web interface on another router I have here locally. It also matches the ssh forward rule that is working on the remote router. However it still isn't working. I can't see that making the change via the web interface makes any other changes to iptables, so I'm stumped as to what the problem is. Anybody have any other suggestions?
  5. mstombs

    mstombs Network Guru Member

    To compare firewall config you need to look at both the normal and nat tables with

    iptables -L -vn
    iptables -L -vn -t nat
  6. u3gyxap

    u3gyxap Network Guru Member

    This is how port forwarding via command line works:

    iptables -t nat -I PREROUTING -p tcp --dport 12345 -j DNAT --to
    iptables -I FORWARD -p tcp -d --dport 12345 -j ACCEPT

    Substitute IP and port 12345 with real numbers.
  7. zhenya

    zhenya LI Guru Member

    Great! Thanks for the help everybody. Not only do I have it working, but this exercise has forced me to finally take the time to start figuring out how iptables works; something I've been meaning to do for a long time now, but have thus far been able to avoid. :) Thanks again!
  8. u3gyxap

    u3gyxap Network Guru Member

    Most welcome :)
  9. Matt Burkett

    Matt Burkett Serious Server Member

    So the posts here are quite old; I hope that they are still viewed.
    I used this in a pinch where my VPN would not allow me to log into my house.
    Now I need to erase the two commands so that my Tomato firmware RT-N66U goes back to how it was.
    Can anyone help me remove the above modifications to a Tomato firmware router?
  10. USNetboy

    USNetboy Networkin' Nut Member
    The simplest solution is just to go to the GUI: Port Forwarding->Basic and Save. The rules you added through the command line are not saved in NVRAM. Once you click "save" all the current rules are flushed and reloaded from NVRAM.

    If you insist on clearing each rule at the command line, do the following:
    iptables -L FORWARD -vn --line-numbers
    This will list the rules in the FORWARD chain with rule numbers at the far left column. Now identify the rule you want to delete and:
    iptables -D FORWARD <X>
    (replace <X> with the rule number you want deleted)
    Next repeat the process for the PREROUTING chain in the nat table:
    iptables -t nat -L PREROUTING -vn --line-numbers
    iptables -D PREROUTING <Y>
    (replace <Y> with the rule number you want deleted)
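An added example to go with the rule-number procedure above (it is not from any post in this thread): a small POSIX sh script that picks the rule numbers matching a destination port out of an `iptables -L ... -vn --line-numbers` listing and emits the matching `iptables -D` commands highest-number first, since deleting rule 2 renumbers everything below it. The FORWARD listing it runs against is a constructed sample (the udp/1194 OpenVPN rule from the thread, assumed here to have been added twice), so it runs offline; on the router you would pipe in the real listing.

```shell
#!/bin/sh
# Added example (not from the thread): locate the rule numbers for a given
# destination port in an iptables listing, then emit the matching delete
# commands in descending order so deleting one rule does not shift the
# numbers of the ones still to be deleted. A constructed sample listing is
# used so the script runs offline; on the router you would feed it the
# real output of "iptables -L FORWARD -vn --line-numbers".

# Print the "num" column of every rule in the listing (stdin) whose match
# column contains "dpt:<port>" (the form iptables -vn uses for --dport).
rule_numbers() {
    port="$1"
    awk -v pat="dpt:${port}$" '$1 ~ /^[0-9]+$/ {
        for (i = 1; i <= NF; i++) if ($i ~ pat) { print $1; break }
    }'
}

# Build "iptables [-t table] -D <chain> <num>" commands for the rules that
# match the port, highest number first. The listing comes from stdin.
delete_commands() {
    table="$1"; chain="$2"; port="$3"
    rule_numbers "$port" | sort -rn | while read -r num; do
        if [ "$table" = "filter" ]; then
            printf 'iptables -D %s %s\n' "$chain" "$num"
        else
            printf 'iptables -t %s -D %s %s\n' "$table" "$chain" "$num"
        fi
    done
}

# Constructed sample of "iptables -L FORWARD -vn --line-numbers" on a router
# where the udp/1194 ACCEPT rule from the thread was entered twice.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target  prot opt in    out  source     destination
1        0     0 ACCEPT  all  --  *     *    0.0.0.0/0  0.0.0.0/0     state RELATED,ESTABLISHED
2       12   960 ACCEPT  udp  --  *     *    0.0.0.0/0  192.168.1.50  udp dpt:1194
3        0     0 wanin   all  --  vlan1 *    0.0.0.0/0  0.0.0.0/0
4        3   240 ACCEPT  udp  --  *     *    0.0.0.0/0  192.168.1.50  udp dpt:1194'

# Run the sample through the generator: prints "iptables -D FORWARD 4"
# and then "iptables -D FORWARD 2".
forward_deletes() {
    printf '%s\n' "$SAMPLE_FORWARD" | delete_commands filter FORWARD 1194
}
```

Review the printed commands before running them; the same function with `nat PREROUTING` handles the DNAT rule in the nat table.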
