
Port Forwarding not working

Discussion in 'HyperWRT Firmware' started by spepi, Sep 24, 2006.

  1. spepi

    spepi Network Guru Member

    Here is my setup.

    Comcast Cable coming into a Linksys Modem ----> Linksys WRT54G V2 running Firmware Version: v4.71.1, Hyperwrt 2.1b1 + Thibor15c

    All is working, except the port forwarding. Before upgrading to Firmware Version: v4.71.1, Hyperwrt 2.1b1 + Thibor15c, I was using Alchemy Pre7, and port forwarding was working fine.

    On the inside, I have an FTP server, Webserver, Remote Desktop, and VNC software.

    Nothing is different, except the new firmware.

    Any suggestions? Any more info needed?

    I have tried everything...I like the Firmware Version: v4.71.1, Hyperwrt 2.1b1 + Thibor15c, and I don't want to go back...
     
  2. Thibor

    Thibor Super Moderator Staff Member Member

    reset your router to defaults and configure it manually. port forwarding works just fine.
     
  3. spepi

    spepi Network Guru Member

    I actually just brought it back from the life of a brick, so I had it to Default settings.....then I flashed it....should I reset again, after the flash?

    Thanks

    spepi
     
  4. swinn

    swinn Network Guru Member

    Yes. It is more important to reset it after the flash than before.. though you should do both if moving from one firmware to another.
     
  5. GhaladReam

    GhaladReam Network Guru Member

    Yes again. You should definitely reset to factory defaults whenever switching firmwares. The "factory defaults" of one firmware may differ completely from another, thus causing problems. The NVRAM should always be cleared when switching firmwares. Period.
     
  6. spepi

    spepi Network Guru Member

    All set...I reset...forwarded ports to my webserver, ftp, and other ports I need access to from outside my network.

    thanks
     
  7. grcore

    grcore Network Guru Member

    Are you redirecting ports? (ie port 80 outside to port 8888 inside).

    run this from the shell: cat /tmp/.ipt
    and post the results here

    g
     
  8. spepi

    spepi Network Guru Member

    No...I am just forwarding port 80 from the outside to the host running port 80 inside.......

    it's hard to have multiple websites running on the inside...because port 80 is the default http port.....unless you are running IIS with Host Headers to get to it......which I am going to add back....so my Websites sit on an IIS box,
     
  9. grcore

    grcore Network Guru Member

    You did not post the results of your .ipt file.....

    You can try manually adding the forwards through firewall_script.
    Add the IP of your server to this script:
    Code:
    # WAN interface name and WAN address, as stored in NVRAM
    WANIF=$(nvram get wan_ifname)
    WANIP=$(nvram get wan_ipaddr)
    SERVIP='put the IP of your server here'
    # nat table: rewrite the destination of packets arriving for WAN port 80
    iptables -t nat -A PREROUTING -i "$WANIF" -p udp -m udp -d "$WANIP" --dport 80 -j DNAT --to-destination "$SERVIP"
    iptables -t nat -A PREROUTING -i "$WANIF" -p tcp -m tcp -d "$WANIP" --dport 80 -j DNAT --to-destination "$SERVIP"
    # filter table: let the rewritten packets through the FORWARD chain
    iptables -I FORWARD -p udp -m udp -d "$SERVIP" --dport 80 -j ACCEPT
    iptables -I FORWARD -p tcp -m tcp -d "$SERVIP" --dport 80 -j ACCEPT

    IMPORTANT: Make sure you remove the forward for port 80 from the GUI, don't just uncheck the enable box because that will then specifically block port 80.
     
  10. slamcat

    slamcat Network Guru Member

    Are you sure port 80 isn't being blocked by your ISP? I know a lot (most) do block port 80 unless you're using a business class account.
     
  11. spepi

    spepi Network Guru Member

    Here is the output from the .ipt file.
    **************************************
    # cat /tmp/.ipt

    *mangle
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -I PREROUTING -i br0 -j MARK --set-mark 256
    -I PREROUTING -i br0 -m mac --mac-source 00:16:B6:5E:31:F4 -j DSCP --set-dscp-class EF
    -I PREROUTING -m layer7 --l7proto worldofwarcraft -j DSCP --set-dscp-class AF11
    -I PREROUTING -m layer7 --l7proto xboxlive -j DSCP --set-dscp-class AF11
    -I PREROUTING -m layer7 --l7proto ftp -j DSCP --set-dscp-class AF41
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i vlan1 -d 192.168.1.0/24 -j DROP
    -A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 8080 -j DNAT --to-destination 192.168.1.1:443
    -A PREROUTING -p icmp -d xx.xx.xx.xx-j DNAT --to-destination 192.168.1.1
    -A PREROUTING -i vlan1 -p udp -m udp -d xx.xx.xx.xx --dport 25137 -j DNAT --to-destination 192.168.1.137:25137
    -A PREROUTING -i vlan1 -p udp -m udp -d xx.xx.xx.xx --dport 25062 -j DNAT --to-destination 192.168.1.62:25062
    -A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 80:80 -j DNAT --to-destination 192.168.1.3
    -A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 21:21 -j DNAT --to-destination 192.168.1.3
    -A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 7220:7228 -j DNAT --to-destination 192.168.1.7
    -A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 3389:3389 -j DNAT --to-destination 192.168.1.7
    -A PREROUTING -p udp -m udp -d xx.xx.xx.xx --dport 3389:3389 -j DNAT --to-destination 192.168.1.7
    -A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 5631:5632 -j DNAT --to-destination 192.168.1.3
    -A PREROUTING -p udp -m udp -d xx.xx.xx.xx --dport 5631:5632 -j DNAT --to-destination 192.168.1.3
    -A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 5900:5901 -j DNAT --to-destination 192.168.1.3
    -A PREROUTING -p udp -m udp -d xx.xx.xx.xx --dport 5900:5901 -j DNAT --to-destination 192.168.1.3
    -A PREROUTING -p tcp -m tcp -d xx.xx.xx.xx --dport 25:25 -j DNAT --to-destination 192.168.1.7
    -A PREROUTING -d xx.xx.xx.xx -j TRIGGER --trigger-type dnat
    -A POSTROUTING -o vlan1 -j MASQUERADE
    -A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    :logreject - [0:0]
    :trigger_out - [0:0]
    :lan2wan - [0:0]
    :grp_1 - [0:0]
    :advgrp_1 - [0:0]
    :grp_2 - [0:0]
    :advgrp_2 - [0:0]
    :grp_3 - [0:0]
    :advgrp_3 - [0:0]
    :grp_4 - [0:0]
    :advgrp_4 - [0:0]
    :grp_5 - [0:0]
    :advgrp_5 - [0:0]
    :grp_6 - [0:0]
    :advgrp_6 - [0:0]
    :grp_7 - [0:0]
    :advgrp_7 - [0:0]
    :grp_8 - [0:0]
    :advgrp_8 - [0:0]
    :grp_9 - [0:0]
    :advgrp_9 - [0:0]
    :grp_10 - [0:0]
    :advgrp_10 - [0:0]
    :grp_11 - [0:0]
    :advgrp_11 - [0:0]
    :grp_12 - [0:0]
    :advgrp_12 - [0:0]
    :grp_13 - [0:0]
    :advgrp_13 - [0:0]
    :grp_14 - [0:0]
    :advgrp_14 - [0:0]
    :grp_15 - [0:0]
    :advgrp_15 - [0:0]
    :grp_16 - [0:0]
    :advgrp_16 - [0:0]
    :grp_17 - [0:0]
    :advgrp_17 - [0:0]
    :grp_18 - [0:0]
    :advgrp_18 - [0:0]
    :grp_19 - [0:0]
    :advgrp_19 - [0:0]
    :grp_20 - [0:0]
    :advgrp_20 - [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 443 -j logaccept
    -A INPUT -p icmp -j logdrop
    -A INPUT -p igmp -j logdrop
    -A INPUT -j logdrop
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1461: -j TCPMSS --set-mss 1460
    -A FORWARD -i vlan1 -o br0 -j TRIGGER --trigger-type in
    -A FORWARD -i br0 -j trigger_out
    -A FORWARD -i br0 -j lan2wan
    -A FORWARD -p udp -m udp -d 192.168.1.137 --dport 25137 -j logaccept
    -A FORWARD -p udp -m udp -d 192.168.1.62 --dport 25062 -j logaccept
    -A FORWARD -p tcp -m tcp -d 192.168.1.3 --dport 80:80 -j logaccept
    -A FORWARD -p tcp -m tcp -d 192.168.1.3 --dport 21:21 -j logaccept
    -A FORWARD -p tcp -m tcp -d 192.168.1.7 --dport 7220:7228 -j logaccept
    -A FORWARD -p tcp -m tcp -d 192.168.1.7 --dport 3389:3389 -j logaccept
    -A FORWARD -p udp -m udp -d 192.168.1.7 --dport 3389:3389 -j logaccept
    -A FORWARD -p tcp -m tcp -d 192.168.1.3 --dport 5631:5632 -j logaccept
    -A FORWARD -p udp -m udp -d 192.168.1.3 --dport 5631:5632 -j logaccept
    -A FORWARD -p tcp -m tcp -d 192.168.1.3 --dport 5900:5901 -j logaccept
    -A FORWARD -p udp -m udp -d 192.168.1.3 --dport 5900:5901 -j logaccept
    -A FORWARD -p tcp -m tcp -d 192.168.1.7 --dport 25:25 -j logaccept
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i br0 -m state --state NEW -j logaccept
    -A FORWARD -j logdrop
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logreject -p tcp -m tcp -j REJECT --reject-with tcp-reset
    COMMIT
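
Added example, not part of any post in this thread: a working forward here is a pair of rules, a nat PREROUTING DNAT and a filter FORWARD accept for the translated address and port, so this shell/awk check lists every DNAT in a dump like the one above and whether a FORWARD accept covers it. The function names, the sample rules and the 203.0.113.10 WAN address are constructed for illustration.

```shell
# audit_forwards [FILE]: for each nat PREROUTING DNAT rule in an iptables-restore
# style dump, print "<proto> <ip> <lo>:<hi> OK|NO-FORWARD" according to whether a
# filter FORWARD accept rule covers the translated (post-DNAT) address and ports.
audit_forwards() {
  awk '
  function opt(name,   i) {        # value that follows option "name", or ""
    for (i = 3; i < NF; i++) if ($i == name) return $(i + 1)
    return ""
  }
  function span(s, sep,   a, k) {  # "80" / "80:81" / "80-81" -> LO, HI
    k = split(s, a, sep); LO = a[1] + 0; HI = (k > 1 ? a[2] : a[1]) + 0
  }
  $1 ~ /^\*/ { table = substr($1, 2); next }
  $1 != "-A" || opt("--dport") == "" { next }
  table == "filter" && $2 == "FORWARD" {
    t = opt("-j"); if (t != "ACCEPT" && t != "logaccept") next
    span(opt("--dport"), ":")
    na++; fp[na] = opt("-p"); fd[na] = opt("-d"); flo[na] = LO; fhi[na] = HI
  }
  table == "nat" && $2 == "PREROUTING" && opt("-j") == "DNAT" {
    k = split(opt("--to-destination"), to, ":")
    if (k > 1) span(to[2], "-"); else span(opt("--dport"), ":")
    nd++; dp[nd] = opt("-p"); dd[nd] = to[1]; dlo[nd] = LO; dhi[nd] = HI
  }
  END {
    for (i = 1; i <= nd; i++) {
      res = "NO-FORWARD"
      for (j = 1; j <= na; j++)
        if (fp[j] == dp[i] && fd[j] == dd[i] && flo[j] <= dlo[i] && fhi[j] >= dhi[i])
          res = "OK"
      print dp[i], dd[i], dlo[i] ":" dhi[i], res
    }
  }' "$@"
}

# Constructed sample; 203.0.113.10 stands in for the WAN address.
sample_ipt() {
  cat <<'EOF'
*nat
-A PREROUTING -p tcp -m tcp -d 203.0.113.10 --dport 80:80 -j DNAT --to-destination 192.168.1.3
-A PREROUTING -p tcp -m tcp -d 203.0.113.10 --dport 8080 -j DNAT --to-destination 192.168.1.3:8888
-A PREROUTING -p tcp -m tcp -d 203.0.113.10 --dport 5900:5901 -j DNAT --to-destination 192.168.1.3
*filter
-A FORWARD -p tcp -m tcp -d 192.168.1.3 --dport 80:80 -j logaccept
-A FORWARD -p tcp -m tcp -d 192.168.1.3 --dport 8080 -j logaccept
-A FORWARD -p tcp -m tcp -d 192.168.1.3 --dport 5900 -j logaccept
EOF
}
sample_ipt | audit_forwards
```

A DNAT whose target is the router's own LAN address, such as the 8080 to 192.168.1.1:443 rule in the dump above, is accepted in INPUT rather than FORWARD and therefore shows as NO-FORWARD here. The same listing doubles as an inventory of which internal services the ruleset exposes to the WAN side.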
     
  12. spepi

    spepi Network Guru Member

    I am sure.....I get to my website without any problems....

    I use DynDnS, to keep my ip updated and I have my domain name pointed to that, so I always get it
     
  13. tiagoespinha

    tiagoespinha Network Guru Member

    Ok, I don't want to sound stupid here but wasn't it HyperWRT in which the port forwarding (per se) didn't really work and we had to use the port range forwarding with just one port?

    Well, I use Thibor15c myself and I always used the port range forwarding either for ranges or single ports, always worked fine, you could try that.
     
  14. slack---line

    slack---line LI Guru Member

    Bit late, but make sure that "Filter Internet NAT Redirection" is unchecked under the Security tag.
     
