
Port Forwarding to External IP

Discussion in 'Tomato Firmware' started by mymurat, May 6, 2009.

  1. mymurat

    mymurat Addicted to LI Member

    Is there a way to set up port forwarding where the WRTG55 (Tomato) listens on UDP port 2000 in the LAN, for example, and redirects all the traffic from port 2000 to an external IP?
    Don't know how to do this with iptables. Perhaps someone can help?
     
  2. paped

    paped LI Guru Member

    Not quite sure what you are trying to do here but the router should not need any configuration to do this. Basically you need to configure your application to contact the external IP address directly on port 2000, normally this is done by <ipaddress>:2000 or your application may have separate fields for the address and port.

    The only time you need to port forward is for inbound connections that are initiated from the internet, as by default all inbound traffic is blocked unless there is a corresponding initial request from a PC in the LAN or a port forward. I.e. for browser traffic to a www site your PC requests the information, so the return from the website is allowed in and back to the same PC. But if you run a website on your LAN then port forwarding is needed, as an external PC will be making the initial request and thus this would be blocked.
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Give this a shot. In your firewall script:
    Code:
    iptables -t nat -I PREROUTING -p udp -s 192.168.0.0/24 ! -d 192.168.0.0/24 --dport 1234 -j DNAT --to-destination 172.22.22.22
    Replace udp with tcp if appropriate, 192.168.0.0 with your LAN subnet (both places), 1234 with the port you want to capture, and 172.22.22.22 with the destination IP you want.

    This is the same kind of thing Tomato does when you enable "Intercept DNS Port" in the GUI, except it sends it to an external ip rather than to itself.
     
  4. mymurat

    mymurat Addicted to LI Member

    Will try the script tomorrow. My problem is that I have audio-stream hardware where you can't set a gateway. It was built for local network streaming. But I need to stream to an external IP and have to use this hardware. So that's the reason I'm looking for a solution via iptables.
     
  5. mymurat

    mymurat Addicted to LI Member

    Unfortunately it didn't work. I also tried an internal IP. But nothing is received at the destination. :(
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try changing it to (same substitutions as before, and reboot needed)
    Code:
    iptables -t nat -N logredirect
    iptables -t nat -I logredirect -j DNAT --to-destination 172.22.22.22
    iptables -t nat -I logredirect -j LOG --log-prefix "REDIRECT "
    iptables -t nat -I PREROUTING -p udp --dport 1234 -j LOG --log-prefix "AFTER "
    iptables -t nat -I PREROUTING -p udp -s 192.168.0.0/24 ! -d 192.168.0.0/24 --dport 1234 -j logredirect
    iptables -t nat -I PREROUTING -p udp --dport 1234 -j LOG --log-prefix "BEFORE "
    
    Then post the entries that appear in your router log when you try to run this traffic.

    You can also try getting rid of the "-s 192.168.0.0/24 ! -d 192.168.0.0/24" part, but the output I mention above will let us know if that would even work.

    Also, just to check, you did reboot the router after placing it in the Firewall script, right?
     
  7. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I just used these commands to redirect all port 80 tcp traffic to google's servers, and it worked (kind of a strange feeling to type in yahoo.com and see google's homepage :smile:). So, I don't see any reason why it wouldn't work for you. Make sure you substitute all the right values and reboot the router. Then let me know how it goes.
     
  8. mymurat

    mymurat Addicted to LI Member

    Still doesn't work.

    Dec 31 16:00:10 ? user.info kernel: NET4: Linux TCP/IP 1.0 for NET4.0
    Dec 31 16:00:10 ? user.info kernel: IP Protocols: ICMP, UDP, TCP, IGMP
    Dec 31 16:00:10 ? user.info kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
    Dec 31 16:00:10 ? user.info kernel: TCP: Hash tables configured (established 1024 bind 2048)
    Dec 31 16:00:10 ? user.info kernel: Linux IP multicast router 0.06 plus PIM-SM
    Dec 31 16:00:10 ? user.warn kernel: ip_conntrack version 2.1 (8092 buckets, 4096 max) - 368 bytes per conntrack
    Dec 31 16:00:10 ? user.warn kernel: ip_tables: (C) 2
    Dec 31 16:00:10 ? user.info kernel: 000-2002 Netfilter core team
    Dec 31 16:00:10 ? user.info kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
    Dec 31 16:00:10 ? user.info kernel: NET4: Ethernet Bridge 008 for NET4.0
    Dec 31 16:00:10 ? user.alert kernel: 802.1Q VLAN Support v1.7 Ben Greear <greearb@candelatech.com>
    Dec 31 16:00:10 ? user.alert kernel: All bugs added by David S. Miller <davem@redhat.com>
    Dec 31 16:00:10 ? user.warn kernel: VFS: Mounted root (squashfs filesystem) readonly.
    Dec 31 16:00:10 ? user.info kernel: Mounted devfs on /dev
    Dec 31 16:00:10 ? user.info kernel: Freeing unused kernel memory: 64k freed
    Dec 31 16:00:10 ? user.warn kernel: Algorithmics/MIPS FPU Emulator v1.5
    Dec 31 16:00:10 ? user.warn kernel: ip_conntrack_pptp version 1.9 loaded
    Dec 31 16:00:10 ? user.warn kernel: ip_nat_pptp version 1.5 loaded
    Dec 31 16:00:10 ? user.warn kernel: ip_conntrack_rtsp v0.01 loading
    Dec 31 16:00:10 ? user.warn kernel: ip_nat_rtsp v0.01 loading
    Dec 31 16:00:10 ? user.warn kernel: eth0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.90.38.0
    Dec 31 16:00:10 ? user.warn kernel: eth1: Broadcom BCM4320 802.11 Wireless Controller 3.90.38.0
    Dec 31 16:00:10 ? user.warn kernel: tomato_ct.c [Dec 14 2008 03:09:32]
    Dec 31 16:00:10 ? user.info kernel: vlan0: dev_set_promiscuity(master, 1)
    Dec 31 16:00:10 ? user.info kernel: device eth0 entered promiscuous mode
    Dec 31 16:00:10 ? user.info kernel: device vlan0 entered promiscuous mode
    Dec 31 16:00:10 ? user.info kernel: device eth1 entered promiscuous mode
    Dec 31 16:00:10 ? user.info kernel: br0: port 2(eth1) entering learning state
    Dec 31 16:00:10 ? user.info kernel: br0: port 1(vlan0) entering learning state
    Dec 31 16:00:10 ? user.warn kernel: vlan1: Setting MAC address to 00 23 69 25 be 90.
    Dec 31 16:00:10 ? user.info kernel: vl
    Dec 31 16:00:10 ? user.info kernel: an1: add 01:00:5e:00:00:01 mcast address to master interface
    Dec 31 16:00:10 ? user.info kernel: br0: port 2(eth1) entering forwarding state
    Dec 31 16:00:10 ? user.info kernel: br0: topology change detected, propagating
    Dec 31 16:00:10 ? user.info kernel: br0: port 1(vlan0) entering forwarding state
    Dec 31 16:00:10 ? user.info kernel: br0: topology change detected, propagating
    Dec 31 16:00:10 ? user.info kernel: vlan1: dev_set_promiscuity(master, 1)
    Dec 31 16:00:10 ? user.info kernel: device vlan1 entered promiscuous mode
    Dec 31 16:00:10 ? user.info kernel: vlan1: dev_set_allmulti(master, 1)
    Dec 31 16:00:10 ? user.info kernel: vlan1: add 01:00:5e:00:00:02 mcast address to master interface
    Dec 31 16:00:10 ? user.info kernel: device br0 entered promiscuous mode
    Dec 31 16:00:11 ? daemon.info dnsmasq[231]: started, version 2.46 cachesize 150
    Dec 31 16:00:11 ? daemon.info dnsmasq[231]: compile time options: no-IPv6 GNU-getopt no-RTC no-DBus no-I18N no-TFTP
    Dec 31 16:00:11 ? daemon.info dnsmasq[231]: reading /etc/resolv.dnsmasq
    Dec 31 16:00:12 ? daemon.info dnsmasq[231]: using nameserver 192.8.194.60#53
    Dec 31 16:00:12 ? daemon.info dnsmasq[231]: read /etc/hosts - 0 addresses
    Dec 31 16:00:12 ? daemon.info dnsmasq[231]: read /etc/hosts.dnsmasq - 0 addresses
    Dec 31 16:00:12 ? cron.err crond[235]: crond (busybox 1.12.3) started, log level 9
    Dec 31 16:00:12 ? user.info init[1]: Tomato 1.23.1607
    Dec 31 16:00:12 ? user.info init[1]: Linksys WRT54G/GS/GL
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I've confirmed the method works, so we just need to know what's different on your end. Could you provide the exact firewall rules you added, and telnet/ssh into the router and provide the output of
    Code:
    route -n;ifconfig;iptables -t nat -vL
     
  10. mymurat

    mymurat Addicted to LI Member

    ssh results

    Tomato v1.23.1607


    BusyBox v1.12.3 (2008-12-14 02:54:58 PST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    # route -n;ifconfig;iptables -t nat -vL
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    87.79.6.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan1
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 87.79.6.1 0.0.0.0 UG 0 0 0 vlan1
    br0 Link encap:Ethernet HWaddr 00:23:69:25:BE:8F
    inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:360 errors:0 dropped:0 overruns:0 frame:0
    TX packets:452 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:40027 (39.0 KiB) TX bytes:163705 (159.8 KiB)

    eth0 Link encap:Ethernet HWaddr 00:23:69:25:BE:8F
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:515 errors:0 dropped:0 overruns:0 frame:0
    TX packets:472 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:59191 (57.8 KiB) TX bytes:167486 (163.5 KiB)
    Interrupt:4 Base address:0x1000

    eth1 Link encap:Ethernet HWaddr 00:23:69:25:BE:91
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:13
    TX packets:0 errors:111 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Interrupt:2 Base address:0x5000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:28 errors:0 dropped:0 overruns:0 frame:0
    TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:1876 (1.8 KiB) TX bytes:1876 (1.8 KiB)

    vlan0 Link encap:Ethernet HWaddr 00:23:69:25:BE:8F
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:361 errors:0 dropped:0 overruns:0 frame:0
    TX packets:452 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:41567 (40.5 KiB) TX bytes:165513 (161.6 KiB)

    vlan1 Link encap:Ethernet HWaddr 00:23:69:25:BE:90
    inet addr:87.79.6.21 Bcast:87.79.6.255 Mask:255.255.255.0
    UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:154 errors:0 dropped:0 overruns:0 frame:0
    TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:8354 (8.1 KiB) TX bytes:1973 (1.9 KiB)

    Chain PREROUTING (policy ACCEPT 35 packets, 2330 bytes)
    pkts bytes target prot opt in out source destination

    0 0 LOG udp -- any any anywhere anywhere
    udp dpt:1234 LOG level warning prefix `BEFORE '
     
  11. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The more important part of what I asked for was the exact rules you are putting in your firewall script. Please copy them from there to here so I can double-check them.

    However, from the iptables -nat -vL output you provided, I can tell they are not right. Make sure you substitute all the values as appropriate (port, protocol, ip...).
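    The check SgtPepperKSU is doing by eye above, written out as a small script: it parses `iptables -t nat -vL` output and reports whether the jump rule from post 6 and the DNAT rule in the custom chain are present for the expected port and destination, and whether they have matched any packets yet. This is an added example, not code from the thread; the sample output is constructed in the shape Tomato prints, with the thread's placeholder values (port 1234, destination 172.22.22.22).

```python
import re

# Constructed sample in the shape of `iptables -t nat -vL` on Tomato, trimmed to the
# two chains the post-6 rules touch (not the output pasted in the thread).
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 35 packets, 2330 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        udp  --  any    any     anywhere             anywhere            udp dpt:1234 LOG level warning prefix `BEFORE '
    0     0 logredirect  udp  --  any    any     192.168.0.0/24      !192.168.0.0/24     udp dpt:1234

Chain logredirect (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `REDIRECT '
    0     0 DNAT       all  --  any    any     anywhere             anywhere            to:172.22.22.22
"""

def parse_nat_table(text):
    """Return {chain_name: [rule_dict, ...]} from `iptables -t nat -vL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [match options]
        if len(f) < 9:
            continue
        chains[current].append({"pkts": int(f[0]), "target": f[2], "prot": f[3],
                                "source": f[7], "destination": f[8],
                                "extra": f[9] if len(f) > 9 else ""})
    return chains

def check_redirect(chains, port, dest_ip, chain="logredirect"):
    """Is the PREROUTING jump for `port` present, does `chain` DNAT to `dest_ip`, and have they fired?"""
    pre = chains.get("PREROUTING", [])
    jump = [r for r in pre if r["target"] == chain and f"dpt:{port}" in r["extra"]]
    dnat = [r for r in chains.get(chain, []) if r["target"] == "DNAT" and f"to:{dest_ip}" in r["extra"]]
    return {
        "jump_rule_present": bool(jump),
        "dnat_rule_present": bool(dnat),
        "jump_rule_hits": jump[0]["pkts"] if jump else 0,
        "dnat_rule_hits": dnat[0]["pkts"] if dnat else 0,
    }

if __name__ == "__main__":
    print(check_redirect(parse_nat_table(SAMPLE), 1234, "172.22.22.22"))
```

If the jump rule is present but its hit counter stays at zero while the PREROUTING policy counter climbs, the traffic is not matching the port, protocol or subnet in the rule, which is the substitution problem the reply above points at.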
     
  12. mymurat

    mymurat Addicted to LI Member

    First of all, thank you for your help and quick replies, SgtPepperKSU. I'll post all the data as soon as possible. Too much work at this time. But I have to get this thing to work ;)
     