
Securing port forwarding

Discussion in 'Tomato Firmware' started by Ezrem, Mar 14, 2007.

  1. Ezrem

    Ezrem LI Guru Member

    On my old Netgear FWAG114 router (great unit, just needed QoS to be perfect) I had the option of authorizing a specific IP range to access an incoming port on my router.

    I would like to do this on my WRT54GL running Tomato, but don't see the option in the Port Forwarding menu.

    Is this something I could do with a startup script? I am thinking it would just be some custom iptables commands, but am unsure.

    For instance, let's say I want to enable ssh access to a server inside my network by forwarding port 1234 to port 22 on internal host 192.168.1.5, but I only want external ip address 1.2.3.4 to be able to be forwarded inside.

    Any and all help will be appreciated. :)
     
  2. roadkill

    roadkill Super Moderator Staff Member Member

    iptables -A PREROUTING -t nat -i vlan1 -p tcp --source 1.2.3.4 \
    --dport 1234 -j DNAT --to 192.168.1.5:22

    I think that will do the trick....
     
  3. Ezrem

    Ezrem LI Guru Member

    Shouldn't that all be one command line? And I just put it in one of the scripts, or ssh in and run it and then commit nvram?
     
  4. bokh

    bokh Network Guru Member

    Yes it should!
    The "\" in a Unix-script marks that the line should in fact continue, but is wrapped at that point. Should work in a script (too) though.
     
  5. Ezrem

    Ezrem LI Guru Member

    This doesn't seem to work. If I just run that command in an ssh window, and then do an iptables --list, I don't see it listed?
     
  6. Ezrem

    Ezrem LI Guru Member

    Where would I find the firewall script that is already running for all my existing port forwarding and such if I were to ssh into the router?
     
  7. roadkill

    roadkill Super Moderator Staff Member Member

    Give the real IP addresses and ports; maybe something went wrong in the process... :ninja:
     
  8. Ezrem

    Ezrem LI Guru Member

    Ports especially are relatively academic for a pursuit such as this since I can just put my service wherever I want it...

    For the sake of argument let's just say the source (external) IP will be 68.115.43.84, the port I want to use really is 80, and I really want to forward it to port 80 on my internal host, as I have a webserver running with some super secret photos I only want to show to a friend or something.

    And thus, I pasted the following line into the Firewall script in Tomato:
    iptables -A PREROUTING -t nat -i vlan1 -p tcp --source 68.115.43.84 --dport 80 -j DNAT --to 192.168.1.5:80

    ssh'ing in and running iptables --list (even after a reboot) showed no such route. All the ones that I configured on the normal port forwarding page were displayed properly.
     
  9. roadkill

    roadkill Super Moderator Staff Member Member

    Your input device is the DIALER bridge VLAN1... do you dial at all, or do you have DHCP?
     
