iptables problem

Discussion in 'HyperWRT Firmware' started by fabjan, Jan 5, 2005.

  1. fabjan

    fabjan Network Guru Member


    I have a WRT54G with HyperWRT 2.0b3. I would like to connect remotely to my pc with remote desktop. I changed the listen port of remote desktop to 443 to allow my connection from work and added in the Application and Gaming tab the correct entry :
    Application : remote
    start and stop : 443
    protocol : TCP
    IP Address :
    Everything works perfectly but I want to allow only the source address from my work, so I try to do it with iptables.
    First, I try to do the same thing that I can do with the Application and Gaming tab. In a telnet session, #iptables --list FORWARD --line-number gives :
    Chain FORWARD (policy ACCEPT)
    num target prot opt source destination
    1 ACCEPT all -- anywhere anywhere
    2 DROP all -- anywhere anywhere state INVALID
    3 TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1453:65535 TCPMSS set 1452
    4 logaccept udp -- anywhere BASE-ADDRESS.MCAST.NET/4 udp
    5 TRIGGER all -- anywhere anywhere TRIGGER type:in match:0 relate:0
    6 trigger_out all -- anywhere anywhere
    7 lan2wan all -- anywhere anywhere
    8 logaccept tcp -- anywhere tcp dpt:6462
    9 logaccept udp -- anywhere udp dpt:6472
    10 logaccept tcp -- anywhere tcp dpt:https
    11 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    12 logaccept all -- anywhere anywhere state NEW
    13 DROP all -- anywhere anywhere
    If I remove the rule in the tab Applications and gaming, the line number 10 is removed. Then I try to recreate it with that command :
    iptables -I FORWARD 10 -p tcp -d --dport 443 -j logaccept
    I have exactly the same thing as before when I do a iptables --list FORWARD --line-number, but it does not work anymore.
    Did I forget something ??


  2. fabjan

    fabjan Network Guru Member

    Ok, I found it.
    I have to add a rule in the nat table :

    iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --dport 443 -j DNAT --to-destination

    where x.x.x.x is my public address.
    But I have another problem, the public address is a dynamic address. How can I create the rule with a dynamic address ? The rules created with the web admin can do that !


  3. zaphod

    zaphod Network Guru Member

    search the iptables help for using a variable something like $WAN or so...

    i think you can use it like that...

    so the variable will be replaced with the value of the ip it has.....
  4. fabjan

    fabjan Network Guru Member

    There doesn't seem to be this kind of variable on the WRT54G. The variable with the wan address is an nvram value I can get with "nvram get wan_ipaddr", but I can't use this in an iptables command.

  5. harry5555

    harry5555 Network Guru Member


    Inside a shell script you can simply create a variable by using the ` "backtick" character E.G.:

    WAN=`nvram get wan_ipaddr`
    echo $WAN

    If you enter your Commands under Administration -> Management -> Firewall your script is stored under /tmp/firewall.sh in HyperWRT 2.03b.

    I didn't try that but maybe it works for you.
  6. zaphod

    zaphod Network Guru Member

    hi harry5555,

    if you use your way to get the wan address the variable must be filled every time you get a new ip address (every 24h is common in germany)..

    so you must use a rc-script which runs every 24h which fills the "global" variable $WAN and exports it.

    after that you must drop all iptables things and restart the firewall-script so that the new wan address will be replaced in it...

    it could work... just a matter of syncing the rc-script with the time you get a new wan address....


  7. fabjan

    fabjan Network Guru Member


    I've already tried the command with backtick, but backtick does not work as expected on this kind of linux.
    I think that every time the wan address is changed, a program /tmp/ppp/ip-up is run and re-creates the firewall rules (they are in the file /tmp/.ipt).
    So I think there is no way to have the wan address in a variable every time it changes.
    I found another way to solve my problem with the following command :
    iptables -t nat -I PREROUTING 6 -p tcp -i ppp+ --dport 443 -j DNAT --to-destination
    The "-i ppp+" means that only packets coming from the wan interface will be concerned by that rule.

    Here is my firewall script to allow the connection to my home computer with remote desktop (3389) from work using https (443) :

    /usr/sbin/iptables -t nat -I PREROUTING 6 -p tcp -i ppp+ --dport 443 -j DNAT --to-destination
    /usr/sbin/iptables -I FORWARD 10 -p tcp -s x.x.x.x -d --dport 3389 -j ACCEPT

    where x.x.x.x is the public address of my work pc.
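    The script below is an added example, not fabjan's script and not HyperWRT's own firewall code. It generates the two rules for the scenario in this thread (remote desktop on 3389 reached through external port 443, WAN interface matched with -i ppp+ so the rule survives a change of the dynamic address) and goes one step beyond the post above: the trusted work address is put on the nat/PREROUTING DNAT rule as well as on the FORWARD rule, so packets from any other source are never translated to the LAN host at all, and the addresses are validated before they are interpolated into a command. The LAN host 192.168.1.100 and the work address 203.0.113.10 are constructed values, as is the choice to print the commands rather than run them.

```sh
#!/bin/sh
# Added example, not fabjan's script or HyperWRT's own firewall code.
# Generates the two iptables rules for the scenario in the thread (remote
# desktop on 3389 reached through external port 443) and pins BOTH rules to the
# trusted source address, so untrusted clients are never DNAT'ed to the LAN host.
# Assumptions (constructed values): WAN interface pattern ppp+, LAN host
# 192.168.1.100, work address 203.0.113.10 (TEST-NET-3 documentation range).

IPT=/usr/sbin/iptables
WORK_IP=203.0.113.10      # constructed: public address of the work PC
LAN_HOST=192.168.1.100    # constructed: LAN address of the home PC

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address, so a garbage
# value never ends up interpolated into a rule that is then applied.
is_ipv4() {
  set -f
  oldifs=$IFS
  IFS=.
  set -- $1
  IFS=$oldifs
  set +f
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# build_rules WAN_IF SRC LAN_HOST EXT_PORT INT_PORT
# Prints the commands instead of running them so they can be reviewed before
# being pasted into Administration -> Management -> Firewall on the router.
build_rules() {
  wan_if=$1; src=$2; host=$3; ext_port=$4; int_port=$5
  # nat/PREROUTING: translate only packets arriving on the WAN interface from
  # the trusted source. Matching on -i rather than on the WAN address keeps the
  # rule valid when the dynamic address changes.
  printf '%s -t nat -I PREROUTING -i %s -s %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$IPT" "$wan_if" "$src" "$ext_port" "$host" "$int_port"
  # filter/FORWARD: let the translated connection through, again restricted to
  # the trusted source and to the one LAN host and port.
  printf '%s -I FORWARD -i %s -s %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
    "$IPT" "$wan_if" "$src" "$host" "$int_port"
}

# Print the rules for review; once checked they can be piped to sh on the router.
if is_ipv4 "$WORK_IP" && is_ipv4 "$LAN_HOST"; then
  build_rules ppp+ "$WORK_IP" "$LAN_HOST" 443 3389
else
  echo "refusing to build rules: address is not a valid IPv4 address" >&2
fi
```

    Both rules use plain -I, which inserts at the top of the chain; to place them after the existing port-forward entries as in the post above, add the rule number after the chain name (for example -I FORWARD 10). Keeping the FORWARD rule restricted to one destination host and port means the DNAT target is the only thing the work address can reach, even if the nat rule is later loosened.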

  8. zaphod

    zaphod Network Guru Member

    great you found that out. so no matter what ip your wan got...

    rtfm ;-)
