Port forwarding for an EXTERNAL DynDNS host

Discussion in 'Tomato Firmware' started by br41n, Nov 17, 2009.

  1. br41n

    br41n Guest

    Finally got this script sorted out, and thought I'd share.

    What it does: Looks up the current IP address of a hostname, and updates Tomato's port forwarding rules accordingly.

    Why: This allows you to be able to access your internal network from wherever you are, regardless of your IP address, without opening up ports to the entire world.

    #! /bin/sh
    STOREDIPFILE="/cifs1/mydyndns.txt" ;
    HOSTNAMETOFOLLOW="yourhostname.dyndns.com" ; # dyndns hostname 
    HOMEIP="" ;   # home outside ip is included in BASEPORTFORWARD
    HOMEINIP="" ;     # home inside ip
    WORKIP="" ;             # work ip is included in BASEPORTFORWARD
    # default rules.  these will always be in effect
    BASEPORTFORWARD="1<1<"$WORKIP"<80<<"$HOMEINIP"<www-wk>1<1<"$WORKIP"<22<<"$HOMEINIP"<ssh-wk>" ;     
    STOREDIP=`cat $STOREDIPFILE 2>/dev/null` ;  # get previous ip from file
    NEWIP=`nslookup $HOSTNAMETOFOLLOW | awk 'NR!=2 && /Address/ {print $3}'` ; # Lookup current ip address for HOSTNAMETOFOLLOW
    # now compare IPs, and if different, update portforwarding accordingly 
    if [ "$NEWIP" != "$STOREDIP" ] ; then
            case "$NEWIP" in
                    "$HOMEIP") # set portforwarding to base
                            nvram set portforward="$BASEPORTFORWARD" 
                            logger -t dyndns $HOSTNAMETOFOLLOW is on home network. Default firewall rules applied.
                    "$WORKIP") # set portforwarding to base
                            nvram set portforward="$BASEPORTFORWARD"
                            logger -t dyndns $HOSTNAMETOFOLLOW is on work network. Default firewall rules applied.
                    *)         # set portforwarding to base+newip
                            nvram set portforward=$BASEPORTFORWARD\1\<1\<$NEWIP\<22\<\<$HOMEINIP\<ssh-follow\>1\<1\<$NEWIP\<80\<\<$HOMEINIP\<www-follow\>
                            logger -t dyndns $HOSTNAMETOFOLLOW now has IP $NEWIP - Firewall rules updated.
            echo $NEWIP > $STOREDIPFILE ;  # save the new ip to file
            rc restart ;

    Now just name the script whatever you want (e.g. followmydyndns.sh), chmod +x it so it's executable, and have it run however frequently you'd like via Administration->Custom #-> /cifs1/followmydyndns.sh

    • This script assumes you've already configured a working DynDNS (or No-IP or whatever) client on your external client that you want to connect FROM.
    • I've mounted this on /cifs1, but it would work fine from a jffs mount, too.
    • What is shown below works for ssh (port 22) and http (port 80). It's easily reconfigurable for whatever other ports you may want.
    • Be aware that an IP in $WORKIP is always forwarded for the configured ports.
    • If you don't syslog your tomato firewall, you can take out the "logger -t dyndns..." lines.

    The result:
    In conjunction with a script that runs on my iphone periodically to update my dyndns hostname with the iphone's current IP address, I'm able to access my file server on my home network any place, any time, without opening up any ports to the world, and without having to run any other programs or commands first (e.g. VPN).
  2. jan.n

    jan.n LI Guru Member

    Interesting script, thank you for sharing it.
    Although I do everything over ssh tunnels and just have a single port open on the router... plus some ports forwarded, but that's another story.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice