Port Forwarding - Hostname instead of IP address

Discussion in 'Tomato Firmware' started by back0rifice, Apr 3, 2009.

  1. back0rifice

    back0rifice Network Guru Member


    I'm using Tomato 1.23 and really enjoying it. However, there's one thing I'm missing:

    I would like to use host names instead of IP addresses for the "source address" in the port forwarding settings.

    I know it can't be done via the web interface but I believe there must be at least a (hopefully simple) iptables solution?!

    Would be great if someone could help me out with this....

    Example: I'm forwarding port 12345 to internal PC but only want to allow this for fu@somedyndns.com and bar@somedyndns.com...

    Thanks! :)
  2. rhester72

    rhester72 Network Guru Member

    The TCP/IP stack layer doesn't know anything about authentication. Short version: No.

    If, instead, you meant you only want to forward ports for certain source IPs, yes, that can be done 'by hand' in iptables - see the existing iptables chain and add "-s <source IP>" to the rule as part of the firewall script.

  3. back0rifice

    back0rifice Network Guru Member

    No, of course it has nothing to do with authentication. It would be only a slight modification to the already existing functionality of entering source IP addresses as part of the port forwarding rules.

    I looked at the /etc/iptables file but to be honest I don't really understand it and don't know how to alter it in order to make it suit my needs...

    ATM it looks like:

    -A PREROUTING -p tcp -d 90.129.x.x --dport 123456 -j DNAT --to-destination <internal IP>
    -A wanin -p tcp -m tcp -d <internal IP> --dport 12000 -j ACCEPT

    If I understand this correctly I should now add these lines to Administration > Scripts?! If so, I'm wondering what value to enter for my public (dynamic) IP address (as it's used in the first line above) and what "wanin" is standing for?

    --- ??? ---
    iptables -A PREROUTING -p tcp -d ?.?.?.? --dport 123456 -j DNAT --to-destination <internal IP>
    iptables -A wanin -p tcp -m tcp -d <internal IP> --dport 123456 -s fu@somedyndns.com -j ACCEPT
    iptables -A wanin -p tcp -m tcp -d <internal IP> --dport 123456 -s bar@somedyndns.com -j ACCEPT
    --- ??? ---

    TIA for your help! :)
  4. phuque99

    phuque99 LI Guru Member

    If you're asking the question what wanin means, crafting iptables by hand to firewall would be a daunting task. Here's a better suggestion: set up port forwarding using the web interface, which would allow anyone to access your desired port.

    You can then add the following set of "firewall" rules to refine the allowed list (using port 1234 as example):

    iptables -I FORWARD -p tcp --dport 1234 -j DROP
    iptables -I FORWARD -p tcp -s <source IP> --dport 1234 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -p tcp --dport 1234 -m state --state RELATED,ESTABLISHED -j ACCEPT
    Those rules above would accept access to your forwarded port only if it came from <source IP>. You can add more IP or IP/netmask ranges in the center, between the first and last iptables rules, using the same format.

    The "fu@somedyndns.com" is an email address but if you wanna add some dynamic DNS IP, there might be a way. All I see for iptables is only IP/netmask thus I'll leave it to other scripting expert that might be able to resolve an IP for your hostname.

    You can add the iptables lines into the Firewall section of the tomato firmware and it will be your effective allowed list firewall.
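    One way to cover the hostname part that phuque99 leaves open, as an added example that is not from this thread and not part of Tomato: a small POSIX sh script that resolves the dynamic-DNS names with busybox nslookup, rebuilds a dedicated chain of "-s" rules for the addresses it got back, and drops everything else for that port. The chain name ddns_allow, the port 12000, the two hostnames from the thread, the use of "nvram get wan_iface" for the WAN interface and the cru cron helper mentioned below are all assumptions; the nslookup output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomato): allow a forwarded TCP port
# only from hosts whose dynamic-DNS names currently resolve to the client's IP.
# Assumptions: busybox nslookup and iptables (no -C support), and a Tomato-style
# "nvram get wan_iface" for the WAN interface name. Port, chain and hostnames
# are placeholders taken from the thread.

PORT=12000                                  # internal port, i.e. after DNAT
CHAIN=ddns_allow                            # our own chain, hooked from FORWARD
HOSTS="fu.somedyndns.com bar.somedyndns.com"

# Pull IPv4 answers out of nslookup output. Handles both the old busybox format
# ("Address 1: 203.0.113.10 host") and the newer one ("Address: 203.0.113.10");
# the resolver's own address, printed before the first "Name:", is skipped.
parse_nslookup() {
    awk '
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
        }'
}

# Resolve one hostname; prints nothing if the lookup fails.
resolve() {
    nslookup "$1" 2>/dev/null | parse_nslookup
}

# Emit the iptables commands as text, one per line, so they can be reviewed or
# tested before being executed. Args: port, chain, then zero or more IPs.
# Sources that match no ACCEPT rule fall through to DROP (fail-closed).
build_rules() {
    port=$1; chain=$2; shift 2
    echo "iptables -F $chain"
    for ip in "$@"; do
        echo "iptables -A $chain -p tcp --dport $port -s $ip -j ACCEPT"
    done
    echo "iptables -A $chain -p tcp --dport $port -j DROP"
}

# Create the chain and hook it in front of FORWARD for NEW connections arriving
# on the WAN. Only NEW packets are diverted, so established flows are unaffected
# and LAN-originated traffic to the same port number never enters the chain.
# Old iptables lacks -C, so delete-then-insert keeps the hook unique on re-runs.
ensure_hook() {
    wanif=$(nvram get wan_iface)            # assumption: Tomato nvram variable
    hook="-i $wanif -p tcp --dport $PORT -m state --state NEW -j $CHAIN"
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -D FORWARD $hook 2>/dev/null || true
    iptables -I FORWARD $hook
}

# Re-resolve every hostname and rebuild the chain. If nothing resolves (DNS
# outage), leave the existing rules alone rather than open or lock the port.
refresh_allowlist() {
    ips=""
    for h in $HOSTS; do
        ips="$ips $(resolve "$h")"
    done
    if [ -z "$(echo $ips)" ]; then
        logger -t "$CHAIN" "no hostname resolved; rules left unchanged"
        return 1
    fi
    ensure_hook
    build_rules "$PORT" "$CHAIN" $ips | sh
}

# On the router: ./ddns_allow.sh apply   (run it from cron every few minutes)
case "${1-}" in
    apply) refresh_allowlist ;;
esac
```

    The script has to be re-run periodically because iptables stores an address, not a name: "-s fu.somedyndns.com" would be resolved once when the rule is inserted and never again, so a dynamic IP change would silently lock the client out. On Tomato the cru helper can schedule it, e.g. cru a ddns_allow "*/5 * * * * /jffs/ddns_allow.sh apply" (assumed path). Two caveats a practitioner should keep in mind: the port used in the chain is the internal one seen after DNAT, and a hostname allowlist is a filter, not authentication, as rhester72 says above; anyone who can influence the DNS answer or shares the client's public IP behind the same NAT gets through.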
  5. back0rifice

    back0rifice Network Guru Member

    Ooops, stupid me.... Of course NOT fu@somedyndns.com but fu.somedyndns.com! My apologies for causing unnecessary confusion! :)

    @phuque99: Excellent, many thanks! I think this is exactly what I've been searching for and I'm sure that will work! :) Will try asap...


    I just tried and it doesn't seem to work... What I've done is to add

    iptables -I FORWARD -p tcp --dport 12000 -j DROP

    to the Scripts > Firewall section. I've tried with and without "iptables" at the beginning and even restarted the router. Whatever I do, I'm still able to telnet to this port from any IP...

  6. phuque99

    phuque99 LI Guru Member

    I'm not sure about that as I've used the FORWARD chain and it worked for me. I've corrected the syntax of the iptables above. You could try the wanin chain this way and see if it works for you:
    iptables -I wanin -p tcp -d <internal IP> --dport 12000 -j DROP
    iptables -I wanin -p tcp -s <source IP> -d <internal IP> --dport 12000 -m state --state NEW -j ACCEPT
    iptables -I wanin -p tcp -d <internal IP> --dport 12000 -m state --state RELATED,ESTABLISHED -j ACCEPT
  7. back0rifice

    back0rifice Network Guru Member

    Nope... doesn't work either... :(

    I just tried the first line. Given that I understand it correctly adding this line should block all requests to destination port 12000, right?!

    Any other ideas? :)