port forwarding

Discussion in 'Tomato Firmware' started by Deathnight0069, May 4, 2014.

  1. Deathnight0069

    Deathnight0069 Network Newbie Member

    I have been using Tomato for a while and really liked it; however, my router broke (got hit during an electrical storm), so I got a new one. Unfortunately it doesn't support Tomato.

    My question is: how does port forwarding work? I might be SOL on the new router, but if I can figure out how it was done on Tomato, I might be able to get a hack on the new router.

    I had it set up to use a source DNS name, and it was working fine. My site is hosted on DDNS, and the external party is also using DDNS, so I set up the port forward to only allow his DNS name on the specified port. I had an old nvram dump of this before it got hit.

    Here is the sanitized version from NVRAM:

    portforward=1<1<external.example.com<22<22<<DDNS 22>1<1<external.example.com<3396<3396<<DDNS 3396>

    I also found a very old copy of a backup; here is what is listed. This looks like the 2 ports were combined in this version.

    portforward=0<3<<1000:2000<<<ex: 1000 to 2000, restricted>1<1<external.example.com<22,3396<<<>0<2<<1000,2000<<<ex: 1000 and 2000>0<3<<1000:2000,3000<<<ex: 1000 to 2000, and 3000>0<1<<1000<2000<<ex: different internal port>

    I believe the relevant portion is
    and the others are just the examples.

  2. koitsu

    koitsu Network Guru Member

    First, start with decoding the NVRAM variable portforward. Your first example ("sanitized version") decodes as follows into its respective GUI fields (this is difficult because the forum broke on spaces and you didn't provide the single line within a code block, but I can still read it). It breaks down into two rules. Please note this is tricky because of the delimiters used and so on:

    Rule #1:

    1 - On (enabled)
    1 - Proto TCP
    external.example.com - Src Address
    22 - Ext Ports
    22 - Int Port - Int Address
    DDNS 22 - Description

    Rule #2:

    1 - On (enabled)
    1 - Proto TCP
    external.example.com - Src Address
    3396 - Ext Ports
    3396 - Int Port - Int Address
    DDNS 3396 - Description

    The 2nd example you gave is a mish-mash of the stock default examples and a single rule that does the same thing as the above two rules combined. Decoded:

    1 - On (enabled)
    1 - Proto TCP
    external.example.com - Src Address
    22,3396 - Ext Ports
    {empty} - Int Port - Int Address
    {empty} - Description

    Which methodology you go with (a single rule for 2 ports, or two separate rules) doesn't matter -- they functionally do the exact same thing. Although, for the first 2 rules, I should note that you don't need to specify the Int Port number (if the field is left empty, it uses the same port number as Ext Ports).

    One point you need to be aware of:

    These rules are using DNS resolution, meaning at the time the firewall rule (port forward) is added (when the router boots up, etc.), DNS resolution of external.example.com is done. At no point past that is DNS resolution done again. Meaning: if the IP address for external.example.com ever changes, the above rules will stop functioning until the router is rebooted or the firewall is reloaded.

    DNS resolution cannot be done every time a packet comes through the router (to be examined for forwarding or not). There is nothing that can be done about this; it's how firewalls work. Just keep this in mind in the future if the IP address for external.example.com ever changes.

    Finally: I'll use this opportunity to drive home the point I've made in the past about keeping a text file of configuration changes (an example file is included at that link) so that you know what all your settings are compared to stock defaults. This is not only needed when going between firmwares or firmware versions, but also if/when hardware goes bad/gets damaged. So going forward, keep a text file of the settings you change, and update that file any time you make a change, and it'll make your life a lot easier.
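
A decoder for the portforward NVRAM layout walked through above, added here as an example and not Tomato's own code. It assumes the seven-field order listed in the post (On, Proto, Src Address, Ext Ports, Int Port, Int Address, Description); proto 1 = TCP is from the thread, while 2 = UDP and 3 = Both are assumptions. It goes a little beyond the post by expanding port lists and ranges and applying the empty-Int-Port default.

```python
from dataclasses import dataclass
from typing import List

# Decoder for the Tomato "portforward" NVRAM variable (added example, not
# Tomato's own code). Records are separated by '>' and fields by '<', in the
# order koitsu decoded above:
#   On < Proto < Src Address < Ext Ports < Int Port < Int Address < Description
# Proto 1 = TCP is stated in the thread; 2 = UDP and 3 = Both are assumptions.
PROTO = {"1": "TCP", "2": "UDP", "3": "Both"}

# The sanitized value posted in the thread, kept here as sample input.
SAMPLE = ("1<1<external.example.com<22<22<<DDNS 22>"
          "1<1<external.example.com<3396<3396<<DDNS 3396>")

@dataclass
class Forward:
    enabled: bool
    proto: str
    src_addr: str     # a hostname here is resolved once when the rule is loaded
    ext_ports: str    # "22", "22,3396" or "1000:2000,3000"
    int_port: str     # empty means same as Ext Ports
    int_addr: str
    description: str

def parse_portforward(value: str) -> List[Forward]:
    """Split the NVRAM value into rules; the trailing '>' leaves an empty
    record, which is skipped. Each record must have exactly seven fields."""
    rules = []
    for rec in value.split(">"):
        if not rec:
            continue
        f = rec.split("<")
        if len(f) != 7:
            raise ValueError(f"expected 7 fields, got {len(f)}: {rec!r}")
        rules.append(Forward(f[0] == "1", PROTO.get(f[1], "proto " + f[1]),
                             f[2], f[3], f[4], f[5], f[6]))
    return rules

def expand_ports(spec: str) -> List[int]:
    """Expand a GUI port spec such as '1000:2000,3000' into individual ports."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def effective_int_port(rule: Forward) -> str:
    """An empty Int Port reuses the external port(s), as noted in the thread."""
    return rule.int_port or rule.ext_ports
```
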
  3. Deathnight0069

    Deathnight0069 Network Newbie Member

    First off, thanks for posting, and giving me some feedback.

    I apologize for not including the inserts using the code, but for whatever reason my iPad didn't have the code for this. On my PC now, so I do see what you're telling me.

    Yes this is correct, I found a copy of an NVRAM dump, and a much older backup cfg file.

    That is weird. I am not disagreeing with you, as I have come here for help and am most grateful for any insight, but I seem to remember the IP address changing at least a dozen times that I can count (external.example.com), and I have no recollection of rebooting the router to get this connection back up. My friend and I are doing Synology backups to each other's NAS every Sunday, so I do know it's working (or was before the electrical storm).

    Anyway, what you are describing below seems to be like using the iptables -s switch, where the DNS is looked up only once. Or at least that's what I think (I'm still doing a TON of research on this). I am SO new and green it's not even funny.

    Question: what is contained in a packet? What info could I use to ID this incoming packet from external.example.com?

  4. koitsu

    koitsu Network Guru Member

    I can't answer this question because I do not know what the actual protocol is that you're forwarding; your "Description" fields just say "DDNS 22" and "DDNS 3396" which tell me absolutely nothing. In fact, I don't know what TCP port 22 has to do with DDNS, nor TCP port 3396 -- usually TCP port 22 is for SSH, and TCP port 3396 is just some arbitrary port number (not allocated per IANA). So I have no idea what you're truly shoving across those ports.

    From an iptables perspective, there is nothing you can reliably key off of other than source IP address, destination IP address, protocol, or port number. That's just how it works.

    If the source IP address you expect to be able to reach these forwarded ports changes rapidly, I would recommend you instead take a look at what I've told other people to do (make an iptables chain that contains multiple source addresses, or preferably larger network ranges, so that when the client IP gets into one of those multiple ranges, you don't have to worry about it). You would need to make your own custom iptables rules for this and not use the GUI, however.

    There's really no other solution for 95% of protocols out there, I'm sorry to say -- it's the reality of the situation, and how it works in the enterprise world too. Really.
  5. Deathnight0069

    Deathnight0069 Network Newbie Member

    Thank you again for taking the time to answer my question. I will give the link you mentioned a read.

    Thanks again,