IPTABLES & DD-WRT - IP Address Forwarding

Hi,

I am trying to configure the forwarding of all traffic (udp, tcp) from an internet IP address to a specific LAN IP address behind my DD-WRT v23 SP2 router.  As the router runs a cut down version of Linux I have been trying the IPTABLES command without success.  I have tried the following command:

iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j logaccept
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j logaccept

The INPUT chain is configured to accept all, from anywhere, to anywhere.  However the router's log shows the packets as being 'DROPPED'.

Any ideas where I am going wrong??  Is it because I am not specifying a port, or do I need to amend another chain??  I have asked this on the official DD-WRT forum with limited success

Thanks

Open in new window

WMFS_SUPPORTAsked:
Who is Participating?
 
Computer101Connect With a Mentor Commented:
PAQed with points refunded (125)

Computer101
Community Support Moderator
0
 
ravenplCommented:
Have You tried "-j ACCEPT" instead of "-j logaccept". You sure there's logaccept chain and does what You want?
iptables -L logaccept -N
0
 
http:// thevpn.guruCommented:
iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j logaccept
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j logaccept

Should be either

iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j LOG
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j LOG

or

iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j ACCEPT
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j ACCEPT

it might be that the packets are droped further up..use -A 1 to add them as the first packet and do echo "1" > /proc/sys/net/ipv4/ip_forward  to enable IP forwarding
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
WMFS_SUPPORTAuthor Commented:
Hi,

Thanks for the prompt replies, however it is still not working.  I have tried using just -j ACCEPT and I have ensured that the entry is the first in the FORWARD chain.  I have also checked that /proc/sys/net/ipv4/ip_forward is set to 1.

The router log still shows the packet as dropped:

Source IP           Protocol       Destination Port Number       Rule
192.245.12.228       UDP            1147                                    Dropped

If I just use the Port Forward facility of the router to forward ports 1000-2000 to 192.168.0.5 then the packet is allowed through without problem.  The FORWARD chain then has entries as follows:

14  logaccept     tcp     anywhere     192.168.0.5     tcp   dpts:1000:2000
15  logaccept     ucp     anywhere     192.168.0.5     udp  dpts:1000:2000

However the main reason for wanting to forward all data regardles of port from the source IP address to 192.168.0.5 is that the destination port is random.

I have also placed the 'rule' in other line numbers just in case, but still no luck.

Any other suggestions???
0
 
http:// thevpn.guruCommented:
How are you managing the router....through a web interface or through command line ?

I think the router is flushing the iptables and applying it's own rules no matter what rules you are applying....you have checked iptables -nL right ?
0
 
WMFS_SUPPORTAuthor Commented:
Managing the router almost completely via telnet, but have used the web interface to view the logs and just to test the Port Forward as described earlier.

Yes, I have checked iptables -nL before and after applying the rule and it still shows as being in place.  I have applied the rule, checked the incoming log (which has shown data from the IP Address as Dropped) and then double checked iptables -nL and the rule is still there.

?
0
 
http:// thevpn.guruCommented:
Try to flush the iptables and repeat the whole process...maybe that would help.
0
 
WMFS_SUPPORTAuthor Commented:
Ahh, maybe getting somewhere now....

I have just tried creating a manual port forward for ports 1000-3000 using IPTABLES:

iptables -I FORWARD -p udp -d 192.168.0.5 --dport 1000:3000 -j ACCEPT

which is accepted, and shows up using iptables -nL.  But still this doesn't work.  If I setup a Port Forward using the web interface the rule looks identical and works ok.

I removed the web interface rule and recreated the rule manually and then rebooted the router.... the rule was lost.

If there a command I need to enter to restart routing based on the rules I have applied, or to write the rules to the running config (similar to cisco routers)??
0
 
http:// thevpn.guruCommented:
I dont know about this particular router...bas it seems that it is ignoring your settings and it sticks to its own settings and your commands are not being taken into consideration ..the webcommands are ..

You could check the vendor support/forums/online documentation for more info.
0
 
WMFS_SUPPORTAuthor Commented:
Hurray!!!

After posting on 4 different forums and numerous attempts, I have now found a solution.  This also requires an entry in the PREROUTING chain within the nat table.

To confirm I entered the following two commands: (Note I used the protocol 'all' in the end although udp did work fine too)

iptables -I FORWARD -p all -s 192.245.12.228 -d 192.168.0.5 -j ACCEPT
iptables -t nat -I PREROUTING -p all -s 192.245.12.228 -j DNAT --to 192.168.0.5

Thanks to MSTOMBS from www.linksysinfo.org

Merry Xmas!!
0
 
onlyamir007Commented:
 

hi guys,
 
please if u  guys can help me?? how can i route my internet traffic via VPN ???
 
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24220326.html 

 
please answer me .... thankx
0
All Courses

From novice to tech pro — start learning today.