IPTABLES & DD-WRT - IP Address Forwarding

Posted on 2007-12-05
Last Modified: 2012-05-05

I am trying to configure the forwarding of all traffic (udp, tcp) from an internet IP address to a specific LAN IP address behind my DD-WRT v23 SP2 router.  As the router runs a cut down version of Linux I have been trying the IPTABLES command without success.  I have tried the following command:

iptables -I FORWARD -p tcp -s -d -j logaccept
iptables -I FORWARD -p udp -s -d -j logaccept

The INPUT chain is configured to accept all, from anywhere, to anywhere.  However the router's log shows the packets as being 'DROPPED'.

Any ideas where I am going wrong??  Is it because I am not specifying a port, or do I need to amend another chain??  I have asked this on the official DD-WRT forum with limited success


Open in new window

Question by:WMFS_SUPPORT
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 43

Expert Comment

ID: 20410870
Have You tried "-j ACCEPT" instead of "-j logaccept". You sure there's logaccept chain and does what You want?
iptables -L logaccept -N
LVL 19

Expert Comment

ID: 20410872
iptables -I FORWARD -p tcp -s -d -j logaccept
iptables -I FORWARD -p udp -s -d -j logaccept

Should be either

iptables -I FORWARD -p tcp -s -d -j LOG
iptables -I FORWARD -p udp -s -d -j LOG


iptables -I FORWARD -p tcp -s -d -j ACCEPT
iptables -I FORWARD -p udp -s -d -j ACCEPT

it might be that the packets are droped further up..use -A 1 to add them as the first packet and do echo "1" > /proc/sys/net/ipv4/ip_forward  to enable IP forwarding

Author Comment

ID: 20414149

Thanks for the prompt replies, however it is still not working.  I have tried using just -j ACCEPT and I have ensured that the entry is the first in the FORWARD chain.  I have also checked that /proc/sys/net/ipv4/ip_forward is set to 1.

The router log still shows the packet as dropped:

Source IP           Protocol       Destination Port Number       Rule       UDP            1147                                    Dropped

If I just use the Port Forward facility of the router to forward ports 1000-2000 to then the packet is allowed through without problem.  The FORWARD chain then has entries as follows:

14  logaccept     tcp     anywhere     tcp   dpts:1000:2000
15  logaccept     ucp     anywhere     udp  dpts:1000:2000

However the main reason for wanting to forward all data regardles of port from the source IP address to is that the destination port is random.

I have also placed the 'rule' in other line numbers just in case, but still no luck.

Any other suggestions???
Turn Insights into Action

Communication across every corner of your business is essential to increase the velocity of your application delivery and support pipeline. Automate, standardize, and contextualize your communication processes with xMatters.

LVL 19

Expert Comment

ID: 20414288
How are you managing the router....through a web interface or through command line ?

I think the router is flushing the iptables and applying it's own rules no matter what rules you are have checked iptables -nL right ?

Author Comment

ID: 20415595
Managing the router almost completely via telnet, but have used the web interface to view the logs and just to test the Port Forward as described earlier.

Yes, I have checked iptables -nL before and after applying the rule and it still shows as being in place.  I have applied the rule, checked the incoming log (which has shown data from the IP Address as Dropped) and then double checked iptables -nL and the rule is still there.

LVL 19

Expert Comment

ID: 20415691
Try to flush the iptables and repeat the whole process...maybe that would help.

Author Comment

ID: 20415839
Ahh, maybe getting somewhere now....

I have just tried creating a manual port forward for ports 1000-3000 using IPTABLES:

iptables -I FORWARD -p udp -d --dport 1000:3000 -j ACCEPT

which is accepted, and shows up using iptables -nL.  But still this doesn't work.  If I setup a Port Forward using the web interface the rule looks identical and works ok.

I removed the web interface rule and recreated the rule manually and then rebooted the router.... the rule was lost.

If there a command I need to enter to restart routing based on the rules I have applied, or to write the rules to the running config (similar to cisco routers)??
LVL 19

Expert Comment

ID: 20415889
I dont know about this particular router...bas it seems that it is ignoring your settings and it sticks to its own settings and your commands are not being taken into consideration ..the webcommands are ..

You could check the vendor support/forums/online documentation for more info.

Author Comment

ID: 20456183

After posting on 4 different forums and numerous attempts, I have now found a solution.  This also requires an entry in the PREROUTING chain within the nat table.

To confirm I entered the following two commands: (Note I used the protocol 'all' in the end although udp did work fine too)

iptables -I FORWARD -p all -s -d -j ACCEPT
iptables -t nat -I PREROUTING -p all -s -j DNAT --to

Thanks to MSTOMBS from

Merry Xmas!!

Accepted Solution

Computer101 earned 0 total points
ID: 20953278
PAQed with points refunded (125)

Community Support Moderator

Expert Comment

ID: 23905545

hi guys,
please if u  guys can help me?? how can i route my internet traffic via VPN ??? 

please answer me .... thankx

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses

689 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question