Solved

IPTABLES & DD-WRT - IP Address Forwarding

Posted on 2007-12-05
Last Modified: 2012-05-05
Hi,

I am trying to configure the forwarding of all traffic (UDP, TCP) from an internet IP address to a specific LAN IP address behind my DD-WRT v23 SP2 router. As the router runs a cut-down version of Linux I have been trying the iptables command without success. I have tried the following commands:

iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j logaccept
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j logaccept

The INPUT chain is configured to accept all, from anywhere, to anywhere.  However the router's log shows the packets as being 'DROPPED'.

Any ideas where I am going wrong??  Is it because I am not specifying a port, or do I need to amend another chain??  I have asked this on the official DD-WRT forum with limited success

Thanks

Question by:WMFS_SUPPORT
12 Comments

Expert Comment

by:ravenpl
ID: 20410870
Have you tried "-j ACCEPT" instead of "-j logaccept"? Are you sure there's a logaccept chain and that it does what you want?
iptables -L logaccept -n

Expert Comment

by:http:// thevpn.guru
ID: 20410872
iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j logaccept
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j logaccept

Should be either

iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j LOG
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j LOG

or

iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j ACCEPT
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j ACCEPT

it might be that the packets are dropped further up..use -A 1 to add them as the first packet and do echo "1" > /proc/sys/net/ipv4/ip_forward to enable IP forwarding

Author Comment

by:WMFS_SUPPORT
ID: 20414149
Hi,

Thanks for the prompt replies, however it is still not working.  I have tried using just -j ACCEPT and I have ensured that the entry is the first in the FORWARD chain.  I have also checked that /proc/sys/net/ipv4/ip_forward is set to 1.

The router log still shows the packet as dropped:

Source IP        Protocol   Destination Port Number   Rule
192.245.12.228   UDP        1147                      Dropped

If I just use the Port Forward facility of the router to forward ports 1000-2000 to 192.168.0.5 then the packet is allowed through without problem.  The FORWARD chain then has entries as follows:

14  logaccept     tcp     anywhere     192.168.0.5     tcp   dpts:1000:2000
15  logaccept     udp     anywhere     192.168.0.5     udp   dpts:1000:2000

However, the main reason for wanting to forward all data regardless of port from the source IP address to 192.168.0.5 is that the destination port is random.

I have also placed the 'rule' in other line numbers just in case, but still no luck.

Any other suggestions???

Expert Comment

by:http:// thevpn.guru
ID: 20414288
How are you managing the router....through a web interface or through command line ?

I think the router is flushing the iptables rules and applying its own rules no matter what rules you are applying....you have checked iptables -nL, right?

Author Comment

by:WMFS_SUPPORT
ID: 20415595
Managing the router almost completely via telnet, but have used the web interface to view the logs and just to test the Port Forward as described earlier.

Yes, I have checked iptables -nL before and after applying the rule and it still shows as being in place.  I have applied the rule, checked the incoming log (which has shown data from the IP Address as Dropped) and then double checked iptables -nL and the rule is still there.


Expert Comment

by:http:// thevpn.guru
ID: 20415691
Try to flush the iptables and repeat the whole process...maybe that would help.

Author Comment

by:WMFS_SUPPORT
ID: 20415839
Ahh, maybe getting somewhere now....

I have just tried creating a manual port forward for ports 1000-3000 using IPTABLES:

iptables -I FORWARD -p udp -d 192.168.0.5 --dport 1000:3000 -j ACCEPT

which is accepted, and shows up using iptables -nL. But still this doesn't work. If I set up a Port Forward using the web interface the rule looks identical and works OK.

I removed the web interface rule and recreated the rule manually and then rebooted the router.... the rule was lost.

Is there a command I need to enter to restart routing based on the rules I have applied, or to write the rules to the running config (similar to Cisco routers)??

Expert Comment

by:http:// thevpn.guru
ID: 20415889
I don't know about this particular router...but it seems that it is ignoring your settings and it sticks to its own settings and your commands are not being taken into consideration ..the web commands are ..

You could check the vendor support/forums/online documentation for more info.

Author Comment

by:WMFS_SUPPORT
ID: 20456183
Hurray!!!

After posting on 4 different forums and numerous attempts, I have now found a solution.  This also requires an entry in the PREROUTING chain within the nat table.

To confirm, I entered the following two commands: (Note I used the protocol 'all' in the end, although udp did work fine too)

iptables -I FORWARD -p all -s 192.245.12.228 -d 192.168.0.5 -j ACCEPT
iptables -t nat -I PREROUTING -p all -s 192.245.12.228 -j DNAT --to 192.168.0.5

Thanks to MSTOMBS from www.linksysinfo.org

Merry Xmas!!
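As an added illustration (not code from this thread, from DD-WRT or from iptables), the small Python model below follows the netfilter traversal order a Linux router applies to an inbound packet: nat PREROUTING first, then the routing decision, then the filter FORWARD chain. It shows why the FORWARD-only rule never matched: the packet arrives addressed to the router's own public address (203.0.113.10 here is a constructed placeholder), so without the DNAT rule it is delivered to INPUT and never reaches FORWARD at all.

```python
from dataclasses import dataclass, replace
WAN_IP = "203.0.113.10"  # constructed placeholder for the router's public address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:                    # one iptables rule: -s, -d, -p, --dport, -j, --to
    src: str = "any"
    dst: str = "any"
    proto: str = "all"
    dports: tuple = (1, 65535)
    target: str = "ACCEPT"
    to: str = ""

    def matches(self, pkt):
        return (self.src in ("any", pkt.src) and self.dst in ("any", pkt.dst)
                and self.proto in ("all", pkt.proto)
                and self.dports[0] <= pkt.dport <= self.dports[1])

def nat_prerouting(pkt, rules):
    # The first matching DNAT rule rewrites the destination before routing.
    for r in rules:
        if r.target == "DNAT" and r.matches(pkt):
            return replace(pkt, dst=r.to)
    return pkt

def process(pkt, nat_rules, forward_rules, policy="DROP"):
    # Returns (chain or verdict, final destination) for one inbound packet.
    pkt = nat_prerouting(pkt, nat_rules)
    if pkt.dst == WAN_IP:          # routing decision: addressed to the router itself,
        return ("INPUT", pkt.dst)  # so it goes to INPUT and never traverses FORWARD
    for r in forward_rules:        # otherwise the filter FORWARD chain decides
        if r.matches(pkt):
            return (r.target, pkt.dst)
    return (policy, pkt.dst)

# Constructed packet; the source address and port 1147 are the ones in the router log.
INCOMING = Packet("192.245.12.228", WAN_IP, "udp", 1147)
FWD_ACCEPT = Rule(src="192.245.12.228", dst="192.168.0.5")          # filter FORWARD rule
DNAT = Rule(src="192.245.12.228", target="DNAT", to="192.168.0.5")  # nat PREROUTING rule
def original_attempt():  # FORWARD rule alone, as first posted
    return process(INCOMING, [], [FWD_ACCEPT])

def final_solution():    # DNAT in nat PREROUTING plus the FORWARD accept
    return process(INCOMING, [DNAT], [FWD_ACCEPT])
```

The same model also shows why the web interface's port-forward entry worked: it installs both halves, the nat DNAT and the filter FORWARD accept, at once.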

Accepted Solution

by:
Computer101 earned 0 total points
ID: 20953278
PAQed with points refunded (125)

Computer101
Community Support Moderator

Expert Comment

by:onlyamir007
ID: 23905545
hi guys,

please if u guys can help me?? how can i route my internet traffic via VPN ???

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24220326.html

please answer me .... thankx