Solved

IPTABLES & DD-WRT - IP Address Forwarding

Posted on 2007-12-05
12
6,984 Views
Last Modified: 2012-05-05
Hi,

I am trying to configure the forwarding of all traffic (udp, tcp) from an internet IP address to a specific LAN IP address behind my DD-WRT v23 SP2 router.  As the router runs a cut down version of Linux I have been trying the IPTABLES command without success.  I have tried the following command:

iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j logaccept
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j logaccept

The INPUT chain is configured to accept all, from anywhere, to anywhere.  However the router's log shows the packets as being 'DROPPED'.

Any ideas where I am going wrong??  Is it because I am not specifying a port, or do I need to amend another chain??  I have asked this on the official DD-WRT forum with limited success

Thanks

Open in new window

0
Comment
Question by:WMFS_SUPPORT
12 Comments
 
LVL 43

Expert Comment

by:ravenpl
Comment Utility
Have You tried "-j ACCEPT" instead of "-j logaccept". You sure there's logaccept chain and does what You want?
iptables -L logaccept -N
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
Comment Utility
iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j logaccept
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j logaccept

Should be either

iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j LOG
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j LOG

or

iptables -I FORWARD -p tcp -s 192.245.12.228 -d 192.168.0.5 -j ACCEPT
iptables -I FORWARD -p udp -s 192.245.12.228 -d 192.168.0.5 -j ACCEPT

it might be that the packets are droped further up..use -A 1 to add them as the first packet and do echo "1" > /proc/sys/net/ipv4/ip_forward  to enable IP forwarding
0
 

Author Comment

by:WMFS_SUPPORT
Comment Utility
Hi,

Thanks for the prompt replies, however it is still not working.  I have tried using just -j ACCEPT and I have ensured that the entry is the first in the FORWARD chain.  I have also checked that /proc/sys/net/ipv4/ip_forward is set to 1.

The router log still shows the packet as dropped:

Source IP           Protocol       Destination Port Number       Rule
192.245.12.228       UDP            1147                                    Dropped

If I just use the Port Forward facility of the router to forward ports 1000-2000 to 192.168.0.5 then the packet is allowed through without problem.  The FORWARD chain then has entries as follows:

14  logaccept     tcp     anywhere     192.168.0.5     tcp   dpts:1000:2000
15  logaccept     ucp     anywhere     192.168.0.5     udp  dpts:1000:2000

However the main reason for wanting to forward all data regardles of port from the source IP address to 192.168.0.5 is that the destination port is random.

I have also placed the 'rule' in other line numbers just in case, but still no luck.

Any other suggestions???
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
Comment Utility
How are you managing the router....through a web interface or through command line ?

I think the router is flushing the iptables and applying it's own rules no matter what rules you are applying....you have checked iptables -nL right ?
0
 

Author Comment

by:WMFS_SUPPORT
Comment Utility
Managing the router almost completely via telnet, but have used the web interface to view the logs and just to test the Port Forward as described earlier.

Yes, I have checked iptables -nL before and after applying the rule and it still shows as being in place.  I have applied the rule, checked the incoming log (which has shown data from the IP Address as Dropped) and then double checked iptables -nL and the rule is still there.

?
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 19

Expert Comment

by:http:// thevpn.guru
Comment Utility
Try to flush the iptables and repeat the whole process...maybe that would help.
0
 

Author Comment

by:WMFS_SUPPORT
Comment Utility
Ahh, maybe getting somewhere now....

I have just tried creating a manual port forward for ports 1000-3000 using IPTABLES:

iptables -I FORWARD -p udp -d 192.168.0.5 --dport 1000:3000 -j ACCEPT

which is accepted, and shows up using iptables -nL.  But still this doesn't work.  If I setup a Port Forward using the web interface the rule looks identical and works ok.

I removed the web interface rule and recreated the rule manually and then rebooted the router.... the rule was lost.

If there a command I need to enter to restart routing based on the rules I have applied, or to write the rules to the running config (similar to cisco routers)??
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
Comment Utility
I dont know about this particular router...bas it seems that it is ignoring your settings and it sticks to its own settings and your commands are not being taken into consideration ..the webcommands are ..

You could check the vendor support/forums/online documentation for more info.
0
 

Author Comment

by:WMFS_SUPPORT
Comment Utility
Hurray!!!

After posting on 4 different forums and numerous attempts, I have now found a solution.  This also requires an entry in the PREROUTING chain within the nat table.

To confirm I entered the following two commands: (Note I used the protocol 'all' in the end although udp did work fine too)

iptables -I FORWARD -p all -s 192.245.12.228 -d 192.168.0.5 -j ACCEPT
iptables -t nat -I PREROUTING -p all -s 192.245.12.228 -j DNAT --to 192.168.0.5

Thanks to MSTOMBS from www.linksysinfo.org

Merry Xmas!!
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
Comment Utility
PAQed with points refunded (125)

Computer101
Community Support Moderator
0
 
LVL 4

Expert Comment

by:onlyamir007
Comment Utility
 

hi guys,
 
please if u  guys can help me?? how can i route my internet traffic via VPN ???
 
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24220326.html

 
please answer me .... thankx
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now