IPTABLES & DD-WRT - IP Address Forwarding

Posted on 2007-12-05
Last Modified: 2012-05-05

I am trying to configure the forwarding of all traffic (udp, tcp) from an internet IP address to a specific LAN IP address behind my DD-WRT v23 SP2 router.  As the router runs a cut down version of Linux I have been trying the IPTABLES command without success.  I have tried the following command:

iptables -I FORWARD -p tcp -s -d -j logaccept
iptables -I FORWARD -p udp -s -d -j logaccept

The INPUT chain is configured to accept all, from anywhere, to anywhere.  However the router's log shows the packets as being 'DROPPED'.

Any ideas where I am going wrong??  Is it because I am not specifying a port, or do I need to amend another chain??  I have asked this on the official DD-WRT forum with limited success


Open in new window

Question by:WMFS_SUPPORT
LVL 43

Expert Comment

ID: 20410870
Have You tried "-j ACCEPT" instead of "-j logaccept". You sure there's logaccept chain and does what You want?
iptables -L logaccept -N
LVL 19

Expert Comment

ID: 20410872
iptables -I FORWARD -p tcp -s -d -j logaccept
iptables -I FORWARD -p udp -s -d -j logaccept

Should be either

iptables -I FORWARD -p tcp -s -d -j LOG
iptables -I FORWARD -p udp -s -d -j LOG


iptables -I FORWARD -p tcp -s -d -j ACCEPT
iptables -I FORWARD -p udp -s -d -j ACCEPT

it might be that the packets are droped further up..use -A 1 to add them as the first packet and do echo "1" > /proc/sys/net/ipv4/ip_forward  to enable IP forwarding

Author Comment

ID: 20414149

Thanks for the prompt replies, however it is still not working.  I have tried using just -j ACCEPT and I have ensured that the entry is the first in the FORWARD chain.  I have also checked that /proc/sys/net/ipv4/ip_forward is set to 1.

The router log still shows the packet as dropped:

Source IP           Protocol       Destination Port Number       Rule       UDP            1147                                    Dropped

If I just use the Port Forward facility of the router to forward ports 1000-2000 to then the packet is allowed through without problem.  The FORWARD chain then has entries as follows:

14  logaccept     tcp     anywhere     tcp   dpts:1000:2000
15  logaccept     ucp     anywhere     udp  dpts:1000:2000

However the main reason for wanting to forward all data regardles of port from the source IP address to is that the destination port is random.

I have also placed the 'rule' in other line numbers just in case, but still no luck.

Any other suggestions???
LVL 19

Expert Comment

ID: 20414288
How are you managing the router....through a web interface or through command line ?

I think the router is flushing the iptables and applying it's own rules no matter what rules you are have checked iptables -nL right ?

Author Comment

ID: 20415595
Managing the router almost completely via telnet, but have used the web interface to view the logs and just to test the Port Forward as described earlier.

Yes, I have checked iptables -nL before and after applying the rule and it still shows as being in place.  I have applied the rule, checked the incoming log (which has shown data from the IP Address as Dropped) and then double checked iptables -nL and the rule is still there.

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

LVL 19

Expert Comment

ID: 20415691
Try to flush the iptables and repeat the whole process...maybe that would help.

Author Comment

ID: 20415839
Ahh, maybe getting somewhere now....

I have just tried creating a manual port forward for ports 1000-3000 using IPTABLES:

iptables -I FORWARD -p udp -d --dport 1000:3000 -j ACCEPT

which is accepted, and shows up using iptables -nL.  But still this doesn't work.  If I setup a Port Forward using the web interface the rule looks identical and works ok.

I removed the web interface rule and recreated the rule manually and then rebooted the router.... the rule was lost.

If there a command I need to enter to restart routing based on the rules I have applied, or to write the rules to the running config (similar to cisco routers)??
LVL 19

Expert Comment

ID: 20415889
I dont know about this particular router...bas it seems that it is ignoring your settings and it sticks to its own settings and your commands are not being taken into consideration ..the webcommands are ..

You could check the vendor support/forums/online documentation for more info.

Author Comment

ID: 20456183

After posting on 4 different forums and numerous attempts, I have now found a solution.  This also requires an entry in the PREROUTING chain within the nat table.

To confirm I entered the following two commands: (Note I used the protocol 'all' in the end although udp did work fine too)

iptables -I FORWARD -p all -s -d -j ACCEPT
iptables -t nat -I PREROUTING -p all -s -j DNAT --to

Thanks to MSTOMBS from

Merry Xmas!!

Accepted Solution

Computer101 earned 0 total points
ID: 20953278
PAQed with points refunded (125)

Community Support Moderator

Expert Comment

ID: 23905545

hi guys,
please if u  guys can help me?? how can i route my internet traffic via VPN ??? 

please answer me .... thankx

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Squid Connection Pools 3 43
pfSense IP Helper 4 137
New TWC modem/router breaks network 53 67
configure ASA Vlan Interface 14 42
New Server  was moved from behind Router R2 f0/1 to behind router R1 int f/01 and has now address But we want users still to be able to connected to it by old IP. How to do it ? We can used destination NAT (DNAT).  In DNAT…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now