Forward ports - why is it not doing what I ask it??



jago25_98
05-09-2008, 18:25
What on earth is going on here? It's driving me mad now.

Any settings changed in the web interface do not affect `iptables -L`, including port forwarding, DMZ and firewall.

Trying to forward ports on the command line doesn't do it either when I actually test the port. How do you test the port without a remote machine anyway? At the moment I'm just trying to connect to the router on the port I'm trying to forward.


j@ethel:~$ nmap my.router

Starting Nmap 4.53 ( http://insecure.org ) at 2008-09-05 18:20 BST
Interesting ports on my.router (192.168.1.50):
Not shown: 1708 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
515/tcp open printer
9100/tcp open jetdirect
9101/tcp open jetdirect

Nmap done: 1 IP address (1 host up) scanned in 2.088 seconds


j@ethel:~$ nmap PUBLIC-INTERNET-IP

Starting Nmap 4.53 ( http://insecure.org ) at 2008-09-05 18:21 BST
Interesting ports on xxxx:
Not shown: 1709 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
1720/tcp filtered H.323/Q.931
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 11.056 seconds
j@ethel:~$


[admin@(none) root]$ iptables -A INPUT -p tcp --dport ssh -j ACCEPT
[admin@(none) root]$ iptables -A INPUT -p tcp --dport 8081 -j ACCEPT
[admin@(none) root]$ iptables -A FORWARD -i eth1 -p tcp --dport 8081:8081 --destination 192.168.1.3 -j ACCEPT
[admin@(none) root]$ iptables -A FORWARD -i eth1 -p tcp --dport 8081:8081 --destination 192.168.1.3 -j ACCEPT
[admin@(none) root]$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
SECURITY all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:tproxy
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:tproxy
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:tproxy

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
SECURITY all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere ctstate DNAT
ACCEPT tcp -- anywhere 192.168.1.3 tcp dpt:tproxy
ACCEPT tcp -- anywhere 192.168.1.3 tcp dpt:tproxy
ACCEPT tcp -- anywhere 192.168.1.3 tcp dpt:tproxy

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain MACS (0 references)
target prot opt source destination

Chain SECURITY (2 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN udp -- anywhere anywhere limit: avg 5/sec burst 5
RETURN icmp -- anywhere anywhere limit: avg 5/sec burst 5
DROP all -- anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all -- anywhere anywhere
[admin@(none) root]$

ericguo
07-09-2008, 12:16
Have you switched on Enable (Firewall, DMZ) on the web form?

If you have already switched it on, customise iptables in post-firewall:


[Eric@WL500g root]$ cat /usr/local/sbin/post-firewall
#!/bin/sh
# Default policy for incoming traffic is DROP, then the first unconditional
# DROP rule in INPUT is deleted so the explicit ACCEPT rules below are reached.
iptables -P INPUT DROP
iptables -D INPUT -j DROP
# Allow SSH and telnet to the router itself.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j ACCEPT
iptables -A INPUT -p udp --dport 23 -j ACCEPT

[Eric@WL500g root]$


Don't forget to save and commit with the flashfs command.

I test my router remotely by linking to my neighbour's wireless network (we are all open systems :D)

jago25_98
08-09-2008, 21:42
[admin@(none) root]$ cat /usr/local/sbin/post-firewall
cat: /usr/local/sbin/post-firewall: No such file or directory
[admin@(none) root]$ uname -a
Linux (none) 2.4.20 #61 Mon Oct 9 21:51:36 MSD 2006 mips unknown
[admin@(none) root]$

Release: 1.9.2.7-7f

darkside40
08-09-2008, 22:32
Seems that you don't have a post-firewall script.
Refer to that post that explains how to set up the script etc.: http://wl500g.info/showthread.php?t=10307

But I have another question: it seems that my iptables drops the settings I made with the script from time to time. Is that normal?

jago25_98
14-09-2008, 11:16
Thanks for the help.

I don't really want to have to use the USB port and a thumb drive. I used to be able to forward ports without all that.

I also can't ping to the ADSL modem on 192.168.1.10 from behind the router (192.168.1.50) on a client like 192.168.101. But I can ping the modem from the router via telnet.

Surely issuing iptables commands on the command line should work?

When I get back from holiday I will install a hub and buy a thumb drive for the USB port so the printer can stay installed, and go the whole hog of installing everything. But I'm not sure it will help.

In the screenshot attached, where are these settings saved?

jago25_98
14-09-2008, 11:30
It would be nice if I could open everything up and redirect everything to everywhere, but alas I can't get it to work even doing this.

I think the problem could be the separate modem to the router. It has a separate IP 192.168.1.10, unlike the router, which is 192.168.1.50.

Could that be why I can't forward ports, because I need to bridge the modem to the router?

If so, how do I get to the modem? Do I really have to unplug it?

edit:

Think I have the solution.

I use a separate PPPoA modem. I think I need to bridge this to the router, and enter my PPPoA username and password on the WL500G router. There doesn't appear to be an option in the web interface for PPPoA, however, nor for selecting the 0:38 UK encapsulation.... hmm...

jago25_98
14-11-2008, 12:43
Going to try this next:

iptables -t nat -A PREROUTING -i <public interface> -p tcp --sport <port> --dport <port> -j DNAT --to-destination <local ip>
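
Combining the post-firewall approach ericguo described above with the nat PREROUTING DNAT rule proposed in this post, here is a complete script as an added example (not from the thread or the WL500g firmware): it forwards public TCP port 8081 to 192.168.1.3, the host and port from the first post. It assumes the WAN interface is eth1, as in the original poster's FORWARD command, and that the firmware provides the `-m state` match shown in the listing above.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware): a complete
# /usr/local/sbin/post-firewall that forwards public TCP port 8081 to the
# LAN host 192.168.1.3, the values the original poster used. WAN_IF=eth1
# is assumed from the poster's own FORWARD command; use ppp0 if the router
# itself dials PPPoA.
WAN_IF="${WAN_IF:-eth1}"

# Print the two rules a port forward needs, one shell command per line.
# 1. nat/PREROUTING DNAT rewrites the destination before routing. Without
#    it a packet for port 8081 is addressed to the router itself, lands in
#    INPUT (where 8081 was closed) and never traverses FORWARD, which is
#    why the FORWARD-only rules in the first post had no effect.
#    No --sport match: the client's source port is ephemeral, so matching
#    it would silently drop nearly every connection.
# 2. filter/FORWARD must accept the rewritten packet. It is inserted at the
#    top (-I) so it runs before the firmware's own DROP rules, whose
#    interface matches `iptables -L` hides unless -v is given.
port_forward_rules() {   # proto public_port lan_ip [lan_port]
    proto=$1; pub=$2; lan=$3; lanport=${4:-$2}
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $pub -j DNAT --to-destination $lan:$lanport"
    echo "iptables -I FORWARD -i $WAN_IF -p $proto -d $lan --dport $lanport -m state --state NEW -j ACCEPT"
}

# Show the DNAT rules that are really loaded. Plain `iptables -L` lists only
# the filter table, so web-interface port forwards (which are nat rules)
# never appear in it; -n stops port 8081 being printed as "tproxy".
show_forwards() {
    iptables -t nat -L PREROUTING -n -v
}

# On the router (root, iptables present) apply the rules; elsewhere just
# print them so the script can be reviewed on a workstation first.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    port_forward_rules tcp 8081 192.168.1.3 | sh -e && show_forwards
else
    port_forward_rules tcp 8081 192.168.1.3
fi
```

Save it with flashfs as ericguo says, then test from outside the LAN: a connection from a LAN client to the router's public address arrives on the LAN interface, so it never matches the `-i eth1` DNAT rule and is answered by the router's own INPUT chain instead of the forward.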

jago25_98
15-11-2008, 15:31
Now Linux clients can connect over wifi but a Windows box can't (it's OK on wired). I can't see anything mentioned in My Computer > Manage > Event Viewer.

It just says `waiting for network`. Another Windows laptop is the same...

iptables PREROUTING didn't work, and I don't know what the modem IP is; it's starred out (***) with traceroute.

I may have to throw away this wl500g and modem and buy something new.