Configure portmapping to other port
BigOooze
20-09-2004, 22:44
Hi,
How do I proceed in mapping an internet facing port 5080 to port 80 of another server in my LAN ?
I have spent hours on Google, on this and other forums, but can't find any clue...
The set-up: my server (100.100.100.110) runs a webserver on port 80, I want to access it via the internet facing address of my WL500G router (e.g. 81.83.48.01).
I tried via the virtual server page, but problem is that I can't specify the destination port...
example: "100.100.100.110 5080 TCP/UDP Webserver"
I'm running a standard WL500G router, in Home Gateway mode, firmware 1.6.5.3.
Thanks,
Stef
Oh, come on, can't you read or are you just lazy :confused:
BigOooze
20-09-2004, 23:04
... but maybe a bit stupid ;-)
I really can't figure it out...
Can you help this poor man ?
Big O
Ok, so you've done some homework, good. I restored your topic.
First: Upgrade to firmware 1.7.5.9 preferably CR5, the firmware you're using now is old and buggy.
Second: After upgrading, reset to factory defaults and reconfigure the router.
Third: Configure the port forwarding using Virtual Server. Read the manual on how to set up that one. Note that the external port (5080) is the same port on the 'virtual server', so configure your webserver to run on port 5080 as well.
I hope this helps...
I don't think that will help him, as he explicitly asked how to redirect the external port 5080 to the internal port 80.
BigOooze
06-10-2004, 18:30
Sorry, I might not have been detailed enough.
Lexi is right; my problem is that the *internal* port (80) cannot be put the same as the *external* port (5080)... It is a black-boxed device with a fixed port 80.
Is there really no way to set it up like this:
81.83.48.01:5080 ----> [router] ----> 100.100.100.110:80 ?
re: the firmware upgrade ("1.7.5.9 preferably CR5"), does it only fix stability issues or also portmapping-related issues ?
Thanks a lot Styno & Lexi
I really don't know if this is possible using the web-interface, but you can simply issue the following command (via telnet or ssh):
iptables -t nat -A PREROUTING -i ppp0 -d 81.83.48.01 -p tcp --dport 5080 -j DNAT --to-destination 100.100.100.110:80 (assuming you are connected to the internet on ppp0)
If this works, add it to your /usr/local/init/post-firewall (or post-boot) script.
I concur with wtzm. His option will do. If you upgrade to 1.7.5.9 CR5 then you'll have:
-telnet
-flashfs-boot
-post-boot scripts
-vi
-Lots of bugs fixed
which will make it easier to implement wtzm's solution.
BigOooze
04-11-2004, 10:07
Hi,
thanks all for the tips. I've finally found time to upgrade the firmware to 1.8.1.7, and I must say, it works nicely (I especially like the telnet service).
Now, to come back to my problem of mapping an "outside" port 5080 to an "inside" port 80 on one of the machines in my LAN: I can't get it to work...
I want to connect to my router's WAN address (via dyndns.org) on port 5080 and have all (HTTP) traffic redirected to 100.100.100.110 port 80. Note: For technical reasons, I cannot change the port 80 into something else.
Here's what I tried:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5080 -j DNAT --to 100.100.100.110:80
iptables -A FORWARD -d 100.100.100.10 -p tcp --dport 5080 -j ACCEPT
What am I doing wrong here ?
Check the entire iptables state to see if your rules are in effect.
BigOooze
04-11-2004, 10:20
Oleg,
thanks for your quick reply !!
Here's what I did:
[admin@telenetPC root]$ iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5080 -j DNAT --to 100.100.100.110:80
[admin@telenetPC root]$ iptables -A FORWARD -d 100.100.100.110 -p tcp --dport 5080 -j ACCEPT
Here's the check:
[admin@telenetPC root]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 81.83.48.26 tcp dpt:5631 to:100.100.100.100
DNAT udp -- 0.0.0.0/0 81.83.48.26 udp dpt:5631 to:100.100.100.100
DNAT tcp -- 0.0.0.0/0 81.83.48.26 tcp dpt:5632 to:100.100.100.100
DNAT udp -- 0.0.0.0/0 81.83.48.26 udp dpt:5632 to:100.100.100.100
DNAT tcp -- 0.0.0.0/0 81.83.48.26 tcp dpt:5800 to:100.100.100.100
DNAT udp -- 0.0.0.0/0 81.83.48.26 udp dpt:5800 to:100.100.100.100
DNAT tcp -- 0.0.0.0/0 81.83.48.26 tcp dpt:5900 to:100.100.100.100
DNAT udp -- 0.0.0.0/0 81.83.48.26 udp dpt:5900 to:100.100.100.100
NETMAP udp -- 0.0.0.0/0 81.83.48.26 udp spt:6112 100.100.100.0/24
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5080 to:100.100.100.110:80
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
NETMAP udp -- 100.100.100.0/24 0.0.0.0/0 udp dpt:6112 81.83.48.26/32
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE all -- 100.100.100.0/24 100.100.100.0/24
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[admin@telenetPC root]$ iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 100.100.100.17 tcp dpt:7573
ACCEPT udp -- 0.0.0.0/0 100.100.100.17 udp dpt:11634
ACCEPT tcp -- 0.0.0.0/0 100.100.100.214 tcp dpt:7730
ACCEPT udp -- 0.0.0.0/0 100.100.100.214 udp dpt:15308
ACCEPT tcp -- 0.0.0.0/0 100.100.100.10 tcp dpt:5080
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[admin@telenetPC root]$
[admin@telenetPC root]$ iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 100.100.100.214 udp dpt:13675
ACCEPT tcp -- 0.0.0.0/0 100.100.100.110 tcp dpt:5080
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Well, yet another question - have you used the external address to connect to this server (I mean access from the WAN, not the LAN)?
BigOooze
04-11-2004, 10:29
Yes, I used the dyndns.org address:
http://blabla.dyndns.org:5080
btw, the dyndns.org address works just fine because I am now using it to VNC and PCAnywhere into another box behind the router.
Thanks,
BigO
BigOooze
09-11-2004, 21:27
Oleg,
Sorry, I have not been very clear apparently. Mea culpa.
The wl-500g router I've been talking about is located at another physical location outside my LAN.
This is the set-up:
[my PC]--[router]----(internet)----[wl-500g]---[webserver port 80]
+--[file server port 5631,5632]
The file server is accessible over the internet via PCAnywhere and VNC, *through* the router, so the wl-500g is working just fine (at least for same port to same port mapping...)
So I have tested this indeed from the internet.
Big O.
Works fine for me (but I've disabled local firewall on the PC, otherwise it blocks external traffic):
[root@wl500g root]$ iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 431 packets, 31992 bytes)
pkts bytes target prot opt in out source destination
3 180 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.4:3389
Chain POSTROUTING (policy ACCEPT 4097 packets, 246K bytes)
pkts bytes target prot opt in out source destination
314 18385 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
84 16982 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24
Chain OUTPUT (policy ACCEPT 4206 packets, 264K bytes)
pkts bytes target prot opt in out source destination
[root@wl500g root]$ iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 16612 packets, 11M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
557 32224 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 tcpmss match 1453:65535 TCPMSS set 1452
223 12744 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
73 2920 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8
2 112 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.4 tcp dpt:3389
Also, looks like ACCEPT in the FORWARD chain is not needed at all.
BigOooze
10-11-2004, 15:41
Oleg,
can you send me the iptables command(s) to enter via telnet? I must be overlooking something really stupid...
I would like to map WAN address port 5080 to LAN address 100.100.100.110:80
Many thanks,
Big O
BigOooze
09-12-2004, 08:51
Hi,
I finally managed to upgrade the firmware to the last version available (1.8.1.7-3 from http://wl500g.dyndns.org). So far the good news. The bad news is that the port redirection *still* doesn't work...
I've rebooted the router after the upgrade, and ran the following command:
iptables -t nat -A PREROUTING -i any -p udp --dport 5080 -j DNAT --to-destination 100.100.100.110:80
iptables -t nat -A PREROUTING -i any -p tcp --dport 5080 -j DNAT --to-destination 100.100.100.110:80
The result:
#iptables -vL -t nat:
0 0 DNAT udp -- any any anywhere d5153301A.kabel.telenet.be udp dpt:64523 to:100.100.100.100
0 0 DNAT tcp -- ppp0 any anywhere anywhere tcp dpt:5080 to:100.100.100.110:80
0 0 DNAT udp -- ppp0 any anywhere anywhere udp dpt:5080 to:100.100.100.110:80
Remember, I'm trying to connect to a webdevice on my LAN with internal ip 100.100.100.110 running on port 80 (cannot change this port), and this via the wl500g router. The WAN port should be 5080.
PS: I can connect from the router to this device without a problem: ("telnet 100.100.100.110 80" and then "GET"...)
Try telnetting from the outside and check that the counters to the left of the DNAT word are increasing. If they're not, then probably your ISP blocks this traffic.
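Oleg's counter check can be scripted. The following is an added example, not code from the thread or from the wl500g firmware: it parses a `iptables -vnL -t nat` listing in the layout quoted above (including a rule whose match fields were wrapped onto the next line), extracts the packet counter of the PREROUTING DNAT rule for a given --dport, and compares two snapshots taken around an external connection attempt. The sample listings are constructed.

```python
import re

# Constructed sample in the layout of `iptables -vnL -t nat` quoted in the
# thread; the forum wrapped a rule's match fields onto the following line.
SNAPSHOT_BEFORE = """\
Chain PREROUTING (policy ACCEPT 431 packets, 31992 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5080 to:100.100.100.110:80
Chain POSTROUTING (policy ACCEPT 4097 packets, 246K bytes)
 pkts bytes target prot opt in out source destination
  314 18385 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
"""
# Same listing after one external connection attempt hit the DNAT rule.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("    0     0 DNAT", "    3   180 DNAT")

# pkts, bytes (may carry a K/M/G suffix), target, prot
RULE_RE = re.compile(r"^(\d+)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)")

def parse_nat_rules(listing):
    """Return [(chain, target, pkts, rule_text)], re-joining wrapped lines."""
    rules, chain = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts "):
            continue                      # blank or column-header line
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append([chain, m.group(3), int(m.group(1)), line])
        elif rules:
            rules[-1][3] += " " + line    # wrapped match fields
    return [tuple(r) for r in rules]

def dnat_counter(listing, dport):
    """Packet counter of the PREROUTING DNAT rule for --dport, else None."""
    needle = re.compile(r"dpt:%d(\s|$)" % dport)
    for chain, target, pkts, text in parse_nat_rules(listing):
        if chain == "PREROUTING" and target == "DNAT" and needle.search(text):
            return pkts
    return None

def rule_is_hit(before, after, dport):
    """Oleg's check: True when the counter grew between two snapshots."""
    a, b = dnat_counter(before, dport), dnat_counter(after, dport)
    return a is not None and b is not None and b > a
```

A counter that stays at zero while the rule is listed means the packets never reached the router (or arrived on another interface), which is a different problem from a mistyped rule.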
BigOooze
09-12-2004, 16:58
Oleg,
(sigh) I got it working... :)
Problem was the missing "-d" parameter in the iptables command :eek:
This caused an "anywhere" as destination rather than the WAN address of the router.
WRONG
iptables -t nat -A PREROUTING -i any -p tcp --dport 7070 -j DNAT --to-destination 100.100.100.1:80
>>> 0 0 DNAT tcp -- any any anywhere anywhere tcp dpt:5080 to:100.100.100.100:80
RIGHT
iptables -t nat -A PREROUTING -d 81.83.48.26 -p tcp --dport 6060 -j DNAT --to-destination 100.100.100.110:80
>>> 0 0 DNAT tcp -- any any anywhere abc123.telenet.be tcp dpt:6060 to:100.100.100.110:80
I'm happy that it works now, but all I need to do now is make sure that the iptables rules are saved so they survive a router reset. How do I do this ?
Q1: Can I put a parameter instead of the WAN IP address (router has dynamic IP)
A?: is this the $2 parameter (WAN_IP) ?
Q2: How do I save the settings ?
Is the following correct ?
# mkdir -p /usr/local/init
# touch post-firewall
# vi /usr/local/init/post-firewall
and type:
iptables -t nat -A PREROUTING -d $2 -p tcp --dport 6060 -j DNAT --to-destination 100.100.100.110:80
# chmod +x /usr/local/init/post-firewall
Do I need to change something else ? (the boot process ? using flashfs ?) Please explain.
Q3: How do I remove rules from iptables (e.g. the old test ones) (except via a reboot of course :cool:)
Oleg, many thanks again !
BigOoze
Well, -d should not be a problem. It works with no -d for me.
A1: Yes
A2: the layout is changed since 1.8.1.7-1:
mkdir -p /usr/local/sbin/
echo "#!/bin/sh" >> /usr/local/sbin/post-firewall
echo "iptables -t nat -A PREROUTING -d \$2 -p tcp --dport 6060 -j DNAT --to-destination 100.100.100.110:80" >> /usr/local/sbin/post-firewall
chmod +x /usr/local/sbin/post-firewall
flashfs save && flashfs commit && flashfs enable
A3:
use -D instead of -A in the iptables command, i.e. type
iptables -t nat -D PREROUTING -d x.y.z.w -p tcp --dport 6060 -j DNAT --to-destination 100.100.100.110:80