Thread: Forward ports - why is it not doing what I ask it??

  1. #1

    Forward ports - why is it not doing what I ask it??

    What on earth is going on here? It's driving me mad now.

    Any settings changed in the web interface do not affect `iptables -L`, including port forwarding, DMZ and firewall.

    Trying to forward ports on the command line doesn't do it either when I actually test the port. How do you test the port without a remote machine anyway? At the moment I'm just trying to connect to the router on the port I'm trying to forward.

    Code:
    j@ethel:~$ nmap my.router
    
    Starting Nmap 4.53 ( http://insecure.org ) at 2008-09-05 18:20 BST
    Interesting ports on my.router (192.168.1.50):
    Not shown: 1708 closed ports
    PORT     STATE SERVICE
    23/tcp   open  telnet
    53/tcp   open  domain
    80/tcp   open  http
    515/tcp  open  printer
    9100/tcp open  jetdirect
    9101/tcp open  jetdirect
    
    Nmap done: 1 IP address (1 host up) scanned in 2.088 seconds
    Code:
    j@ethel:~$ nmap PUBLIC-INTERNET-IP
    
    Starting Nmap 4.53 ( http://insecure.org ) at 2008-09-05 18:21 BST
    Interesting ports on xxxx:
    Not shown: 1709 closed ports
    PORT     STATE    SERVICE
    21/tcp   open     ftp
    22/tcp   open     ssh
    80/tcp   open     http
    1720/tcp filtered H.323/Q.931
    8080/tcp open     http-proxy
    
    Nmap done: 1 IP address (1 host up) scanned in 11.056 seconds
    j@ethel:~$
    Code:
    [admin@(none) root]$ iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    [admin@(none) root]$ iptables -A INPUT -p tcp --dport 8081 -j ACCEPT
    [admin@(none) root]$ iptables -A FORWARD -i eth1 -p tcp --dport 8081:8081 --destination 192.168.1.3 -j ACCEPT
    [admin@(none) root]$ iptables -A FORWARD -i eth1 -p tcp --dport 8081:8081 --destination 192.168.1.3 -j ACCEPT
    [admin@(none) root]$ iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere           state INVALID
    ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere           state NEW
    ACCEPT     all  --  anywhere             anywhere           state NEW
    SECURITY   all  --  anywhere             anywhere           state NEW
    ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:tproxy
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:tproxy
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:tproxy
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere           state INVALID
    ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
    DROP       all  --  anywhere             anywhere
    SECURITY   all  --  anywhere             anywhere           state NEW
    ACCEPT     all  --  anywhere             anywhere           ctstate DNAT
    ACCEPT     tcp  --  anywhere             192.168.1.3        tcp dpt:tproxy
    ACCEPT     tcp  --  anywhere             192.168.1.3        tcp dpt:tproxy
    ACCEPT     tcp  --  anywhere             192.168.1.3        tcp dpt:tproxy
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain MACS (0 references)
    target     prot opt source               destination
    
    Chain SECURITY (2 references)
    target     prot opt source               destination
    RETURN     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
    RETURN     tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
    RETURN     udp  --  anywhere             anywhere           limit: avg 5/sec burst 5
    RETURN     icmp --  anywhere             anywhere           limit: avg 5/sec burst 5
    DROP       all  --  anywhere             anywhere
    
    Chain logaccept (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
    ACCEPT     all  --  anywhere             anywhere
    
    Chain logdrop (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    DROP       all  --  anywhere             anywhere
    [admin@(none) root]$
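A parser for the `iptables -L` listing pasted above, added here as an example (not code from the thread or the WL500g firmware): it splits the output into chains and flags rules appended after a rule that, as printed, matches every packet and ends traversal, which is the pattern in the FORWARD chain above, where the new 192.168.1.3 rules sit after `DROP all -- anywhere anywhere`. Because `-L` hides -i/-o interface matches and resolves 8081 to the service name tproxy, the result is a hint to confirm with `iptables -L -v -n` or `iptables-save`, not proof; the sample text is constructed from the post #1 FORWARD chain.

```python
import re

# Constructed sample: the FORWARD chain as `iptables -L` printed it in post #1.
SAMPLE = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere           state INVALID
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           ctstate DNAT
ACCEPT     tcp  --  anywhere             192.168.1.3        tcp dpt:tproxy
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal of the chain

def parse_chains(text):
    """Map chain name -> list of (target, proto, source, destination, matches)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.startswith("target "):
            continue
        # Columns: target prot opt source destination, then free-form match text.
        parts = line.split(None, 5)
        target, proto, _opt, src, dst = parts[:5]
        matches = parts[5].strip() if len(parts) > 5 else ""
        chains[current].append((target, proto, src, dst, matches))
    return chains

def is_catch_all(rule):
    """True if, as far as `-L` shows, the rule matches every packet and ends traversal."""
    target, proto, src, dst, matches = rule
    return target in TERMINAL and proto == "all" and src == dst == "anywhere" and not matches

def shadowed(chains):
    """chain -> (1-based index of first visible catch-all, indices of rules after it)."""
    report = {}
    for name, rules in chains.items():
        for i, rule in enumerate(rules, 1):
            if is_catch_all(rule):
                report[name] = (i, list(range(i + 1, len(rules) + 1)))
                break
    return report
```

On the sample, rule 1 (`ACCEPT all -- anywhere anywhere`) is reported as the first visible catch-all, so every later rule is flagged; if `-L -v` shows rule 1 is bound to the LAN interface, the next candidate is the `DROP all` at rule 4, which still precedes the 192.168.1.3 rules.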

  2. #2

    Have you switched on Enable on the web form?

    Have you switched on Enable (Firewall, DMZ) on the web form?

    If you have already switched it on, customise iptables in post-firewall:
    Code:
    [Eric@WL500g root]$ cat /usr/local/sbin/post-firewall
    #!/bin/sh
    iptables -P INPUT DROP
    iptables -D INPUT -j DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 23 -j ACCEPT
    iptables -A INPUT -p udp --dport 23 -j ACCEPT
    
    [Eric@WL500g root]$
    Don't forget to save and commit with the command flashfs.

    I test my router remotely by linking to my neighbour's wireless network (we are all open systems).

  3. #3
    Code:
    [admin@(none) root]$ cat /usr/local/sbin/post-firewall
    cat: /usr/local/sbin/post-firewall: No such file or directory
    [admin@(none) root]$ uname -a
    Linux (none) 2.4.20 #61 Mon Oct 9 21:51:36 MSD 2006 mips unknown
    [admin@(none) root]$
    Release: 1.9.2.7-7f

  4. #4
    Seems that you don't have a post-firewall script.
    Refer to this post, which explains how to set up the script etc.: http://wl500g.info/showthread.php?t=10307

    But I have another question: it seems that my iptables drops the settings I made with the script from time to time. Is that normal?

  5. #5
    Thanks for the help.

    I don't really want to have to use the USB port and a thumb drive. I used to be able to forward ports without all that.

    I also can't ping the ADSL modem on 192.168.1.10 from behind the router (192.168.1.50) on a client like 192.168.101. But I can ping the modem from the router via telnet.

    Surely issuing iptables commands on the command line should work?

    When I get back from holiday I will install a hub and buy a thumb drive for the USB port so the printer can stay installed, and go the whole hog of installing everything. But I'm not sure it will help.

    In the screenshot attached, where are these settings saved?

  6. #6
    It would be nice if I could open everything up and redirect everything to everywhere, but alas I can't get it to work even doing this.

    I think the problem could be the separate modem to the router. It has a separate IP 192.168.1.10, unlike the router, which is 192.168.1.50.

    Could that be why I can't forward ports, because I need to bridge the modem to the router?

    If so, how do I get to the modem? Do I really have to unplug it?

    edit::

    Think I have the solution.

    I use a separate PPPOA modem. I think I need to bridge this to the router, and enter my PPPOA username and password on the WL500G router. There doesn't appear to be an option in the web interface for PPPOA however and selection of 0:38 UK encapsulation.... hmm...
    Last edited by jago25_98; 14-09-2008 at 11:51.

  7. #7
    Going to try
    Code:
    iptables -t nat -A PREROUTING -i <public interface> -p tcp --sport <port> --dport <port> -j DNAT --to-destination <local ip>
    next

  8. #8
    Now Linux clients can connect over wifi but a Windows box can't (it's ok on wired). I can't see anything mentioned in My Computer > Manage > Event Viewer.

    It just says `waiting for network`. Another windows laptop is the same...

    The iptables PREROUTING rule didn't work, and I don't know what the modem IP is; it's starred out (***) with traceroute.

    I may have to throw away this wl500g and modem and buy something new.
