Junior Member
From internal machines, I mean machines on my LAN.Originally Posted by Tamadite
That is how the router itself is doing it. For port forwarding to the router itself, the firmware adds a rule to the VSERVER chain and another rule to the INPUT chain. For forwarding to internal machines, you would probably need a rule to VSERVER and another to FORWARD chain.
I have not tested it out yet. I plan to do this today and post back the results here.
Junior Member
I tried it on the router and it works greatThanks for all the help.
To summarize, if you are port forwarding on the router itself:
1) iptables -t nat -A VSERVER -p tcp --dport <router external port> -j DNAT --to-destination <router internal ip>:<router internal port>
2) iptables -D INPUT -j DROP
3) iptables -A INPUT -p tcp --dport <router internal port> -j ACCEPT
4) iptables -A INPUT -j DROP
If you are forwarding to another pc on the lan:
1) iptables -t nat -A VSERVER -p tcp --dport <router external port> -j DNAT --to-destination <internal pc ip>:<internal pc port>
2) iptables -A FORWARD -p tcp --dport <router external port> -j ACCEPT
You can restrict the scope of the VSERVER rules to the external interface but I have not done that for now. I have all my VSERVERs set up in post-firewall and it is working great.
looks redundant, there's already (if firewall wan->lan is tuned from web-ui):
Code:-A FORWARD -m conntrack --ctstate DNAT -j ACCEPTsame for that. it's automagicaly restricted to the external interfaces.
ASUS WL5xx: FW 1.9.2.7-d-rXXXX / обсуждение прошивки [RU] / firmware discussion [EN] | bip irc proxy
ASUS RT-N1x: FW 1.9.2.7-rtn-rXXXX / обсуждение прошивки [RU] / firmware discussion [EN] | fake ident daemon
Junior Member
Thanks for the info
Posting Permissions
Reply With Quote