
Thread: Nightmare with virtual server

  1. #1

    Nightmare with virtual server

    I have flashed r2844 to the router and am having one hell of a time trying to get virtual servers to work. I am trying to forward ports from the router to internal machines (ssh, vnc to name a couple). For example, public_ip:37237 to internal_ip:5900. I need about 10 "virtual servers".

    Is there anything beyond filling in the various textboxes on the Virtual Server webpage?

    I have also played around with iptables with PREROUTING chain, but have not succeeded. It seems the router is not forwarding at all.

    Can someone please help?

  2. #2
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Something like this:
    Code:
    #!/bin/sh
    # WAN interface name as stored by the firmware in nvram
    WANIF=$(nvram get wan_ifname)
    
    # Remove the final firewall rule (the DROP policy) so rules added below
    # end up in front of it
    iptables -D INPUT -j DROP
    
    # DNAT: public port 80 on the WAN interface -> 192.168.1.110 port 8080
    iptables -t nat -A PREROUTING -i "${WANIF}" -p tcp --dport 80 -j DNAT --to-destination 192.168.1.110:8080
    
    # Re-establish the INPUT chain policy
    iptables -A INPUT -j DROP
    My basic post-firewall layout.
    WANIF is automatically set to your WAN network interface.
    This rule forwards port 80 to port 8080 on the computer with IP 192.168.1.110.

  3. #3
    Thanks for your reply. So I do not need any FORWARD or INPUT chain rules? I will try it out on the router.

    What if I want to forward a port to another port on the router itself? For example, forward port 33425 to port 22 on the router itself (I do not want to open port 22 itself to the outside). Will I need some other rules in this case?

  4. #4
    Join Date
    Dec 2007
    Location
    The Netherlands - Eindhoven
    Posts
    1,767
    Quote Originally Posted by Khurram
    Thanks for your reply. So I do not need any FORWARD or INPUT chain rules? I will try it out on the router.

    What if I want to forward a port to another port on the router itself? For example, forward port 33425 to port 22 on the router itself (I do not want to open port 22 itself to the outside). Will I need some other rules in this case?
    It should work like this; the other chains have already been made:
    iptables -L
    You could use the same command, just use the LAN IP of the router as the endpoint.

    If you want to open a port in the regular way, just use:
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    or something like that.

  5. #5
    Join Date
    Nov 2004
    Location
    Sweden
    Posts
    259
    Quote Originally Posted by Khurram
    I have flashed r2844 to the router and am having one hell of a time trying to get virtual servers to work. I am trying to forward ports from the router to internal machines (ssh, vnc to name a couple). For example, public_ip:37237 to internal_ip:5900. I need about 10 "virtual servers".

    Is there anything beyond filling in the various textboxes on the Virtual Server webpage?

    I have also played around with iptables with PREROUTING chain, but have not succeeded. It seems the router is not forwarding at all.

    Can someone please help?
    What do you call "internal machines"? Servers on the router or servers on the LAN?

    If servers on the router then WPTE hint is enough. If servers on the LAN then you need to use the FORWARD chain.

  6. #6

  7. #7
    Quote Originally Posted by Tamadite
    What do you call "internal machines"? Servers on the router or servers on the LAN?

    If servers on the router then WPTE hint is enough. If servers on the LAN then you need to use the FORWARD chain.
    By "internal machines" I mean machines on my LAN.

    Quote Originally Posted by theMIROn
    Why not use the VSERVER chain? It's used for new connections from the WAN side.
    That is how the router itself is doing it. For port forwarding to the router itself, the firmware adds a rule to the VSERVER chain and another rule to the INPUT chain. For forwarding to internal machines, you would probably need a rule in VSERVER and another in the FORWARD chain.

    I have not tested it out yet. I plan to do this today and post back the results here.

  8. #8
    I tried it on the router and it works great. Thanks for all the help.

    To summarize, if you are port forwarding to the router itself:

    1) iptables -t nat -A VSERVER -p tcp --dport <router external port> -j DNAT --to-destination <router internal ip>:<router internal port>
    2) iptables -D INPUT -j DROP
    3) iptables -A INPUT -p tcp --dport <router internal port> -j ACCEPT
    4) iptables -A INPUT -j DROP

    If you are forwarding to another PC on the LAN:

    1) iptables -t nat -A VSERVER -p tcp --dport <router external port> -j DNAT --to-destination <internal pc ip>:<internal pc port>
    2) iptables -A FORWARD -p tcp --dport <router external port> -j ACCEPT

    You can restrict the scope of the VSERVER rules to the external interface, but I have not done that for now. I have all my VSERVERs set up in post-firewall and it is working great.

  9. #9
    Quote Originally Posted by Khurram
    If you are forwarding to another PC on the LAN:
    ...
    2) iptables -A FORWARD -p tcp --dport <router external port> -j ACCEPT
    Looks redundant; there's already (if the firewall WAN->LAN is tuned from the web UI):
    Code:
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    Quote Originally Posted by Khurram
    You can restrict the scope of the VSERVER rules to the external interface, but I have not done that for now.
    Same for that. It's automagically restricted to the external interfaces.

  10. #10
    Quote Originally Posted by theMIROn
    Looks redundant; there's already (if the firewall WAN->LAN is tuned from the web UI):
    Code:
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

    Same for that. It's automagically restricted to the external interfaces.
    Thanks for the info.
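A post-firewall script that puts the summary in post #8 together with the corrections in post #9, as an added example; it is not code from the thread or from the firmware. It assumes an Oleg-style firmware with the nvram key wan_ifname (shown in post #2), the nvram key lan_ipaddr (an assumption), and a VSERVER chain in the nat table. The function names, the IPTABLES=echo preview mode and the fallback interface/address values are constructed for this example. Two design choices: forwarding to a LAN host adds only the VSERVER rule, because post #9 shows the firmware's existing conntrack DNAT rule in FORWARD already accepts the translated connection; and for the router-itself case the INPUT rule matches `--ctstate DNAT`, so the internal port (22 in post #3) is reachable only through the redirected public port rather than being accepted directly from the WAN as step 3 of post #8 does. Arguments are validated before any rule is built, so a typo in a port or address fails loudly instead of producing a rule that silently forwards nothing.

```shell
#!/bin/sh
# Added example (not the firmware's or the thread's own code): a post-firewall
# script for the two cases summarised in this thread. Assumes an Oleg-style
# firmware with the nvram keys wan_ifname / lan_ipaddr (lan_ipaddr is an
# assumption) and a VSERVER chain in the nat table.
# Set IPTABLES=echo to preview the rules instead of installing them.

IPTABLES="${IPTABLES:-iptables}"

# Interface and address facts come from nvram on the router; the fallbacks
# are constructed placeholders so the script can be previewed elsewhere.
if command -v nvram >/dev/null 2>&1; then
    WANIF=$(nvram get wan_ifname)
    LANIP=$(nvram get lan_ipaddr)
fi
WANIF="${WANIF:-eth1}"
LANIP="${LANIP:-192.168.1.1}"

# Returns 0 if $1 is an integer port in 1..65535, 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Returns 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    _ifs=$IFS
    IFS=.
    set -f
    set -- $1
    set +f
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}

# Forward WAN port $2 (protocol $1) to LAN host $3, port $4.
# Only the VSERVER DNAT is needed: the firmware's own
# "-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT" rule lets the
# translated connection through, so no extra FORWARD rule is added.
# "-i $WANIF" is belt and braces; post #9 says VSERVER is already WAN-only.
fwd_to_lan() {
    valid_port "$2" && valid_ipv4 "$3" && valid_port "$4" || {
        echo "fwd_to_lan: bad argument(s): $*" >&2
        return 1
    }
    $IPTABLES -t nat -A VSERVER -i "$WANIF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
}

# Redirect WAN port $2 (protocol $1) to port $3 on the router itself.
# The INPUT rule accepts only packets whose connection was DNATed, so the
# real port (22 in the thread) is still not reachable directly from the WAN.
# Inserting at the head of INPUT avoids deleting and re-adding the final DROP.
fwd_to_router() {
    valid_port "$2" && valid_port "$3" || {
        echo "fwd_to_router: bad argument(s): $*" >&2
        return 1
    }
    $IPTABLES -t nat -A VSERVER -i "$WANIF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$LANIP:$3" &&
    $IPTABLES -I INPUT -i "$WANIF" -p "$1" --dport "$3" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

# The thread's two examples: VNC on a LAN host, and the router's own ssh
# behind a non-standard public port.
apply_thread_examples() {
    fwd_to_lan tcp 37237 192.168.1.110 5900 &&
    fwd_to_router tcp 33425 22
}

# "apply" installs the rules; "preview" only prints the iptables commands.
case "${1:-}" in
    apply)   apply_thread_examples ;;
    preview) IPTABLES=echo; apply_thread_examples ;;
esac
```

Run it as `sh post-firewall preview` on any machine to see the exact rules before copying the script to the router's post-firewall; on the router, `sh post-firewall apply` installs them. Adding the tenth "virtual server" from post #1 is one more `fwd_to_lan` line in apply_thread_examples.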
