Posted: Thu Mar 16, 2017 19:17 Post subject: Port forwarding to VLAN
Hey,
I am currently running ASUS RT-N66U on DD-WRT v24-sp2 (05/27/13) mega with the following firewall configuration:
iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.3.0/24 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.9.0/24 -j DROP
iptables -I FORWARD -s 192.168.3.0/24 -d 192.168.1.0/24 -j DROP
iptables -I FORWARD -s 192.168.3.0/24 -d 192.168.9.0/24 -j DROP
iptables -I FORWARD -s 192.168.9.0/24 -d 192.168.1.0/24 -j DROP
iptables -I FORWARD -s 192.168.9.0/24 -d 192.168.3.0/24 -j DROP
iptables -I INPUT -p tcp -s ! 192.168.3.0/24 --dport 22 -j DROP
iptables -I INPUT -p tcp -s ! 192.168.3.0/24 --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 53 -j DROP
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i vlan3 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan9 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
I am trying to externally forward port 2222 to 192.168.3.123:22. I have confirmed that I am capable of routing to 192.168.3.123:22 from the router without any issues, however, when I attempt to add the forwarding rule via the GUI or via iptables I am having issues. Please let me know if you require any additional details to help troubleshooting. Thanks in advance.
Try disabling NAT loopback (or what dd-wrt calls "Filter WAN NAT Redirection" in the Security->Firewall page, unchecked = enabled). See if things improve.
This was unchecked, and I checked the box and port 2222 is still filtered externally facing. Here is the new firewall configuration that I've tried with the box both unchecked and checked:
Code:
iptables -A PREROUTING -p tcp -m tcp -d `nvram get wan_ipaddr` --dport 2222 -j DNAT --to-destination 192.168.3.123:22
iptables -A FORWARD -m state -p tcp -d 192.168.3.123 --dport 22 --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -p tcp -m tcp -s 192.168.3.123 --sport 22 -j SNAT --to-source `nvram get wan_ipaddr`
iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.3.0/24 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.9.0/24 -j DROP
iptables -I FORWARD -s 192.168.3.0/24 -d 192.168.1.0/24 -j DROP
iptables -I FORWARD -s 192.168.3.0/24 -d 192.168.9.0/24 -j DROP
iptables -I FORWARD -s 192.168.9.0/24 -d 192.168.1.0/24 -j DROP
iptables -I FORWARD -s 192.168.9.0/24 -d 192.168.3.0/24 -j DROP
iptables -I INPUT -p tcp -s ! 192.168.3.0/24 --dport 22 -j DROP
iptables -I INPUT -p tcp -s ! 192.168.3.0/24 --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 53 -j DROP
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i vlan3 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan9 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Code:
root@neo:~# iptables -L -vt nat
Chain PREROUTING (policy ACCEPT 139 packets, 30177 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any any anywhere EXTERNAL_HOSTNAME tcp dpt:ssh to:192.168.1.1:22
0 0 DNAT icmp -- any any anywhere EXTERNAL_HOSTNAME to:192.168.1.1
22 2415 TRIGGER 0 -- any any anywhere EXTERNAL_HOSTNAME TRIGGER type:dnat match:0 relate:0
Chain INPUT (policy ACCEPT 1589 packets, 112K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 39 packets, 3038 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 15 packets, 4770 bytes)
pkts bytes target prot opt in out source destination
67 17933 SNAT 0 -- any vlan2 anywhere anywhere to:EXTERNAL_IP_ADDRESS
1 1500 SNAT 0 -- any vlan2 192.168.1.0/24 anywhere to:EXTERNAL_IP_ADDRESS
0 0 SNAT 0 -- any vlan2 192.168.3.0/24 anywhere to:EXTERNAL_IP_ADDRESS
0 0 SNAT 0 -- any vlan2 192.168.9.0/24 anywhere to:EXTERNAL_IP_ADDRESS
0 0 SNAT tcp -- any any 192.168.3.123 anywhere tcp spt:ssh to:EXTERNAL_IP_ADDRESS
root@neo:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:domain
DROP tcp -- !192.168.3.0/24 anywhere tcp dpt:www
DROP tcp -- !192.168.3.0/24 anywhere tcp dpt:ssh
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
ACCEPT ipv6 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere neo.leo.net tcp dpt:ssh
DROP icmp -- anywhere anywhere
DROP igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
ACCEPT 0 -- anywhere anywhere state NEW
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
DROP 0 -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT 0 -- anywhere anywhere state NEW
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- 192.168.9.0/24 192.168.3.0/24
DROP 0 -- 192.168.9.0/24 192.168.1.0/24
DROP 0 -- 192.168.3.0/24 192.168.9.0/24
DROP 0 -- 192.168.3.0/24 192.168.1.0/24
DROP 0 -- 192.168.1.0/24 192.168.9.0/24
DROP 0 -- 192.168.1.0/24 192.168.3.0/24
ACCEPT gre -- 192.168.1.0/24 anywhere
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:1723
lan2wan 0 -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.3.123 state NEW,RELATED,ESTABLISHED tcp dpt:ssh
This is the danger in appending (-A) rules rather than inserting (-I) them. Since the last rule in the FORWARD table is an unconditional DROP, your forwarding rule for the port forward is unreachable.
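The rule-ordering point made above, as an added illustration (not code from the thread): a small first-match model of the FORWARD chain, using the thread's addresses, that shows the appended ACCEPT shadowed by the trailing unconditional DROP, the same rule reached when inserted at the top, and a caveat an inserted rule brings with it: it also sits above the VLAN isolation DROPs, so matching the WAN interface (vlan2 in the thread's listing, `get_wanface` in its script) keeps 192.168.1.0/24 hosts from reaching 192.168.3.123:22 through the port forward. The WAN client address, the br0 LAN bridge name and the packet dictionaries are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    target: str                  # ACCEPT or DROP; both terminate chain evaluation
    src: Optional[str] = None    # CIDR; None means "anywhere"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_if: Optional[str] = None  # -i <iface>; None means any interface

    def matches(self, pkt: dict) -> bool:
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return self.in_if is None or pkt.get("in_if") == self.in_if

    def unconditional(self) -> bool:
        return all(v is None for v in (self.src, self.dst, self.proto, self.dport, self.in_if))

def evaluate(chain: List[Rule], pkt: dict, policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in netfilter; the policy applies only if none match."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def shadowed(chain: List[Rule]) -> List[int]:
    """1-based positions (as printed by iptables -L --line-numbers) that can never
    be reached because an earlier unconditional rule already terminated the chain."""
    return [i + 1 for i in range(len(chain)) if any(p.unconditional() for p in chain[:i])]

# Reduced FORWARD chain from the thread: VLAN isolation DROPs, then DD-WRT's trailing catch-all DROP.
BASE = [Rule("DROP", src="192.168.1.0/24", dst="192.168.3.0/24"),
        Rule("DROP", src="192.168.3.0/24", dst="192.168.1.0/24"),
        Rule("DROP")]
FWD = Rule("ACCEPT", dst="192.168.3.123/32", proto="tcp", dport=22)
FWD_WAN_ONLY = Rule("ACCEPT", dst="192.168.3.123/32", proto="tcp", dport=22, in_if="vlan2")
# Constructed sample packets: 203.0.113.7 is a documentation address; vlan2 is the WAN
# interface seen in the thread's listing, br0 as the LAN bridge is an assumption.
WAN_SSH = {"src": "203.0.113.7", "dst": "192.168.3.123", "proto": "tcp", "dport": 22, "in_if": "vlan2"}
LAN_SSH = {"src": "192.168.1.50", "dst": "192.168.3.123", "proto": "tcp", "dport": 22, "in_if": "br0"}

def appended() -> str: return evaluate(BASE + [FWD], WAN_SSH)          # DROP: rule 4 is shadowed
def inserted() -> str: return evaluate([FWD] + BASE, WAN_SSH)          # ACCEPT
def inserted_lan() -> str: return evaluate([FWD] + BASE, LAN_SSH)      # ACCEPT: VLAN isolation bypassed
def inserted_wan_only_lan() -> str: return evaluate([FWD_WAN_ONLY] + BASE, LAN_SSH)  # DROP
```

Feeding the full FORWARD chain from the listing to `shadowed()` would flag every rule below the unconditional DROP, which is the quickest way to spot this class of mistake before testing from outside.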
Awesome, learned something new, thank you very much for the very prompt help!