[uranux]

Hi there, I've been trying to forward a group of ports (21, 80, 443, etc) on my router, using the "NAT/QoS Port Forwarding" interface.

In fact, I had it working perfectly for some years, but one day, out of nowhere, it stoped working. So, after strugling for a while, I decided to upgrade the firmware (from v3.0-r46329 std to v3.0-r54682 std) I was using, but even so, I could not connect to these ports again anymore.


Firmware: DD-WRT v3.0-r54682 (01/02/24)
Router: TP-Link ARCHER-C7 v5

Settings under NAT/QoS > Port forwarding
Application: HTTP
Protocol: TCP
Source net:
Port from: 80
IP address: 192.168.1.XXX
Port to: 80
Enable: Y

I have also connected to the router using ssh and the dump of the command
"iptables -vnL FORWARD" is attached.

Any help with this would be greatly appreciated. Thanks!

[ho1Aetoo]

The output of the PREROUTING and FORWARD chain is required

iptables -t nat -vnL
iptables -vnL

However, your FORWARD chain shows that packets are arriving - so it works.

Also, don't mask private IP addresses - you know they are private?

[egc]

Redacting RFC1918 addresses is not only useless , as they are private, but it makes it difficult to give the best possible support.

Assuming you did not allow remote administration (please show iptables -vnL -t nat) it looks like the port forwarding is working you can see the rules being hit.

Maybe nobody is home on the IP address you are forwarding too?

[uranux]

Hi ho1Aetoo,
Thanks for answering.

Output of the commands are:
(1)

[kernel-panic69]

I edited your post(s) to make them more readable and to redact your public IP for security reasons. If you know that the IP address is public and wish to redact it, that is fine and good practice.

[uranux]

Hi egc,

Thanks for answering.

Redacting RFC1918 addresses is not only useless, as they are private, but it makes it difficult to give the best possible support.
-> I must confess I do not understand what you mean here.

Assuming you did not allow remote administration (please show iptables -vnL -t nat) it looks like the port forwarding is working you can see the rules being hit.
-> command output:

[ho1Aetoo]

And what should we do with it? These are definitely not the iptables rules of your dd-wrt router

You should run the command on your router and not on any other device.

[uranux]

Hi ho1Aetoo,

Thanks once more. My mistake, I executed the iptables command at another host.
I have edited the previous posts correcting it.

Thank you very much for your patience!

[kernel-panic69]

The redacted address is 177.*.*.* and is public, hence my edit to the post. This may have been confusion on @uranux' part, but that was the IP range he posted and I connected it with the redacted screenshot, which probably actually showed the 192.168.1.199 address. Either way, no public IP addresses should be posted for the sake of keeping everyone honest. Sorry for your gears getting ground smooth over trivial mistakes.

[ho1Aetoo]

@uranux

According to the table it works, packets arrive on ports 80,443,21 and are also forwarded

Are you testing the ports from an external host or from an internal one?

You can only test this with real certainty from an external host and if packets arrive there, it is most likely due to the destination system whose ports are closed or that the firewall does not allow access from the WAN.

[uranux]

Thank you kernel-panic69!

I have edit my post and replaced the real ip address with 177.x.x.x.

[uranux]

Hi ho1Aetoo,

Are you testing the ports from an external host or from an internal one?
-> From an internal host, it works
[guest@internal-host]# telnet 177.X.X.X 21
Trying 177.X.X.X...
Connected to 177.X.X.X.
Escape character is '^]'.
220 FTP Server ready.

But not from a VPS
[guest@external-host]# telnet 177.X.X.X 21
Trying 177.X.X.X...
telnet: connect to address 177.X.X.X: Connection timed out

Thank you very much.

[ho1Aetoo]

Restart the router/firewall and then try to connect through your VPS only.

Then check the PREROUTING table on your router to see if packets are arriving.

Chain PREROUTING (policy ACCEPT 7916 packets, 1493K bytes)
pkts bytes target prot opt in out source destination
101 5609 DNAT tcp -- * * 0.0.0.0/0 177.x.x.x tcp dpt:80 to:192.168.1.199:80
22 1068 DNAT tcp -- * * 0.0.0.0/0 177.x.x.x tcp dpt:443 to:192.168.1.199:443
7 316 DNAT tcp -- * * 0.0.0.0/0 177.x.x.x tcp dpt:21 to:192.168.1.199:21

If no packets arrive there and 0 is displayed, this is probably due to your Internet provider, which may be using CGNAT and therefore no port forwarding is possible

[uranux]

Hi ho1Aetoo,

Thank you once more.

It realy looks like everything is fine, but still no connection is done from VPS host.

As you mentioned, I also believe the problem may be due to any kind of rules changed by my ISP. However, I wanted to check if it could be caused by any other problem with the configuration of my router or even a hardware issue.

As I said on the first post, I have been using Port Forward with DD-WRT for many years without problems. I will try to solve it hiring another ISP.

Thank you very much for your help.

root@aguia:~# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT icmp -- 0.0.0.0/0 177.X.X.X to:192.168.1.1
DNAT tcp -- 0.0.0.0/0 177.X.X.X tcp dpt:80 to:192.168.1.199:80
DNAT tcp -- 0.0.0.0/0 177.X.X.X tcp dpt:443 to:192.168.1.199:443
DNAT tcp -- 0.0.0.0/0 177.X.X.X tcp dpt:21 to:192.168.1.199:21
TRIGGER all -- 0.0.0.0/0 177.X.X.X TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.1.0/24 0.0.0.0/0 to:177.X.X.X
RETURN all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
MASQUERADE all -- 192.168.1.0/24 192.168.1.0/24

[ho1Aetoo]

You are using the wrong command - it does not display any packages...

the command is still "iptables -t nat -vnL"