syncswim Posted ...

Hi Guys,

Sorry to trouble you with this, but I've followed all your instructions and googled to no avail. I have the AirVPN client set up on my DD-WRT router. The client is working fine, but I cannot successfully forward ports to a destination on the local network. In my AirVPN client area I have port 26048 mapped to 5050. I'm trying to get this through to my Linux server on 192.168.1.2. If I go to 192.168.1.2:5050 from a browser the service works properly, so I'm pretty sure the problem isn't on my server. This service has been up and running for months. My normal ISP IP is replaced with <isp ip> to maintain my privacy.

root@DD-WRT:~# iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 4998 packets, 364K bytes)
 pkts bytes target prot opt in out source destination
    3   174 DNAT udp -- * * 0.0.0.0/0 <isp ip> udp dpt:52316 to:192.168.1.2:52316
    9   544 DNAT tcp -- * * 0.0.0.0/0 <isp ip> tcp dpt:52316 to:192.168.1.2:52316
    0     0 DNAT tcp -- tun1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5050 to:192.168.1.2
    0     0 DNAT udp -- tun1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5050 to:192.168.1.2
    0     0 DNAT tcp -- * * 0.0.0.0/0 <isp ip> tcp dpt:8080 to:192.168.1.1:80
    1    40 DNAT tcp -- * * 0.0.0.0/0 <isp ip> tcp dpt:22 to:192.168.1.1:22
    0     0 DNAT icmp -- * * 0.0.0.0/0 <isp ip> to:192.168.1.1
    0     0 DNAT udp -- vlan2 * 0.0.0.0/0 <isp ip> udp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT tcp -- vlan2 * 0.0.0.0/0 <isp ip> tcp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT tcp -- vlan2 * 0.0.0.0/0 <isp ip> tcp dpt:8080 to:192.168.1.1:8080
    0     0 DNAT udp -- vlan2 * 0.0.0.0/0 <isp ip> udp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT tcp -- vlan2 * 0.0.0.0/0 <isp ip> tcp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT udp -- vlan2 * 0.0.0.0/0 <isp ip> udp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT tcp -- vlan2 * 0.0.0.0/0 <isp ip> tcp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT udp -- vlan2 * 0.0.0.0/0 <isp ip> udp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT tcp -- vlan2 * 0.0.0.0/0 <isp ip> tcp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT tcp -- * * 0.0.0.0/0 <isp ip> tcp dpts:20:21 to:192.168.1.2
    0     0 DNAT udp -- * * 0.0.0.0/0 <isp ip> udp dpts:20:21 to:192.168.1.2
    0     0 DNAT tcp -- * * 0.0.0.0/0 <isp ip> tcp dpts:60030:60050 to:192.168.1.2
    0     0 DNAT udp -- * * 0.0.0.0/0 <isp ip> udp dpts:60030:60050 to:192.168.1.2
    0     0 DNAT tcp -- * * 0.0.0.0/0 <isp ip> tcp dpts:2235:2236 to:192.168.1.3
    0     0 DNAT udp -- * * 0.0.0.0/0 <isp ip> udp dpts:2235:2236 to:192.168.1.3
  127 25775 TRIGGER 0 -- * * 0.0.0.0/0 <isp ip> TRIGGER type:dnat match:0 relate:0

root@DD-WRT:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
logaccept 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
logdrop udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
logdrop udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
logaccept tcp -- 0.0.0.0/0 192.168.1.1 tcp dpt:80
logbrute tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
logaccept tcp -- 0.0.0.0/0 192.168.1.1 tcp dpt:22
logdrop icmp -- 0.0.0.0/0 0.0.0.0/0
logdrop 2 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
logaccept 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
logdrop 0 -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
logaccept tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:2236
logaccept tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:2235
logaccept tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:49643
logaccept udp -- 0.0.0.0/0 192.168.1.3 udp dpt:49643
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 192.168.1.2 tcp dpt:5050
ACCEPT udp -- 0.0.0.0/0 192.168.1.2 udp dpt:5050
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
logaccept 47 -- 192.168.1.0/24 0.0.0.0/0
logaccept tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723
lan2wan 0 -- 0.0.0.0/0 0.0.0.0/0
logaccept 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
logaccept 0 -- 0.0.0.0/0 0.0.0.0/0
logaccept tcp -- 0.0.0.0/0 192.168.1.1 tcp dpt:8080
logaccept tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:49643
logaccept udp -- 0.0.0.0/0 192.168.1.3 udp dpt:49643
logaccept tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:49643
logaccept udp -- 0.0.0.0/0 192.168.1.3 udp dpt:49643
logaccept tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:49643
logaccept tcp -- 0.0.0.0/0 192.168.1.2 tcp dpt:52316
logaccept udp -- 0.0.0.0/0 192.168.1.2 udp dpt:52316
logaccept udp -- 0.0.0.0/0 192.168.1.3 udp dpt:49643
logaccept tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:49643
logaccept tcp -- 0.0.0.0/0 192.168.1.2 tcp dpts:20:21
logaccept udp -- 0.0.0.0/0 192.168.1.2 udp dpts:20:21
logaccept tcp -- 0.0.0.0/0 192.168.1.2 tcp dpts:60030:60050
logaccept udp -- 0.0.0.0/0 192.168.1.2 udp dpts:60030:60050
logaccept tcp -- 0.0.0.0/0 192.168.1.3 tcp dpts:2235:2236
logaccept udp -- 0.0.0.0/0 192.168.1.3 udp dpts:2235:2236
TRIGGER 0 -- 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
trigger_out 0 -- 0.0.0.0/0 0.0.0.0/0
logaccept 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
logdrop 0 -- 0.0.0.0/0 0.0.0.0/0

(plus some more that's probably not relevant)

ifconfig
ath0 Link encap:Ethernet HWaddr B0:48:7A:D1:31:D2
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:819 errors:0 dropped:0 overruns:0 frame:0
     TX packets:1167 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:32
     RX bytes:145072 (141.6 KiB) TX bytes:534915 (522.3 KiB)

br0 Link encap:Ethernet HWaddr B0:48:7A:D1:31:D2
     inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:19457 errors:0 dropped:20 overruns:0 frame:0
     TX packets:38422 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:0
     RX bytes:8797715 (8.3 MiB) TX bytes:42660264 (40.6 MiB)

br0:0 Link encap:Ethernet HWaddr B0:48:7A:D1:31:D2
     inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0 Link encap:Ethernet HWaddr B0:48:7A:D1:31:D2
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:57772 errors:0 dropped:0 overruns:0 frame:0
     TX packets:57273 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:1000
     RX bytes:54483401 (51.9 MiB) TX bytes:52954706 (50.5 MiB)
     Interrupt:4

lo Link encap:Local Loopback
     inet addr:127.0.0.1 Mask:255.0.0.0
     UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
     RX packets:23 errors:0 dropped:0 overruns:0 frame:0
     TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:0
     RX bytes:13248 (12.9 KiB) TX bytes:13248 (12.9 KiB)

tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
     inet addr:10.4.49.34 P-t-P:10.4.49.33 Mask:255.255.255.255
     UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
     RX packets:35169 errors:0 dropped:0 overruns:0 frame:0
     TX packets:17559 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100
     RX bytes:39773061 (37.9 MiB) TX bytes:8388223 (7.9 MiB)

vlan1 Link encap:Ethernet HWaddr B0:48:7A:D1:31:D2
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:18844 errors:0 dropped:0 overruns:0 frame:0
     TX packets:38202 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:0
     RX bytes:8774774 (8.3 MiB) TX bytes:42421285 (40.4 MiB)

vlan2 Link encap:Ethernet HWaddr B0:48:7A:D1:31:D2
     inet addr:89.78.239.155 Bcast:<isp ip> Mask:255.255.252.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:38928 errors:0 dropped:0 overruns:0 frame:0
     TX packets:19071 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:0
     RX bytes:44668731 (42.5 MiB) TX bytes:10304329 (9.8 MiB)

My firewall script in the DD-WRT admin:

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
iptables -I FORWARD -i tun1 -p udp -d 192.168.1.2 --dport 5050 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.2 --dport 5050 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p udp --dport 5050 -j DNAT --to-destination 192.168.1.2
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 5050 -j DNAT --to-destination 192.168.1.2

I also have this startup script so one local IP bypasses the VPN:

#!/bin/sh
# wait for the router to finish booting before touching routes
sleep 30
NO_VPN_LST=`nvram get no_vpn_lst`
[ -z "$NO_VPN_LST" ] && exit 0
# poll until the WAN gateway is known (quoted and POSIX '=' so an empty value cannot break the test)
WAN_GWAY="0.0.0.0"
while [ "$WAN_GWAY" = "0.0.0.0" ]; do
    sleep 3
    WAN_GWAY=`nvram get wan_gateway`
done
# routing table 10 sends traffic straight to the ISP gateway instead of the tunnel
ip route add default via "$WAN_GWAY" table 10
for ipa in $NO_VPN_LST; do
    ip rule add from "$ipa" table 10
done
ip route flush cache
exit 0

AirVPN admin shows the port is open (green). http://www.yougetsignal.com/ last night showed the port was open; now it shows closed.

Please help! I'm sure it's something simple, but I don't know much about iptables, or how to trace the lost packets.
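One way to start tracing the lost packets from the counters already on the page: the script below (an added example, not code from the thread or from DD-WRT) parses the `iptables -t nat -vnL PREROUTING` listing and reports how many packets each DNAT rule for a given port has ever matched, so you can tell whether traffic for port 5050 reached tun1 at all before looking at the FORWARD chain or the server. The embedded sample is an excerpt of the listing posted above, with `<isp ip>` left masked as the poster wrote it.

```python
from dataclasses import dataclass

# Constructed sample: an excerpt of the PREROUTING listing posted above (the WAN
# address stays masked as '<isp ip>' exactly as the poster wrote it).
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 4998 packets, 364K bytes)
 pkts bytes target  prot opt in   out source    destination
    3   174 DNAT    udp  --  *    *   0.0.0.0/0 <isp ip>  udp dpt:52316 to:192.168.1.2:52316
    9   544 DNAT    tcp  --  *    *   0.0.0.0/0 <isp ip>  tcp dpt:52316 to:192.168.1.2:52316
    0     0 DNAT    tcp  --  tun1 *   0.0.0.0/0 0.0.0.0/0 tcp dpt:5050 to:192.168.1.2
    0     0 DNAT    udp  --  tun1 *   0.0.0.0/0 0.0.0.0/0 udp dpt:5050 to:192.168.1.2
  127 25775 TRIGGER 0    --  *    *   0.0.0.0/0 <isp ip>  TRIGGER type:dnat match:0 relate:0
"""

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def _count(tok: str) -> int:
    """iptables -v abbreviates large counters (364K); add -x to print them exactly."""
    return int(tok[:-1]) * _SUFFIX[tok[-1]] if tok[-1] in _SUFFIX else int(tok)

@dataclass
class NatRule:
    pkts: int
    nbytes: int
    target: str
    proto: str
    iface_in: str
    src: str
    dst: str
    match: str  # everything after the destination column: port match and DNAT target

def parse_vnl(output: str) -> list:
    """Parse the rule lines of `iptables -t nat -vnL <chain>`; -v is what adds the counters."""
    rules = []
    for line in output.splitlines():
        fields = line.replace("<isp ip>", "<isp-ip>").split()  # keep the mask as one token
        if len(fields) < 9 or not fields[0][0].isdigit():
            continue  # skips the 'Chain ...' banner and the column header
        pkts, nbytes, target, proto, _opt, iin, _out, src, dst, *rest = fields
        rules.append(NatRule(_count(pkts), _count(nbytes), target, proto, iin, src, dst, " ".join(rest)))
    return rules

def trace(output: str, port: int) -> dict:
    """Map 'proto/in-interface' -> packets counted by each DNAT rule for `port`.
    Zero means nothing with that dport ever reached PREROUTING on that interface, so the
    loss is upstream (provider mapping, tunnel) rather than in FORWARD or on the server;
    a non-zero count moves the search to the FORWARD chain and the target host."""
    return {f"{r.proto}/{r.iface_in}": r.pkts
            for r in parse_vnl(output)
            if r.target == "DNAT" and f"dpt:{port}" in r.match.split()}

if __name__ == "__main__":
    print(trace(SAMPLE, 5050))  # {'tcp/tun1': 0, 'udp/tun1': 0}: port 5050 never arrived on tun1
```

Run it against a fresh `iptables -t nat -vnL PREROUTING` capture (ideally with `-x`) after a port check from outside, and compare the counters before and after the check.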
syncswim Posted ...

Soo... To answer my own question, once I removed this line from the iptables:

iptables -I INPUT -i tun1 -j REJECT

everything was good. Well, actually not everything. I'm left with one question and one problem. Firstly, what was this line for? Secondly, I can now access my router's external VPN IP, but only from outside my local network. I'm trying to figure out how to fix this.
ptolemyiv Posted ...

> Soo... To answer my own question, once I removed this line from the iptables:
>
> iptables -I INPUT -i tun1 -j REJECT
>
> everything was good. Well, actually not everything. I'm left with one question and one problem. Firstly, what was this line for? Secondly, I can now access my router's external VPN IP, but only from outside my local network. I'm trying to figure out how to fix this.

Hi,

Can you check if that line in the DD-WRT firewall script does actually stop it working? I thought I had the same issue and then realised it was because I was trying to access from inside my LAN. Once I got it working by accessing externally I then went back, re-enabled that line, and found it still working... Interested to know if you experience the same.

If anyone else can advise how to fix it so I can also access my external IP from inside the LAN, it would be much appreciated. I have my own domain with an SSL certificate, so it is a pain to have to switch back to local IPs if I am on the LAN.

Thanks in advance.
bhouse Posted ...

SyncSwim: Thanks for your comments here. You have done a great job of explaining all of this; it helped me out a lot!