syncswim

DD-WRT Port forwarding problem


Hi Guys,
 
Sorry to trouble you with this, but I've followed all your instructions and googled to no avail.
 
I have airvpn client set up on my DD-WRT router. The client is working fine, but I cannot successfully forward ports to a destination on the local network.
 
In my airvpn client area I have port 26048 mapped to 5050. I'm trying to get this through to my linux server on 192.168.1.2. If I go to 192.168.1.2:5050 from browser the service works properly, so I'm pretty sure the problem isn't on my server. This service has been up and running for months.
 
My normal isp ip is replaced with <isp ip>  to maintain my privacy.
 

 

root@DD-WRT:~# iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 4998 packets, 364K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   174 DNAT       udp  --  *      *       0.0.0.0/0            <isp ip>       udp dpt:52316 to:192.168.1.2:52316
    9   544 DNAT       tcp  --  *      *       0.0.0.0/0            <isp ip>        tcp dpt:52316 to:192.168.1.2:52316
    0     0 DNAT       tcp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5050 to:192.168.1.2
    0     0 DNAT       udp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5050 to:192.168.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            <isp ip>       tcp dpt:8080 to:192.168.1.1:80
    1    40 DNAT       tcp  --  *      *       0.0.0.0/0            <isp ip>        tcp dpt:22 to:192.168.1.1:22
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            <isp ip>       to:192.168.1.1
    0     0 DNAT       udp  --  vlan2  *       0.0.0.0/0           <isp ip>       udp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT       tcp  --  vlan2  *       0.0.0.0/0            <isp ip>       tcp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT       tcp  --  vlan2  *       0.0.0.0/0            <isp ip>       tcp dpt:8080 to:192.168.1.1:8080
    0     0 DNAT       udp  --  vlan2  *       0.0.0.0/0            <isp ip>       udp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT       tcp  --  vlan2  *       0.0.0.0/0            <isp ip>       tcp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT       udp  --  vlan2  *       0.0.0.0/0            <isp ip>       udp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT       tcp  --  vlan2  *       0.0.0.0/0            <isp ip>       tcp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT       udp  --  vlan2  *       0.0.0.0/0            <isp ip>       udp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT       tcp  --  vlan2  *       0.0.0.0/0           <isp ip>       tcp dpt:49643 to:192.168.1.3:49643
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            <isp ip>       tcp dpts:20:21 to:192.168.1.2
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            <isp ip>       udp dpts:20:21 to:192.168.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            <isp ip>        tcp dpts:60030:60050 to:192.168.1.2
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            <isp ip>        udp dpts:60030:60050 to:192.168.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            <isp ip>        tcp dpts:2235:2236 to:192.168.1.3
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            <isp ip>        udp dpts:2235:2236 to:192.168.1.3
  127 25775 TRIGGER    0    --  *      *       0.0.0.0/0            <isp ip>       TRIGGER type:dnat match:0 relate:0


root@DD-WRT:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
REJECT     0    --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
logaccept  0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
logdrop    udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:520
logdrop    udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:520
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:520
logaccept  tcp  --  0.0.0.0/0            192.168.1.1         tcp dpt:80
logbrute   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
logaccept  tcp  --  0.0.0.0/0            192.168.1.1         tcp dpt:22
logdrop    icmp --  0.0.0.0/0            0.0.0.0/0
logdrop    2    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           state NEW
logaccept  0    --  0.0.0.0/0            0.0.0.0/0           state NEW
logdrop    0    --  0.0.0.0/0            0.0.0.0/0


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
logaccept  tcp  --  0.0.0.0/0            192.168.1.3         tcp dpt:2236
logaccept  tcp  --  0.0.0.0/0            192.168.1.3         tcp dpt:2235
logaccept  tcp  --  0.0.0.0/0            192.168.1.3         tcp dpt:49643
logaccept  udp  --  0.0.0.0/0            192.168.1.3         udp dpt:49643
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.2         tcp dpt:5050
ACCEPT     udp  --  0.0.0.0/0            192.168.1.2         udp dpt:5050
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
logaccept  47   --  192.168.1.0/24       0.0.0.0/0
logaccept  tcp  --  192.168.1.0/24       0.0.0.0/0           tcp dpt:1723
lan2wan    0    --  0.0.0.0/0            0.0.0.0/0
logaccept  0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
logaccept  0    --  0.0.0.0/0            0.0.0.0/0
logaccept  tcp  --  0.0.0.0/0            192.168.1.1         tcp dpt:8080
logaccept  tcp  --  0.0.0.0/0            192.168.1.3         tcp dpt:49643
logaccept  udp  --  0.0.0.0/0            192.168.1.3         udp dpt:49643
logaccept  tcp  --  0.0.0.0/0            192.168.1.3         tcp dpt:49643
logaccept  udp  --  0.0.0.0/0            192.168.1.3         udp dpt:49643
logaccept  tcp  --  0.0.0.0/0            192.168.1.3         tcp dpt:49643
logaccept  tcp  --  0.0.0.0/0            192.168.1.2         tcp dpt:52316
logaccept  udp  --  0.0.0.0/0            192.168.1.2         udp dpt:52316
logaccept  udp  --  0.0.0.0/0            192.168.1.3         udp dpt:49643
logaccept  tcp  --  0.0.0.0/0            192.168.1.3         tcp dpt:49643
logaccept  tcp  --  0.0.0.0/0            192.168.1.2         tcp dpts:20:21
logaccept  udp  --  0.0.0.0/0            192.168.1.2         udp dpts:20:21
logaccept  tcp  --  0.0.0.0/0            192.168.1.2         tcp dpts:60030:60050
logaccept  udp  --  0.0.0.0/0            192.168.1.2         udp dpts:60030:60050
logaccept  tcp  --  0.0.0.0/0            192.168.1.3         tcp dpts:2235:2236
logaccept  udp  --  0.0.0.0/0            192.168.1.3         udp dpts:2235:2236
TRIGGER    0    --  0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
trigger_out  0    --  0.0.0.0/0            0.0.0.0/0
logaccept  0    --  0.0.0.0/0            0.0.0.0/0           state NEW
logdrop    0    --  0.0.0.0/0            0.0.0.0/0
(plus some more that's probably not relevant)


ifconfig
ath0      Link encap:Ethernet  HWaddr B0:48:7A:D1:31:D2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:819 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1167 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:145072 (141.6 KiB)  TX bytes:534915 (522.3 KiB)


br0       Link encap:Ethernet  HWaddr B0:48:7A:D1:31:D2
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19457 errors:0 dropped:20 overruns:0 frame:0
          TX packets:38422 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8797715 (8.3 MiB)  TX bytes:42660264 (40.6 MiB)


br0:0     Link encap:Ethernet  HWaddr B0:48:7A:D1:31:D2
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1


eth0      Link encap:Ethernet  HWaddr B0:48:7A:D1:31:D2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57772 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57273 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54483401 (51.9 MiB)  TX bytes:52954706 (50.5 MiB)
          Interrupt:4


lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:23 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13248 (12.9 KiB)  TX bytes:13248 (12.9 KiB)


tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.4.49.34  P-t-P:10.4.49.33  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:35169 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17559 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:39773061 (37.9 MiB)  TX bytes:8388223 (7.9 MiB)


vlan1     Link encap:Ethernet  HWaddr B0:48:7A:D1:31:D2
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18844 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38202 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8774774 (8.3 MiB)  TX bytes:42421285 (40.4 MiB)


vlan2     Link encap:Ethernet  HWaddr B0:48:7A:D1:31:D2
          inet addr:89.78.239.155  Bcast:<isp ip>   Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38928 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19071 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:44668731 (42.5 MiB)  TX bytes:10304329 (9.8 MiB)






My firewall script in the DD-WRT admin page:
# forward LAN <-> tunnel traffic in both directions
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
# refuse anything arriving from the tunnel that is addressed to the router itself
iptables -I INPUT -i tun1 -j REJECT
# hide LAN addresses behind the tunnel address for outbound traffic
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
# allow the forwarded port through to the server
iptables -I FORWARD -i tun1 -p udp -d 192.168.1.2 --dport 5050 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.2 --dport 5050 -j ACCEPT
# rewrite the destination of tunnel traffic on port 5050 to the server
iptables -t nat -I PREROUTING -i tun1 -p udp --dport 5050 -j DNAT --to-destination 192.168.1.2
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 5050 -j DNAT --to-destination 192.168.1.2


I also have this startup script so one local IP bypasses the VPN:


#!/bin/sh
# wait for the WAN to come up before reading the gateway from nvram
sleep 30
NO_VPN_LST=`nvram get no_vpn_lst`
[ -z "$NO_VPN_LST" ] && exit 0
WAN_GWAY="0.0.0.0"
while [ "$WAN_GWAY" = "0.0.0.0" ]; do
    sleep 3
    WAN_GWAY=`nvram get wan_gateway`
done
# routing table 10 sends traffic straight to the ISP gateway instead of the tunnel
ip route add default via $WAN_GWAY table 10
# every LAN address listed in no_vpn_lst is policy-routed through table 10
for ipa in $NO_VPN_LST; do
    ip rule add from $ipa table 10
done
ip route flush cache
exit 0
 

 

 
AirVPN admin shows the port is open (green).
http://www.yougetsignal.com/ showed the port as open last night; now it shows closed.
 
Please help! I'm sure it's something simple, but I don't know much about iptables, or how to trace the lost packets.
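The post above asks how to trace the lost packets. The counters in `iptables -t nat -vnL PREROUTING` already answer part of that: the two dpt:5050 rules on tun1 show 0 packets, so no connection to that port ever arrived through the tunnel. This added script (not from the poster) reads such a listing and turns the counters into a verdict; it assumes the column layout shown above and uses a constructed sample copied from it.

```sh
#!/bin/sh
# Constructed sample modelled on the PREROUTING listing above: counters,
# interfaces and ports are copied from it, <isp ip> stays a placeholder.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 4998 packets, 364K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   174 DNAT       udp  --  *      *       0.0.0.0/0            <isp ip>       udp dpt:52316 to:192.168.1.2:52316
    9   544 DNAT       tcp  --  *      *       0.0.0.0/0            <isp ip>        tcp dpt:52316 to:192.168.1.2:52316
    0     0 DNAT       tcp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5050 to:192.168.1.2
    0     0 DNAT       udp  --  tun1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5050 to:192.168.1.2
    1    40 DNAT       tcp  --  *      *       0.0.0.0/0            <isp ip>        tcp dpt:22 to:192.168.1.1:22'

# dnat_hits PORT LISTING: print "<proto> <in-iface> <pkts>" for each DNAT rule
# on destination port PORT. The pkts column counts packets that matched the
# rule, i.e. new connections that reached PREROUTING on that interface.
dnat_hits() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $3 == "DNAT" {
            for (i = 10; i <= NF; i++)
                if ($i == ("dpt:" port)) print $4, $6, $1
        }'
}

# dnat_verdict PORT LISTING: one-line diagnosis; the return code doubles as the
# verdict (0 = traffic arrives, 1 = no rule, 2 = rule present but never hit).
dnat_verdict() {
    hits=$(dnat_hits "$1" "$2")
    if [ -z "$hits" ]; then
        echo "no DNAT rule for port $1"
        return 1
    fi
    total=$(printf '%s\n' "$hits" | awk '{ s += $3 } END { print s + 0 }')
    if [ "$total" -eq 0 ]; then
        echo "DNAT for port $1 never matched: nothing for it arrived on that interface, so the loss is before the router (or the test never used the tunnel)"
        return 2
    fi
    echo "DNAT for port $1 matched $total packet(s): traffic arrives; check FORWARD counters and the host next"
    return 0
}

# Stand-alone run: the 5050 rules on tun1 in the sample give verdict 2.
dnat_verdict 5050 "$SAMPLE_NAT" || true
```

A zero counter also rules out `iptables -I INPUT -i tun1 -j REJECT` as the cause: INPUT only sees packets addressed to the router itself, while DNAT'd packets take the FORWARD path, so that line cannot drop them.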
 


Soo...

 

To answer my own question, once I removed this line from the iptables:

iptables -I INPUT -i tun1 -j REJECT 
 

everything was good.

 

Well, actually not everything. I'm left with one question and one problem.

 

Firstly, what was this line for?

 

Secondly, I can now access my router's external VPN IP, but only from outside my local network. I'm trying to figure out how to fix this...

 

Hi,

 

 

Can you check if that line in the DD-WRT firewall script does actually stop it working? I thought I had the same issue and then realised it was because I was trying to access from inside my LAN. Once I got it working by accessing externally I then went back, re-enabled that line, and found it still working...

 

Interested to know if you experience the same.

 

If anyone else can advise how to fix it so I can also access my external IP from inside the LAN, it would be much appreciated. I have my own domain with an SSL certificate, so it is a pain to have to switch back to local IPs when I am on the LAN.

 

Thanks in advance.
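Both the self-answer above and this reply ask the same thing: reaching the forwarded service by the router's external VPN IP from inside the LAN. That needs NAT loopback (hairpin) rules, and this added example (not from either poster) prints them; it assumes VPN_PUBLIC_IP stands for the AirVPN exit address, which the thread does not give, and takes the interface, subnet, host and ports from the first post.

```sh
#!/bin/sh
# Hairpin (NAT loopback) rules so LAN clients can use the VPN's public IP.
# VPN_PUBLIC_IP is a placeholder for the AirVPN exit address; everything else
# mirrors the first post in the thread.
LAN_IF=br0
LAN_NET=192.168.1.0/24
HOST=192.168.1.2
PUBLIC_PORT=26048      # port opened in the AirVPN client area
LOCAL_PORT=5050        # port it is mapped to on the LAN host

# hairpin_rules PROTO VPN_PUBLIC_IP: print the three iptables commands for one protocol
hairpin_rules() {
    proto="$1"; vpn_ip="$2"
    # 1. LAN client -> VPN public IP: rewrite the destination to the LAN host,
    #    matching the public port exactly as a client on the internet would use it.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $vpn_ip -p $proto --dport $PUBLIC_PORT -j DNAT --to-destination $HOST:$LOCAL_PORT"
    # 2. The rewritten packet came in on br0 and goes back out on br0, so FORWARD must allow it.
    echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $HOST -p $proto --dport $LOCAL_PORT -j ACCEPT"
    # 3. Masquerade the source so the host replies via the router. A direct reply
    #    would carry the host's own address rather than the VPN IP the client
    #    connected to, and the client would discard it.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $HOST -p $proto --dport $LOCAL_PORT -j MASQUERADE"
}

# apply_hairpin VPN_PUBLIC_IP: emit the rule set for both tcp and udp
apply_hairpin() {
    for p in tcp udp; do hairpin_rules "$p" "$1"; done
}

apply_hairpin "VPN_PUBLIC_IP"   # placeholder; substitute the real exit address
```

The printed lines can be appended to the DD-WRT firewall script once the real exit address is filled in; the MASQUERADE rule is the part most often forgotten and is why hairpin attempts usually hang rather than fail outright.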


SyncSwim: Thanks for your comments here; you have done a great job of explaining all of this. It helped me out a lot!
