njuskalonjusko

ANSWERED Port forwarding to specific internal ip ? (tomato, iptables)


Sorry if this has already been discussed or solved, but I just couldn't find the relevant info and a possible solution.

The scenario is the following:

I have 2 devices that use the same internal port, and to be accessed from outside they require different external ports.

The internal ports of these devices cannot be changed at all.

I.e. first device: ext. 65500 - int. 8899 / 192.168.1.100
second device: ext. 65501 - int. 8899 / 192.168.1.101

So is it possible to forward 65500 to 8899 but only to 192.168.1.100, and then forward 65501 to 8899 but only to 192.168.1.101?

I'm using an R7000 with Tomato, already using iptables for port forwarding, but couldn't solve the above.

Thank you very much in advance!


So is it possible to forward 65500 to 8899 but only to 192.168.1.100 and then forward 65501 to 8899 but only to 192.168.1.101 ?

Yes, it is.

What part of this is not working for you?

Can you post us some info from the port forwarding configuration page, or the iptables rules you are using?


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


 

So is it possible to forward 65500 to 8899 but only to 192.168.1.100 and then forward 65501 to 8899 but only to 192.168.1.101 ?

Yes, it is.

What part of this is not working for you?

Can you post us some info from the port forwarding configuration page, or the iptables rules you are using?

Thank you for your reply. Here are the firewall rules for *.100 and *.101:

iptables -I FORWARD -i tun11 -p udp -d 192.168.1.100 --dport 8899 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.100 --dport 8899 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 8899 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 8899 -j DNAT --to-destination 192.168.1.100

iptables -I FORWARD -i tun11 -p udp -d 192.168.1.101 --dport 8899 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.101 --dport 8899 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 8899 -j DNAT --to-destination 192.168.1.101
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 8899 -j DNAT --to-destination 192.168.1.101

On the airvpn port forward page I can only forward to port 8899 and not to a specific IP. So forwarding 65500 to 8899 and 65501 to 8899 is of no use, as they are basically forwarded to 8899 internally but without a specific IP.


 

On the airvpn port forward page I can only forward to port 8899 and not to a specific IP. So forwarding 65500 to 8899 and 65501 to 8899 is of no use, as they are basically forwarded to 8899 internally but without a specific IP.

That's part of the misconfiguration that you have.

On the Air port-forwarding page, you should only forward all your external ports to your OpenVPN IP (the one that starts with 10.xx).

Then in your router, you should "catch" the incoming connections and throw them to your NATted 192.168.xx.xx clients using the iptables rules.

So obviously 8899 is only part of the rules you need; the others that you need are for the external ports.

Does this make sense to you, or do you want the iptables pseudo-rules?


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


 

 

On the airvpn port forward page I can only forward to port 8899 and not to a specific IP. So forwarding 65500 to 8899 and 65501 to 8899 is of no use, as they are basically forwarded to 8899 internally but without a specific IP.

That's part of the misconfiguration that you have.

On the Air port-forwarding page, you should only forward all your external ports to your OpenVPN IP (the one that starts with 10.xx).

Then in your router, you should "catch" the incoming connections and throw them to your NATted 192.168.xx.xx clients using the iptables rules.

So obviously 8899 is only part of the rules you need; the others that you need are for the external ports.

Does this make sense to you, or do you want the iptables pseudo-rules?

Thanks, this makes sense, but please help with the router config part. Regarding the airvpn port-forward config, everything is as you noted: port xxxxx, local port 8899, mapped to 10.xx.

I have no idea how to configure the router, though.


iptables -I FORWARD -i tun11 -p udp -d 192.168.1.100 --dport XXXXX -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.100 --dport XXXXX -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport XXXXX -j DNAT --to-destination 192.168.1.100:8899
iptables -t nat -I PREROUTING -i tun11 -p udp --dport XXXXX -j DNAT --to-destination 192.168.1.100:8899

iptables -I FORWARD -i tun11 -p udp -d 192.168.1.101 --dport YYYYY -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.101 --dport YYYYY -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport YYYYY -j DNAT --to-destination 192.168.1.101:8899
iptables -t nat -I PREROUTING -i tun11 -p udp --dport YYYYY -j DNAT --to-destination 192.168.1.101:8899


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

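As an added example (not code from the thread, from zhang888 or from AirVPN): a POSIX shell script that builds the per-device rule set described above for a list of mappings on a Tomato router whose VPN interface is tun11. It assumes the Air ports panel passes each external port through unchanged (remote port equal to local port), so the router sees the two distinct ports on tun11, and it refuses a table where two devices would arrive on the same port, because only the first matching DNAT rule ever fires.

```shell
# Added example, not code from the thread: build the per-device rule set for a
# Tomato router whose VPN interface is tun11, one device per line of MAPPINGS.
# Assumes the Air ports panel passes each external port through unchanged
# (remote port == local port), so the router can tell the two ports apart.
VPN_IF="${VPN_IF:-tun11}"

# Constructed sample table: "<port arriving on tun11> <lan ip> <device port>"
MAPPINGS='65500 192.168.1.100 8899
65501 192.168.1.101 8899'

# The four rules one mapping needs (TCP and UDP, nat + filter), inserted at the
# top with -I as in the thread so they precede Tomato's own FORWARD rules. The
# FORWARD rule matches the rewritten destination (LAN ip + device port) because
# DNAT in PREROUTING has already happened by the time FORWARD sees the packet.
rules_for() {
    ext="$1"; ip="$2"; dport="$3"
    for proto in tcp udp; do
        echo "iptables -t nat -I PREROUTING -i $VPN_IF -p $proto --dport $ext -j DNAT --to-destination $ip:$dport"
        echo "iptables -I FORWARD -i $VPN_IF -p $proto -d $ip --dport $dport -j ACCEPT"
    done
}

# Refuse a table where two devices arrive on the same port: only the first
# matching DNAT rule ever fires, so the second device is silently unreachable
# (what happens when the panel maps both external ports to local port 8899).
check_unique_ports() {
    printf '%s\n' "$1" | awk 'NF {print $1}' | sort | uniq -d | grep -q . && return 1
    return 0
}

# Print the complete rule set; returns non-zero on a colliding table.
generate() {
    check_unique_ports "$1" || { echo "error: two devices share an incoming port" >&2; return 1; }
    printf '%s\n' "$1" | while read -r ext ip dport; do
        [ -n "$ext" ] && rules_for "$ext" "$ip" "$dport"
    done
}

# Dry run by default: review the output, then pipe it into sh on the router.
generate "$MAPPINGS"
```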

 

On the airvpn port forward page I can only forward to port 8899 and not to a specific IP. So forwarding 65500 to 8899 and 65501 to 8899 is of no use, as they are basically forwarded to 8899 internally but without a specific IP.

Hello,

it makes no difference. Your rules as well as zhang888's rules look fine and everything should be working: the router will forward everything for both services. In case you need further discernment, configure the services to listen on two different ports and configure your Air ports panel and your router iptables accordingly.

Kind regards


iptables -I FORWARD -i tun11 -p udp -d 192.168.1.100 --dport XXXXX -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.100 --dport XXXXX -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport XXXXX -j DNAT --to-destination 192.168.1.100:8899
iptables -t nat -I PREROUTING -i tun11 -p udp --dport XXXXX -j DNAT --to-destination 192.168.1.100:8899

iptables -I FORWARD -i tun11 -p udp -d 192.168.1.101 --dport YYYYY -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.101 --dport YYYYY -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport YYYYY -j DNAT --to-destination 192.168.1.101:8899
iptables -t nat -I PREROUTING -i tun11 -p udp --dport YYYYY -j DNAT --to-destination 192.168.1.101:8899

Thanks. XXXXX and YYYYY, I assume you refer to the airvpn forwarded ports / airvpn config? If so, it doesn't work, though.

On the airvpn config I forwarded XXXXX to 8899 and YYYYY to 8899; error 111 - connection refused when using the check.

EDIT: works now, I stupidly replaced your rules over mine; just figured yours were an addition, not a replacement!

EDIT: doesn't work as it should: both XXXXX and YYYYY are forwarded to 192.168.1.100, rather than XXXXX only to *.100 and YYYYY only to *.101.

Any ideas?

Thanks
