annon3876 1 Posted ...

Hi guys, please help me. I am a noob. I tried to forward ports to my local NAS, so I forwarded the port here in the client area, port 20176. The local port on my NAS is 4431. Am I right to forward port 20176 and fill in 4431 as the local port in the client area? Also, I forwarded NAT on my DD-WRT router, TCP and UDP, to 192.168.1.5, port 20176 to port 4431, and I also created these firewall rules:

    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -I INPUT -i tun0 -j REJECT
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    iptables -I FORWARD -i tun0 -p udp -d 192.168.1.5 --dport 20176 -j ACCEPT
    iptables -I FORWARD -i tun0 -p tcp -d 192.168.1.5 --dport 20176 -j ACCEPT
    iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 20176 -j DNAT --to-destination 192.168.1.5
    iptables -t nat -I PREROUTING -i tun0 -p udp --dport 20176 -j DNAT --to-destination 192.168.1.5

When I now start the Qfile app, coming from the WAN, to connect to xxxxxx.airdns.org, I can't connect. Just nothing happens and it ends in a timeout. When I check open ports on http://www.canyouseeme.org it says connection refused.

annon3876 1 Posted ...

Actually I removed the NAT rules. It didn't solve the problem.

go558a83nk 362 Posted ...

I'm not sure about what DD-WRT needs (I've worked with Merlin Asus) for security in combination with port forwarding. However, this pattern is all I ever needed:

    iptables -I FORWARD -i tun0 -p udp -d 192.168.1.5 --dport 20176 -j ACCEPT
    iptables -I FORWARD -i tun0 -p tcp -d 192.168.1.5 --dport 20176 -j ACCEPT
    iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 20176 -j DNAT --to-destination 192.168.1.5
    iptables -t nat -I PREROUTING -i tun0 -p udp --dport 20176 -j DNAT --to-destination 192.168.1.5

Now, I'm confused about your setup. Did you create a forwarded port with AirVPN with a different internal port than external port? If so, you'll use that internal port in your iptables rules.

annon3876 1 Posted ...

I changed the local port on my NAS from 4431 to 20176, as in AirVPN I use 20176 too. Local port and external port are the same now. Still not solved. When I check the forwarded port on the AirVPN site I get refused, error 111.

NaDre 157 Posted ...

From doing "man iptables-extensions":

    DNAT
        This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes the following options:

        --to-destination [ipaddr[-ipaddr]][:port[-port]]
            which can specify a single new destination IP address, an inclusive range of IP addresses. Optionally a port range, if the rule also specifies one of the following protocols: tcp, udp, dccp or sctp. If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified. In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.

So try making it "--to-destination 192.168.1.5:4431". That is, use your destination port number too.

UPDATE: I realize now that you later changed your port to match the port number that you forwarded at AirVPN. Maybe double-check that you have not told AirVPN to forward 20176 to 4431, or something?

annon3876 1 Posted ...

Thanks for the reply, but it didn't solve my problem. The firewall still blocks incoming traffic on port 20176. Creating NAT rules for port 20176 doesn't work either. Actually no NAT rules, and this is my firewall command:

    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -I INPUT -i tun0 -j REJECT
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    iptables -I FORWARD -i tun0 -p udp -d 192.168.1.5 --dport 20176 -j ACCEPT
    iptables -I FORWARD -i tun0 -p tcp -d 192.168.1.5 --dport 20176 -j ACCEPT
    iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 20176 -j DNAT --to-destination 192.168.1.5:20176
    iptables -t nat -I PREROUTING -i tun0 -p udp --dport 20176 -j DNAT --to-destination 192.168.1.5:20176

I don't know why the router refuses the connection.

Update: My actual iptables look like this:

    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -I INPUT -i tun0 -j REJECT
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    iptables -I FORWARD -i tun0 -p udp -d 192.168.1.5 --dport 20176 -j ACCEPT
    iptables -I FORWARD -i tun0 -p tcp -d 192.168.1.5 --dport 20176 -j ACCEPT
    iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 20176 -j DNAT --to-destination 192.168.1.5
    iptables -t nat -I PREROUTING -i tun0 -p udp --dport 20176 -j DNAT --to-destination 192.168.1.5

Staff 9973 Posted ...

@annon3876

In addition to NaDre's and go558a83nk's suggestions, please make sure that your tun interface name is correct. Verify with command "ifconfig". On several DD-WRT builds the default interface name is tun1, not tun0.

Error 111 means that the packets are actively refused by your system.

Do not forward ports from the router web panel. If you do so, you might expose your system to correlation attacks. You need to forward packets from tun interface, which is not affected by the port web panel of the router.

Kind regards

annon3876 1 Posted ...

Finally I got it working. Thx, Staff. I checked on my Netgear with ifconfig and tada: it's tun1. Thx all u guys. Problem solved.
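
An added example, not part of any post in this thread: a POSIX shell check that compares the interfaces named in a rule set with the interfaces that actually exist, which is the tun0/tun1 mismatch that resolved this thread. The `ifconfig` output and rules are constructed samples, the function names are hypothetical, and the script only prints rules, it does not apply them.

```shell
#!/bin/sh
# Constructed sample of `ifconfig` output from a router whose tunnel is tun1.
SAMPLE_IFCONFIG='br0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.4.0.2  P-t-P:10.4.0.2  Mask:255.255.0.0
'

# Constructed sample rules, following the pattern posted in the thread.
SAMPLE_RULES='iptables -I FORWARD -i tun0 -p tcp -d 192.168.1.5 --dport 20176 -j ACCEPT
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 20176 -j DNAT --to-destination 192.168.1.5
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT'

# Interface names from ifconfig output on stdin (a name starts in column 1).
list_ifaces() {
    awk '/^[^ \t]/ { sub(/:$/, "", $1); print $1 }'
}

# First tun interface in ifconfig output on stdin; empty if the tunnel is down.
tun_iface() { list_ifaces | grep '^tun[0-9]*$' | head -n 1; }

# Print each rule whose -i/-o interface does not exist.
# $1 = rules text, $2 = space-separated names of existing interfaces
stale_rules() {
    printf '%s\n' "$1" | awk -v present="$2" '
        BEGIN { n = split(present, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && !($(i + 1) in ok)) {
                    print "missing " $(i + 1) ": " $0
                    break
                }
        }'
}

# Rewrite tunN in -i/-o arguments to the given interface. $1 = rules, $2 = iface
retarget_rules() {
    printf '%s\n' "$1" | sed "s/\(-[io]\) tun[0-9][0-9]*/\1 $2/g"
}

# Demo on the constructed samples: report stale rules, then print corrected ones.
ifaces=$(printf '%s' "$SAMPLE_IFCONFIG" | list_ifaces | tr '\n' ' ')
tun=$(printf '%s' "$SAMPLE_IFCONFIG" | tun_iface)
stale_rules "$SAMPLE_RULES" "$ifaces"
echo "tunnel interface: $tun"
retarget_rules "$SAMPLE_RULES" "$tun"
```

On a live router, pipe the real `ifconfig` output into `list_ifaces` and `tun_iface` instead of the sample text.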