Secure Developments

Port forwarding in OpenWRT

So you need the outside world to have access to some box’s on your internal network. first you should use Static DHCP to tell static the IP’s of the computer you’re routing to. Then you of course need to know the inbound from the outside world and the port on the computer you are forwarding too. For this example we’ll forward WAN (Wide Area Network (or (probably) the Internet)) port 8080 to a local dev box running Apache on httpd (we assume you know how to set apache up and make sure it’s working on the LAN(Local Area Network)).

edit /etc/config/firewall. note: /etc/firewall.user is for manual iptables commands and is basically a shell script. I only recommend this if /etc/config/firewall doesn’t do what you want (like multiport).

config redirect
option src wan
option src_dport 8080
option dest lan
option dest_ip 192.168.1.3
option dest_port 80
option proto tcp


So options src and dest merely define the too and from interfaces (to be honest I’m not sure they actually do anything. as I’m not seeing any changes to what’s in iptables). src_dport is what external port you want to listen on. dest_port is what you want it to go to. dest_ip is what ip you want it to go to and proto is the protocol it listens on (yes you have to specify separately for udp if what you’re forwarding uses both tcp and udp).

After you’ve edited and saved the file to fit your case run /etc/init.d/firewall restart and it should work

IMPORTANT: there’s a bug in 7.x and pre 8.09.2 with 2.4-bcrm kernels and netfilter code… it ‘causes port drift. if the bug is affecting you. (it did me) reboot the system. you will be able to see it with a -j LOG iptables rule. the output was thus for me
IN=eth0.1 OUT=br-lan SRC=66.98.131.131 DST=192.168.1.3 LEN=44 TOS=0x00 PREC=0x20 TTL=47 ID=63450 DF PROTO=TCP SPT=54402 DPT=82 WINDOW=5840 RES=0x00 SYN URGP=0
as you can see the destination port(DPT) is 82 instead of 80 like it’s supposed to be. 8.09.2 should be out in a few weeks it’s currently at rc2.


Share

comments powered by Disqus