Comments on: iptables, port forwarding, and access from LAN-side

By: Bill Welch

Bill Welch — Wed, 08 Nov 2006 13:41:42 +0000

This web page has a working example. I've included the link to give credit where it is due, and for context.

http://forum.openwrt.org/viewtopic.php?id=4030

iptables -t nat -A prerouting_rule -d x.x.x.x -p tcp --dport 80 -j DNAT --to 10.0.0.2
iptables -A forwarding_rule -p tcp --dport 80 -d 10.0.0.2 -j ACCEPT
iptables -t nat -A postrouting_rule -s 10.0.0.0/24 -p tcp --dport 80 -d 10.0.0.2 -j MASQUERADE

By: nystark

nystark — Tue, 23 May 2006 17:08:09 +0000

i had the same issue after upgrading from rc4, the easy solution is to add a rule for your local subnet and have it forward to your destination.

By: 0r

0r — Fri, 19 May 2006 09:02:40 +0000

iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 –dport 80 -j DNAT –to-destination 192.168.1.1-192.168.1.10

iptables -t nat -A POSTROUTING -p tcp –dst $HTTPIP –dport 80 -j SNAT –to-source $LANIP

iptables -t nat -A OUTPUT –dst $INETIP -p tcp –dport 80 -j DNAT –to-destination $HTTPIP

Check http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html for explanations of the lines above. Another good reference is http://tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html (and http://www.openbsd.org/faq/pf/rdr.html if you are on BSD). The DNS solution seems better since it won’t harm your logging.

By: Heretic

Heretic — Wed, 17 May 2006 03:43:36 +0000

Feel like a moron no more :o)

I believe what you are looking for is something like the following two rules:

1.) $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

2.) $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I hope that helps!

Heretic

By: l.m.orchard

l.m.orchard — Wed, 10 May 2006 16:15:19 +0000

Oh, holy hell. I can't figure out the proper iptables arrangement - which still bugs me - but I did discover that my router's running dnsmasq and that the following line in /etc/dnsmasq.conf did the trick:

address=/foo.dyndns.org/192.168.123.123

Still feeling like a moron.

By: l.m.orchard

l.m.orchard — Wed, 10 May 2006 15:58:22 +0000

Okay, addendum summary: I’m already using DynDNS to point at my home address, my external IP. I’ve used a DNS cache that substituted a LAN IP for that domain name for LAN clients in the past and didn’t like it. Up until this week, my firewall rules allowed port 80 on my external IP to respond to traffic from the WAN and the LAN interfaces. But now, those rules are gone and I don’t remember what the magic invocation was in iptables.

Bah, I’ll probably just end up going back to a DNS cache.

By: Kevan Emmott

Kevan Emmott — Wed, 10 May 2006 15:43:26 +0000

OpenWRT may offer this, but this is what I do with m0n0wall, which I have running on one of those little dedicated WRAP boxes - it can run a DNS forwarder for the internal boxes that are accessing the world. In other words, it runs as a DNS cache from whatever your external DNS is, and then can inject any custom entries you want. Then configure DHCP or any internal static IP boxes to point at the router as a DNS server. Then you can setup overriding rules for any DNS entries that refer to your home external IP.

You also stated you access it via your "external IP" - are you not using a dynamic DNS service like DynDNS to give your home an external domain? You could even then use a real DNS provider to make a nicer domain (say a subdomain of your website) be a CNAME pointing at the DynDNS entry. m0n0wall and many other routers also have DynDNS clients built in. Who needs static IPs? You certainly don't if all you need is web and ssh access.

So for example, I may have an internal web server running at 192.168.1.10, with my external IP being 1.2.3.4. So I have home.cafgood.com as a CNAME pointing at cafgood.dyndns.com which gets automatically set to resolve to my external home IP (1.2.3.4). On my router, I then say home.cafgood.com equals the internal IP (192.168.1.10). From the outside, I would hit real DNS servers, get CNAME-pointed to DynDNS servers, which would point me at my external IP, and NAT points at the web server. From the inside, the overridden DNS forwarder would just point any internal request right at the web server.

By: Pete Prodoehl

Pete Prodoehl — Wed, 10 May 2006 14:37:10 +0000

This is the reason I’ve got a wiki on my home network I store all the little notes and config stuff in. It’s on the Linux box I never tinker with, so I’m sure not to wipe it out. (I also do some minimal backups as well in case of trouble.)

By: l.m.orchard

l.m.orchard — Wed, 10 May 2006 10:48:51 +0000

fluffy: Eh, OpenWRT lets me meddle, first of all (see this post).. But, second, it’s got some traffic shaping stuff I’ve been learning about, can run a VPN connection, and let’s me SSH in to a screen session to check on some other machines at home. Between this and my NSLU2, I don’t have a PC home linux server anymore. (Of course, I haven’t checked out the factory firmware in awhile, so they may have made some updates I haven’t seen.)

Stuart: I did just that at one point, by running a DNS proxy on the home LAN that gave an internal IP answer for the equivalent of home.decafbad.com - while the rest of the world saw the WAN address. I think I did it with tinydns, but I seem to remember it was a pain in the butt for some reason. I should check it out again.

By: Stuart Langridge

Stuart Langridge — Wed, 10 May 2006 09:04:12 +0000

Just in case I’m a bit dim, why would you not refer to the machine by name? I appreciate the cleverness with IPs was a nice thing to do, but wouldn’t it be easier to just call it home.decafbad.com wherever you are (and have that resolve to the internal IP address of the box inside the network and the external address outside)?

By: fluffy

fluffy — Wed, 10 May 2006 03:59:14 +0000

What does OpenWRT get you that the stock factory firmware doesn’t? Personally I’ve been very happy with the official firmware and it’s nice easy web-based configuration which also happens to support everything I need out of a router (port forwarding, access control, QoS, etc.)