Hey guys, I have a problem with OpenWrt and port forwarding. If anyone has ideas please let me know.
-bash-2.05b$ ssh -l root -v ****no.ip.info
OpenSSH_4.3, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to *******[75.40.***.**] port 22.
debug1: connect to address 75.40.***.*** port 22: Connection refused
ssh: connect to host ********* port 22: Connection refused
-bash-2.05b$ telnet *** 10001
Trying 75.40.62.85..
(refused)
-bash-2.05b$ telnet *** 10003
Trying 75.40.62.85...
(refused)
Followed these instructions for my firewall setup:
http://wiki.openwrt.org/SimpleFirewall
This is the odd message I recieve:
root@OpenWrt:/etc# . /etc/init.d/S35firewall restart
/etc/fwlib.sh: 18: interface: not found
/etc/firewall.user: 6: -j: not found
/etc/firewall.user: 6: -j: not found
/etc/firewall.user: 7: -j: not found
/etc/firewall.user: 7: -j: not found
FORWARDING 113 TO doug (192.168.0.107)
/etc/firewall.user: 21: -j: not found
/etc/firewall.user: 21: -d: not found
FORWARDING 10001:10100 TO doug (192.168.0.107)
/etc/firewall.user: 25: -j: not found
/etc/firewall.user: 25: -d: not found
iptables v1.3.3: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
/etc/firewall.user: 33: ACCEPT: not found
iptables v1.3.3: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
/etc/firewall.user: 33: ACCEPT: not found
root@OpenWrt:/etc# cat firewall.user
#!/bin/sh
. /etc/fwlib.sh
flush_firewall
### Ports accessible on the router from the WAN
allow_tcp_port 22 # SSH
allow_tcp_port 465 # HTTPS
### Ports accessible from specific hosts to the router from the WAN
# allow_tcp_port_fromhost 80 remote_access # HTTP
# allow_tcp_port_fromhost 22 remote_access
### Ports accessible to client machines.
# forward_port 22 server
#forward_port 10001:10100 doug
### if we really need _all_ ports...
# register_dmz server
# forward workstation port for application development
forward_port 113 doug
# forward a few utility port-ranges to make it easier to deal with
# bittorrent configurations and the like
forward_port 10001:10100 doug
# forward_port 10100:10199 laptop1
# forward_port 10200:10299 laptop2
### Translate port for client machines.
# translate_port 8080 printer_01 80
### Trusted hosts, full access to router
trusted_host doug
/etc/hosts
127.0.0.1 localhost OpenWrt
192.168.0.107 doug
root@OpenWrt:/etc# cat fwlib.sh
#!/bin/sh
. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
flush_firewall () {
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
}
### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN
interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.
allow_tcp_port () {
ALLOWPORT=$1
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport $ALLOWPORT
-j ACCEPT
iptables -A input_rule -i $WAN -p tcp --dport $ALLOWPORT
-j ACCEPT
}
allow_tcp_port_fromhost () {
ALLOWPORT=$1
ALLOWHOSTNAME=$2
ALLOWHOST=`sucky_resolve $ALLOWHOSTNAME`
echo "Allowing tcp from $ALLOWHOSTNAME to port $ALLOWPORT"
iptables -t nat -A prerouting_rule -i $WAN -p tcp -s $ALLOWHOST
--dport $ALLOWPORT -j ACCEPT
iptables -A input_rule -i $WAN -p tcp -s $ALLOWHOST
--dport $ALLOWPORT -j ACCEPT
}
sucky_resolve () {
HOSTNAME=$1
###
grep $HOSTNAME /etc/hosts | awk '{ print $1 }'
}
forward_port() {
ALLOWPORT=$1
ALLOWHOSTNAME=$2
ALLOWHOST=`sucky_resolve $ALLOWHOSTNAME`
echo "FORWARDING $ALLOWPORT TO $ALLOWHOSTNAME ($ALLOWHOST)"
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport $ALLOWPORT
-j DNAT --to $ALLOWHOST
iptables -A forwarding_rule -i $WAN -p tcp --dport $ALLOWPORT
-d $ALLOWHOST -j ACCEPT
}
translate_port() {
ALLOWPORT=$1
ALLOWHOSTNAME=$2
ALLOWHOSTPORT=$3
ALLOWHOST=`sucky_resolve $ALLOWHOSTNAME`
echo "TRANSLATING $ALLOWPORT TO $ALLOWHOSTNAME
($ALLOWHOST:$ALLOWHOSTPORT)"
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport $ALLOWPORT
-j DNAT --to $ALLOWHOST:$ALLOWHOSTPORT
iptables -A forwarding_rule -i $WAN -p tcp --dport
$ALLOWHOSTPORT -d $ALLOWHOST -j ACCEPT
}
trusted_host (){
ALLOWHOSTNAME=$1
TRUSTEDHOST=`sucky_resolve $ALLOWHOSTNAME`
iptables -t nat -A prerouting_rule -i $WAN -p tcp -s $TRUSTEDHOST -j
ACCEPT
iptables -A input_rule -i $WAN -p tcp -s $TRUSTEDHOST -j
ACCEPT
}
Finally:
[b]root@OpenWrt:/etc# iptables -L[b/]
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp option=!2 flags:SYN/SYN
input_rule all -- anywhere anywhere
LAN_ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT gre -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain LAN_ACCEPT (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
output_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain forward_ppp0 (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
tcp -- anywhere anywhere tcp dpt:113
tcp -- anywhere anywhere tcp dpts:10001:10100
forward_ppp0 all -- anywhere anywhere
Chain input_ppp0 (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
tcp -- anywhere anywhere tcp dpt:22
tcp -- anywhere anywhere tcp dpt:465
input_ppp0 all -- anywhere anywhere
Chain output_rule (1 references)
target prot opt source destination
Any ideas? Bittorrent and Ktorrent are not working either.
Thanks,
Doug