How to open a port on the router itself (Not forward)

[s_Fanous]

Hi,

I want to open a port on the router itself. I tried to port forward to 192.168.1.1 but that didn't work. Is it just a matter of executing some iptables commands?

Not, an iptables expert but would appreciate some help/tips

TIA

 

[Martineau]

I want to open a port on the router itself. I tried to port forward to 192.168.1.1 but that didn't work. Is it just a matter of executing some iptables commands?

Not, an iptables expert but would appreciate some help/tips

Whilst the iptables command syntax to open a port on the router is simple

iptables -I INPUT xxxxxxxxxxxxxxxxxxxxxxxxxxxx

e.g. Assuming you have a custom service running on the router that exposes UDP port 54321

iptables -I INPUT -p udp -m udp --dport 54321 -j ACCEPT

iptables -nvL INPUT --line

although rather than insert the custom rule at the top of the target chain, sometimes it is prudent to insert the custom rule in a specific position
i.e. Ensure the custom rule is processed after important rules with most hits for performance etc.

iptables -I INPUT "$(iptables -nvL INPUT --line -t filter | grep -m 1 "state INVALID" | awk '{$1 = $1 + 1; print $1}')" xxxxxxxxxxxxxxxxxxxxxxxxxxx

However, if I may ask.. "What custom service are you hosting on the router that requires ports to be opened from the WAN?"

 

[s_Fanous]

However, if I may ask.. "What custom service are you hosting on the router that requires ports to be opened from the WAN?"

It's a personal python application that I've written. It starts an HTTPS server using the LetsEncrypt certificate that is generated by the router and requires authentication/authorization.

I had quickly tried

iptables -A INPUT -d 192.168.1.1/32 -p tcp -m conntrack --ctstate DNAT -m tcp --dport XYZ -j ACCEPT

but that didn't work and as I said I'm no iptables expert. I deleted the chain and will try your rules later and let you know.

Thanks for your help

 

[s_Fanous]

iptables -I INPUT "$(iptables -nvL INPUT --line -t filter | grep -m 1 "state INVALID" | awk '{$1 = $1 + 1; print $1}')" xxxxxxxxxxxxxxxxxxxxxxxxxxx

Worked like a charm. I suppose I need to put this into the firewall-start script file, but have a quick question. On router startup, would there be any use in that command though? Would iptables have already established rules with the most hits?

Thanks again

 

[Martineau]

Worked like a charm.

I suppose I need to put this into the firewall-start script file

Yes

On router startup, would there be any use in that command though? Would iptables have already established rules with the most hits?

In truth you could simply insert your rule at the top of the chain - but it may get pushed down the processing order.

Usually the first three rules are:

-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop

So inserting your rule as the fourth rule means that probably >90% of the packets are processed (by rules 2 & 3 ) without even hitting your custom rule.
If your rule was the first rule, then every packet will be tested to see if it is for your custom port! - bit inefficient wouldn't you agree?

 

[s_Fanous]

In truth you could simply insert your rule at the top of the chain - but it may get pushed down the processing order.

Usually the first three rules are:

-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop

So inserting your rule as the fourth rule means that probably >90% of the packets are processed (by rules 2 & 3 ) without even hitting your custom rule.
If your rule was the first rule, then every packet will be tested to see if it is for your custom port! - bit inefficient wouldn't you agree?

I agree 100% with you.

I was just wondering what would be the most accurate way to guarantee it ends up in the most efficient position on router startup. When I issued the command it got put into position 6. I guess I could just force it into position 6 and live with that

Thanks again for your help. Much appreciated.