Idiot's guide needed.


PythonJ

New Around Here
Recently upgraded to an AC66U using Merlin from an N16 using Shibby Tomato. Merlin's build is great: it does everything we need and I don't have to disable countless features that'll never get used. However, there is one feature that I used which is missing from Merlin's, and that is opening a port only for a specific IP.

I run a Mumble server for me and my friend, and with Tomato I could just put his IP in the port rule and job done. I know this can also be done with Merlin's but the method to do so just goes over my head. I sort of understand what needs to be done, but I'd be doing it blind with no understanding of what I'm actually doing; I don't want to get it working only to find out I've made a gaping hole in the firewall by accident.

I know this is a bit much to ask, but can someone write a quick guide on how to do this? All I want is to leave a port open for Mumble that only allows my friend's IP to join. Any help is appreciated, thanks.
 
Thanks for the reply, I have read those but they may as well be in French.

So far I know I need to enable the JFFS partition plus format it, and that I need Notepad++ to make the scripts, but where do I put the scripts? It mentions something about vi included in the firmware but I can't see anything in the router; also, the bit under "Creating scripts", I'm totally lost there. On the plus side I think I understand the iptables tips one :S
 
Ok I think I know what I'm doing but before I commit to it can someone just check that this script is right please.

Code:
#!/bin/sh

iptables -t nat -I VSERVER 3 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100
iptables -t nat -I VSERVER 3 -p udp -m udp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100

I've just copied the example and haven't put the right IPs or port in yet, but as I understand it all that does is open the port for 10.10.10.10 only. Is that correct?

Also, just out of curiosity, what does the 3 after VSERVER mean? It went red when saved as a UNIX script.

Thanks for the help.
 

Seriously, before you start tinkering with iptables, Google for one of the many iptables tutorials (see the section 'add a new firewall rule'):

http://www.cyberciti.biz/tips/linux-iptables-examples.html

or even

Code:
iptables -help

Regards,
 
Seriously, before you start tinkering with iptables, Google for one of the many iptables tutorials (see the section 'add a new firewall rule'):

http://www.cyberciti.biz/tips/linux-iptables-examples.html

This just confused me even more :(

or even

Code:
iptables -help

Regards,

Might sound daft, but where do you type this? I found a guide for adding port forward rules using WinSCP which seemed simple enough, but I take it it's not as simple as copying a script over?

Starting to think my only option is to go back to Tomato, which I really don't want to.
 

Telnet or SSH into the router using PuTTY, or use the WinSCP Commands -> Open in PuTTY option, or use the WinSCP (right click) Custom Commands -> Enter option to issue the command in a terminal window.
 
OK, so I've been reading up on iptables and I sort of understand some of it. Merlin's example has VSERVER 3, which means it's inserted between lines 2 and 3 of the table, so I understand the what, just not the why.

So I assume you can't have two rules on the same line; would this be correct?

#!/bin/sh

iptables -t nat -I VSERVER 3 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100
iptables -t nat -I VSERVER 4 -p udp -m udp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100

or

#!/bin/sh

iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100
iptables -t nat -I VSERVER 2 -p udp -m udp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100

Not sure of the importance of the VSERVER 3 used in the example; are lines 1 and 2 already used?
 
OK, I'm not an expert on this but as I understand it...

This command will show you the current VSERVER chain.
Code:
# iptables -t nat -L VSERVER -n --line-numbers
Chain VSERVER (1 references)
num  target     prot opt source               destination
1    VUPNP      all  --  0.0.0.0/0            0.0.0.0/0

As you can see I only have 1 rule and that is there because I have enabled UPnP.

So this says "For all cases jump to the VUPNP chain and do that stuff, after which return here and continue with the next line".

In my case there is no "next line" so that's the end.

Assuming that you have at least 1 existing VSERVER rule you should be able to insert your rule(s) at line 2 (or line 1 for that matter). When you insert a new rule at a particular line any existing rules from that line down are all moved down one place.

Note that you can only insert at a position where there is an existing rule or at the end of the chain.

So, again in my case, this doesn't work (because it's beyond the end of the chain):
Code:
# iptables -t nat -I VSERVER 3 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100
iptables: Index of insertion too big
but this does (because it is at the end of the chain):
Code:
# iptables -t nat -I VSERVER 2 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100

I hope this helps.

PS To answer your earlier question, you could issue your 2 iptables commands to insert at the same line. Because the commands take effect immediately, the second command would move the first one (and all rules below it) down by one position.
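The reply above explains two things a script has to get right: iptables only accepts an insert position up to the current rule count plus one ("Index of insertion too big" otherwise), and each insert shifts the rules below it down by one. Later in the thread the check that matters most for safety is also spelled out: after the rules are in, the "source" column of the listing should show the one allowed address, not 0.0.0.0/0. The script below is an added example written for this thread, not a script from the thread or from Asuswrt-Merlin itself. It parses a VSERVER listing to count the rules, clamps the requested position, builds the tcp and udp rules with a source restriction, and counts any DNAT rules left open to everyone. SRC_IP, DST_IP and PORT are placeholders (3389 is just the value the thread's example used), the sample listings are constructed rather than captured, and saving it as Merlin's /jffs/scripts/firewall-start user script is an assumption about where such a script would go; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example for this thread, not Asuswrt-Merlin's own code.
# Inserts a source-restricted tcp+udp DNAT pair into the nat table's VSERVER
# chain at a position iptables will accept, then lets you check the listing.
#
# Placeholders (change before use):
SRC_IP="${SRC_IP:-10.10.10.10}"      # the one remote address allowed in
DST_IP="${DST_IP:-192.168.1.100}"    # LAN host running the service
PORT="${PORT:-3389}"                 # forwarded port (thread's example value)
DRY_RUN="${DRY_RUN:-1}"              # 1 = print commands only; 0 = run them
# Assumed deployment: /jffs/scripts/firewall-start on Merlin, DRY_RUN=0.

# Constructed sample listings in the format of
#   iptables -t nat -L VSERVER -n --line-numbers
# (not captured from a real router; used for offline checks).
SAMPLE_EMPTY='Chain VSERVER (1 references)
num  target     prot opt source               destination'
SAMPLE_UPNP_ONLY="$SAMPLE_EMPTY
1    VUPNP      all  --  0.0.0.0/0            0.0.0.0/0"
SAMPLE_MIXED="$SAMPLE_EMPTY
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.1.100
2    DNAT       tcp  --  10.10.10.10          0.0.0.0/0           tcp dpt:3389 to:192.168.1.100
3    VUPNP      all  --  0.0.0.0/0            0.0.0.0/0"

# Number of rules in a chain listing read from stdin: rule lines start with
# the rule number; the "Chain" and "num" header lines do not.
rule_count() {
    awk '/^[0-9]+[ \t]/ { n++ } END { print n + 0 }'
}

# iptables -I accepts positions 1 .. (rule count + 1); anything larger fails
# with "Index of insertion too big", so clamp to the end of the chain.
clamp_position() {
    wanted="$1"; count="$2"
    if [ "$wanted" -gt $((count + 1)) ]; then
        echo $((count + 1))
    else
        echo "$wanted"
    fi
}

# Count DNAT rules whose source column is 0.0.0.0/0, i.e. forwards open to
# the whole internet instead of one address. Should print 0 for a chain that
# holds only source-restricted forwards (plus the VUPNP jump).
unrestricted_forwards() {
    awk '$2 == "DNAT" && $5 == "0.0.0.0/0" { n++ } END { print n + 0 }'
}

# Emit the two commands: tcp at position $1, udp directly beneath it.
# The first insert shifts later rules down, so the udp position is pos+1.
build_rules() {
    pos="$1"
    printf 'iptables -t nat -I VSERVER %s -p tcp -m tcp -s %s --dport %s -j DNAT --to-destination %s\n' \
        "$pos" "$SRC_IP" "$PORT" "$DST_IP"
    printf 'iptables -t nat -I VSERVER %s -p udp -m udp -s %s --dport %s -j DNAT --to-destination %s\n' \
        "$((pos + 1))" "$SRC_IP" "$PORT" "$DST_IP"
}

apply_forward() {
    # Read the live chain; fall back to an empty listing if iptables is absent.
    listing=$(iptables -t nat -L VSERVER -n --line-numbers 2>/dev/null) || listing=""
    count=$(printf '%s\n' "$listing" | rule_count)
    pos=$(clamp_position 1 "$count")   # ahead of VUPNP and any GUI forwards
    build_rules "$pos" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
    # Verify: the source column of the new rules must show $SRC_IP.
    [ "$DRY_RUN" = 1 ] || iptables -t nat -L VSERVER -n --line-numbers
}

apply_forward
```

Run it once with the default DRY_RUN=1 to see the exact commands it would issue, then with DRY_RUN=0 on the router. One caveat worth keeping in mind: a `-s` match only helps while the friend's address stays the same; if it changes, the rule simply stops matching (nothing opens up, the service just becomes unreachable until the script is updated).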
 
That I understood lol, thank you.

So if I have nothing in the VSERVER chain then inserting at 1 would be correct?

Code:
#!/bin/sh

iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100
iptables -t nat -I VSERVER 2 -p udp -m udp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100

Also, just to clarify, this script is the same as using the port forwarding GUI but will restrict it to the source IP I choose (i.e. 10.10.10.10)?

I've been using Tomato for so long that I assumed this was a standard feature; I really want to get this working with Merlin's build as it performs a lot better for what we use.
 
So if I have nothing in the VSERVER chain then inserting at 1 would be correct?
Yes
Also, just to clarify, this script is the same as using the port forwarding GUI but will restrict it to the source IP I choose (i.e. 10.10.10.10)?
Yes. I've just tried the port forwarding in the GUI and it inserts exactly the same command, but without the source parameter, in position 1.
Code:
# iptables -t nat -L VSERVER -n --line-numbers
Chain VSERVER (1 references)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.1.100
2    VUPNP      all  --  0.0.0.0/0            0.0.0.0/0
 
Success!

Everything appears to be in order; however, I have a slight concern. When viewing the chain I get something like this:

Code:
Chain VSERVER (1 references)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.1.100
2    DNAT       udp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.1.100
3    VUPNP      all  --  0.0.0.0/0            0.0.0.0/0

Does that mean UPnP is enabled? I have it turned off in the GUI. If it's meant to be there, does the script need to be inserted after it, or will it work as normal?
 
I've just checked on my router (N66U) and it looks like the VUPNP chain exists whether UPnP is being used or not. So that's OK.

Is that the actual output from your router though? It's still showing the source address as 0.0.0.0/0 rather than something you specified.

PS Personally I always leave UPnP on anyway. If you play any online multiplayer games (PS3/Xbox, etc.) turning it off will give you a lot of grief.
 

No, that was just an example; I have all the right IPs and it's working. Did spend an hour trying to work out why it was read-only, but I got there in the end.

Thanks for all the help. :D
 
