Whitelist filtering with port forwards?


Okay, I did as you mentioned. Here's what I get:
Code:
Chain PREROUTING (policy ACCEPT 20573 packets, 2814K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1      910  104K VSERVER    all  --  *      *       0.0.0.0/0            173.xx.xx.135     

Chain INPUT (policy ACCEPT 11868 packets, 1199K bytes)
num   pkts bytes target     prot opt in     out     source               destination       

Chain OUTPUT (policy ACCEPT 30230 packets, 2354K bytes)
num   pkts bytes target     prot opt in     out     source               destination       

Chain POSTROUTING (policy ACCEPT 8028 packets, 966K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1     7214 1491K MASQUERADE  all  --  *      eth0   !173.xx.xx.135        0.0.0.0/0        
2    22205 1389K MASQUERADE  all  --  *      br0     192.168.100.0/24     192.168.100.0/24 

Chain DNSFILTER (0 references)
num   pkts bytes target     prot opt in     out     source               destination       

Chain LOCALSRV (0 references)
num   pkts bytes target     prot opt in     out     source               destination       

Chain VSERVER (1 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 DNAT       udp  --  *      *       8.xx.xx.0/24         0.0.0.0/0            udp dpt:5004 to:192.168.100.175:5004
2        0     0 DNAT       udp  --  *      *       8.xx.xx.0/24         0.0.0.0/0            udp dpt:5060 to:192.168.100.175:5060
3      910  104K VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0         

Chain VUPNP (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Under VSERVER, the destination for the two entries shows as 0.0.0.0/0 with udp dpt:5004 to 192.168.100.175:5004 & 5060

I'm not sure how exactly to read all of this. Is it showing that the device can only communicate with the block of IPs listed?

I appreciate all the help. I'm still learning this stuff!
 

You can use the Virtual Server / Port Forwarding tab to see if a comparable port forwarding definition results in an iptables entry with the same syntax (obviously without the source 8.xxx.xxx.0/24 filter because this is not available via the GUI).

Since the source port is the same as the destination port then that is why I believe the :xxxx suffix on the --to address is superfluous.
 
You can use the Virtual Server / Port Forwarding tab to see if a comparable port forwarding definition results in an iptables entry with the same syntax (obviously without the source 8.xxx.xxx.0/24 filter because this is not available via the GUI).

I don't see anything listed there. However, under System Log, the Port Forwarding tab shows:
Code:
Destination     Proto. Port range  Redirect to     Local port  Chain
ALL             UDP    5004        192.168.100.175 5004        VSERVER        
ALL             UDP    5060        192.168.100.175 5060        VSERVER
Just curious, why does it say ALL under destination?

Also, in my last post, why does it show 0.0.0.0/0 under destination and then over to the side udp dpt...
Code:
Chain VSERVER (1 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 DNAT       udp  --  *      *       8.xx.xx.0/24         0.0.0.0/0            udp dpt:5004 to:192.168.100.175:5004
2        0     0 DNAT       udp  --  *      *       8.xx.xx.0/24         0.0.0.0/0            udp dpt:5060 to:192.168.100.175:5060
3      910  104K VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0
Scroll right to see.

Thanks!
 
Sorry for warming up this thread, but I stumbled on this in my search for a way to add/delete a forward rule via SSH.
Why are rules added, i.e.:

Code:
iptables -t nat -I VSERVER 1 -p tcp -m tcp --dport 18734 -j DNAT --to 192.168.0.123:5900

not shown in the web GUI virtual server list?
I assume as I don't give the rule a name it doesn't appear, right? How can I add rules so they are listed in the GUI?
 

You didn't update the NVRAM variable?

Code:
nvram get vts_rulelist

if the returned value is blank then

Code:
nvram set vts_rulelist="<VNC>18734>192.168.0.123>5900>TCP"
nvram commit

otherwise you will need to append your new Port Forward/Virtual Server configuration to the end of the existing vts_rulelist NVRAM variable.
 
Big thanks for that info!!!
Never looked into the nvram variables before, definitely on my to-do list :)

Here are the shortcuts I now use, maybe they are a help to someone else with the same idea I had :) :
(This only works if you only have 1 port forward/device you need to toggle on/off line.)

enable (add rule) :
Code:
#!/bin/sh
iptables -t nat -I VSERVER 1 -p tcp -m tcp --dport 12345 -j DNAT --to 192.168.3.124:5900
nvram set vts_rulelist="<Test>12345>192.168.3.124>5900>TCP"
nvram commit

nvram get vts_rulelist
iptables -t nat -L VSERVER -n -v

disable (remove rule) :
Code:
#!/bin/sh
iptables -t nat -D VSERVER 1
nvram set vts_rulelist=""
nvram commit
nvram get vts_rulelist
iptables -t nat -L VSERVER -n -v

show rules (added via gui/actual active rules) :
Code:
#!/bin/sh
nvram get vts_rulelist
iptables -t nat -L VSERVER -n -v
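An added example, not code from the thread or from the firmware: a script that applies the source-whitelisted DNAT rule seen in the earlier posts (the source filter the GUI cannot express) and keeps vts_rulelist in sync with it, appending to an existing list (the case the NVRAM reply leaves to the reader) and removing only its own entry instead of blanking the variable, which is why the scripts above work with a single forward only. The name, ports, LAN address and source block are constructed values; the vts_rulelist entry layout is the one shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): manage an Asuswrt port forward that is
# restricted to a source whitelist and keep vts_rulelist in sync so the GUI lists
# it. Entry format as shown in the thread, entries simply concatenated:
#   <NAME>EXT_PORT>LAN_IP>LAN_PORT>PROTO
# Build one vts_rulelist entry.
vts_entry() { printf '<%s>%s>%s>%s>%s' "$1" "$2" "$3" "$4" "$5"; }

# Append an entry to the current list: blank list -> just the entry,
# entry already present -> list unchanged (safe to re-run).
vts_append() {
    case "$1" in
        "")     printf '%s' "$2" ;;
        *"$2"*) printf '%s' "$1" ;;
        *)      printf '%s%s' "$1" "$2" ;;
    esac
}

# Remove exactly one entry, keeping the others (pure sh: split on '<').
vts_remove() {
    local rest="${1#<}" item out=""
    while [ -n "$rest" ]; do
        item="${rest%%<*}"; rest="${rest#"$item"}"; rest="${rest#<}"
        [ "<$item" = "$2" ] || out="$out<$item"
    done
    printf '%s' "$out"
}

# Insert the DNAT rule limited to the allowed source block (the whitelist the
# GUI cannot express) and record the entry. Args: name ext_port lan_ip lan_port PROTO allowed_src
add_forward() {
    proto=$(printf '%s' "$5" | tr 'A-Z' 'a-z')
    iptables -t nat -I VSERVER 1 -p "$proto" -m "$proto" -s "$6" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    nvram set vts_rulelist="$(vts_append "$(nvram get vts_rulelist)" "$(vts_entry "$1" "$2" "$3" "$4" "$5")")"
    nvram commit
}

# Delete by full rule spec, not by position: "-D VSERVER 1" would remove
# whatever rule happens to be first, which may no longer be this one.
remove_forward() {
    proto=$(printf '%s' "$5" | tr 'A-Z' 'a-z')
    iptables -t nat -D VSERVER -p "$proto" -m "$proto" -s "$6" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    nvram set vts_rulelist="$(vts_remove "$(nvram get vts_rulelist)" "$(vts_entry "$1" "$2" "$3" "$4" "$5")")"
    nvram commit
}

# Constructed usage: ./fwd.sh add Test 12345 192.168.3.124 5900 TCP 8.xx.xx.0/24
case "${1:-}" in
    add)    shift; add_forward "$@" ;;
    remove) shift; remove_forward "$@" ;;
esac
```

The source whitelist lives only in the live iptables rule, because the entry format shown here has no field for it, so re-run the add after any firewall restart that rebuilds VSERVER.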
 
