
Port forwarding with OpenWRT Kamikaze

Port forwarding in itself is nothing new in OpenWRT, though the way it is done has changed dramatically between White Russian and Kamikaze.

One recurring problem is that port forwarding only works for packets coming in through the wan interface. In White Russian it was possible to add some clever rules to /etc/firewall.user, but things do not seem to be so easy in Kamikaze: even if it is possible to include /etc/firewall.user from /etc/config/firewall, the rules do not work.

Luckily I have a work-around.

As an example, let us say I want to forward traffic from the Internet to my server:

192.168.0.1: OpenWRT router
192.168.0.2: Server

First, create the configuration for the forwarded port by adding this to /etc/config/firewall:

config 'redirect' 'www'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'src_dport' '80'
    option 'dest_ip' '192.168.0.2'
    option 'dest_port' '80'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '80'
    option 'target' 'ACCEPT'

Then reload the firewall:

root@OpenWrt:~# /etc/init.d/firewall restart

That is it, traffic coming to the wan interface is now forwarded to the server.

But there is a problem. If you try to connect to www.my.site (which resolves to your public IP) you will get the webif of OpenWRT instead of the website.

To circumvent this we need to redirect (or proxy) the traffic to the web server as there does not seem to be any easy way to do “lan to lan port forwarding”.

For this I decided to use xinetd since it has native support for port redirection.

Start by moving the webif to another port; the configuration is in /etc/config/httpd:

config 'httpd'
    option 'home' '/www'
    option 'port' '1080'

root@OpenWrt:~# /etc/init.d/httpd restart

(The configuration for the SSH server is in /etc/config/dropbear.)

Now install xinetd. It is not in the "native" OpenWRT packages but can be found in OptWare:

root@OpenWrt:~# ipkg install http://ipkg.nslu2-linux.org/feeds/optware/openwrt-brcm24/cross/unstable/xinetd_2.3.14-8_mipsel.ipk

Now, either copy /etc/services from a Linux/Unix machine or add this line to it:

www     80/tcp      http        # WorldWideWeb HTTP

Then create the file /opt/etc/xinetd.d/http-forward:

service http
{
   flags = REUSE
   socket_type = stream
   wait = no
   user = root
   # forward to the server from the example above (192.168.0.2)
   redirect = 192.168.0.2 80
   log_on_failure += USERID
}
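Two of the slips in this write-up are easy to make by hand: an unterminated quote in the firewall redirect, and an xinetd redirect target that does not match the firewall's dest_ip/dest_port. The script below is an added example, not part of the original post; it parses both files (the UCI redirect sections and the xinetd service) and refuses to accept them when they disagree. The sample files are constructed inline so it runs anywhere; on the router pass the real paths instead.

```shell
#!/bin/sh
# Added example (not from the original post): checks that the redirect in
# /etc/config/firewall and the 'redirect =' line in the xinetd service agree,
# and flags unterminated quotes. Sample files are constructed below so it runs
# anywhere; on the router pass the real paths instead.

# "ip:port" for each 'config redirect' section; quoted or unquoted options,
# dest_port defaulting to src_dport as UCI does.
uci_redirect_targets() {
    awk -v q="'" '
        function emit() { if (inred && ip != "") print ip ":" (dport != "" ? dport : sport); inred = 0 }
        { gsub(q, "") }
        $1 == "config" { emit(); inred = ($2 == "redirect"); ip = dport = sport = "" }
        inred && $1 == "option" && $2 == "dest_ip"   { ip = $3 }
        inred && $1 == "option" && $2 == "dest_port" { dport = $3 }
        inred && $1 == "option" && $2 == "src_dport" { sport = $3 }
        END { emit() }' "$1"
}
# "ip:port" from the 'redirect = ip port' line of an xinetd service file.
xinetd_redirect_target() { awk '$1 == "redirect" && $2 == "=" { print $3 ":" $4 }' "$1"; }
# Lines with an odd number of single quotes, i.e. an unterminated UCI value.
unbalanced_quotes() { awk -v q="'" 'gsub(q, q) % 2 { print FILENAME ":" NR ": " $0 }' "$1"; }

# 0 if the firewall file is well quoted and forwards to the xinetd target.
check_forward() {
    bad=$(unbalanced_quotes "$1")
    [ -z "$bad" ] || { echo "unterminated quote at $bad" >&2; return 1; }
    target=$(xinetd_redirect_target "$2")
    uci_redirect_targets "$1" | grep -qxF "$target" && return 0
    echo "xinetd redirects to $target, firewall forwards to $(uci_redirect_targets "$1")" >&2
    return 1
}

# Constructed samples: the post's own files, as posted and as corrected.
DIR=$(mktemp -d)
cat > "$DIR/firewall.bad" <<'EOF'
config 'redirect' 'www'
    option 'src' 'wan'
    option 'src_dport' '80'
    option 'dest_ip' '192.168.0.2'
    option 'dest_port' '80
EOF
sed "s/'80\$/'80'/" "$DIR/firewall.bad" > "$DIR/firewall.ok"
printf 'service http\n{\n   redirect = 192.168.1.2 80\n}\n' > "$DIR/xinetd.bad"
sed 's/192.168.1.2/192.168.0.2/' "$DIR/xinetd.bad" > "$DIR/xinetd.ok"
check_forward "$DIR/firewall.bad" "$DIR/xinetd.ok" || echo "rejected: bad quoting"
check_forward "$DIR/firewall.ok" "$DIR/xinetd.bad" || echo "rejected: wrong target"
check_forward "$DIR/firewall.ok" "$DIR/xinetd.ok" && echo "firewall and xinetd agree"
```

The same check works on Andi's unquoted style of config from the comments below, since the quotes are stripped before parsing.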

If you plan on using a lot of OptWare packages you could add a custom start-up script that calls all S-scripts in /opt/etc/init.d, but I opted for a single OpenWRT-style init script for xinetd, /etc/init.d/xinetd:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

# start after the network and firewall scripts
START=39
start() {
    # only start if the OptWare binary is present and executable
    [ -x /opt/sbin/xinetd ] && {
        /opt/sbin/xinetd
    }
}

Enable and start it, then check that it is running:

root@OpenWrt:~# /etc/init.d/xinetd enable
root@OpenWrt:~# /etc/init.d/xinetd start
root@OpenWrt:~# ps aux | grep [x]inetd
 1599 root      1900 S    /opt/sbin/xinetd
 1935 root      1900 S    /opt/sbin/xinetd

logread should show something like

May 10 23:25:45 xinetd[2166]: Reading included configuration file: /opt/etc/xinetd.d/http-forward [file=/opt/etc/xinetd.conf] [line=15]
May 10 23:25:45 xinetd[2166]: xinetd Version 2.3.14 started with no options compiled in.
May 10 23:25:45 xinetd[2166]: Started working: 1 available services

Now try to connect to the forwarded port; there should be something like this in the log:

May 10 23:25:53 xinetd[2166]: START: http pid=2168 from=192.168.1.240
Published in OpenWRT

6 Comments

  1. Andi

    to keep LuCI on port 80 for lan and have wan port 80 redirected to a specific server (here in lan), try first a rule that rejects port 80 on wan and then the forward… like this (in /etc/config/firewall):

    config rule
    option src wan
    option dest_port 80
    option target REJECT

    config redirect
    option src wan
    option src_dport 80
    option dest lan
    option dest_ip 192.168.1.2
    option dest_port 80
    option proto tcp

    works fine for me…

    • Yes, it’s a typo. Fixed.

    • Another brilliant way of solving the same problem :)

      I’ve always been running the WebIf on port 1080 (instead of 80) which is why I chose that solution with Kamikaze.

      mvh
      Allan

  2. Steve

    Hi Alan,

    I noticed in your example you said your server was at 192.168.0.2 but in your configuration you use 192.168.1.2. Is this a typo?

    Steve

  3. Hi,
    that’s very useful, but I still have a question:
    is it possible to specify both protocols? I mean, how to enable udp and tcp on port 6000?
    Thanks,
    hamen

  4. I do believe that the ‘proto’ parameter is optional – but I cannot test it as I am no longer using OpenWRT (hardware compatibility issues – nothing wrong with OpenWRT as such).
