Port forwarding in itself is nothing new in OpenWRT, though the way it is done has changed dramatically between White Russian and Kamikaze.
One recurring problem is that port forwarding only works for packets coming in through the wan interface. In White Russian it was possible to add some clever rules to /etc/firewall.user, but things do not seem to be so easy in Kamikaze (even if it is possible to include /etc/firewall.user from /etc/config/firewall, the rules do not work).
Luckily I have a work-around.
As an example, let us say I want to forward traffic from the Internet to my server:
192.168.0.1: OpenWRT router
192.168.0.2: Server
First, create the configuration for the forwarded port by adding this to /etc/config/firewall:
config 'redirect' 'www'
	option 'src' 'wan'
	option 'proto' 'tcp'
	option 'src_ip' ''
	option 'src_dport' '80'
	option 'dest_ip' '192.168.0.2'
	option 'dest_port' '80'

config 'rule'
	option 'src' 'wan'
	option 'proto' 'tcp'
	option 'src_ip' ''
	option 'dest_ip' ''
	option 'dest_port' '80'
	option 'target' 'ACCEPT'
then reload the firewall:
root@OpenWrt:~# /etc/init.d/firewall restart
That is it, traffic coming to the wan interface is now forwarded to the server.
But there is a problem. If you try to connect to www.my.site (which resolves to your public IP) you will get the webif of OpenWRT instead of the website.
To circumvent this we need to redirect (or proxy) the traffic to the web server as there does not seem to be any easy way to do “lan to lan port forwarding”.
For this I decided to use xinetd since it has native support for port redirection.
Start by moving the webif to another port; the configuration is in /etc/config/httpd:
config 'httpd'
	option 'home' '/www'
	option 'port' '1080'
and then restart the web server:
root@OpenWrt:~# /etc/init.d/httpd restart
(The configuration for the SSH server is in /etc/config/dropbear.)
Now install xinetd. It’s not in the “native” OpenWRT packages but can be found in OptWare:
root@OpenWrt:~# ipkg install http://ipkg.nslu2-linux.org/feeds/optware/openwrt-brcm24/cross/unstable/xinetd_2.3.14-8_mipsel.ipk
Now, either copy /etc/services from a Linux/Unix machine or add this line:
www 80/tcp http # WorldWideWeb HTTP
Then create the file /opt/etc/xinetd.d/http-forward:
service http
{
	flags           = REUSE
	socket_type     = stream
	wait            = no
	user            = root
	# forward to the same host:port the firewall redirect points at (192.168.0.2 in the example above)
	redirect        = 192.168.0.2 80
	log_on_failure  += USERID
}
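The firewall redirect above and the xinetd redirect both name a destination, and nothing in either file keeps them in step. The script below is an added example, not part of the original post, that reads both files and reports whether Internet clients (via the firewall DNAT) and LAN clients (via xinetd) would end up at the same host and port. The function names and the two sample configuration files are constructed for this demonstration; on a router you would pass /etc/config/firewall and /opt/etc/xinetd.d/http-forward instead.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check that the UCI firewall
# 'redirect' section and the xinetd 'redirect =' line point at the same host:port.
# File names are parameters; the sample configs below are constructed.

# Print "ip:port" for every 'redirect' section in a UCI firewall file.
# dest_port is optional in UCI and defaults to src_dport, which is handled here.
forward_targets_uci() {
    tr -d "'\"" < "$1" | awk '
        function flush() {
            if (in_redirect && ip != "") {
                if (port == "") port = sport
                print ip ":" port
            }
            ip = ""; port = ""; sport = ""
        }
        $1 == "config" { flush(); in_redirect = ($2 == "redirect") }
        in_redirect && $1 == "option" {
            if ($2 == "dest_ip")   ip    = $3
            if ($2 == "dest_port") port  = $3
            if ($2 == "src_dport") sport = $3
        }
        END { flush() }'
}

# Print "ip:port" from the redirect line of an xinetd service file.
forward_target_xinetd() {
    sed -n 's/^[[:space:]]*redirect[[:space:]]*=[[:space:]]*//p' "$1" |
        awk 'NF >= 2 { print $1 ":" $2 }'
}

# Exit 0 if the xinetd target is one of the firewall targets, 1 on mismatch,
# 2 if either file yields no target at all.
check_forward_consistency() {
    fw_targets=$(forward_targets_uci "$1")
    xi_target=$(forward_target_xinetd "$2")
    [ -n "$fw_targets" ] && [ -n "$xi_target" ] || {
        echo "could not find a redirect target in $1 or $2" >&2
        return 2
    }
    if printf '%s\n' "$fw_targets" | grep -qxF "$xi_target"; then
        echo "OK: firewall and xinetd both forward to $xi_target"
        return 0
    fi
    echo "MISMATCH: xinetd forwards to $xi_target, firewall redirects to:" $fw_targets
    return 1
}

# --- constructed sample files, modelled on the post's configuration ---
FW_SAMPLE=$(mktemp); XI_OK_SAMPLE=$(mktemp); XI_BAD_SAMPLE=$(mktemp)
cat > "$FW_SAMPLE" <<'EOF'
config 'redirect' 'www'
	option 'src' 'wan'
	option 'proto' 'tcp'
	option 'src_dport' '80'
	option 'dest_ip' '192.168.0.2'
EOF
cat > "$XI_OK_SAMPLE" <<'EOF'
service http
{
	redirect = 192.168.0.2 80
}
EOF
# the "bad" sample points xinetd at a different host than the firewall
sed 's/192\.168\.0\.2/192.168.1.2/' "$XI_OK_SAMPLE" > "$XI_BAD_SAMPLE"

check_forward_consistency "$FW_SAMPLE" "$XI_OK_SAMPLE"
check_forward_consistency "$FW_SAMPLE" "$XI_BAD_SAMPLE" || :
```

The firewall parser only needs `tr`, `awk` and `sed`, all of which busybox provides, so the same script runs on the router and on a workstation with the files copied over.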
If you plan on using a lot of OptWare packages you could add a custom start-up script that calls all S-scripts in /opt/etc/init.d, but I opted for a single OpenWRT-style init script for xinetd (/etc/init.d/xinetd):
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
START=39

start() {
	# only start if the OptWare binary is actually installed
	[ -x /opt/sbin/xinetd ] && {
		/opt/sbin/xinetd
	}
}

stop() {
	killall xinetd
}
and then enable and start the service:
root@OpenWrt:~# /etc/init.d/xinetd enable
root@OpenWrt:~# /etc/init.d/xinetd start
root@OpenWrt:~# ps aux | grep [x]inetd
1599 root 1900 S /opt/sbin/xinetd
1935 root 1900 S /opt/sbin/xinetd
logread should show something like:
May 10 23:25:45 xinetd[2166]: Reading included configuration file: /opt/etc/xinetd.d/http-forward [file=/opt/etc/xinetd.conf] [line=15]
May 10 23:25:45 xinetd[2166]: xinetd Version 2.3.14 started with no options compiled in.
May 10 23:25:45 xinetd[2166]: Started working: 1 available services
Now try to connect to the forwarded port, there should be something like this in the log:
May 10 23:25:53 xinetd[2166]: START: http pid=2168 from=192.168.1.240
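Once the redirect is in use, the START lines above are the only record of who is reaching the web server through the router. The script below is an added example, not part of the original post, that summarises those lines per service and client address and lists clients outside the expected LAN prefix, which is a quick way to confirm that only LAN hosts are using the xinetd redirect. The function names and the log lines are constructed for this demonstration, in the format the post's logread output shows.

```shell
#!/bin/sh
# Added example (not from the original post): summarise xinetd START lines from
# logread output and list clients outside the expected LAN prefix.
# The sample log lines are constructed in the format the post shows.

# stdin: logread output. stdout: "<count> <service> <client-ip>", busiest first.
xinetd_start_summary() {
    awk '
        /xinetd\[[0-9]+\]: START:/ {
            svc = ""; from = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "START:")          svc  = $(i + 1)
                if (index($i, "from=") == 1) from = substr($i, 6)
            }
            if (svc != "" && from != "") count[svc " " from]++
        }
        END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2 -k3,3
}

# $1 = expected LAN prefix (e.g. "192.168.0."); stdin as above.
# Prints "<service> <client-ip>" for every client whose address does not start with the prefix.
xinetd_clients_outside() {
    xinetd_start_summary | awk -v p="$1" 'index($3, p) != 1 { print $2, $3 }'
}

# Constructed sample: four xinetd START lines plus two unrelated lines to be ignored.
SAMPLE_LOG='May 10 23:25:45 xinetd[2166]: Started working: 1 available services
May 10 23:25:53 xinetd[2166]: START: http pid=2168 from=192.168.0.50
May 10 23:26:10 xinetd[2166]: START: http pid=2171 from=192.168.0.77
May 10 23:26:12 dropbear[2175]: Child connection from 192.168.0.50:4422
May 10 23:27:01 xinetd[2166]: START: http pid=2180 from=192.168.0.50
May 10 23:27:30 xinetd[2166]: START: http pid=2184 from=10.0.0.9'

printf '%s\n' "$SAMPLE_LOG" | xinetd_start_summary
printf '%s\n' "$SAMPLE_LOG" | xinetd_clients_outside 192.168.0.
```

On the router the input comes straight from `logread | xinetd_clients_outside 192.168.0.`; a client that is not on the LAN showing up here means the xinetd listener is reachable from somewhere it was not meant to be.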