iptables forward rule not working in openwrt

At a guess, you've got 1 of 2 issues, or possibly both.

  1. Machine 2 doesn't have a default route (or any route) via Machine 1. You haven't mentioned the operating systems or subnets in use so I can't give you much more information about how to resolve that.

  2. You haven't actually enabled IP Forwarding on Machine 1:

    • sysctl -w net.ipv4.ip_forward=1

      or

    • echo 1 > /proc/sys/net/ipv4/ip_forward
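
An added diagnostic helper (not code from this answer or from the OpenWrt project) that checks the two causes above from text inputs rather than the live system, so it runs anywhere: give it the router's net.ipv4.ip_forward value and the client's `ip route` output. Addresses, interface names and the sample route lines are constructed to match the question's scenario, and the route fix uses the next-hop form fukawi2 gives in the comments.

```sh
#!/bin/sh
# Added diagnostic helper, not code from the answer or the OpenWrt project.
# It evaluates the two causes above from text inputs instead of touching the
# live system, so it can be run anywhere. Addresses, interface names and the
# sample route lines are constructed to match the question's scenario.

# Cause 2: forwarding on the router. $1 is the value of
# /proc/sys/net/ipv4/ip_forward (or `sysctl -n net.ipv4.ip_forward`).
forwarding_enabled() {
    [ "$1" = "1" ]
}

# Cause 1: the client's route. $1 is the client's `ip route` output, $2 the
# destination (the server's br-lan address) and $3 the router's ath0 address
# that must appear as the next hop, either on a host route or on the default.
client_has_route() {
    printf '%s\n' "$1" | grep -Eq "^($2|default) .*via $3( |$)"
}

# Prints "ok" or a space-separated list of the problems found.
diagnose() {
    ip_forward="$1"; routes="$2"; dest="$3"; router_ath0="$4"
    problems=""
    client_has_route "$routes" "$dest" "$router_ath0" || problems="no-route"
    forwarding_enabled "$ip_forward" || problems="${problems:+$problems }forwarding-off"
    echo "${problems:-ok}"
}

# The fix for each problem, as given in the answer and fukawi2's comment.
# (A bare iptables command does not survive /etc/init.d/firewall restart on
# OpenWrt; persistent rules belong in the firewall configuration instead.)
suggest_fix() {
    case "$1" in
        no-route)       echo "client: ip route add $2 via $3" ;;
        forwarding-off) echo "router: sysctl -w net.ipv4.ip_forward=1" ;;
    esac
}

# Constructed sample: the client knows only its own ath0 subnet and the
# router still has forwarding disabled, so both causes apply.
CLIENT_ROUTES='1.1.1.0/24 dev ath0 proto kernel scope link src 1.1.1.6'
ROUTER_IP_FORWARD=0

for problem in $(diagnose "$ROUTER_IP_FORWARD" "$CLIENT_ROUTES" 132.245.244.60 1.1.1.5); do
    suggest_fix "$problem" 132.245.244.60 1.1.1.5
done
```

On the real hosts, feed it `cat /proc/sys/net/ipv4/ip_forward` from the router and `ip route` from the client. Goez's point about return routes or source NAT on the br-lan side is not checked here.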

Author: Udit Gupta

Updated on September 18, 2022

Comments

  • Udit Gupta
    Udit Gupta over 1 year

    I am trying to apply some iptables forwarding rules in openwrt.

    Here is my scenario:

    My server has two cards, ath0 and br-lan. br-lan is connected to the internet and ath0 to the private network.

    The other machine in the network also has ath0, which connects with this server's ath0, and they are able to ping each other.

    Now, I want the other machine in the network to use the internet via the server's br-lan, so I thought of using an iptables forwarding rule.

    Here is what I tried:

    Server:

    $ ping 1.1.1.6            # ath0 IP of the client: works fine
    $ iptables -A FORWARD -i ath0 -o br-lan -j ACCEPT
    $ /etc/init.d/firewall restart

    Client:

    $ ping 1.1.1.5            # ath0 IP of the server: works fine
    $ ping 132.245.244.60     # br-lan IP of the server: not working

    I am new to iptables and OpenWrt. What am I doing wrong here?

    Any other help anyone could suggest for my scenario would also be welcome.

    • Michael Hampton
      Michael Hampton over 10 years
      What are "m/c" and "n/w"?
    • Udit Gupta
      Udit Gupta over 10 years
      Sorry for that. m/c is machine and n/w is network. I will change it.
  • Udit Gupta
    Udit Gupta over 10 years
    Do we really need to add a route? As far as I know, if m/c1 is able to ping m/c2 then it will transfer its packet to m/c 2 and then the firewall will just forward it to the other interface. Why do we need to add a route? Please see my edit for information about the actual IPs (the IPs are different but in the same class). Further, I am new to this, so do we need to run those commands to enable forwarding? Wouldn't iptables do it by default?
  • Udit Gupta
    Udit Gupta over 10 years
    Also, is it that I need to forward the ICMP packets as well to enable ping?
  • fukawi2
    fukawi2 over 10 years
    RE: routing, yes, if you want to talk to the IP address(es) on the "other side" of Machine 1. Without an appropriate route, Machine 2 has no idea where to send the traffic, or will send it to the wrong place (default route). RE: enabling forwarding, no, iptables does not enable it automatically.
  • Udit Gupta
    Udit Gupta over 10 years
    OK, got it. One more thing: are you assuming m/c 2 is the server or the client? Please correct me if I am wrong, but you want me to do something like this on the server: ip route add 130.245.244.260 dev ath0, so that when a request comes for ath0 on the server it will check the route and then forward the traffic based on the iptables rule.
  • fukawi2
    fukawi2 over 10 years
    No, the route needs to know the 'next hop': ip route add 132.245.244.60 via 1.1.1.5. The command you posted tells the kernel that 132.245.244.60 is directly connected to ath0, which it is not; it's on the "other side" of 1.1.1.5.
  • Goez
    Goez almost 8 years
    Don't forget routes back or source NATting ...