Port Forwarding

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
clinton
OpenVpn Newbie
Posts: 5
Joined: Sun Mar 20, 2011 6:24 pm

Port Forwarding

Post by clinton » Tue Mar 22, 2011 4:58 pm

Hello,

I have an OpenVPN on a Debian server, and one of my friends has some traffic on ports 12000:12200 (uPnP).

How do I have to forward a part of his traffic through ports 12000:12200?

Thanks a lot!

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Port Forwarding

Post by Bebop » Tue Mar 22, 2011 7:50 pm

Here's the hardcoded method. For this method you need to know the IPs. This is not the recommended method. In the following example, it's assumed that '124.66.90.100' is the WAN IP of the VPN server, and '10.0.0.2' is the IP assigned to the client from the VPN.

Code:

# DNAT rewrites the destination of packets arriving for the WAN IP to the client's VPN IP;
# the FORWARD rule is then evaluated against the rewritten (client) destination.
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 124.66.90.100 --dport 12000 -j DNAT --to-destination 10.0.0.2:12000

iptables -A FORWARD -p tcp -i eth0 -d 10.0.0.2 --dport 12000 -j ACCEPT
Below is the softcoded method, using an up-script. This is the recommended method.

Add to server.conf:

Code:

client-connect /etc/openvpn/clientconnect.sh
client-disconnect /etc/openvpn/clientdisconnect.sh

script-security 2
You need to create these two files manually (clientconnect.sh and clientdisconnect.sh [remember to make them executable - 755]), and in the clientconnect.sh you put the following code:

Code:

#!/bin/sh
# OpenVPN exports the client's assigned address as $ifconfig_pool_remote_ip and the
# server's tunnel-side address as $ifconfig_local when it runs this script.
# No spaces around '=' in a shell assignment.
PORT=12000

iptables -A FORWARD -p tcp -i eth0 -d $ifconfig_pool_remote_ip --dport $PORT -j ACCEPT

# Note: $ifconfig_local is the server's tunnel address; if the port is reached on the
# server's public address instead, match that address here.
iptables -t nat -A PREROUTING -p tcp -d $ifconfig_local --dport $PORT -j DNAT --to-destination $ifconfig_pool_remote_ip:$PORT
Since this topic is raised occasionally, there is now a proper how-to.

See: Board index » Scripting and Customizations » Routing and Firewall Scripts » IPTABLES - Portforwarding
The cure for boredom is curiosity

clinton
OpenVpn Newbie
Posts: 5
Joined: Sun Mar 20, 2011 6:24 pm

Re: Port Forwarding

Post by clinton » Thu Mar 24, 2011 4:37 pm

Thanks a lot for your reply!

I don't understand your second method. Will all the clients get their traffic on port 12000?

With each connection (for each client) the file clientconnect.sh will generate:

iptables -A FORWARD -p tcp -i eth0 -d some_ip_1 --dport 12000 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d some_ip_2 --dport 12000 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d some_ip_3 --dport 12000 -j ACCEPT

?

Thanks

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Port Forwarding

Post by Bebop » Fri Mar 25, 2011 5:20 am

clinton wrote:Thanks a lot for your reply!

I don't understand your second method. Will all the clients get their traffic on port 12000?

With each connection (for each client) the file clientconnect.sh will generate:

iptables -A FORWARD -p tcp -i eth0 -d some_ip_1 --dport 12000 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d some_ip_2 --dport 12000 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -d some_ip_3 --dport 12000 -j ACCEPT

?

Thanks
I left some notes on the linked page about it:
You can only forward a port such as "12000 tcp" to a single client at any one time. You will need to get creative with your port management when you have multiple clients. A simple line such as "PORT 12000" won't be sufficient for a setup with many clients who need ports forwarded. A suggestion would be to look at using a database or flat-file with client/port allocations.
So basically, if you have multiple clients you need to dynamically alter the 'PORT' for each client connect, so 1st client receives 12000, 2nd client 12001, 3rd client 12003, etc. No two clients can share a forwarded port.
The cure for boredom is curiosity
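One way to do the per-client port allocation Bebop describes, as an added example that is not code from the forum post or from the linked how-to: a single script used as both client-connect and client-disconnect that hands each client its own port from 12000-12200, tracked in a flat file. It assumes OpenVPN supplies script_type, common_name and ifconfig_pool_remote_ip; the WAN address (taken from the thread) and the state-file path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the forum post: allocate one forwarded port per client
# from a flat file so no two clients share a port. Assumed: OpenVPN sets script_type,
# common_name and ifconfig_pool_remote_ip; WAN_IP is the server's public address
# (placeholder from the thread); STATE_FILE is writable by root only.
PORT_MIN=${PORT_MIN:-12000}
PORT_MAX=${PORT_MAX:-12200}
STATE_FILE=${STATE_FILE:-/etc/openvpn/port-allocations.txt}
WAN_IP=${WAN_IP:-124.66.90.100}
IPTABLES=${IPTABLES:-iptables}
# lookup_port CN: print the port already allocated to CN, or fail if there is none.
lookup_port() {
  out=$(awk -v c="$1" '$1 == c { print $2; exit }' "$STATE_FILE" 2>/dev/null) || true
  [ -n "$out" ] && echo "$out"
}
# allocate_port CN: reuse CN's entry, else take the lowest free port in the range.
# Fails when the range is exhausted so OpenVPN rejects the client instead of stealing a port.
allocate_port() {
  if lookup_port "$1"; then return 0; fi
  p=$PORT_MIN
  while [ "$p" -le "$PORT_MAX" ]; do
    if ! grep -qs " $p\$" "$STATE_FILE"; then
      echo "$1 $p" >> "$STATE_FILE"
      echo "$p"
      return 0
    fi
    p=$((p + 1))
  done
  return 1
}
# release_port CN: drop CN's entry so its port can be reused by the next client.
release_port() {
  [ -f "$STATE_FILE" ] || return 0
  awk -v c="$1" '$1 != c' "$STATE_FILE" > "$STATE_FILE.tmp" && mv "$STATE_FILE.tmp" "$STATE_FILE"
}
# forward_rules -A|-D CLIENT_IP PORT: add or delete the DNAT and FORWARD rules for one client.
forward_rules() {
  "$IPTABLES" -t nat "$1" PREROUTING -i eth0 -p tcp -d "$WAN_IP" --dport "$3" \
    -j DNAT --to-destination "$2:$3" &&
  "$IPTABLES" "$1" FORWARD -i eth0 -p tcp -d "$2" --dport "$3" -j ACCEPT
}
case "${script_type:-}" in
  client-connect)
    port=$(allocate_port "$common_name") || exit 1
    forward_rules -A "$ifconfig_pool_remote_ip" "$port" ;;
  client-disconnect)
    port=$(lookup_port "$common_name") && forward_rules -D "$ifconfig_pool_remote_ip" "$port"
    release_port "$common_name" ;;
esac
```

Point both client-connect and client-disconnect in server.conf at this one file; OpenVPN runs these scripts one at a time, which is what keeps the flat-file updates from racing.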
