Iptables vserver chain?

TheStork

Occasional Visitor
Many of the examples around NAT scripts on this forum and in the documentation on GitHub use the chain 'VSERVER' for iptables, e.g.:

iptables -t nat -I VSERVER 3 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100

My understanding of iptables is still relatively basic, but I have a rough idea what e.g. the POSTROUTING, PREROUTING and OUTPUT chains are for. However, could someone please clarify where (and why) a VSERVER chain comes into play?

Thanks in advance.
 
VSERVER is for manual port forwards (there is also a VUPNP chain when a UPnP forward is established).

You can see them on the System Log/Port Forwarding tab.
 
Thanks John,

Am I being silly, or wouldn't the PREROUTING chain do something very similar for manual port forwards? What's the difference?
(I'm trying to visualise where the VSERVER 'hookpoint' would sit relative to PREROUTING, POSTROUTING, INPUT, OUTPUT, and FORWARD chains).

Apologies if I'm being slow here...
 
Unlike the chains you mention, which are built-in, VSERVER is a user-defined chain that sits in the NAT table.

The contents of this chain, as well as others like VUPNP, FUPNP and PControls, are automatically generated by the firmware depending on settings in the GUI.

The meaning of the names that ASUS chose is fairly obvious, and having separate chains for different functions keeps things nice and simple, rather than having them all lumped together in one place. But you are correct in that the VSERVER chain is just hooked into the PREROUTING chain of the NAT table. You could put all of the VSERVER rules into the PREROUTING chain; it just makes it more difficult to manage.

If you issue the following command from the router's command prompt it will be a little bit easier to understand how the chains interact. (Of course, if you don't have any active forwarded ports or parental controls there won't be much to see other than a bunch of unused chains!)
Code:
iptables-save
 
PREROUTING would imply every single packet coming in would be checked against the rule, while having it in VSERVER means it will only be checked if it's actually a packet that's targeting your LAN. Therefore, more efficient.
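The two posts above describe the hook-up in words: PREROUTING in the nat table jumps to VSERVER only for packets addressed to the router, VSERVER holds the manual forwards and then falls through to VUPNP. Reading that structure out of a real `iptables-save` dump is easier with a small parser. The script below is an added example written for this page, not code from the thread or from the Asuswrt firmware. It parses iptables-save text, walks the jump rules back to the built-in chain that calls each user-defined chain, numbers the rules the way `iptables -I ... 3` and `-L --line-numbers` do, and lists every DNAT reachable from PREROUTING. The embedded dump is constructed to mimic an Asuswrt nat table; the WAN address 203.0.113.5, the interfaces eth0 and br0, and the forwarded hosts and ports are assumptions, as are the function names.

```python
"""Parse iptables-save output and show how nat-table chains are hooked together."""
import re
from collections import defaultdict

# Constructed sample in iptables-save format, modelled on an Asuswrt nat table; it was
# not captured from a real router.  WAN address, interface names, hosts and ports are
# assumptions chosen for the example.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d 203.0.113.5/32 -j VSERVER
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
-A POSTROUTING ! -s 203.0.113.5/32 -o eth0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A VSERVER -p udp -m udp --dport 51820 -j DNAT --to-destination 192.168.1.60
-A VSERVER -p tcp -m tcp -s 10.10.10.10/32 --dport 3389 -j DNAT --to-destination 192.168.1.100
-A VSERVER -j VUPNP
-A VUPNP -p tcp -m tcp --dport 6881 -j DNAT --to-destination 192.168.1.70:6881
COMMIT
"""

BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}


def parse_save(text):
    """Return {table: {chain: [rule_spec, ...]}}, keeping each chain's rule order."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                       # table header, e.g. *nat
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                     # chain declaration
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):                   # rule appended to a chain
            _, chain, spec = line.split(" ", 2)
            tables[table].setdefault(chain, []).append(spec)
    return tables


def split_rule(spec):
    """Split a rule spec into (match part, jump target); target is None without -j."""
    m = re.search(r"(?:^| )-j (\S+)", spec)
    return (spec.strip(), None) if not m else (spec[: m.start()].strip(), m.group(1))


def callers(chains):
    """Map each user-defined chain to [(calling chain, match guarding the jump), ...]."""
    edges = defaultdict(list)
    for chain, rules in chains.items():
        for spec in rules:
            match, target = split_rule(spec)
            if target in chains and target not in BUILTIN:
                edges[target].append((chain, match or "(every packet reaching this rule)"))
    return edges


def hook_path(chains, chain):
    """Chain names from the built-in entry point down to `chain`, with the match that
    guards each hop, e.g. (['PREROUTING', 'VSERVER'], ['-d 203.0.113.5/32']).
    Returns (None, None) for a chain nothing jumps to.  Asuswrt hooks each helper
    chain from one place, so the first caller is followed; a loop stops the walk."""
    edges, path, conds = callers(chains), [chain], []
    while path[0] not in BUILTIN:
        hops = edges.get(path[0])
        if not hops or hops[0][0] in path:
            return None, None
        caller, match = hops[0]
        path.insert(0, caller)
        conds.insert(0, match)
    return path, conds


def numbered_rules(chains, chain):
    """Rules of `chain` with the 1-based numbers that iptables -I and -L --line-numbers use."""
    return list(enumerate(chains.get(chain, []), start=1))


def port_forwards(chains, entry="PREROUTING"):
    """Every DNAT reachable from `entry`, in evaluation order, as
    (chain, rule number, proto, source, dport, destination)."""
    found = []

    def flag(spec, name):
        m = re.search(rf"(?:^| ){re.escape(name)} (\S+)", spec)
        return m.group(1) if m else None

    def walk(chain, seen):
        for n, spec in numbered_rules(chains, chain):
            match, target = split_rule(spec)
            if target == "DNAT":
                found.append((chain, n, flag(spec, "-p"), flag(spec, "-s") or "any",
                              flag(spec, "--dport"), flag(spec, "--to-destination")))
            elif target in chains and target not in seen:   # follow the jump, once
                walk(target, seen | {target})

    walk(entry, {entry})
    return found


if __name__ == "__main__":
    nat = parse_save(SAMPLE)["nat"]
    for name in ("VSERVER", "VUPNP", "PUPNP"):
        path, conds = hook_path(nat, name)
        print(" -> ".join(path), "guarded by", conds)
    for n, spec in numbered_rules(nat, "VSERVER"):
        print(f"VSERVER rule {n}: {spec}")
    for fwd in port_forwards(nat):
        print("forward:", fwd)
```

Run it against a real dump with `iptables-save | python3 chains.py` after swapping `SAMPLE` for `sys.stdin.read()`. The `hook_path` result makes the efficiency point concrete: a DNAT placed directly in PREROUTING is evaluated for every packet, while the same rule in VSERVER is only reached after the `-d <wan address>` guard on the single jump rule has matched.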
 
TheStork's example above (which is also found in the Wiki) adds that rule as rule number 3 in the VSERVER chain. If I follow the second example here for using a rule like this with a dynamic DNS host, it will flush the complete VSERVER chain when updating the rule. Is there a way to work around this?

Also, when I add a manual port forward via the WebUI, I am given the option to enter a source IP address, so why should we manually invoke iptables to enter this rule?
 