
AC68 - iptables REDIRECT --to-port

Discussion in 'Asuswrt-Merlin' started by lahma, Jun 19, 2017.

lahma (New Around Here, Jan 10, 2014):
    I've got a quick technical question that I am sure could be easily answered by someone with moderate experience using iptables. I've literally spent about 8 hours searching, reading, and experimenting to try to figure this out, but I have had no luck so far.

    Background Info:
    I am running an Asus RT-AC68U with Merlin firmware, and I have an OpenVPN client set up to operate with the provider PrivateInternetAccess.com. I'm using selective routing to route only 1 (for the moment) local IP over the VPN tunnel, and that is working perfectly.

    Additionally, I am running a route-up script upon VPN connection in order to send a request over the VPN tunnel to ask my VPN provider for an open port (using PrivateInternetAccess' new API they just launched) that I can use for torrents and such. Again, after much trial and error (it is not easy to send a GET request over the VPN tunnel from a shell script on the router, since something simple like using curl's interface-bind doesn't work), I have this working perfectly as well.

    I am using the following script to forward the port given to me by my VPN to the local IP that I want to set up a torrent client on:

    Ex local IP:
    Ex open port provided by VPN: 43251

    iptables -I FORWARD -i tun11 -p udp -d --dport 43251 -j ACCEPT
    iptables -I FORWARD -i tun11 -p tcp -d --dport 43251 -j ACCEPT
    iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 43251 -j DNAT --to-destination
    iptables -t nat -I PREROUTING -i tun11 -p udp --dport 43251 -j DNAT --to-destination

    This is also working fine, but this is where the change I want to make comes into play.

    The Problem:
    Being that I have spent so much time and effort researching and writing scripts to automate all of this on the router, I want to take the final step of having the port provided to me by my VPN provider redirected to a static local port. If I could do this, then I would not have to change the TCP/UDP port in my torrent client every time the router reconnects to the VPN (as the port # changes every time you reconnect). I thought I had figured out the solution, which was to change the last 2 iptables commands listed above to:

    Ex static local port: 17444

    iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 43251 -j DNAT --to-destination
    iptables -t nat -I PREROUTING -i tun11 -p udp --dport 43251 -j DNAT --to-destination

    Unfortunately, this does not work. I also tried the following 2 iptables commands in addition to the others (although I had very little hope they were going to do anything):

    iptables -t nat -A PREROUTING -i tun11 -p tcp --dport 43251 -j REDIRECT --to-port 17444
    iptables -t nat -A PREROUTING -i tun11 -p udp --dport 43251 -j REDIRECT --to-port 17444

    I tried the above 2 commands with specifying the local destination IPs as well, but nothing worked.

    I apologize for writing such a long message, but I figured it was better to provide as much context as possible. For someone experienced, all they probably need to read is this last section to provide me with an answer... If someone can help me out, I would be FOREVER indebted to you. Thank you in advance.
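For anyone landing on this thread with the same goal, here is an added example (not lahma's script and not Asuswrt-Merlin code) of a route-up helper that installs the DNAT with a port rewrite and keeps the FORWARD accepts in step with it. It reuses tun11, VPN port 43251 and static port 17444 from the post; 192.0.2.10 is a constructed stand-in for the torrent host's LAN address, and the chain names are invented. Set IPT=echo to dry-run on a PC.

```sh
#!/bin/sh
# Added example, not the original poster's script. Assumptions: tun11 is the
# PIA tunnel, 192.0.2.10 is a placeholder for the torrent host, 17444 is the
# fixed local port. Busybox ash compatible (no arrays), as used on Asuswrt.
IPT="${IPT:-iptables}"
NAT_CHAIN=PIA_PORT_NAT   # invented chain name, hangs off nat PREROUTING
FWD_CHAIN=PIA_PORT_FWD   # invented chain name, hangs off filter FORWARD
VPN_IF=tun11

# Print the rules (one argument list per line) for a given VPN port,
# LAN host and fixed local port. Kept separate from execution so it can be
# inspected or tested without root.
port_forward_rules() {
    vpn_port="$1"; lan_ip="$2"; local_port="$3"
    for proto in tcp udp; do
        # nat: rewrite both destination IP and port on packets from the tunnel
        echo "-t nat -A $NAT_CHAIN -i $VPN_IF -p $proto --dport $vpn_port -j DNAT --to-destination $lan_ip:$local_port"
        # filter: FORWARD runs after nat PREROUTING, so it sees the translated
        # destination; match the fixed local port and host, not the VPN port.
        # This also limits what the tunnel can reach to that one host:port.
        echo "-t filter -A $FWD_CHAIN -i $VPN_IF -p $proto -d $lan_ip --dport $local_port -j ACCEPT"
    done
}

# Create the private chain once, hook it into its parent once, then flush it.
# Flushing a dedicated chain is what makes reconnects idempotent: the old
# VPN port's rules disappear without needing to remember the old port.
ensure_chain() {
    table="$1"; chain="$2"; parent="$3"
    "$IPT" -t "$table" -N "$chain" 2>/dev/null || true
    "$IPT" -t "$table" -C "$parent" -i "$VPN_IF" -j "$chain" 2>/dev/null \
        || "$IPT" -t "$table" -I "$parent" -i "$VPN_IF" -j "$chain"
    "$IPT" -t "$table" -F "$chain"
}

apply_port_forward() {
    ensure_chain nat "$NAT_CHAIN" PREROUTING
    ensure_chain filter "$FWD_CHAIN" FORWARD
    port_forward_rules "$@" | while read -r args; do
        # word splitting of $args into separate iptables arguments is intended
        "$IPT" $args
    done
}

# From a route-up script: ./pia_portfwd.sh "$PIA_PORT" 192.0.2.10 17444
if [ "$#" -eq 3 ]; then
    apply_port_forward "$@"
fi
```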
