
How to open a port on the router itself (Not forward)


s_Fanous

Occasional Visitor
Hi,

I want to open a port on the router itself. I tried to port forward to 192.168.1.1 but that didn't work. Is it just a matter of executing some iptables commands?

Not an iptables expert, but I would appreciate some help/tips.

TIA
 
I want to open a port on the router itself. I tried to port forward to 192.168.1.1 but that didn't work. Is it just a matter of executing some iptables commands?

Not an iptables expert, but I would appreciate some help/tips.

Whilst the iptables command syntax to open a port on the router is simple
Code:
iptables -I INPUT xxxxxxxxxxxxxxxxxxxxxxxxxxxx
e.g. Assuming you have a custom service running on the router that exposes UDP port 54321
Code:
iptables -I INPUT -p udp -m udp --dport 54321 -j ACCEPT

iptables -nvL INPUT --line
although rather than inserting the custom rule at the top of the target chain, sometimes it is prudent to insert the custom rule at a specific position,
i.e. ensure the custom rule is processed after the important rules with the most hits, for performance etc.
Code:
iptables -I INPUT "$(iptables -nvL INPUT --line -t filter | grep -m 1 "state INVALID" | awk '{$1 = $1 + 1; print $1}')" xxxxxxxxxxxxxxxxxxxxxxxxxxx
However, if I may ask: "What custom service are you hosting on the router that requires ports to be opened from the WAN?"
 
However, if I may ask: "What custom service are you hosting on the router that requires ports to be opened from the WAN?"

It's a personal python application that I've written. It starts an HTTPS server using the LetsEncrypt certificate that is generated by the router and requires authentication/authorization.

I had quickly tried

Code:
iptables -A INPUT -d 192.168.1.1/32 -p tcp -m conntrack --ctstate DNAT -m tcp --dport XYZ -j ACCEPT

but that didn't work and as I said I'm no iptables expert. I deleted the chain and will try your rules later and let you know.

Thanks for your help
 
Code:
iptables -I INPUT "$(iptables -nvL INPUT --line -t filter | grep -m 1 "state INVALID" | awk '{$1 = $1 + 1; print $1}')" xxxxxxxxxxxxxxxxxxxxxxxxxxx

Worked like a charm. I suppose I need to put this into the firewall-start script file, but have a quick question. On router startup, would there be any use in that command though? Would iptables have already established rules with the most hits?

Thanks again
 
Worked like a charm.

I suppose I need to put this into the firewall-start script file
Yes
On router startup, would there be any use in that command though? Would iptables have already established rules with the most hits?
In truth you could simply insert your rule at the top of the chain - but it may get pushed down the processing order.

Usually the first three rules are:
Code:
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
So inserting your rule as the fourth rule means that probably >90% of the packets are processed (by rules 2 & 3) without even hitting your custom rule.
If your rule was the first rule, then every packet will be tested to see if it is for your custom port! :eek: - bit inefficient wouldn't you agree? ;)
 
In truth you could simply insert your rule at the top of the chain - but it may get pushed down the processing order.

Usually the first three rules are:
Code:
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
So inserting your rule as the fourth rule means that probably >90% of the packets are processed (by rules 2 & 3) without even hitting your custom rule.
If your rule was the first rule, then every packet will be tested to see if it is for your custom port! :eek: - bit inefficient wouldn't you agree? ;)

I agree 100% with you.

I was just wondering what would be the most accurate way to guarantee it ends up in the most efficient position on router startup. When I issued the command it got put into position 6. I guess I could just force it into position 6 and live with that :)

Thanks again for your help. Much appreciated.
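As an added example (my own, not code posted in this thread), here is how the position lookup from the reply above could be written for a firewall-start script so that it works on every router boot: it derives the slot just after the "state INVALID" rule from the `iptables -nvL INPUT --line` listing, falls back to position 1 when that rule is absent (the one-liner in the thread would otherwise pass an empty position and fail), and only inserts the rule if it is not already present, since firewall-start can run more than once. The function names, the sample listing and the use of `iptables -C` (available on iptables 1.4.11 and later) are my assumptions; port 54321/udp is the constructed example from the reply.

```shell
#!/bin/sh
# Added example: insert a custom INPUT rule right after the "state INVALID"
# rule, as suggested in the thread, from a firewall-start script.

# Read an `iptables -nvL INPUT --line` listing on stdin and print the 1-based
# position just after the first "state INVALID" rule; print 1 if none exists.
insert_position() {
    pos=$(grep -m 1 "state INVALID" | awk '{print $1 + 1}')
    echo "${pos:-1}"
}

# Build the insert command for a listing, port and protocol (tcp or udp).
# Usage: build_rule "<listing text>" 54321 udp
build_rule() {
    listing=$1; port=$2; proto=$3
    pos=$(printf '%s\n' "$listing" | insert_position)
    echo "iptables -I INPUT $pos -p $proto -m $proto --dport $port -j ACCEPT"
}

# Idempotent install: add the rule only when it is not already in the chain.
# Assumes `iptables -C` (rule check) is supported by the router's iptables.
install_rule() {
    port=$1; proto=$2
    if ! iptables -C INPUT -p "$proto" -m "$proto" --dport "$port" -j ACCEPT 2>/dev/null; then
        eval "$(build_rule "$(iptables -nvL INPUT --line -t filter)" "$port" "$proto")"
    fi
}

# Constructed sample listing mirroring the three rules quoted in the reply.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 logdrop    icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
2     1000 50000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3       12   600 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID'

# When run as the firewall-start script itself, install the rule; otherwise
# just show the command that would be run for the sample listing.
case "$(basename "$0")" in
    firewall-start) install_rule 54321 udp ;;
    *) build_rule "$SAMPLE_LISTING" 54321 udp ;;
esac
```

Run stand-alone it prints `iptables -I INPUT 4 -p udp -m udp --dport 54321 -j ACCEPT` for the sample listing; copied to /jffs/scripts/firewall-start it performs the insert.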
 