schedule port forwarding [done]

pauloandre

Distinguished
Nov 28, 2002
77
0
18,630
I have a Windows 2000 machine connected to a Linksys router with dd-wrt (so it's basically a Linux machine). I configured the Windows machine with WoL and for any packet it receives, it wakes up. This is not a problem, I want that. The problem is that I have port forwarding rules set on the router and every minute or so a packet arrives from the internet to that computer and wakes it up. I want it to remain in sleep or hibernate as much as possible, so I need to change this. The idea was to configure the router to only forward the ports from 3:00 a.m. to 9:00 a.m. and then disable the port forwarding, as I don't need it during the day. I think I can do that with cron and iptables, but my knowledge of Linux is not that great. I also tried to post on the dd-wrt forum but got no reply. Can someone help me?
 

pauloandre

Can't do that... here's the full description of what I want:
An old computer with Windows 2000, used as a file server, print server and to download from eMule and torrent at night. To save power it must be in sleep or hibernate mode as much as possible. It needs port forwarding to download from P2P and it needs WoL to be used as a file server and print server. The problem is that if I enable both, the server will not power down because any packet will make it wake up. I really need to schedule port forwarding only for those hours.
 
Ahh... I think I understand what you are trying to achieve here. I'll be honest, though, I'm now scratching my head like you. I was hoping that Linux_0 might have spotted this one and dived in with an answer.

It's getting a bit late for me here now, but I'll have a google tomorrow and see what I can find. I think it's the dd-wrt people who would really know, though.
 
Ok.. I had a look. Try this dd-wrt wiki; towards the bottom it shows the following code snippet for adding port forwarding:

[code]# nat table: rewrite the destination of WAN packets to port 81 so they go to the LAN host on port 80
iptables -t nat -I PREROUTING -p tcp --dport 81 -j DNAT --to 192.168.1.2:80
# filter table: allow the (already rewritten) packets to be forwarded to that host
iptables -I FORWARD -p tcp -d 192.168.1.2 --dport 80 -j ACCEPT[/code]

So it very much looks like you could script this and, as you suspected, run it as a cron job.

I think this site would also be a good place to look: portforward.com
 

pauloandre

I know, I saw that, but for some reason it didn't work. Also, that doesn't say how to disable port forwarding, only how to enable it. Those settings are probably erased on a reboot, but I didn't want that either.
 
[code]
$> man iptables

TARGETS
A firewall rule specifies criteria for a packet, and a target. If the
packet does not match, the next rule in the chain is examined; if
it does match, then the next rule is specified by the value of the target,
which can be the name of a user-defined chain or one of the special
values ACCEPT, DROP, QUEUE, or RETURN.
[/code]
So you should be able to drop the packets. You would need to have full root privileges to do this, though.


*edit* Can you also just confirm that you are on a static IP on the 2000 workstation?
 

pauloandre

Ok, here's what I tried:
Router IP: 192.168.1.1
PC IP: 192.168.1.102 (not static, but router configured to always give the same IP through dhcp)
Incoming ports: 44625 (TCP), 24374 (UDP), 2070 (UDP) - the same in both router and PC

Router configured with port forwarding disabled in the admin page, then accessed via ssh and wrote:

[code]# TCP 44625: rewrite the destination to the PC, then allow the forward
iptables -t nat -I PREROUTING -p tcp --dport 44625 -j DNAT --to 192.168.1.102:44625
iptables -I FORWARD -p tcp -d 192.168.1.102 --dport 44625 -j ACCEPT
# UDP 24374
iptables -t nat -I PREROUTING -p udp --dport 24374 -j DNAT --to 192.168.1.102:24374
iptables -I FORWARD -p udp -d 192.168.1.102 --dport 24374 -j ACCEPT
# UDP 2070
iptables -t nat -I PREROUTING -p udp --dport 2070 -j DNAT --to 192.168.1.102:2070
iptables -I FORWARD -p udp -d 192.168.1.102 --dport 2070 -j ACCEPT[/code]

Next, started eMule on the PC. It connected and showed HighID, meaning ports forwarded (this is one of the few times I love being wrong).

So, the next step is to disable port forwarding:

[code]# DROP rules inserted at the top of FORWARD, so they are matched before the ACCEPT rules below them
iptables -I FORWARD -p tcp -d 192.168.1.102 --dport 44625 -j DROP
iptables -I FORWARD -p udp -d 192.168.1.102 --dport 24374 -j DROP
iptables -I FORWARD -p udp -d 192.168.1.102 --dport 2070 -j DROP[/code]

This time it took a long time to connect, and ended with LowID, ports not forwarded. So far everything's perfect. Next: final test, re-enable port forwarding.

(same commands as before)

Fast reconnect, HighID. So these commands work without a router reboot. Now for the final step, set a cron job for this. Apparently, cron jobs can be set in a startup script on every router boot, like this (start at 2:30, end at 8:45):

[code]# 02:30 - enable: DNAT + ACCEPT for each port (these -I rules land above yesterday's DROPs)
echo '30 2 * * * iptables -t nat -I PREROUTING -p tcp --dport 44625 -j DNAT --to 192.168.1.102:44625' >> /tmp/crontab
echo '30 2 * * * iptables -I FORWARD -p tcp -d 192.168.1.102 --dport 44625 -j ACCEPT' >> /tmp/crontab
echo '30 2 * * * iptables -t nat -I PREROUTING -p udp --dport 24374 -j DNAT --to 192.168.1.102:24374' >> /tmp/crontab
echo '30 2 * * * iptables -I FORWARD -p udp -d 192.168.1.102 --dport 24374 -j ACCEPT' >> /tmp/crontab
echo '30 2 * * * iptables -t nat -I PREROUTING -p udp --dport 2070 -j DNAT --to 192.168.1.102:2070' >> /tmp/crontab
echo '30 2 * * * iptables -I FORWARD -p udp -d 192.168.1.102 --dport 2070 -j ACCEPT' >> /tmp/crontab
# 08:45 - disable: DROP inserted above the ACCEPT rules
echo '45 8 * * * iptables -I FORWARD -p tcp -d 192.168.1.102 --dport 44625 -j DROP' >> /tmp/crontab
echo '45 8 * * * iptables -I FORWARD -p udp -d 192.168.1.102 --dport 24374 -j DROP' >> /tmp/crontab
echo '45 8 * * * iptables -I FORWARD -p udp -d 192.168.1.102 --dport 2070 -j DROP' >> /tmp/crontab
# restart crond so it re-reads the table
killall -9 crond; crond[/code]

I'll test this tonight, but any comments/fixes/better solutions are welcome.
 
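The enable/disable commands in the post above, and the wiki snippet earlier in the thread, both use `-I`, so every scheduled run inserts a fresh copy of each rule and the "disable" step adds DROP rules instead of removing anything: the PREROUTING and FORWARD chains grow by nine rules a day until the router reboots, and the DNAT stays in place even while the forward is blocked. The script below is an added example (not code from the thread or from dd-wrt) that keeps the forwards in two private chains and flushes them, so it can be run from cron or by hand any number of times. It assumes the router's iptables supports user-defined chains (`-N`/`-F`), that the chain names `p2p_dnat` and `p2p_fwd` are unused, and it takes the host and ports from the thread; the `IPT` variable is there so the rules can be printed with `IPT=echo` instead of applied.

```shell
#!/bin/sh
# p2pfwd.sh: turn the P2P port forwards for one LAN host on or off.
# Added example, not code from the original thread. Assumptions: the
# router's iptables supports user-defined chains (-N/-F), the chain names
# p2p_dnat/p2p_fwd are free, and the host/ports are the ones from the thread.
IPT="${IPT:-iptables}"      # set IPT=echo to dry-run and just print the rules
PC="${PC:-192.168.1.102}"
PORTS="${PORTS:-tcp:44625 udp:24374 udp:2070}"   # proto:port, same port on the PC
NATCHAIN=p2p_dnat
FWDCHAIN=p2p_fwd

ensure_chains() {
    # Creating a chain that already exists just fails; hide the noise.
    $IPT -t nat -N "$NATCHAIN" 2>/dev/null || true
    $IPT -N "$FWDCHAIN" 2>/dev/null || true
    # Hook the private chains into the built-in ones exactly once, so a
    # nightly run never stacks duplicate jump rules.
    $IPT -t nat -L PREROUTING -n | grep -q "$NATCHAIN" \
        || $IPT -t nat -I PREROUTING -j "$NATCHAIN"
    $IPT -L FORWARD -n | grep -q "$FWDCHAIN" \
        || $IPT -I FORWARD -j "$FWDCHAIN"
}

p2p_on() {
    ensure_chains
    $IPT -t nat -F "$NATCHAIN"      # start from empty: running "on" twice is harmless
    $IPT -F "$FWDCHAIN"
    for pp in $PORTS; do
        proto=${pp%%:*}
        port=${pp##*:}
        $IPT -t nat -A "$NATCHAIN" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$PC:$port"
        $IPT -A "$FWDCHAIN" -p "$proto" -d "$PC" --dport "$port" -j ACCEPT
    done
}

p2p_off() {
    ensure_chains
    # Remove the DNAT as well as the ACCEPT: with no DNAT the packet keeps
    # the router's own address, is never forwarded, and cannot wake the PC.
    $IPT -t nat -F "$NATCHAIN"
    $IPT -F "$FWDCHAIN"
}

case "${1:-}" in
    on)  p2p_on ;;
    off) p2p_off ;;
esac
```

With this in place the two cron entries shrink to one call each, e.g. `30 2 * * * /jffs/p2pfwd.sh on` and `45 8 * * * /jffs/p2pfwd.sh off` (the `/jffs` path is an assumption; the script has to live somewhere that survives a reboot, or be written out by the same startup script that installs the cron lines). `IPT=echo ./p2pfwd.sh on` prints the exact iptables commands without touching the router, which is a cheap way to check the generated rules before scheduling them.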
Nice progress :D

I wonder if you really need to use cron, though. How about using 'at' to just run a shell script: one to turn it on and one to turn it off. You could also just invoke each of those scripts individually at any time to override your default behaviour.

If you want to go to town you could tie it into a webmin or other such front end so you could monitor / control it from a browser on the workstation.

Glad we seem to be heading in the right direction..
 

pauloandre

I had never heard of the 'at' command before... anyway, the router is missing a few commands, and 'at' is one of them. If I need to override this behaviour I have the router's admin page, so I don't really need to access the console. Also, I'm not very interested in monitoring, as long as this works. The only monitoring I do is check the amount transferred the next morning to see which files finished downloading. Still, those were good suggestions, thanks for the help. I just hope to post a reply tomorrow saying everything's perfect.
 

pauloandre

No, everything's NOT perfect... apparently, the cron job didn't work. Now I set up PuTTY with the command list and a scheduled task in Windows, so now the server makes all the changes by itself. I tested it and it works, so let's see if tomorrow I post the final reply "Everything's perfect".
 

pauloandre

Well, it worked. There are still some glitches, but nothing related to port forwarding and nothing I can't solve when I have some free time. Thanks for all the help!
 
Nice one :D I needed something to have gone right yesterday...

Glad you've found a solution. It's a shame we can't seem to get it all held on the router, but it's better than it was.

Happy to have helped.