I’ve tried setting up a port forward from the router to a device in its LAN - and this forward should only work for other devices in the LAN (i.e. it is not a WAN->LAN forward). I did it using the standard Luci interface, selecting lan as both source and destination zone. However, I’m confused by the iptables rules it generated.
Setup:
Router: br-lan (192.168.2.1)
Forwarded-to device: 192.168.2.3
Forwarded port: 2101
The generated rules (there were 2, one tcp, one udp) were like this:
iptables -t nat -A zone_lan_prerouting -i br-lan -p tcp --dport 2101 -j DNAT --to 192.168.2.3:2101
However, this rule forwards everything, not just packets destined to the router itself (i.e. if the forwarded-to device itself tries to connect to <SOME_IP_IN_INTERNET>:2101, this rule forwards the traffic back to the device itself).
For it to work as I want, I needed to create a rule manually, adding the --destination flag:
iptables -t nat -A zone_lan_prerouting -i br-lan -d 192.168.2.1 -p tcp --dport 2101 -j DNAT --to 192.168.2.3:2101
My question is why doesn’t Luci automatically fill destination to the router’s IP. I think it’s not desirable in the general case to kidnap traffic that’s just passing through the router and is not destined to it. Or am I wrong?
I see there is one difficulty using iptables that you can’t specify <device> as the destination, so you probably have to generate one rule for each IP address the router has in the lan zone. But that shouldn’t be a big problem, should it?
Or would it be easier to add the rule to a different chain? Apparently, zone_lan_prerouting applies to both INPUT and FORWARD traffic. I guess port forwards could easily go just to INPUT.