Opened 4 years ago

Last modified 2 years ago

#10632 reopened enhancement

Feature Request: LUCI - Traffic Redirection - 'Internal IP Address' option for router lan IP

Reported by: camden.lindsay+openwrt@… Owned by: jow
Priority: normal Milestone: Features Paradise
Component: luci Version: Trunk
Keywords: localhost port forward Cc: camden.lindsay+openwrt@…



As a feature request, i would like to suggest that you add another menu option for the Traffic Redirection 'internal ip address' option on the Luci firewall section.

To make it easier to forward traffic from non-standard port to the ssh session (or https) running on localhost, we should be able to pull in the IP of the LAN interface of the router itself.

It should be handled in such a manner that, on firewall startup or refresh, it is grabbed from a variable or script somewhere, so that it always stays up to date with whatever the router IP is set or changed to.

Alternately, an option could be added somewhere such as the xxx page to allow remote administration and provide a way to set a remote administration port for each of ssh and https/http
Thoughts/suggestions welcome

Attachments (4)

luci redirection.jpg (116.6 KB) - added by desigabri 4 years ago.
luci redirection page
nmap.png (131.2 KB) - added by camden lindsay <camden.lindsay+openwrt@…> 4 years ago.
nmap look at two forwards, one with traffic rule
traffic_rules.png (157.1 KB) - added by camden lindsay <camden.lindsay+openwrt@…> 4 years ago.
Traffic rules for wan to lan on port 80
port_forwards.png (92.0 KB) - added by camden lindsay <camden.lindsay+openwrt@…> 4 years ago.
port forwards for 8080 and 5000

Download all attachments as: .zip

Change History (19)

comment:1 Changed 4 years ago by jow

  • Owner set to jow
  • Status changed from new to accepted

Changed 4 years ago by desigabri

luci redirection page

comment:2 Changed 4 years ago by desigabri

Damn! It did exist! how to switch to a previous luci svn, meanwhile we wait for it coming back on newer luci please?


Changed 4 years ago by camden lindsay <camden.lindsay+openwrt@…>

nmap look at two forwards, one with traffic rule

Changed 4 years ago by camden lindsay <camden.lindsay+openwrt@…>

Traffic rules for wan to lan on port 80

Changed 4 years ago by camden lindsay <camden.lindsay+openwrt@…>

port forwards for 8080 and 5000

comment:3 Changed 4 years ago by camden lindsay <camden.lindsay+openwrt@…>

So, port redirection does work to within the lan, but not to the router itself--
that is, when you enter a new port forward on redirection, there are no rules inserted into the 'input' chain for the router to allow that traffic to forward to the device itself.

However, if you simply open a port to the wan, it does insert arule in 'input' chain... however it is done in such a way all WAN hosts can reach that port

Here is an example - 2 port forwards, one on port 5000 to router port 22, the other on port 8080 to router port 80.

Have a 'traffic rule' allowing anything from wan to port 80 on the router.

Screenshots of the settings, plus screenshot of nmap output.

comment:4 Changed 4 years ago by jow

You could amend the extra input rule with

option extra '-m conntrack --ctstate DNAT'

That should reduce the matching of input traffic to streams that previously got DNAT'ed.

comment:5 Changed 4 years ago by camden lindsay <camden.lindsay+openwrt@…>

excellent, that is exactly what i was looking for -- thanks!

Is there somewhere in the wiki this could be put for newbies? or, we could keep this bug open to find a place to integrate remote management into the gui, such as dd-wrt does...

A quick perusal of the wiki does not really show a good place to put this... however there are plenty of forum threads indicating interest in remote management, although most are using standard ports.

There is no mention of ctstate on the firewall configuration page, but that would be hard to parse through for this (i think) useful feature..

Thoughts? I don't mind writing a quick wiki page or section if there is suggestion as to where to place it.
help much appreciated. :)

comment:6 Changed 4 years ago by jow

Here is a possible patch to the uci firewall:

--- package/firewall/files/lib/	(revision 29641)
+++ package/firewall/files/lib/	(working copy)
@@ -34,8 +34,18 @@
 			return 0
-		fwdchain="zone_${redirect_src}${redirect_dest_ip:+_forward}"
+		fwdopt=""
+		fwdchain=""
+		# Check whether only ports are given or whether the given dest ip is local,
+		# in this case match only DNATed traffic and allow it on input, not forward
+		if [ -z "$redirect_dest_ip" ] || /sbin/ifconfig | grep -qE "addr:${redirect_dest_ip//./\\.}\b"; then
+			fwdopt="-m conntrack --ctstate DNAT"
+			fwdchain="zone_${redirect_src}"
+		else
+			fwdchain="zone_${redirect_src}_forward"
+		fi
@@ -106,10 +116,11 @@
 			fw add $mode f ${fwdchain:-forward} ACCEPT + \
 				{ $redirect_src_ip $redirect_dest_ip } { \
-				$srcaddr ${destaddr:--m conntrack --ctstate DNAT} \
+				$srcaddr $destaddr \
 				$pr \
 				$srcports $destports \
 				${sm:+-m mac $sm} \
+				$fwdopt \
 				$redirect_extra \

With that such a rule:

config 'redirect'
	option '_name' 'Test-HTTP-8080-to-local-80'
	option 'src' 'wan'
	option 'proto' 'tcp'
	option 'src_dport' '8080'
	option 'dest_ip' ''
	option 'dest_port' '80'

Is transformed into these commands:

root@uplink:~# FW_TRACE=1 fw reload 2>&1 | grep 80   
iptables --table nat --insert zone_wan_prerouting 1 --jump DNAT -p tcp --dport 8080 --to-destination
iptables --table filter --insert zone_wan 1 --jump ACCEPT -d -p tcp --dport 80 -m conntrack --ctstate DNAT

(My router lan ip is

comment:7 Changed 4 years ago by jow

It should not affect other, traditional port forwards but I haven't tested too hard yet.

comment:8 Changed 4 years ago by camden lindsay <camden.lindsay+openwrt@…>

This weekend i will see what i can do about testing with some other traditional port forwards mixed with this. :)


comment:9 Changed 4 years ago by camden lindsay <camden.lindsay+openwrt@…>

So, the backend has been set up that a simple port forward to an internal router ip will cause a 'input' rule chain change rather than 'forward', with rule matching 'ctstate DNAT' -- which seems to work well (again will do more testing this weekend with other port forwards i have)

The next part would be to get the router's ip's listed in the dropdown in luci itself. now, i'm not sure if i should open a bug within luci's track system to do it, or keep this bug here..

it appears that the file to be changed is:

It appears that the ip address listing seen in the dropdown is actually the system arp table:

o = s:option(Value, "dest_ip", translate("Internal IP address"),

translate("Redirect matched incoming traffic to the specified \

internal host"))

o.datatype = "ip4addr"
for i, dataset in ipairs( do

o:value(dataset["IP address"])


So, how to figure a good way to include the system's ip addresses in this list would be handy...

I may poke at it this weekend as well, if there is time. I really don't know code very well, but.. we'll see ;)

comment:10 Changed 4 years ago by jow

This additional loop will do the trick:

for k, v in ipairs(nixio.getifaddrs()) do
    if == "inet" and v.addr ~= "" then

comment:11 Changed 4 years ago by camden lindsay <camden.lindsay+openwrt@…>

Hmm i'm not seeing any interface i expect using that..

here is the diff between the two files, i have rm'd /tmp/luci-indexcache and have done a reboot. Is there something i'm missing?

root@buffalo:/# diff ./usr/lib/lua/luci/model/cbi/firewall/forward-details.lua ./usr/lib/lua/luci/model/cbi/firewall/forward-details.lua.original
< for k, v in ipairs(nixio.getifaddrs()) do
<     if == "inet" and v.addr ~= "" then
<         o:value(v.addr)
<     end
< end

comment:12 Changed 4 years ago by camden lindsay <camden.lindsay+openwrt@…>

Ahh i see now.

That loop will have to be put in two places -- one in the file we noted, and the other time in aother file if we want it to come up on the main 'port forwards' page.

Hmm let me see, pretty anywhere we call arp to get a listing of IP addresses we would like to have this as well...

looks like the following places are eligable..

root@buffalo:/usr/lib/lua/luci# grep * -r
model/cbi/firewall/rule-details.lua:    for i, dataset in ipairs( do
model/cbi/firewall/forward-details.lua:for i, dataset in ipairs( do
model/cbi/admin_network/hosts.lua:for i, dataset in ipairs( do
tools/webadmin.lua:     for i, dataset in ipairs( do
view/firewall/cbi_addforward.htm:                       <% local i, e; for i, e in ipairs( do -%>
view/admin_network/wifi_overview.htm: arpcache[e["HW address"]:upper()] = e["IP address"] end)
view/admin_status/routes.htm:                           <% %>

comment:13 Changed 4 years ago by camden lindsay <camden.lindsay+openwrt@…>

I'm having a lot of trouble trying to figure out the syntax for the combobox addition in

cbi_combobox_init('_newfwd.intaddr', {
        <% local i, e; for i, e in ipairs( do -%>
                <%- if i > 1 then %>,<% end -%>'<%=e["IP address"]%>': '<%=e["IP address"]%>'
        <%- end %> },'','<%: -- custom -- %>');                     

What should this look like if the combobox were plain text? Or, does someone have a suggestion to code for adding the getifaddrs() listing into it?

comment:14 Changed 3 years ago by jow

  • Resolution set to fixed
  • Status changed from accepted to closed

Should be fixed in current LuCI trunk and 0.11 branch

comment:15 Changed 2 years ago by camden.lindsay+openwrt@…

  • Resolution fixed deleted
  • Status changed from closed to reopened

This seems to have regressed in AA with fw3

root@router01.tdvh:~# cat /etc/banner | grep -i attitude
ATTITUDE ADJUSTMENT (Attitude Adjustment, r40431)

root@router01.tdvh:~# uci show firewall | grep redirect
firewall.@redirect[0].name=router01 sshd
firewall.@redirect[1].name=router01 https

root@router01.tdvh:~#  fw3 -4 print | grep 3232
Warning: Unable to locate ipset utility, disabling ipset support
iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 3232 -m comment --comment "router01 sshd" -j DNAT --to-destination 
iptables -t nat -A zone_lan_prerouting -p tcp -s -d EXTERNALIP/32 -m tcp --dport 3232 -m comment --comment "router01 sshd (reflection)" -j DNAT --to-destination 

Note no "-m conntrack --ctstate DNAT" allowing connection to localhost of dnat'ed forwards.

Add Comment

Modify Ticket

as reopened .

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.