Adding One-to-One NAT on dd-wrt for a specific IP address to forward traffic like RDP
ElementZero | March 27, 2009
For quite some time I have wanted the ability to connect to my home computer through RDP from work, as occasionally there is some information on my home computer that I can use. The problem is that I use dd-wrt on my home router, which doesn’t allow one-to-one (1:1) NAT at this time. I basically wanted the following rules:
- Open only the RDP port, and forward connections that arrive on that port at the WAN IP address of the dd-wrt router to my computer
- Only allow connections from a specific IP address (my work).
In order to do this, you will need the following information:
- The external IP address that you want to allow. A quick trip to whatismyip.org from your work computer will give you this if you don’t know it. I’ll also show below what to do if you just want to allow ALL IP addresses.
- The internal IP address of the computer you want to RDP to. You can get this just by running “ipconfig” on your home machine. Note that you pretty much have to give your computer a static address on your dd-wrt. To do this if you haven’t already, run “ipconfig /all” and get the value for “Physical Address”. Now go to the dd-wrt administration web site, open the Administration tab, and then the Services sub-tab. Under “Static Leases”, add a row and enter the Physical Address you got from ipconfig, replacing the dashes with colons ( : ). Enter whatever you call your computer as the host name (this doesn’t really matter; you could put ‘computer’ in the box if you wanted). Now enter the IP Address value you got from ipconfig in the IP Address box, then hit Save Settings at the bottom of the screen.
I knew that RDP is port 3389 by default on Windows (just an FYI: you can change this in the registry if you like). If you would like a different port, you can pretty much just google the program you are forwarding followed by the word “port” and you’ll surely find the ports you need.
First, you will need to get to the command window for the box. The easiest way to do this is by going to the dd-wrt administration web site, then going to the “Administration” tab, and clicking the “Commands” sub-tab. DD-WRT runs Linux, and therefore uses iptables for its firewall network packet filtering. That being said, we just need to add some rules to iptables that run on top of all the other filtering rules the box already has.
PLEASE note that there is a “Backup” sub-tab under the “Administration” tab as well. You may wish to back up your settings BEFORE applying this change, just in case you make a mistake.
iptables -I PREROUTING -t nat -d $(nvram get wan_ipaddr) -p tcp --source WAN_IP --dport 3389 -j DNAT --to-destination LAN_IP
iptables -I FORWARD -d LAN_IP -p tcp --dport 3389 -j ACCEPT
where WAN_IP is the external IP of where you want to connect from (in my case, my work IP), and LAN_IP is the internal IP address of the computer you want to connect to (in my case, my home computer). I think most of this is self explanatory, but I’ll break it down a bit so you know what some of these parameters are doing.
- -I PREROUTING – this puts the rule in the PREROUTING chain of the network address translation (nat) table, so the packet is rewritten as soon as it comes in, before any routing decision. The -I says to insert the rule at the top of the chain, so it is checked before all the existing rules.
- -d $(nvram get wan_ipaddr) – this matches the destination address of the packet; the $(nvram get wan_ipaddr) part is dd-wrt specific and reads the current WAN IP of the WAN port from the router’s NVRAM, so you don’t have to hard-code it.
- -j – this is the target of the rule, which tells iptables what to do when a packet matches the rule (DNAT rewrites the destination, ACCEPT lets the packet through).
Optionally, you can match multiple ports by replacing “--dport 3389” with the multiport match followed by a comma-separated list of ports. For example:
-m multiport --dports 3389,80
You can also just remove “--source WAN_IP” if you want to allow connections from any public IP (much less secure, obviously).
Once your changes are in the box, hit the “Save Firewall” button; this saves the commands into a custom script that runs every time the firewall is started on the dd-wrt router. Note that these commands should not go under the “Save Startup” custom script (it won’t hurt anything, but it doesn’t do anything either). If you ever want to change the commands, just hit the Edit button on the custom firewall script and modify it accordingly. You can even clear the box and hit Save Firewall again to delete your script.
That’s it! Hopefully in the future the dd-wrt firmware will include the ability to do 1:1 NAT, but for now at least there is a workaround.
Hi, thanks for the nice post. I was wondering if there is a way to open ports on the WAN side in a DD-WRT router; I am trying to do so as I am running a proxy server on my dd-wrt.
Port forwarding is not working in this case due to the fact that the port that has to be opened is on the router itself, and port forwarding only works for all the other devices in the network other than the router.
To put it short, how do I access a specific port on my DD-WRT router? I only know how to access ports for other devices in my network.
I believe what you want is:
iptables -I INPUT -p tcp -d $(nvram get wan_ipaddr) --dport 80 -j ACCEPT
which will open up port 80 on the router itself on the WAN IP (just change the port to whatever you need). Optionally you could do this as well:
iptables -I INPUT -p tcp -d $(nvram get wan_ipaddr) --dport 80 --source WAN_IP -j ACCEPT
where WAN_IP is a public address you would like to allow. This will limit the open access to only specific IPs if desired.
Let me know if this doesn’t meet your needs and I can get you the right script.
Hi, I am trying to do the following:
Open port 443 on the WAN from a specific external IP (my office) only and forward it to 3389 on the internal LAN IP of my server. How would I do that? Thanks a lot.
I believe what you need is:
iptables -A PREROUTING -t nat -d $(nvram get wan_ipaddr) --source WAN_IP -p tcp --dport 443 -j DNAT --to-destination LAN_IP:3389
iptables -I FORWARD -d LAN_IP -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD -d LAN_IP -p tcp --dport 3389 -j ACCEPT
where you replace LAN_IP with the IP of your server on your network, and WAN_IP is the source IP you will be coming from (your work).
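The rules from the post (single port, multiport, source-restricted) and the 443-to-3389 redirect from the last comment, as an added example that is not the post's or dd-wrt's own code: a small POSIX shell generator, run on a workstation rather than on the router, that checks the addresses and ports and prints the lines to paste into the Commands box before anything touches the firewall. The function names and the addresses 203.0.113.10 and 192.168.1.50 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the lines for the
# dd-wrt "Save Firewall" script from checked inputs, then paste the output into
# Administration -> Commands. Addresses below are constructed (RFC 5737 range).

# validate_ipv4 ADDR: succeed only for a dotted quad with octets 0-255
validate_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# validate_port PORT: succeed for 1-65535
validate_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_forward_rules WAN_SRC LAN_DST PORT[,PORT...] [TO_PORT]
# Prints the post's two rules: DNAT in nat/PREROUTING limited to WAN_SRC, plus
# the FORWARD accept. Several ports use the multiport match; TO_PORT redirects
# to a different port on the LAN host (the 443 -> 3389 case from the comments).
# "$(nvram get wan_ipaddr)" is printed literally so the router expands it.
build_forward_rules() {
    wan_src=$1 lan_dst=$2 ports=$3 to_port=${4:-}
    validate_ipv4 "$wan_src" || { echo "bad source IP: $wan_src" >&2; return 1; }
    validate_ipv4 "$lan_dst" || { echo "bad LAN IP: $lan_dst" >&2; return 1; }
    for p in $(printf '%s' "$ports" | tr ',' ' ') $to_port; do
        validate_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    case $ports in
        *,*) match="-m multiport --dports $ports" ;;
        *)   match="--dport $ports" ;;
    esac
    dest=$lan_dst; fwd_match=$match
    if [ -n "$to_port" ]; then
        dest="$lan_dst:$to_port"; fwd_match="--dport $to_port"
    fi
    printf 'iptables -I PREROUTING -t nat -d $(nvram get wan_ipaddr) -p tcp --source %s %s -j DNAT --to-destination %s\n' "$wan_src" "$match" "$dest"
    printf 'iptables -I FORWARD -d %s -p tcp %s -j ACCEPT\n' "$lan_dst" "$fwd_match"
}

# Constructed sample: office 203.0.113.10 -> home PC 192.168.1.50, RDP only
build_forward_rules 203.0.113.10 192.168.1.50 3389
```

Leaving out the source address reproduces the "allow everyone" variant the post warns about, so the generator deliberately refuses to run without one.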