How to forward ports to your devices with iptables - Asus Merlin

Same idea as DD-WRT but a little more work involved.

Assuming that:

  • destIP is the IP address of the destination device (your device's LAN IP)
  • port is the port you wish to forward to that device
  • tun1 is the tun interface of your router (please check! on some routers it can be tun0; on Tomato it can be tun11)
  • you need to forward both TCP and UDP packets

1. Format the jffs - go to Administration -> System -> Persistent JFFS partition, make sure both options are enabled, then restart the router. This is where the script will go.
2. SSH or WinSCP into your router (WinSCP may be easier if you're not familiar with the command line) and navigate to /jffs/scripts - cd /jffs/scripts
3. Type the command vi nat-start
4. Copy/paste the following into the editor, changing destIP to the destination IP (your device's LAN IP) and port to the port number you need to open on that LAN device. Also make sure tun11 is the correct VPN interface by running ifconfig at the command line.


#!/bin/sh
# nat-start must start with the line above on Asus Merlin, or it will not run
# Allow traffic to be forwarded between the LAN bridge (br0) and the VPN tunnel in both directions
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
# Kill switch: drop LAN traffic that would leave over the plain WAN (vlan1) instead of the VPN
iptables -I FORWARD -i br0 -o vlan1 -j DROP
# Do not let anything arriving from the VPN reach the router itself
iptables -I INPUT -i tun11 -j REJECT
# NAT outbound LAN traffic to the tunnel address
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# Accept the forwarded port (UDP and TCP) on its way to the LAN device
iptables -I FORWARD -i tun11 -p udp -d destIP --dport port -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d destIP --dport port -j ACCEPT
# Rewrite the destination of VPN traffic arriving on that port to the LAN device
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport port -j DNAT --to-destination destIP
iptables -t nat -I PREROUTING -i tun11 -p udp --dport port -j DNAT --to-destination destIP

5. Make sure you have also set up the same port forward on the TorGuard website. Save the file in vi by pressing Esc and running the following command:

:wq

6. Now run the following command to make the script executable:

chmod 777 nat-start

7. Reboot the router.
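As an added example (not part of the original guide), the script below builds the same nat-start rules from parameters instead of hand-editing the placeholders, rejects a bad LAN IP or port before anything is written, and checks the output of iptables -t nat -S PREROUTING after the reboot to confirm both DNAT rules are actually in place. The function names gen_nat_start and has_dnat_rule, the sample rule listing and the br0/vlan1 interface names are assumptions.

```shell
#!/bin/sh
# Added example: generate the nat-start port-forward script from parameters
# and verify the live NAT rules afterwards. br0 (LAN) and vlan1 (WAN) assumed.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_nat_start <vpn_if> <dest_ip> <port>: print the nat-start script to stdout.
gen_nat_start() {
  vpn_if=$1 dest_ip=$2 port=$3
  valid_ipv4 "$dest_ip" || { echo "invalid LAN IP: $dest_ip" >&2; return 1; }
  valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  cat <<EOF
#!/bin/sh
# nat-start: forward $port (tcp+udp) arriving on $vpn_if to $dest_ip
iptables -I FORWARD -i br0 -o $vpn_if -j ACCEPT
iptables -I FORWARD -i $vpn_if -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I INPUT -i $vpn_if -j REJECT
iptables -t nat -A POSTROUTING -o $vpn_if -j MASQUERADE
iptables -I FORWARD -i $vpn_if -p udp -d $dest_ip --dport $port -j ACCEPT
iptables -I FORWARD -i $vpn_if -p tcp -d $dest_ip --dport $port -j ACCEPT
iptables -t nat -I PREROUTING -i $vpn_if -p tcp --dport $port -j DNAT --to-destination $dest_ip
iptables -t nat -I PREROUTING -i $vpn_if -p udp --dport $port -j DNAT --to-destination $dest_ip
EOF
}

# has_dnat_rule <rules> <vpn_if> <dest_ip> <port>: succeed only if both the tcp
# and udp DNAT rules are in <rules>, the text of "iptables -t nat -S PREROUTING".
has_dnat_rule() {
  rules=$1 vpn_if=$2 dest_ip=$3 port=$4
  for proto in tcp udp; do
    echo "$rules" | grep -q -- "^-A PREROUTING -i $vpn_if -p $proto -m $proto --dport $port -j DNAT --to-destination $dest_ip\$" || return 1
  done
}

# Constructed sample of "iptables -t nat -S PREROUTING" output after the script ran.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i tun11 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.1.50
-A PREROUTING -i tun11 -p udp -m udp --dport 51413 -j DNAT --to-destination 192.168.1.50'
```

Run gen_nat_start tun11 192.168.1.50 51413 > /jffs/scripts/nat-start on the router to write the file, then after the reboot pass the real iptables -t nat -S PREROUTING output to has_dnat_rule.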

