Setting up Port Forward Loopbacks on OpenWrt White Russian
These are instructions for setting up port forward loopbacks on OpenWrt.
I originally posted these instructions on wiki.openwrt.org.
If you are using OpenWrt with a server behind it, you've probably already noticed that forwarding a port from the outside doesn't automatically forward it from the inside (loopback forwarding). There are several ways to deal with this problem (like playing with your DNS settings). One way is to "simply" teach your OpenWrt router to loopback forward. After you look at all the instructions, you may decide that altering the LAN DNS is easier. :)
To set up loopback forwarding, you need to add the following code to /etc/firewall.user. Loopback allows a computer on your LAN to hit your external IP address and have the packet forwarded back as if it had come from the outside. The default OpenWrt (iptables) installation does not allow this.
iptables -t nat -A prerouting_rule -d 100.100.100.100 -p tcp --dport 80 -j DNAT --to 192.168.0.2
iptables -A forwarding_rule -p tcp --dport 80 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A postrouting_rule -s 192.168.0.0/24 -p tcp --dport 80 -d 192.168.0.2 -j MASQUERADE
You can read an explanation of what these lines mean about halfway down topic 4030 on the OpenWrt forum. The example above loops all TCP traffic on port 80 directed from the LAN to the external IP address 100.100.100.100 back to 192.168.0.2. You need to copy these three lines and change the port number for every port needing loopback. You would usually use this together with an existing port forwarding rule. For example:
iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.0.2 -j ACCEPT
If you are using x-wrt to set up port forwarding, this rule will be created in /etc/config/firewall and will look like the following:
forward:proto=tcp dport=80:192.168.0.2
These instructions only work for single port numbers. If anyone knows how to loopback a port range please drop me an email.
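The copy-and-edit step above, as an added example that is not part of the original instructions: a POSIX shell function that prints the three loopback rules for each port in a list and rejects anything that is not a single port number. The addresses are the page's sample values; the function names, the port list and the protocol argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: print the three loopback rules from this page for each port.
# WAN_IP, LAN_NET and SERVER are the page's sample values; the port list is constructed.
# Nothing is applied: review the output, then paste it into /etc/firewall.user.

WAN_IP="100.100.100.100"   # external address LAN clients connect to
LAN_NET="192.168.0.0/24"   # LAN subnet whose loopback traffic is masqueraded
SERVER="192.168.0.2"       # internal server receiving the traffic

# valid_port PORT: succeed only for a single integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# loopback_rules PROTO PORT...: print the DNAT, ACCEPT and MASQUERADE rules per port.
# Returns 1 without printing any rule if the protocol or any port is invalid,
# so a typo never yields a partial rule set.
loopback_rules() {
    proto="$1"; shift
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    for port in "$@"; do
        valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    done
    for port in "$@"; do
        echo "iptables -t nat -A prerouting_rule -d $WAN_IP -p $proto --dport $port -j DNAT --to $SERVER"
        echo "iptables -A forwarding_rule -p $proto --dport $port -d $SERVER -j ACCEPT"
        echo "iptables -t nat -A postrouting_rule -s $LAN_NET -p $proto --dport $port -d $SERVER -j MASQUERADE"
    done
}

# Constructed sample run: loopback rules for TCP ports 80 and 443.
loopback_rules tcp 80 443
```

Because of the MASQUERADE rule, the server at 192.168.0.2 sees loopback connections as coming from the router's LAN address, so its access logs will not show which LAN client connected.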

