Port forwarding (DNAT Access) not working

[rimsky57]

Local acces to router working
But NAT Access throu fw to local RDP server not: rules in forward chain not created, only in INPUT chain
External port TCP/50900 (on router), internal TCP/3389 (on RDP server)

After port knok rules appears

        chain input_fwknop {
                ip saddr 93.174.229.63 tcp dport 50900 accept
                return
        }

config

cat /etc/config/fwknopd

config global
        option uci_enabled '1'

config network
        option network 'wan'

config access
        option SOURCE 'ANY'
        option KEY_BASE64 'remove due to security'
        option HMAC_KEY_BASE64 'remove due to security'
        option FW_ACCESS_TIMEOUT '30'
        option DESTINATION 'ANY'
        option CMD_CYCLE_OPEN '/etc/fwknop/cmd-open.sh $SRC $PORT $PROTO'
        option CMD_CYCLE_TIMER '5'
        option CMD_CYCLE_CLOSE '/etc/fwknop/cmd-close.sh $SRC $PORT $PROTO'
        option REQUIRE_SOURCE_ADDRESS 'Y'

config config
        option ENABLE_IPT_FORWARDING 'Y'
        option ENABLE_NAT_DNS 'Y'

[sfgets]

Local acces to router working But NAT Access throu fw to local RDP server not: rules in forward chain not created, only in INPUT chain External port TCP/50900 (on router), internal TCP/3389 (on RDP server)

After port knok rules appears

        chain input_fwknop {
                ip saddr 93.174.229.63 tcp dport 50900 accept
                return
        }

config

cat /etc/config/fwknopd

config global
        option uci_enabled '1'

config network
        option network 'wan'

config access
        option SOURCE 'ANY'
        option KEY_BASE64 'remove due to security'
        option HMAC_KEY_BASE64 'remove due to security'
        option FW_ACCESS_TIMEOUT '30'
        option DESTINATION 'ANY'
        option CMD_CYCLE_OPEN '/etc/fwknop/cmd-open.sh $SRC $PORT $PROTO'
        option CMD_CYCLE_TIMER '5'
        option CMD_CYCLE_CLOSE '/etc/fwknop/cmd-close.sh $SRC $PORT $PROTO'
        option REQUIRE_SOURCE_ADDRESS 'Y'

config config
        option ENABLE_IPT_FORWARDING 'Y'
        option ENABLE_NAT_DNS 'Y'

Hey @rimsky57,
I doubt cmd cycle could be able to handle this specific use case, however will take a look at the fwknop source code this weekend and see what's possible.

[rimsky57]

Thanks!
regard to instructions fwknopd "cmd cycle" hasn't $DPORT $DNATIP or whatever to dnat function
May be use "run external app", as external app use some predifined scripts? kludge of course, but how redirect source client IP address to this script...

[rimsky57]

may be iptables-translate do some magic?

[rimsky57]

waitin for some magic

[rimsky57]

looks line fwknop fork https://github.com/yangcancai/fwknop

[rimsky57]

here is the bug openwrt nft-ipt
openwrt/openwrt#13860