Port Forwarding

HOW TO DO IT EVEN THOUGH YOU SHOULDN'T

If you don't have a Magnia (or don't know what one is), and ended up here doing a web search, try THIS article instead.

THIS ARTICLE WORKS, BUT THERE IS AN EASIER WAY NOW.

VISIT UPDATED: Forwarding Ports on your Magnia SG20 FOR MORE INFO

This document assumes you have ftp access to your magnia, or are willing to edit files from a bash prompt (yuck!). If you have ver 2.5xx you will also need to understand IPCHAINS.

If you don’t understand what I just said you are going to have SERIOUS trouble! Go bowling or something.

One of the first things a power user asks after replacing his/her router with a Magnia is "How the heck do I forward ports?"

The short of it is: YOU CAN'T!

Toshiba very thoroughly and completely locked the bugger down tight for security reasons.

Your Magnia is a COMPUTER running SOFTWARE and CAN BE HACKED!! It is not a simple router with firmware!

If you want to access stuff on the other side of your firewall - use VPN. It works great.

If you want others to be able to access stuff on the other side of your firewall... make sure you have a drive image of your magnia (sooner or later you're going to need it) and follow along with me.

This example applies to a Magnia SG20 ver 2.6xx. Note I’ve said this twice now.

2.5xx uses IPCHAINS not IPTABLES so the rules syntax is different!

The menu setup, however, is the same... so if you are clever you can use the example to figure the rest out - menus YES rules NO!!

The next most common question is "How can I get my magnia upgraded to ver 2.6xx?" The simple answer is: you must find a hard drive image, download it, and write the image to the magnia's drive with another computer. OR you need to get somebody who has the image to write it for you - this process requires special software and hardware. Buy a spare drive for your magnia and send it to someone who can image it for you! If this doesn’t sound simple to you, remember, that was the simple answer!

Firewall rules are located in /sa2/firewall

These are the firewall rules available by default in the administration menu under Firewall --> Customize:

  1. Checkpoint VPN Client (UDP Encapsulation Mode)
  2. Cisco VPN Client (IPSec over UDP)
  3. Internet Games
  4. FTP Server
  5. Telnet Server
  6. WWW Server

These firewall options offer limited access and are of almost no use to anyone. I have no idea why Toshiba even bothered with some of them.

I put the numbers in (instead of checkboxes) for a reason... bear with me.

Each firewall rule is in its own folder.

Each folder contains the following files:

index - contains the number that determines the order in which the rule appears in the magnia's firewall menu (e.g. 60)

description - contains the description of the rule as it appears in the magnia's firewall menu (e.g. WWW Server)

rule - contains the actual IPTABLES rule(s)

type - for most port forwarding this contains the single word "server"

By far the easiest way to "make" a new rule for opening a port is:

  1. copy an existing rule folder to your local machine using ftp
  2. modify the folder name, index #, description, and rule
  3. copy the new folder back to the magnia with ftp
  4. enable the rule through the magnia's firewall "customize" menu

Tips:

Use a short description; I use the ports, e.g. "Forward port 4240 to 192.168.1.249:80".

The index number for the new rule must be greater than those of the existing rules. The numbering seems to go in tens: rule one is 10, rule two is 20, and so on, so your first new rule would be 70.

Examples (taken from working rule files; comment lines start with #):

1: # forward anything going to port 4240 to 192.168.1.249 port 80
$IPTABLES -A PREROUTING -t nat -p tcp --dport 4240 -j DNAT --to 192.168.1.249:80
# allow the forwarded packets (already rewritten to port 80 by the DNAT above) from the wan to the lan, and the replies back out
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --sport 80 -j ACCEPT

2: # forward anything going to port 4662 to 192.168.1.2 port 4662
$IPTABLES -A PREROUTING -t nat -p tcp --dport 4662 -j DNAT --to 192.168.1.2:4662
# allow the forwarded packets from the wan to the lan on port 4662, and the replies back out
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4662 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --sport 4662 -j ACCEPT
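Here is the four-step procedure and the rule examples above put together in one script, as an added example that is not from the original article. It stages a new rule folder (index, description, rule, type, as described above) in a local copy of /sa2/firewall so it can be uploaded by ftp; the staging directory, the sample stock folders and the helper names are assumptions of mine, and the generated iptables lines are tightened over the article's by matching the WAN interface on the DNAT and pinning the FORWARD rules to the internal host and port.

```shell
#!/bin/sh
# Added example, not from the original article: stage a new rule folder in the
# /sa2/firewall layout (index, description, rule, type) for upload by ftp. The
# staging directory, sample folders and helper names are my own.
set -eu
STAGE="${STAGE:-$(mktemp -d)}"   # local stand-in for /sa2/firewall

# Constructed sample: six stock rule folders with indexes 10..60, like the stock menu.
seed_sample_rules() {
    i=10
    for name in checkpoint_vpn cisco_vpn games ftp_server telnet_server www_server; do
        mkdir -p "$STAGE/$name"
        echo "$i" > "$STAGE/$name/index"
        i=$((i + 10))
    done
}

# Next free index: highest existing index, rounded down to tens, plus ten (70 after 60).
next_index() {
    max=0
    for f in "$STAGE"/*/index; do
        [ -f "$f" ] || continue
        n=$(cat "$f")
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    echo $(( max / 10 * 10 + 10 ))
}

# make_rule <folder> <external port> <internal ip> <internal port>
make_rule() {
    dir="$STAGE/$1"; ext=$2; ip=$3; int=$4
    mkdir -p "$dir"
    next_index > "$dir/index"
    echo "Forward port $ext to $ip:$int" > "$dir/description"
    echo server > "$dir/type"
    # $IPTABLES, $EXTIF and $INTIF are expanded by the Magnia's firewall script when
    # it loads the rule, so they are written literally (escaped) into the file.
    # Tightened over the article's rules: DNAT only for packets arriving on $EXTIF,
    # FORWARD pinned to the internal host. FORWARD matches the internal port because
    # nat PREROUTING runs before filter FORWARD, which sees the translated destination.
    cat > "$dir/rule" <<EOF
# forward anything going to port $ext to $ip port $int
\$IPTABLES -A PREROUTING -t nat -i \$EXTIF -p tcp --dport $ext -j DNAT --to $ip:$int
\$IPTABLES -A FORWARD -i \$EXTIF -o \$INTIF -p tcp -d $ip --dport $int -j ACCEPT
\$IPTABLES -A FORWARD -i \$INTIF -o \$EXTIF -p tcp -s $ip --sport $int -j ACCEPT
EOF
}

seed_sample_rules
make_rule fwd_4240 4240 192.168.1.249 80
```

After running it, upload the new folder from $STAGE to /sa2/firewall with ftp and enable it under Firewall --> Customize, exactly as in step 4.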
