# Port Triggering in Linux?

## outp0st

Is it possible to set this up using Linux (kernel 2.6) and iptables? I have many clients on my network behind NAT which need to have the same ports open. Currently I'm running Gentoo using a 2.6 kernel and shorewall. Any help would be much appreciated.....

Port Triggering definition:

Port triggering allows computers behind a NAT-enabled router to access a special server or use a special application on the Internet using a specified port number.

Similar to port forwarding, it allows a client to connect to a host behind a NAT router. The disadvantage of port forwarding is that it only allows one client on the network to use a particular service that occupies a particular port.

For example, Windows Remote Desktop uses port number 3389. If a client needed to connect to a Remote Desktop host outside the network, the router would have to be configured so that the WAN address routes port 3389 to the target host machine. With port forwarding, you could not have two Remote Desktop hosts running on the same port.

With port triggering, however, the router could be configured to trigger a custom port number to then route to the host machine on the default port. Illustrated:

Client machine connects Remote Desktop using port 4588 to the WAN address ---> router sees this attempt, checks its port triggering table, and routes port 4588 to the host machine's port 3389.

Best regards,

Outp0st

----------

## JeliJami

Yes, this can be done with iptables.

Check for DNAT.

----------

## outp0st

DNAT is used for PORT FORWARDING, which only allows one host to use the forwarded port! (read the definition before you reply).

----------

## nielchiano

*outp0st wrote:*

> DNAT is used for PORT FORWARDING, which only allows one host to use the forwarded port! (read the definition before you reply).

Then could you give a clearer example?

*outp0st wrote:*

> Client machine connects Remote Desktop using port 4588 to the WAN address ---> router sees this attempt, checks its port triggering table, and routes port 4588 to the host machine's port 3389.

This problem IS SOLVED with DNAT:

```
iptables -t nat -A PREROUTING -d $WANIP -p tcp --dport 4588 -j DNAT --to-destination $INTIP:3389
```

----------

## JeliJami

*outp0st wrote:*

> ..(read the definition before you reply).

No need to be rude.

As nielchiano already replied, DNAT can solve the problem you specified.

----------

## outp0st

OK, I'll try to explain.

Let's say we have ten computers, all running Windows XP. All have Warcraft 3 installed and EACH needs to have TCP and UDP port 6112 forwarded in order to be able to create games which others from the net can join. It would be no problem if it was only one computer; we could then use DNAT:

```
iptables -t nat -A PREROUTING -p tcp --dport 6112 -i eth0 -j DNAT --to dstip:6112
iptables -t nat -A PREROUTING -p udp --dport 6112 -i eth0 -j DNAT --to dstip:6112
```

But there are still the other 9 computers which need to have 6112 forwarded at the same time. Do you see the problem now?

Best regards,

Outp0st

----------

## nielchiano

*outp0st wrote:*

> But there are still the other 9 computers which need to have 6112 forwarded at the same time.

And what criteria should be used to "choose" which computer to forward the incoming request to?

I mean: your 10 PCs are on, the router receives a TCP connection for port 6112, how should it pick the "right" computer?

----------
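An added example, not from this thread or the linux-igd project: a small POSIX sh emulation of a consumer router's port-triggering table using iptables and the conntrack tool, showing what "choosing" the computer actually means (the last host seen with an outbound trigger connection owns the forwarded port). It assumes eth0 as the WAN interface, 192.168.1.0/24 as the LAN, and 6112/tcp as both trigger and forwarded port; the conntrack lines in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from this thread: emulate a consumer router's "port
# triggering" with iptables. While a LAN host has an outbound TCP connection
# to TRIGGER_PORT, FWD_PORT (tcp+udp) is DNATed to that host; only one host can
# own it at a time (last conntrack match wins), the limit nielchiano points out.
# Interface, ports and LAN prefix are assumptions. While armed, FWD_PORT is
# reachable from ANY remote address, not just the trigger peer.
WAN_IF="${WAN_IF:-eth0}"; TRIGGER_PORT="${TRIGGER_PORT:-6112}"
FWD_PORT="${FWD_PORT:-6112}"; LAN_NET="${LAN_NET:-192.168.1.}"
IPT="${IPT:-iptables}"   # set IPT=echo for a dry run
# stdin: 'conntrack -L' lines. Prints the LAN host whose ORIGINAL-direction
# tuple (first src=/dport= fields) targets TRIGGER_PORT over TCP, if any.
current_trigger_host() {
  awk -v net="$LAN_NET" -v port="$TRIGGER_PORT" '
    $1 == "tcp" {
      src = ""; dport = ""
      for (i = 1; i <= NF; i++) {
        if (src == "" && $i ~ /^src=/) src = substr($i, 5)
        if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
      }
      if (index(src, net) == 1 && dport == port) host = src
    }
    END { if (host != "") print host }'
}
# Point the PORTTRIGGER chain at host $1 (chain created and hooked on first use);
# with an empty $1 the chain is just flushed, i.e. the trigger is disarmed.
apply_trigger() {
  $IPT -t nat -N PORTTRIGGER 2>/dev/null || true
  $IPT -t nat -C PREROUTING -i "$WAN_IF" -j PORTTRIGGER 2>/dev/null ||
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -j PORTTRIGGER
  $IPT -t nat -F PORTTRIGGER            # drop the previous owner
  [ -n "$1" ] || return 0
  for proto in tcp udp; do
    $IPT -t nat -A PORTTRIGGER -p "$proto" --dport "$FWD_PORT" \
      -j DNAT --to-destination "$1:$FWD_PORT"
  done
}
# One reconciliation pass; run as root from cron or a loop:
reconcile() { apply_trigger "$(conntrack -L 2>/dev/null | current_trigger_host)"; }
# Constructed sample: an outbound trigger from .5, an inbound (DNATed) flow whose
# reply tuple mentions .5, and a UDP flow from .8; only the first should arm.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=203.0.113.7 sport=52311 dport=6112 src=203.0.113.7 dst=198.51.100.2 sport=6112 dport=52311 [ASSURED] mark=0 use=1
tcp      6 119 TIME_WAIT src=203.0.113.9 dst=198.51.100.2 sport=40000 dport=6112 src=192.168.1.5 dst=203.0.113.9 sport=6112 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.8 dst=203.0.113.7 sport=6112 dport=6112 src=203.0.113.7 dst=198.51.100.2 sport=6112 dport=6112 mark=0 use=1'
# Dry run on the sample: prints the iptables commands instead of executing them.
demo() ( IPT=echo; apply_trigger "$(printf '%s\n' "$SAMPLE_CONNTRACK" | current_trigger_host)"; )
```

Run `demo` to see the rules a pass would install for the sample; a second LAN host opening its own trigger connection simply takes the forward over on the next pass, so ten hosts still cannot share port 6112 at once.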

## NTT

You cannot forward one and the same port to 10 hosts at once, but what you want is what UPnP is meant for, am I right? Just what you would find in routers (an application can request the router to open & forward a port to it).

I used to run a UPnP daemon on my Linux box before I got a hardware router built into my DSL router, with UPnP support.

It's in Portage as linux-igd. It only works of course with UPnP-enabled applications, like Messenger on Windows, DirectX games and the likes of Remote Desktop I guess. Also the Azureus torrent client does UPnP on all platforms.

After usage the application closes the used ports again. I don't think any TCP/IP protocol can handle a single port to be forwarded to 10 hosts (I've never seen it, also not in "hardware" routers) - the normal way is, if you run 10 game servers, you run 'em at 10 different ports.

----------

## outp0st

Thanks NTT - that's exactly what I meant. I noticed that my wireless D-Link router had a port triggering option and that's how I started to wonder how it could be achieved with Linux. Thanks for the tip about the UPnP daemon - gonna give it a try later today.

Best regards,

Outp0st

----------

