4

I'm trying to set up Wake-on-LAN for some of the LAN computers at home and it seems that I need to open a UDP port (7 or 9 being the most common) and forward all requests to the broadcast IP, which in my case is 192.168.1.255.

The problem is that my router does not allow me to forward anything to the broadcast IP.

I can connect to my router through telnet and it seems this router uses IPTABLES, but I don't know much about it or how to use it.

Can someone help me out with the proper iptables commands to do what I want? Also, in case it doesn't work, the commands to put everything back would be nice too.

One last thing: will rebooting the router keep those manually added iptables entries, or would I need to run them every time?

rfgamaral
  • A very similar question about Wake-on-Lan was asked fairly recently: [How to get Wake-on-LAN working?](http://serverfault.com/questions/161560/how-to-get-wake-on-lan-working) The questioner's circumstances seem to be similar to yours, so the discussion there should be useful. – Steven Monday Nov 07 '10 at 01:07

4 Answers

1

Some routers (Cisco) are able to forward directed UDP broadcast.

The Linux kernel has been able to do this since circa version 5.0. You just need to specify a parameter for the particular network interface:

sudo sysctl -w net.ipv4.conf.eth1.bc_forwarding=1

(Note: it seems the option net.ipv4.conf.all.bc_forwarding doesn't work)

You may save this parameter in /etc/sysctl.conf

1
# iptables -A PREROUTING -t nat -p udp --dport 6  -d <original destination> -j DNAT --to-destination 192.168.1.255

That will take a WOL packet destined for <original destination> and reroute it to the broadcast of your network.

Also if you are using a Red Hat derived system you will need to save the iptables entry using

# service iptables save
Red Tux
1

There's a great solution using the tool socat, mentioned on this StackExchange topic:

Transform a UDP unicast packet into a broadcast?

I'm not an expert at all on this topic, so I can't elaborate, I can only quote. This solution worked great for me.

The solution mentioned by Red Tux (https://serverfault.com/a/267343/323199) doesn't work; iptables is not made to broadcast a packet. This is explained in the StackExchange topic I mentioned above.

elboulangero
-1

Add something like this:

iptables -A IN_FILTER -p udp -d 10.11.11.255 -j ACCEPT -m comment --comment "Depicus WoL"

http://linux.die.net/man/8/iptables will give you the syntax

Should survive a reboot but you never can tell until you try it.

Nate
Depicus
  • Shouldn't the port be specified too? – rfgamaral Nov 06 '10 at 23:54
  • Sorry was late at night. Yes --dport 7 and --sport 7 to set the destination port and source port. – Depicus Nov 07 '10 at 12:39
  • Your -A might not be IN_FILTER so do an iptables -L to get a list of rules. – Depicus Nov 08 '10 at 13:52
  • There's a bunch of them, how do I know which one I should use? I saw in the documentation that -A is for append, what if I used -I to insert a rule for IN_FILTER? Not the same? – rfgamaral Nov 08 '10 at 19:53
  • No you cannot add your own, the router would not know where to get them from. Best bet is to add a firewall rule similar to what you want in the web interface, just make it up. Then you can telnet in and see what section the new rule is in. – Depicus Nov 08 '10 at 20:50
  • I have a bunch of rules already for various different services but the --list argument does not reveal anything close to any of those rules. This is what the command shows: http://pastebin.com/cpgbM69B – rfgamaral Nov 09 '10 at 01:14
  • Mmmmm.... am afraid you are at the edge of my knowledge then. My Linksys has lots more info than yours does. Chain IN_FILTER (1 references) target prot opt source destination RETURN all -- anywhere anywhere ACCEPT udp -- anywhere 10.11.11.113 udp dpt:7 You could try adding an IN_FILTER section but I am really just guessing here. – Depicus Nov 09 '10 at 19:31
  • With the -I switch like I said before? How can I see if it's working (without trying WoL itself cause that's tricky)? – rfgamaral Nov 09 '10 at 20:06
  • Doesn't work... :( Don't know what else to do. – rfgamaral Nov 10 '10 at 11:56
  • Last chance is to speak to the manufacturer and see what they say. – Depicus Nov 10 '10 at 14:32