LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 07-09-2010, 02:43 PM   #1
litlmary
Member
 
Registered: May 2005
Location: Texas, somewhere near Houston (I think)
Distribution: See my sig
Posts: 308

Rep: Reputation: 30
Need an IPTABLES expert for my firewall script...


I have an old(er) Linksys WRT54G "router" (we all know that it's actually a NAT box/switch/AP in a package that says router, but I'll use the marketing speak for the purposes of this post and call it a "router").

I also have 5 static IPs assigned to me by my ISP which all share one port on the modem. To make this happen I flashed the Thibor15c firmware into the "router" and cobbled together this little firewall script:
Code:
# inbound: traffic for the public address is handed to the internal host
iptables -t nat -I PREROUTING -d EXT.IP.ADDY -j DNAT --to-destination INT.IP.ADDY
# outbound: replies and new connections from that host leave with the public address
iptables -t nat -I POSTROUTING -s INT.IP.ADDY -j SNAT --to-source EXT.IP.ADDY
...which I repeated 4 times for 4 devices and used the 5th IP for the NAT box itself...
This worked great for a long time, while all of the external IPs were on the same subnet.

I recently switched ISPs, and my new static IP addresses are on 5 different subnets! Is there a way for me to specify the gateway on each line of that script?

TIA,

J
 
Old 07-09-2010, 03:32 PM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Quote:
Originally Posted by litlmary View Post
Code:
iptables -t nat -I PREROUTING -d EXT.IP.ADDY -j DNAT --to-destination INT.IP.ADDY
iptables -t nat -I POSTROUTING -s INT.IP.ADDY -j SNAT --to-source EXT.IP.ADDY
...which I repeated 4 times for 4 devices and used the 5th IP for the NAT box itself...
This worked great for a long time, while all of the external IPs were on the same subnet.

I recently switched ISPs, and my new static IP addresses are on 5 different subnets! Is there a way for me to specify the gateway on each line of that script?

TIA,

J
NAT examines the source IP and destination IP; it doesn't care about the GW. So I think you can't check the GW with the NAT iptables module.

But, may I ask, what do you want to achieve?
 
Old 07-09-2010, 04:45 PM   #3
litlmary
Member
 
Registered: May 2005
Location: Texas, somewhere near Houston (I think)
Distribution: See my sig
Posts: 308

Original Poster
Rep: Reputation: 30
Sorry. I thought it was obvious what I am doing.

There are 5 external addresses on the WAN port of my "router". My script is using iptables to route those external addresses to 5 devices on the internal network. i.e. - this allows 2 workstations, a VPN host, a web/ftp server, and the nat box to each have its own external address, but all be on the same internal network/subnet.

My new problem is that the external addresses that my new ISP gave me are all on different subnets. I'm trying to handle this without having to drop the funds on a real-deal enterprise router.

J
 
Old 07-10-2010, 02:52 AM   #4
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
To choose a GW you need to specify or explain to your router which GW to use for which destination.
NAT can change the source IP, but it can't change the GW, because POSTROUTING is located after the router, which chooses a GW.

You can try to associate the destination IP and the gateway you want the router to use/choose.
For example:
Code:
Destination        Gateway        Genmask           Flags  Metric  Ref  Use  Iface
<mail server IP>   <Desired GW>   255.255.255.255   U      0       0    0    ethX
 
Old 07-10-2010, 04:04 AM   #5
litlmary
Member
 
Registered: May 2005
Location: Texas, somewhere near Houston (I think)
Distribution: See my sig
Posts: 308

Original Poster
Rep: Reputation: 30
If I understand you (and the other poster) right, PREROUTING and POSTROUTING are just not going to work. How and where do I make this specification then? Am I still working in the firewall script? Should I still be using preroute and postroute but specify the gateways in the startup script? Should I still be trying to do this with IPTABLES at all?

I'm grasping here, but should I put a few ifconfig strings in the startup script to associate the right gateways with each address? If I am on the right track, would you mind helping me out with the syntax, please?

J
 
Old 07-10-2010, 08:43 AM   #6
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
I found two good examples; please take a look:
http://www.linuxhorizon.ro/iproute2.html

I think the second is more suitable for you.
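A worked version of what the thread arrives at, added here as an example and not code from either poster: the DNAT/SNAT pairs from the first post combined with iproute2 source-based policy routing, so each public address gets its own routing table and gateway. Interface names, table numbers and all addresses are assumed placeholders; the script prints the commands rather than running them, so it can be reviewed before being applied on the router.

```shell
#!/bin/sh
# Added example, not the thread's own script: one-to-one NAT where each public
# address sits on a different subnet and so needs its own gateway. Interface
# names and all addresses are assumed placeholders (RFC 5737 ranges); the main
# table's default route is left for the box's own (5th) address.
WAN=vlan1              # assumed WAN interface on the WRT54G
LAN=br0                # assumed LAN bridge
LAN_NET=192.168.1.0/24
# One mapping per line: EXT_IP/PREFIX  EXT_GATEWAY  INTERNAL_IP  (constructed)
MAP='203.0.113.10/30 203.0.113.9 192.168.1.10
198.51.100.66/29 198.51.100.65 192.168.1.20'

# Print the commands for one mapping. A separate routing table per public
# address makes that host's traffic leave through the gateway of its own subnet.
# Forwarded packets are routed BEFORE POSTROUTING SNAT rewrites the source, so
# the policy rule must match the internal address, not the public one.
emit_one() {
    ext_cidr=$1; gw=$2; int_ip=$3; table=$4
    ext_ip=${ext_cidr%/*}
    cat <<EOF
ip addr add $ext_cidr dev $WAN
ip route add $LAN_NET dev $LAN table $table
ip route add default via $gw dev $WAN table $table
ip rule add from $int_ip lookup $table
iptables -t nat -A PREROUTING -d $ext_ip -j DNAT --to-destination $int_ip
iptables -t nat -A POSTROUTING -o $WAN -s $int_ip -j SNAT --to-source $ext_ip
EOF
}

# Walk MAP, numbering the per-host routing tables from 101 upwards.
emit_all() {
    table=101
    printf '%s\n' "$MAP" | while read -r ext_cidr gw int_ip; do
        [ -n "$ext_cidr" ] || continue
        emit_one "$ext_cidr" "$gw" "$int_ip" "$table"
        table=$((table + 1))
    done
    echo "ip route flush cache"
}

# Run with --print to review the generated commands; pipe them into sh on the
# router only after checking them.
if [ "${1:-}" = "--print" ]; then emit_all; fi
```

Check the result with `ip rule show` and `ip route show table 101`; if a host's traffic still leaves via the wrong gateway, the usual cause is a rule written against the public address instead of the internal one.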
 