LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 04-24-2014, 01:56 PM   #1
jaredscott
LQ Newbie
 
Registered: Aug 2009
Posts: 24

Rep: Reputation: 0
Using iptables to route all outbound traffic to internal box


Hey guys,

I have been working on a personal project that requires HTTP traffic, destined for the WAN (on my ADSL router, 10.10.10.254), to be routed to an internal box (let's call it 10.10.10.1/24, listening on port 8888). That box does some traffic monitoring and then will send it back to the ADSL router, sitting on 10.10.10.254.

If I dump this into the telnet session on my router (it runs a Linux base, so it supports iptables), it doesn't seem to work.

iptables -t nat -A PREROUTING -i br0 ! -s 10.10.10.1 ! -d 10.10.10.1 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.1:8888

From what I can understand, that rule should route all HTTP traffic to 10.10.10.1:8888 and ignore any traffic that is originating from 10.10.10.1 (needed otherwise a routing loop would happen).

I would really appreciate any help; I've been really stuck on this one for a couple of days now.

Thanks!
 
Old 04-25-2014, 03:03 AM   #2
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
You probably need a permission in the FORWARD chain. Other than that, tcpdump is your friend: see where the traffic goes/doesn't go. Have your cleanup rules log and check your logs.

Code:
# iptables-save format, filter table. These are end-of-chain "cleanup" rules:
# anything that reaches them is logged (rate limited) and then dropped.
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
-A INPUT -j DROP
# Let the DNATed HTTP connections through to the box on 10.10.10.1:8888
-A FORWARD -d 10.10.10.1 -p tcp --dport 8888 -j ACCEPT
# Log and drop whatever else reaches the end of FORWARD
-A FORWARD -m limit --limit 1/second --limit-burst 100 -j LOG
-A FORWARD -j DROP
 
Old 04-25-2014, 04:02 PM   #3
jaredscott
LQ Newbie
 
Registered: Aug 2009
Posts: 24

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by nikmit View Post
You probably need a permission in the FORWARD chain. Other than that, tcpdump is your friend: see where the traffic goes/doesn't go. Have your cleanup rules log and check your logs.

Code:
# iptables-save format, filter table. These are end-of-chain "cleanup" rules:
# anything that reaches them is logged (rate limited) and then dropped.
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG
-A INPUT -j DROP
# Let the DNATed HTTP connections through to the box on 10.10.10.1:8888
-A FORWARD -d 10.10.10.1 -p tcp --dport 8888 -j ACCEPT
# Log and drop whatever else reaches the end of FORWARD
-A FORWARD -m limit --limit 1/second --limit-burst 100 -j LOG
-A FORWARD -j DROP
Thanks for your response

I can't load tcpdump on my ADSL router. It runs basic Linux, but only a couple of things are available (it's not anything fancy, definitely no package manager in there), so no tcpdump. Could you explain what those iptables rules are doing? I am still pretty new to this.

Thanks
 
Old 04-25-2014, 04:53 PM   #4
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,683

Rep: Reputation: 783
Is it stock firmware on the router, or third party like OpenWrt, DD-WRT, Tomato?

Personally I use OpenWrt on a TP-Link N900.
Not ADSL, but that shouldn't matter here.

I have Privoxy running on the router, and used its web UI (LuCI) to add forward rules for http --> 127.0.0.1:8118 when !<routerip>


Basically it works and knocks out most annoying ads and things, even on a smart TV which can't be configured to use a proxy.

I will be happy to provide detail on the openWRT config..


Edit
Actually, not 127.0.0.1

Code:
config redirect
       option name 'Privoxy'
       option target 'DNAT'
       option proto 'tcp'
       option src 'lan'
       option src_ip '!<router ip>'
       option src_dport '80'
       option dest 'lan'
       option dest_ip '<router ip>'
       option dest_port '8118'
In /etc/config/firewall

OpenWrt; may need tweaking for a proxy external to the router.

Last edited by Firerat; 04-25-2014 at 05:02 PM.
 
Old 04-26-2014, 03:33 PM   #5
jaredscott
LQ Newbie
 
Registered: Aug 2009
Posts: 24

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Firerat View Post
Is is a stock firmware on the router, or third party like openwrt , ddwrt , tomato?
Stock firmware, that's the biggest problem.

Since I want to replicate this process on most home ADSL routers (most accept telnet connectivity to a basic Linux environment, and iptables is always available in it), I don't really want a solution where a custom firmware needs to be loaded, even though I agree it would be preferable.

Do you know how to accomplish this process using purely iptables?

I will try the solution displayed above, it's just been a hectic day. I would love some clarification on it though; I don't quite understand what it's doing, even though I did a little research. I am almost sure it's a single-line rule that needs to be added.

Thanks
 
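Added example, not posted by anyone in this thread: a complete iptables rule set for the setup described in post #1 (LAN bridge br0, router 10.10.10.254, monitoring box 10.10.10.1 listening on 8888; those values come from the thread, the LAN prefix 10.10.10.0/24 is assumed from the "/24", and the script name, variable names and the apply/show sub-commands are my own). It uses plain iptables only, as asked for in post #5. Besides the FORWARD permission nikmit points to in post #2, two things the one-line DNAT rule does not cover will stop this from working. First, replies: the filter table must also accept the box's return packets, so an ESTABLISHED,RELATED rule goes at the top of FORWARD. Second, the hairpin: the client and the box sit on the same LAN segment, so after the DNAT the box answers the client directly from 10.10.10.1:8888, while the client is waiting for the WAN address on port 80 and will reset that connection. A MASQUERADE rule in POSTROUTING for just the redirected flow makes the box send its replies back via the router, which reverses the DNAT. This is the "tweaking for an external proxy" Firerat mentions in post #4. Since tcpdump is not available on the router, the show sub-command reads the per-rule packet counters and the conntrack table instead.

```shell
#!/bin/sh
# Added example (not from the thread). Transparent redirect of LAN HTTP to a
# monitoring/proxy box on the same LAN, using only iptables so it runs on a
# stock ADSL router. Values from the thread: br0, 10.10.10.254, 10.10.10.1:8888;
# the LAN prefix 10.10.10.0/24 is assumed from "/24".
# Usage:  sh redirect.sh apply           (as root on the router)
#         IPT=echo sh redirect.sh apply  (print the commands instead)
#         sh redirect.sh show            (counters + conntrack, no tcpdump needed)
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-10.10.10.0/24}"
PROXY_IP="${PROXY_IP:-10.10.10.1}"
PROXY_PORT="${PROXY_PORT:-8888}"

redirect_rules() {
    # 1. LAN-local HTTP (router admin page, the proxy box itself) is left
    #    alone, so only traffic that would really leave for the WAN is
    #    redirected. Must come before the DNAT rule.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -d "$LAN_NET" -j RETURN
    # 2. Everything else gets its destination rewritten to the proxy, except
    #    the proxy's own outbound HTTP (it would otherwise loop onto itself).
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        ! -s "$PROXY_IP" -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
    # 3. Hairpin fix. Client and proxy share the LAN, so the proxy would
    #    answer the client directly from PROXY_IP:PROXY_PORT; the client
    #    expects the WAN server on port 80 and resets. Masquerading the
    #    redirected flow makes the proxy answer the router instead, which
    #    undoes the DNAT before the reply reaches the client.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -p tcp \
        -d "$PROXY_IP" --dport "$PROXY_PORT" -j MASQUERADE
    # 4. Filter table: replies of known flows first, then the new connections
    #    to the proxy. Running "apply" twice duplicates these rules; check
    #    with "show" first.
    $IPT -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp \
        -d "$PROXY_IP" --dport "$PROXY_PORT" -j ACCEPT
}

show_counters() {
    # No tcpdump on the router: the per-rule packet counters show which rules
    # ever matched (a DNAT rule stuck at 0 never saw the traffic).
    $IPT -t nat -L PREROUTING -v -n --line-numbers
    $IPT -t nat -L POSTROUTING -v -n --line-numbers
    $IPT -L FORWARD -v -n --line-numbers
    # Conntrack lists the translation applied to each live flow; the file
    # name depends on the kernel version.
    for f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        [ -r "$f" ] && grep "dport=$PROXY_PORT" "$f"
    done
    return 0
}

case "${1:-}" in
    apply) redirect_rules ;;
    show)  show_counters ;;
esac
```

The cost of the masquerade is that the box sees every client as 10.10.10.254, so per-client attribution has to come from the router's own logs rather than from the box. The box must also act as a transparent proxy that reads the HTTP Host header: by the time the packet reaches 10.10.10.1 the original destination address is gone, and SO_ORIGINAL_DST only works on the machine that did the NAT.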