
Newbie with another iptables routing question

Discussion in 'Tomato Firmware' started by petah, Aug 6, 2008.

  1. petah

    petah Addicted to LI Member

    Hi there, have a question on how I can fix my routing issue.

    Background:
    I have an Asus router running Tomato firmware set to "gateway" mode/NAT. I have a block of IPs assigned to me by my ISP that routes through the PPPoE's main IP.

    I have successfully converted port #4 into a WAN port and assigned it a REAL IP which my server connects to, and the routing goes through the main IP as well.

    When the server accesses the internet, the outgoing traffic looks like it is being modified to appear as the main static IP and not the server's IP.

    Is it possible that the NAT iptables rules are altering outgoing packets from the server to be the main router IP? How do I get around that so the block of IPs assigned to me is not altered?

    I hope that makes sense.


    Attempt at a picture:

    internet -- router -- NAT
    -- server (no NAT, real IP).

    (server's outgoing packets are appearing as if they originate from the router)

    thanks.
     
  2. markbto

    markbto LI Guru Member

    iptables router/gateway

    I am trying the same thing.. If the router is set to gateway, it uses NAT; if the router is set to Router.. it will use static IPs.. the server on the LAN will be seen from the internet.

    I think the difference between router and gateway is the iptables file in Tomato, located at /tmp/etc/iptables.

    I set my router to gateway and checked the iptables file, then set it to router and checked the iptables again..

    Here's what is in the iptables when set to gateway; as you can see I have left in my port forwarding. I'm guessing that you have the router in either router or gateway mode, and are just using some iptables command in the net up section to add extra stuff to iptables..

    So I'm thinking leave it in gateway mode, then set your static IPs up with iptables... so the question is, what should be added to iptables to make it work..



    Code:
    *mangle
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :QOSO - [0:0]
    -A QOSO -j CONNMARK --restore-mark --mask 0xff
    -A QOSO -m connmark ! --mark 0/0xff00 -j RETURN
    -A QOSO -m mac --mac-source 00:12:17:F1:45:E0  -j CONNMARK --set-return 0x101/0xFF
    -A QOSO -p udp   -m layer7 --l7dir /etc/l7-protocols --l7proto shoutcast -j CONNMARK --set-return 0x101/0xFF
    -A QOSO -p tcp   -m layer7 --l7dir /etc/l7-protocols --l7proto shoutcast -j CONNMARK --set-return 0x101/0xFF
    -A QOSO -p tcp -m mport --dports 80,443   -m bcount --range 0x0-0x3fffff -j CONNMARK --set-return 0x2/0xFF
    -A QOSO -p tcp -m mport --dports 80,443   -m bcount --range 0x400000 -j CONNMARK --set-return 0x3/0xFF
    -A QOSO -p udp --dport 53   -m bcount --range 0xf000 -j CONNMARK --set-return 0x2/0xFF
    -A QOSO -p tcp --dport 53   -m bcount --range 0xf000 -j CONNMARK --set-return 0x2/0xFF
    -A QOSO -p udp --dport 53   -m bcount --range 0x0-0xefff -j CONNMARK --set-return 0x1/0xFF
    -A QOSO -p tcp --dport 53   -m bcount --range 0x0-0xefff -j CONNMARK --set-return 0x1/0xFF
    -A QOSO -m mac --mac-source 00:13:21:D3:2C:2D  -j CONNMARK --set-return 0xa/0xFF
    -I QOSO -j BCOUNT
    -A QOSO -j CONNMARK --set-return 0x5
    -A FORWARD -o ppp+ -j QOSO
    -A OUTPUT -o ppp+ -j QOSO
    -A PREROUTING -i ppp+ -j CONNMARK --restore-mark --mask 0xff
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i ppp+ -d 192.168.1.1/255.255.255.0 -j DROP
    -A PREROUTING -p icmp -d 206.248.172.131 -j DNAT --to-destination 192.168.1.1
    -A PREROUTING -p tcp  -d 206.248.172.131 --dport 22489 -j DNAT --to-destination 192.168.1.250
    -A PREROUTING -p udp  -d 206.248.172.131 --dport 22489 -j DNAT --to-destination 192.168.1.250
    -A PREROUTING -p tcp  -d 206.248.172.131 --dport 8333 -j DNAT --to-destination 192.168.1.250
    -A PREROUTING -p udp  -d 206.248.172.131 --dport 8333 -j DNAT --to-destination 192.168.1.250
    -A PREROUTING -p tcp  -d 206.248.172.131 --dport 8222 -j DNAT --to-destination 192.168.1.250
    -A PREROUTING -p udp  -d 206.248.172.131 --dport 8222 -j DNAT --to-destination 192.168.1.250
    -A PREROUTING -p tcp  -d 206.248.172.131 --dport 902 -j DNAT --to-destination 192.168.1.250
    -A PREROUTING -p udp  -d 206.248.172.131 --dport 902 -j DNAT --to-destination 192.168.1.250
    -A PREROUTING  -d 206.248.172.131 -j DNAT --to-destination 192.168.1.251
    -A POSTROUTING -o ppp+ -j MASQUERADE
    -A POSTROUTING -o br0 -s 192.168.1.1/255.255.255.0 -d 192.168.1.1/255.255.255.0 -j MASQUERADE
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    :FORWARD DROP [0:0]
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1453: -j TCPMSS --set-mss 1452
    :L7in - [0:0]
    -A FORWARD -i ppp+ -j L7in
    -A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto shoutcast -j RETURN
    :wanin - [0:0]
    :wanout - [0:0]
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i ppp+ -j wanin
    -A FORWARD -o ppp+ -j wanout
    -A FORWARD -i br0 -j ACCEPT
    -A wanin  -p tcp -m tcp -d 192.168.1.250 --dport 22489 -j ACCEPT
    -A wanin  -p udp -m udp -d 192.168.1.250 --dport 22489 -j ACCEPT
    -A wanin  -p tcp -m tcp -d 192.168.1.250 --dport 8333 -j ACCEPT
    -A wanin  -p udp -m udp -d 192.168.1.250 --dport 8333 -j ACCEPT
    -A wanin  -p tcp -m tcp -d 192.168.1.250 --dport 8222 -j ACCEPT
    -A wanin  -p udp -m udp -d 192.168.1.250 --dport 8222 -j ACCEPT
    -A wanin  -p tcp -m tcp -d 192.168.1.250 --dport 902 -j ACCEPT
    -A wanin  -p udp -m udp -d 192.168.1.250 --dport 902 -j ACCEPT
    -A FORWARD -o br0  -d 192.168.1.251 -j ACCEPT
    COMMIT
    # 
    

    Here is what my iptables looks like when the router is set to router:

    Code:
    *mangle
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :QOSO - [0:0]
    -A QOSO -j CONNMARK --restore-mark --mask 0xff
    -A QOSO -m connmark ! --mark 0/0xff00 -j RETURN
    -A QOSO -m mac --mac-source 00:12:17:F1:45:E0  -j CONNMARK --set-return 0x101/0xFF
    -A QOSO -p udp   -m layer7 --l7dir /etc/l7-protocols --l7proto shoutcast -j CONNMARK --set-return 0x101/0xFF
    -A QOSO -p tcp   -m layer7 --l7dir /etc/l7-protocols --l7proto shoutcast -j CONNMARK --set-return 0x101/0xFF
    -A QOSO -p tcp -m mport --dports 80,443   -m bcount --range 0x0-0x3fffff -j CONNMARK --set-return 0x2/0xFF
    -A QOSO -p tcp -m mport --dports 80,443   -m bcount --range 0x400000 -j CONNMARK --set-return 0x3/0xFF
    -A QOSO -p udp --dport 53   -m bcount --range 0xf000 -j CONNMARK --set-return 0x2/0xFF
    -A QOSO -p tcp --dport 53   -m bcount --range 0xf000 -j CONNMARK --set-return 0x2/0xFF
    -A QOSO -p udp --dport 53   -m bcount --range 0x0-0xefff -j CONNMARK --set-return 0x1/0xFF
    -A QOSO -p tcp --dport 53   -m bcount --range 0x0-0xefff -j CONNMARK --set-return 0x1/0xFF
    -A QOSO -m mac --mac-source 00:13:21:D3:2C:2D  -j CONNMARK --set-return 0xa/0xFF
    -I QOSO -j BCOUNT
    -A QOSO -j CONNMARK --set-return 0x5
    -A FORWARD -o ppp+ -j QOSO
    -A OUTPUT -o ppp+ -j QOSO
    -A PREROUTING -i ppp+ -j CONNMARK --restore-mark --mask 0xff
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    :FORWARD ACCEPT [0:0]
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1453: -j TCPMSS --set-mss 1452
    COMMIT
    #
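As an added example (not code from this thread), the evaluator below replays the nat POSTROUTING rules from the gateway-mode dump for a packet leaving the server's routed address, shows why the `-o ppp+ -j MASQUERADE` rule rewrites it to the PPPoE address, and checks that an ACCEPT exemption inserted ahead of that rule leaves the source untouched. The public block 203.0.113.0/29 and the other addresses are constructed stand-ins, and only the -o/-s/-d matches are modelled.

```python
import ipaddress
import shlex

def parse_rule(line):
    """One iptables-save line -> (chain, matches, target); models only -o/-s/-d."""
    toks = shlex.split(line)
    chain, matches, target, i = None, {}, None, 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-I"):
            chain = toks[i + 1]
        elif t == "-o":
            matches["oif"] = toks[i + 1]
        elif t in ("-s", "-d"):
            matches[t] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-j":
            target = toks[i + 1]
        else:
            i += 1
            continue
        i += 2
    return chain, matches, target

def iface_match(pattern, iface):
    """iptables '+' wildcard: 'ppp+' matches ppp0, ppp1, ..."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface

def postrouting_verdict(rules, src, dst, oif):
    """First matching nat POSTROUTING rule decides: MASQUERADE (source rewritten)
    or ACCEPT (no NAT mapping). No match falls through to the ACCEPT policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in rules:
        chain, m, target = parse_rule(line)
        if chain != "POSTROUTING":
            continue
        if "oif" in m and not iface_match(m["oif"], oif):
            continue
        if ("-s" in m and src not in m["-s"]) or ("-d" in m and dst not in m["-d"]):
            continue
        return target
    return "ACCEPT"

# The two POSTROUTING rules from the gateway-mode dump above.
GATEWAY_NAT = [
    "-A POSTROUTING -o ppp+ -j MASQUERADE",
    "-A POSTROUTING -o br0 -s 192.168.1.1/255.255.255.0 -d 192.168.1.1/255.255.255.0 -j MASQUERADE",
]
# Fix: exempt the routed block (constructed 203.0.113.0/29) ahead of MASQUERADE; -I puts it
# first, i.e. on the router: iptables -t nat -I POSTROUTING -o ppp+ -s 203.0.113.0/29 -j ACCEPT
FIXED_NAT = ["-I POSTROUTING -o ppp+ -s 203.0.113.0/29 -j ACCEPT"] + GATEWAY_NAT
```

The exemption only stops the source rewrite; in gateway mode the filter FORWARD policy is DROP, so inbound traffic to the server's public address also needs a FORWARD accept on the pattern of the `-A FORWARD -o br0 -d 192.168.1.251 -j ACCEPT` line in the first dump.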
    
    
     
