
Problem with simple script

Discussion in 'Tomato Firmware' started by gtwdw, Jul 4, 2008.

  1. gtwdw

    gtwdw Guest

    I'm another noob here :)

    I have a problem with a firewall script.
    I want to add a simple rule, e.g.:

    iptables -t nat -I PREROUTING -p udp -d XX.XX.XX.XX --dport 63002 -j DNAT --to-destination

    iptables -t nat -I POSTROUTING -p udp -s --sport 6112 -j SNAT --to-source XX.XX.XX.XX:63002

    xx.xx.xx.xx is the dynamic IP of my internet connection, and it changes every 24 h.

    I don't want to edit the firewall every day. So what do I have to write there?
  2. ooglek

    ooglek LI Guru Member


    SOLVED! I'm the man.
    I found the answer for Rule #2: use MASQUERADE instead of SNAT.

    Use these rules instead:

    iptables -t nat -I PREROUTING -p udp -i eth0 --dport 63002 -j DNAT --to-destination

    iptables -t nat -I POSTROUTING -p udp -s --sport 6112 -j MASQUERADE --to-ports 63002

    If using PPPoE, replace eth0 in rule #1 with "ppp0"

    Original Post:
    Suggestion #1:
    Why not find out the netmask of possible IP addresses, and use that?

    i.e. "-d" and "--to-source:"

    You'll only ever have ONE of those IP addresses, so the rule should match.

    Suggestion #2:
    Alternatively, you could look at dropping the -d and --to-source in favor of an interface option. I'm not sure whether that will work, but here's what I'd try in that situation.

    Rule #1: replace "-d xx.xx.xx.xx" with "-i eth0" (or use ppp0 if PPPoE)
    Rule #2: replace "-j SNAT --to-source x.x.x.x:63002" with "-j MASQUERADE --to-ports 63002"

    I would have suggested using $INET_IP and $INET_IFACE, but these are not evaluated dynamically, so they wouldn't have worked.

    You could try and set up DDNS, and then change your rules to "-d myhost.gotdns.com" and "--to-source myhost.gotdns.com:63002", give that a try.

    Some URLs that helped me formulate this response (man, I should get paid for this stuff!!!):
    Updating iptables rules dynamically: http://blog.axmx.net/2006/04/06/maintaining-a-dynamic-ip-address-with-iptables/
    Setting variable in rules: http://lists.netfilter.org/pipermail/netfilter/2002-October/038970.html (not sure if IP is grabbed dynamically on every packet, or if you still have to delete and re-add on IP change)
    Using MASQUERADE instead of SNAT for Dynamic IP addresses: http://iptables-tutorial.frozentux.net/iptables-tutorial.html#MASQUERADETARGET

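The interface-based variant from the solved post, worked up as an added example (this is not code from the thread or from Tomato) into a script that can be pasted into Tomato's firewall script slot. It assumes a LAN game host of 192.168.1.10 (a constructed sample address), that the WAN interface is eth0 or ppp0 as in the thread or can be read with `nvram get wan_iface` on Tomato (an assumption about Tomato's nvram variables), and that the forwarded packets also need a FORWARD accept rule. What it shows is why the MASQUERADE version survives the daily address change: neither rule contains the WAN IP, since `-i`/`-o` match the interface and MASQUERADE reads the interface's current address as each packet is rewritten, whereas SNAT bakes a fixed `--to-source` address into the rule. It also deletes before inserting, so re-running it on every WAN up does not stack duplicate rules.

```shell
#!/bin/sh
# Added example (not from the thread): interface-based DNAT + MASQUERADE rules
# that contain no WAN IP, so they keep working after the daily address change.
# Assumed, not from the page: LAN_HOST (constructed 192.168.1.10) is the game
# host, and on Tomato `nvram get wan_iface` returns the WAN interface name.

WAN_PORT=63002                        # port Internet peers send to
LAN_PORT=6112                         # port the game listens on inside the LAN
LAN_HOST=${LAN_HOST:-192.168.1.10}    # constructed sample address; override via environment

# wan_iface: WAN_IF from the environment wins; then Tomato's nvram value
# (assumption); otherwise eth0, the interface named in the thread (ppp0 for PPPoE).
wan_iface() {
    if [ -n "$WAN_IF" ]; then
        printf '%s\n' "$WAN_IF"
    elif command -v nvram >/dev/null 2>&1; then
        nvram get wan_iface
    else
        printf 'eth0\n'
    fi
}

# nat_rules IFACE HOST: print the two nat-table commands, one per line.
# Rule 1 matches inbound UDP by interface (-i) instead of "-d <wan ip>".
# Rule 2 uses MASQUERADE, which takes the outgoing interface's address at
# the moment each packet is rewritten, so no --to-source address is needed;
# --to-ports keeps the source port that peers see at WAN_PORT.
nat_rules() {
    iface=$1; host=$2
    printf 'iptables -t nat -I PREROUTING -p udp -i %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iface" "$WAN_PORT" "$host" "$LAN_PORT"
    printf 'iptables -t nat -I POSTROUTING -p udp -s %s --sport %s -o %s -j MASQUERADE --to-ports %s\n' \
        "$host" "$LAN_PORT" "$iface" "$WAN_PORT"
}

# forward_rule IFACE HOST: DNATed packets still pass the FORWARD chain, so a
# DROP policy there would eat them silently; accept exactly this flow.
forward_rule() {
    printf 'iptables -I FORWARD -p udp -i %s -d %s --dport %s -j ACCEPT\n' \
        "$1" "$2" "$LAN_PORT"
}

# apply_rules IFACE HOST: delete any earlier copy of each rule (errors ignored
# when none exists), then insert. This makes the script safe to re-run from the
# firewall script slot on every WAN up instead of stacking duplicate rules.
apply_rules() {
    rules=$(nat_rules "$1" "$2"; forward_rule "$1" "$2")
    printf '%s\n' "$rules" | sed 's/ -I / -D /' | while read -r cmd; do
        $cmd 2>/dev/null
    done
    printf '%s\n' "$rules" | while read -r cmd; do
        $cmd
    done
}

# Default is a dry run that prints the commands for pasting into
# Administration > Scripts > Firewall; "apply" runs them on the router.
if [ "${1:-}" = "apply" ]; then
    apply_rules "$(wan_iface)" "$LAN_HOST"
else
    nat_rules "$(wan_iface)" "$LAN_HOST"
    forward_rule "$(wan_iface)" "$LAN_HOST"
fi
```

Run it with no arguments to see the three commands for your interface (set `WAN_IF=ppp0` for PPPoE), or with `apply` on the router. The `-s <lan host>` match on the MASQUERADE rule limits the port rewrite to the game host's own traffic; note that, as with any port forward, the service on LAN_HOST:6112 is then reachable from the whole Internet, so it should be a service you intend to expose.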