May 2007 Archives

IP Tables


For posterity, here is my working iptables config:


#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

# Start from empty user chains (the stock firewall jumps to these from
# INPUT, OUTPUT, FORWARD and the nat PREROUTING/POSTROUTING chains).
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# Note: Firewall must be re-run if WAN IP address changes, because the SNAT
# and hairpin rules below embed the address instead of using MASQUERADE.
WANIP=$(ifconfig "$WAN" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1)
if [ -z "$WANIP" ]; then
    echo "no IPv4 address on $WAN; firewall not loaded" >&2
    exit 1
fi
network="192.168.1.0/24"
server="192.168.1.10"

# Outbound NAT: rewrite LAN sources to the WAN address.
iptables -t nat -A postrouting_rule -o "$WAN" -j SNAT --to-source "$WANIP"

That is the basic setup. WANIP picks up the current address of the WAN interface (which is why the script has to be re-run when that address changes), network is whatever you have defined for your local LAN, and server is the host you are forwarding ports to. You could just as easily define server2, server3, and so on for as many hosts as you want to map here.



# identd
# ACCEPT in the nat table only exempts the packet from NAT; the input_rule
# ACCEPT is what actually lets port 113 reach identd on the router.
iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport 113 -j ACCEPT
iptables -A input_rule -i "$WAN" -p tcp --dport 113 -j ACCEPT

This is my config for identd (still not working, for some reason?): it opens the correct port and sets up the router itself to answer on it (that part, at least, works).



# Lines below let WAN address work from LAN (hairpin NAT). For each port:
#  1. DNAT in prerouting rewrites connections to WANIP:port to the server
#     (no -i $WAN here on purpose, so LAN clients get rewritten too);
#  2. forwarding_rule lets the rewritten packet through FORWARD;
#  3. SNAT on the LAN side makes LAN-originated connections appear to come
#     from the router, so the server replies via the router (which undoes
#     the DNAT) instead of straight back to the client.
# SMTP
iptables -t nat -A prerouting_rule -d "$WANIP" -p tcp --dport 25 -j DNAT --to "$server:25"
iptables -A forwarding_rule -d "$server" -p tcp --dport 25 -j ACCEPT
iptables -t nat -A postrouting_rule -o "$LAN" -p tcp -s "$network" -d "$server" --dport 25 -j SNAT --to-source "$WANIP"

# HTTP
iptables -t nat -A prerouting_rule -d "$WANIP" -p tcp --dport 80 -j DNAT --to "$server:80"
iptables -A forwarding_rule -d "$server" -p tcp --dport 80 -j ACCEPT
iptables -t nat -A postrouting_rule -o "$LAN" -p tcp -s "$network" -d "$server" --dport 80 -j SNAT --to-source "$WANIP"

# POP/IMAP
iptables -t nat -A prerouting_rule -d "$WANIP" -p tcp --dport 110 -j DNAT --to "$server:110"
iptables -A forwarding_rule -d "$server" -p tcp --dport 110 -j ACCEPT
iptables -t nat -A postrouting_rule -o "$LAN" -p tcp -s "$network" -d "$server" --dport 110 -j SNAT --to-source "$WANIP"

iptables -t nat -A prerouting_rule -d "$WANIP" -p tcp --dport 143 -j DNAT --to "$server:143"
iptables -A forwarding_rule -d "$server" -p tcp --dport 143 -j ACCEPT
iptables -t nat -A postrouting_rule -o "$LAN" -p tcp -s "$network" -d "$server" --dport 143 -j SNAT --to-source "$WANIP"

These rules open the ports that 'server' handles and, with the SNAT lines, make requests from the LAN side for the WANIP get routed correctly (hairpin NAT), so you can use your own external domain name internally; the default router config does not allow this to work. The LAN-side SNAT is the part people usually miss: without it the server sees the LAN client's real address and answers it directly, so the client gets a reply from 192.168.1.10 to a connection it opened to the WANIP and drops it. This was the tricky bit solved in the forum thread mentioned in my last post.
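As an added example (not the script from this post), here is the basic setup and the port forwards above factored into two functions: one that extracts the WAN address from ifconfig output and refuses to continue if there is none, and one that emits the three-rule hairpin forward for any port. The function names, the IPTABLES dry-run hook, the interface defaults and the sample ifconfig text are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's firewall script. Names below
# (wan_ip, forward_port, apply_rules, IPTABLES) are this example's own.

# Set IPTABLES=echo to dry-run and print the rules instead of loading them.
IPTABLES=${IPTABLES:-iptables}
WAN=${WAN:-eth0.1}          # assumed defaults; on OpenWrt use
LAN=${LAN:-br0}             # $(nvram get wan_ifname) / $(nvram get lan_ifname)
network=${network:-192.168.1.0/24}
server=${server:-192.168.1.10}

# wan_ip: print the first IPv4 address found in ifconfig output on stdin.
# Returns 1 and prints nothing when there is none, so a caller never loads
# an SNAT rule with an empty --to-source.
wan_ip() {
    addr=$(sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# forward_port PROTO PORT [DEST]: publish WANIP:PORT as DEST:PORT.
#  1. DNAT in prerouting, with no -i restriction so LAN clients that use
#     the public name are rewritten too;
#  2. allow the rewritten packet through FORWARD;
#  3. hairpin SNAT: a LAN client's packet is given the router's address as
#     source, so the server's reply returns through the router (which
#     reverses the DNAT) instead of going straight to the client.
forward_port() {
    proto=$1; port=$2; dest=${3:-$server}
    $IPTABLES -t nat -A prerouting_rule -d "$WANIP" -p "$proto" --dport "$port" \
        -j DNAT --to "$dest:$port"
    $IPTABLES -A forwarding_rule -d "$dest" -p "$proto" --dport "$port" -j ACCEPT
    $IPTABLES -t nat -A postrouting_rule -o "$LAN" -p "$proto" -s "$network" -d "$dest" \
        --dport "$port" -j SNAT --to-source "$WANIP"
}

# apply_rules: outbound SNAT plus the same four forwards as the post.
apply_rules() {
    WANIP=$(ifconfig "$WAN" | wan_ip) || { echo "no IPv4 address on $WAN" >&2; return 1; }
    $IPTABLES -t nat -A postrouting_rule -o "$WAN" -j SNAT --to-source "$WANIP"
    for p in 25 80 110 143; do
        forward_port tcp "$p"
    done
}

# Only touch the firewall when explicitly asked ("./fw.sh apply"); sourcing
# the file just defines the functions.
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it with IPTABLES=echo first to read the generated rules. The hairpin rules still embed WANIP, so switching the outbound rule to MASQUERADE would not remove the need to re-run the script when the WAN address changes; the empty-address check at least stops a half-loaded rule set in that case.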



# Access webif from WAN on port 65321
# Direct connections to WANIP:80 are already DNATed to $server above, so the
# port-80 ACCEPT below is only reachable through this remap. The interface is
# plain HTTP: add -s <trusted address> to both rules rather than exposing it
# to every source.
iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport 65321 -j DNAT --to :80
iptables -A input_rule -i "$WAN" -p tcp --dport 80 -j ACCEPT

This took a small bit of research. These two rules redirect port 65321 on the WAN side to port 80 on the router itself, in case you want the router's web interface to be accessible externally; the ACCEPT on port 80 is only reachable through that DNAT, because direct connections to WANIP:80 are already forwarded to 'server' above. Use the same trick to SSH into the router, or to reach any other router-specific service, by remapping the port. Keep in mind that a non-standard port is not access control: the web interface is plain HTTP, and anyone who scans the WAN address will find it, so restrict both rules to trusted source addresses with -s, or prefer SSH on a remapped port and leave the web interface LAN-only.
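An added example (not from this post) of the same remap-to-the-router trick with the source restriction the post's rules lack: the function refuses to run unless at least one trusted source is given, and explicitly drops everything else arriving on the remapped port. The function name, the IPTABLES dry-run hook and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's script. expose_router_service and
# the IPTABLES/WAN defaults are this example's own assumptions.

IPTABLES=${IPTABLES:-iptables}     # IPTABLES=echo for a dry run
WAN=${WAN:-eth0.1}                 # on OpenWrt: $(nvram get wan_ifname)

# expose_router_service WANPORT LOCALPORT SRC [SRC...]
# For each trusted source: DNAT WAN:WANPORT to the router's own LOCALPORT and
# accept the rewritten packet in INPUT. With no sources it refuses and
# returns 1, so the admin interface cannot be opened to the whole Internet
# by accident. The post's original form, for comparison, was:
#   iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 65321 -j DNAT --to :80
#   iptables -A input_rule -i $WAN -p tcp --dport 80 -j ACCEPT
expose_router_service() {
    wanport=$1; localport=$2; shift 2
    if [ $# -eq 0 ]; then
        echo "expose_router_service: refusing to open port $wanport to every source" >&2
        return 1
    fi
    for src in "$@"; do
        $IPTABLES -t nat -A prerouting_rule -i "$WAN" -s "$src" -p tcp --dport "$wanport" \
            -j DNAT --to ":$localport"
        $IPTABLES -A input_rule -i "$WAN" -s "$src" -p tcp --dport "$localport" -j ACCEPT
    done
    # Untrusted sources are not DNATed, so they reach INPUT with the original
    # port; drop them here rather than relying on the default policy.
    $IPTABLES -A input_rule -i "$WAN" -p tcp --dport "$wanport" -j DROP
}

# "./admin.sh apply 198.51.100.7 [more addresses]" publishes the web
# interface (port 80) on WAN port 65321 to those addresses only; for SSH
# use 22 as LOCALPORT instead.
if [ "${1:-}" = apply ]; then
    shift
    expose_router_service 65321 80 "$@"
fi
```

The explicit DROP is belt-and-braces: the stock chains already drop unsolicited WAN input, but it keeps a later broad ACCEPT in input_rule from quietly exposing the port.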

About this Archive

This page is an archive of entries from May 2007 listed from newest to oldest.
