NATing multiple subnets with Tomato (Shibby build)

wleeb

NATing multiple subnets with DDWRT is very straightforward by adding the following Firewall rule:

"iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`"

Apparently Tomato does not recognize 'get_wanface' or 'nvram get wan_ipaddr'. I can hard code the WAN interface into the statement (e.g. vlan2) so that takes care of 'get_wanface', but I am not sure how I get the WAN's IP address.

Does anyone know a command that will retrieve the current WAN IP that can be used in an iptables statement?


microchip

You can use "ifconfig vlan2" combined with grep (and maybe awk) to get the WAN IP

microchip

For example: ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'

wleeb

Thanks, this does return the WAN IP address, however I am not sure how to incorporate it into the iptables statement. I tried using it directly, then with single and double quotes, and it fails on all:

root@unknown:/tmp/home/root#  iptables -t nat -I POSTROUTING -o vlan2 -j SNAT -to ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'
Bad argument `ifconfig'
Try `iptables -h' or 'iptables --help' for more information.
root@unknown:/tmp/home/root#  iptables -t nat -I POSTROUTING -o vlan2 -j SNAT -to 'ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}''
Bad argument `ifconfig vlan2 | grep inet'
Try `iptables -h' or 'iptables --help' for more information.
root@unknown:/tmp/home/root#  iptables -t nat -I POSTROUTING -o vlan2 -j SNAT -to "ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'"
Bad argument `ifconfig vlan2 | grep 'inet addr' | awk -F: '{print }' | awk '{print }''
Try `iptables -h' or 'iptables --help' for more information.
root@unknown:/tmp/home/root#

microchip
Try this http://pastebin.com
wleeb

Almost there, now getting a 'Bad argument '10.20.30.60'', my WAN IP.

root@unknown:/tmp/home/root# iptables -t nat -I POSTROUTING -o vlan2 -j SNAT -to `ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'`
Bad argument `10.20.30.60'
Try `iptables -h' or 'iptables --help' for more information.
root@unknown:/tmp/home/root#

wleeb

Got it taking the iptables statement now, the '-to' required a double hyphen '--to', however the rule does not show up in iptables:

root@unknown:/tmp/home/root# iptables -t nat -I POSTROUTING -o vlan2 -j SNAT --to `ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'`
root@unknown:/tmp/home/root# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N shlimit
-N wanin
-N wanout
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j shlimit
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A FORWARD -m account--aaddr 10.20.30.0/255.255.255.0 --aname lan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vlan2 -j wanin
-A FORWARD -o vlan2 -j wanout
-A FORWARD -i br0 -j ACCEPT
-A shlimit -m recent --set --name shlimit --rsource
-A shlimit -m recent --update --seconds 60 --hitcount 4 --name shlimit --rsource -j DROP

wleeb

Thanks @microchip I got it working!

I am new to iptables and was using the wrong switches to show NAT rules. Defaulted my router and started again to grab default rules:

root@unknown:/tmp/home/root# iptables -t nat --line-numbers -L
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    WANPREROUTING  all  --  anywhere             wan1-ip

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  anywhere             anywhere
2    SNAT       all  --  10.20.30.0/24        10.20.30.0/24        to:10.20.30.1

Chain WANPREROUTING (1 references)
num  target     prot opt source               destination
1    DNAT       icmp --  anywhere             anywhere             to:10.20.30.1
root@unknown:/tmp/home/root#

Ran the iptables statement you helped me work out and it now shows up in my NAT rules:

root@unknown:/tmp/home/root# iptables -t nat -I POSTROUTING -o vlan2 -j SNAT --to `ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'`
root@unknown:/tmp/home/root# iptables -t nat --line-numbers -L
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    WANPREROUTING  all  --  anywhere             wan1-ip

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       all  --  anywhere             anywhere             to:10.20.30.65
2    MASQUERADE  all  --  anywhere             anywhere
3    SNAT       all  --  10.20.30.0/24        10.20.30.0/24        to:10.20.30.1

Chain WANPREROUTING (1 references)
num  target     prot opt source               destination
1    DNAT       icmp --  anywhere             anywhere             to:10.20.30.1
root@unknown:/tmp/home/root#


wleeb

Here is the statement to allow NATing of multiple subnets on Tomato:

iptables -t nat -I POSTROUTING -o vlan2 -j SNAT --to `ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'`
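The same rule wrapped in a small script, as an added example that is not part of the thread: it pulls the WAN address out of `ifconfig` output, validates it as an IPv4 address before the value is spliced into the iptables command (so an empty or unexpected ifconfig result never reaches iptables), and checks with `iptables -C` before inserting so a WAN-up script can re-run it without stacking duplicate SNAT rules. `WAN_IF`, the function names and the sample ifconfig text are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. WAN_IF and SAMPLE_IFCONFIG are
# assumptions; the sample mimics busybox `ifconfig vlan2` output on Tomato.
WAN_IF="${WAN_IF:-vlan2}"

SAMPLE_IFCONFIG='vlan2     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.20.30.65  Bcast:10.20.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Read ifconfig text on stdin, print the first "inet addr:" value.
wan_ip_from_ifconfig() {
    sed -n 's/^[[:space:]]*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 only if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Print the POSTROUTING rule arguments for interface $1 and source address $2.
# --to-source is the full spelling of the thread's --to.
snat_args() {
    printf -- '-o %s -j SNAT --to-source %s' "$1" "$2"
}

# Resolve the WAN IP and insert the rule once. SNAT pins a fixed address, so
# this must be re-run when the WAN address changes (e.g. a DHCP renewal).
apply_snat() {
    if command -v ifconfig >/dev/null 2>&1; then
        ip=$(ifconfig "$WAN_IF" 2>/dev/null | wan_ip_from_ifconfig)
    else
        ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | wan_ip_from_ifconfig)
    fi
    is_ipv4 "$ip" || { echo "no valid IPv4 address on $WAN_IF" >&2; return 1; }
    args=$(snat_args "$WAN_IF" "$ip")
    # Unquoted $args is intentional: iptables needs the words split.
    iptables -t nat -C POSTROUTING $args 2>/dev/null \
        || iptables -t nat -I POSTROUTING $args
}

# Usage on the router (e.g. from a WAN-up script): ./snat.sh apply
case "${1:-}" in apply) apply_snat ;; esac
```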

microchip

glad it's working :)