NATing multiple subnets with DDWRT is very straight forward by adding the following Firewall rule:
"iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`"
Apparently Tomato does not recognize 'get_wanface' or 'nvram get wan_ipaddr'. I can hard code the WAN interface into the statement (e.g. vlan2) so that takes care of 'get_wanface' but not sure how I get the WAN's IP address.
Does anyone know a command that will retrieve the current WAN IP that can be used in an iptables statement?
You can use "ifconfig vlan2" combined with grep (and maybe awk) to get the WAN IP
For example: ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'
Thanks, this does return the WAN IP address, however I am not sure how to incorporate it into the iptables statement. I tried using it directly, then with single and double quotes, and it fails on all:
root@unknown:/tmp/home/root# iptables -t nat -I POSTROUTING -o vlan2 -j SNAT -to ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'
Bad argument `ifconfig'
Try `iptables -h' or 'iptables --help' for more information.
root@unknown:/tmp/home/root# iptables -t nat -I POSTROUTING -o vlan2 -j SNAT -to 'ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}''
Bad argument `ifconfig vlan2 | grep inet'
Try `iptables -h' or 'iptables --help' for more information.
root@unknown:/tmp/home/root# iptables -t nat -I POSTROUTING -o vlan2 -j SNAT -to "ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'"
Bad argument `ifconfig vlan2 | grep 'inet addr' | awk -F: '{print }' | awk '{print }''
Try `iptables -h' or 'iptables --help' for more information.
root@unknown:/tmp/home/root#
Try this http://pastebin.com/qxkbxmcJ
Almost there, now getting a 'Bad argument '10.20.30.60'', my WAN IP.
root@unknown:/tmp/home/root# iptables -t nat -I POSTROUTING -o vlan2 -j SNAT -to `ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'`
Bad argument `10.20.30.60'
Try `iptables -h' or 'iptables --help' for more information.
root@unknown:/tmp/home/root#
Got it taking the iptables statement now, the '-to' required a double-hyphen '--to', however the rule does not show up in iptables:
root@unknown:/tmp/home/root# iptables -t nat -I POSTROUTING -o vlan2 -j SNAT --to `ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'`
root@unknown:/tmp/home/root# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N shlimit
-N wanin
-N wanout
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j shlimit
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A FORWARD -m account--aaddr 10.20.30.0/255.255.255.0 --aname lan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vlan2 -j wanin
-A FORWARD -o vlan2 -j wanout
-A FORWARD -i br0 -j ACCEPT
-A shlimit -m recent --set --name shlimit --rsource
-A shlimit -m recent --update --seconds 60 --hitcount 4 --name shlimit --rsource -j DROP
Thanks @microchip I got it working!
I am new to iptables and was using the wrong switches to show NAT rules. Defaulted my router and started again to grab default rules:
root@unknown:/tmp/home/root# iptables -t nat --line-numbers -L
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 WANPREROUTING all -- anywhere wan1-ip
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- anywhere anywhere
2 SNAT all -- 10.20.30.0/24 10.20.30.0/24 to:10.20.30.1
Chain WANPREROUTING (1 references)
num target prot opt source destination
1 DNAT icmp -- anywhere anywhere to:10.20.30.1
root@unknown:/tmp/home/root#
Ran the iptables statement you helped me work out and it now shows up in my NAT rules:
root@unknown:/tmp/home/root# iptables -t nat -I POSTROUTING -o vlan2 -j SNAT --to `ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'`
root@unknown:/tmp/home/root# iptables -t nat --line-numbers -L
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 WANPREROUTING all -- anywhere wan1-ip
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT all -- anywhere anywhere to:10.20.30.65
2 MASQUERADE all -- anywhere anywhere
3 SNAT all -- 10.20.30.0/24 10.20.30.0/24 to:10.20.30.1
Chain WANPREROUTING (1 references)
num target prot opt source destination
1 DNAT icmp -- anywhere anywhere to:10.20.30.1
root@unknown:/tmp/home/root#
Here is the statement to allow NATing of multiple subnets on Tomato:
iptables -t nat -I POSTROUTING -o vlan2 -j SNAT --to `ifconfig vlan2 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'`
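As an added example (not from the thread), a small POSIX shell script that does the same WAN-address extraction and rule construction defensively: the `ifconfig` output is constructed sample text, the interface name `vlan2` is the one used above, and the rule is only produced when an address was actually parsed, so an empty command substitution can never yield a broken `--to`.

```shell
#!/bin/sh
# Added example, not code from the thread: parse the WAN address out of
# BusyBox-style "ifconfig <iface>" output and build the SNAT rule from it,
# refusing to emit a rule when no address was found. The ifconfig text below
# is constructed sample output; the interface name vlan2 is from the thread.

SAMPLE_IFCONFIG='vlan2     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.20.30.65  Bcast:10.20.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Print the IPv4 address that follows "inet addr:"; print nothing if absent.
wan_ip_from_ifconfig() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Build the POSTROUTING SNAT rule for the given interface and address.
# Returns 1 and prints nothing when the address is empty or not dotted-quad,
# so "iptables ... --to" is never run with a missing or garbage argument.
build_snat_rule() {
    iface=$1
    ip=$2
    case $ip in
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    printf 'iptables -t nat -I POSTROUTING -o %s -j SNAT --to %s\n' "$iface" "$ip"
}

# Typical use on the router itself (commented out so the script runs offline):
# ip=$(wan_ip_from_ifconfig "$(ifconfig vlan2)")
# rule=$(build_snat_rule vlan2 "$ip") && eval "$rule"
```

Because the SNAT target bakes the address in at insertion time, the rule goes stale if the WAN address changes; run it from the firewall script whenever the WAN comes up rather than once by hand.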
glad it's working :)