lord_Galathon
Occasional Visitor
I'm fairly new to Linux scripting and iptables so bear with me. I'm going to use some private IPs to show the example but it should translate to public.
I want to set up an init-start script to run on my AC66U flashed with Merlin; the purpose of the init-start is to set up multiple WAN addresses (I have a pool from my ISP) and forward two of them to two web servers I run on 172.21.100.10 and 11
I had a script that ran on my old router (TP-Link flashed with DD-WRT) that worked so I'm starting from that script that worked.
I'm testing the script line by line by using putty telnetted onto the router.
My pool is 10.10.10.152/29 with 153 as a gateway. My addresses are .154~.158.
The first IP address is easy, I configure the WAN port eth0:1 directly from the web-interface to use 10.10.10.154 which I use for webmail. This one is actually off the script as it's not needed.
Then I assign the two other addresses using the following commands:
ifconfig eth0:2 10.10.10.155 netmask 255.255.255.248 broadcast 10.10.10.153
ifconfig eth0:3 10.10.10.156 netmask 255.255.255.248 broadcast 10.10.10.153
Which results in ifconfig eth0:
eth0 Link encap:Ethernet HWaddr 54:A0:50:5C:BE:88
inet addr:10.10.10.154 Bcast:10.10.10.153 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29391 errors:0 dropped:0 overruns:0 frame:0
TX packets:14488 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3920444 (3.7 MiB) TX bytes:6567216 (6.2 MiB)
Interrupt:4 Base address:0x2000
eth0:2 Link encap:Ethernet HWaddr 54:A0:50:5C:BE:88
inet addr:10.10.10.155 Bcast:10.10.10.159 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:4 Base address:0x2000
eth0:3 Link encap:Ethernet HWaddr 54:A0:50:5C:BE:88
inet addr:10.10.10.156 Bcast:10.10.10.159 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:4 Base address:0x2000
All of the above seems correct and I'm happy.
_______________________________________________________________
Then I want to set up the firewall rules right? So here's what I got so far:
iptables -t nat -I PREROUTING -d 10.10.10.155 -j DNAT --to 172.21.100.10
iptables -t nat -I POSTROUTING -s 172.21.100.10 -j SNAT --to 10.10.10.156
All of the above seems to work. From what I think I understand about iptables, the lines above create a rule that blocks all traffic from both IPs stated. Please correct me if I'm understanding this incorrectly.
Then I want to unblock the port (80) and this is where I get weird:
iptables -i FORWARD -d 172.21.100.10 -p tcp --dport 80 -j ACCEPT
The line above gives me the following error:
iptables v1.3.8: Unknown arg `--delete'
There are several things that don't make sense here:
-Why am I deleting a FORWARD rule?
-Are the rules above creating a firewall rule to block all traffic?
Now I'm stumped and baffled!
Note that the above line does NOT return an error on the TP-Link flashed with DD-WRT.
Any advice is welcome, thanks!
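A corrected version of the forwarding part of the script, added here as an example and not taken from the post: the FORWARD rule is inserted with -I (capital, insert), since lower-case -i is iptables' in-interface match, and the DNAT is narrowed to TCP port 80 so no other port of the internal host is reachable through the public address. It assumes eth0 is the WAN interface, pairs 10.10.10.155 with 172.21.100.10 and 10.10.10.156 with 172.21.100.11, and prints the rules instead of applying them when IPT=echo.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes eth0 is the WAN interface.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF="eth0"
WAN_MASK="255.255.255.248"
WAN_BCAST="10.10.10.159"   # broadcast of 10.10.10.152/29; .153 is the gateway, not the broadcast

# Bring up one extra WAN address as an alias:  add_wan_alias <index> <ip>
add_wan_alias() {
    ifconfig "${WAN_IF}:$1" "$2" netmask "$WAN_MASK" broadcast "$WAN_BCAST"
}

# Publish one internal host on one public address for a single TCP port:
#   forward_web <public_ip> <internal_ip> <port>
# Only that port is DNATed, only packets arriving on the WAN interface match,
# and the FORWARD rule is inserted with -I (lower-case -i is the in-interface match).
forward_web() {
    pub="$1"; int="$2"; port="$3"
    $IPT -t nat -I PREROUTING -i "$WAN_IF" -d "$pub" -p tcp --dport "$port" \
         -j DNAT --to-destination "$int:$port"
    # Traffic the server originates leaves with its own public address
    $IPT -t nat -I POSTROUTING -o "$WAN_IF" -s "$int" -j SNAT --to-source "$pub"
    # Admit only the forwarded port into the server; everything else stays at
    # the FORWARD chain's existing policy
    $IPT -I FORWARD -i "$WAN_IF" -d "$int" -p tcp --dport "$port" -j ACCEPT
}

# Emit the rule set for the two servers without applying it (assumed pairing
# of public to internal addresses):  rules_preview
rules_preview() {
    ( IPT=echo; forward_web 10.10.10.155 172.21.100.10 80 )
    ( IPT=echo; forward_web 10.10.10.156 172.21.100.11 80 )
}
```

On Asuswrt-Merlin the nat and filter rules belong in /jffs/scripts/firewall-start rather than init-start, because the firmware rebuilds its iptables rules later in boot and rules added in init-start can be flushed.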