I have a DD-WRT router with two subnets, 192.168.0.0/24 and 192.168.8.0/24. The latter is used for a 'guest' WiFi network. Traffic between subnets is filtered using iptables.
What I would like to do is enable printing from the guest subnet, i.e. permit traffic from 192.168.8.0/24 to 192.168.0.2 port 631.
My current iptables is like this:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -p tcp --dport 631 -d 192.168.0.2 -m state --state NEW -j ACCEPT
#iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
When I uncomment the commented POSTROUTING line, it seems to work. But then everything in the server logs (e.g. HTTP logs) shows as the router's LAN IP address (192.168.0.1).
Can anyone suggest the best way to solve this? Thanks.
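The following is an added example, not part of the question and not DD-WRT or iptables code. It replays the FORWARD rules from the post as a small first-match evaluator so the effective chain order can be checked offline: `-I` inserts at the head of the chain, so the chain ends up in the reverse of the script's order, and the rule set is only correct because of that. It also models what the POSTROUTING SNAT rule does to the source address, and a narrower SNAT match restricted to the printer flow, so that log masking is confined to that one host. Assumptions: `nvram get lan_ipaddr` and `nvram get lan_netmask` are taken to be 192.168.0.1 and 255.255.255.0, the TCPMSS rule is simplified to "any TCP", and the FORWARD chain policy (not shown in the post) is reported as `POLICY`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Addresses from the post. The nvram values are assumed (not given in the post).
LAN = ipaddress.ip_network("192.168.0.0/24")
GUEST_IF, LAN_IF = "br1", "br0"
PRINTER = ipaddress.ip_address("192.168.0.2")
ROUTER_LAN_IP = ipaddress.ip_address("192.168.0.1")


@dataclass(frozen=True)
class Packet:
    in_if: str        # ingress bridge interface
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    new: bool = True  # conntrack state NEW


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Packet], bool]
    target: str       # ACCEPT / DROP terminate the chain; TCPMSS does not


def _dst(p: Packet) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(p.dst)


# The four FORWARD rules of the post, in the order the script issues them.
# (--tcp-flags SYN,RST SYN is simplified to "any TCP" here.)
SCRIPT_ORDER = [
    Rule("accept_new_from_guest",
         lambda p: p.in_if == GUEST_IF and p.new, "ACCEPT"),
    Rule("tcpmss",
         lambda p: p.proto == "tcp", "TCPMSS"),
    Rule("drop_guest_to_lan",
         lambda p: p.in_if == GUEST_IF and _dst(p) in LAN and p.new, "DROP"),
    Rule("accept_printer",
         lambda p: p.in_if == GUEST_IF and p.proto == "tcp" and p.dport == 631
         and _dst(p) == PRINTER and p.new, "ACCEPT"),
]


def build_chain(rules=SCRIPT_ORDER, insert=True):
    """Replay the script. With -I each rule goes to position 1, so the final
    chain is the reverse of the script order; insert=False models -A."""
    chain = []
    for r in rules:
        if insert:
            chain.insert(0, r)
        else:
            chain.append(r)
    return chain


def forward_verdict(chain, p: Packet, policy="POLICY") -> str:
    """First terminating match wins; non-terminating targets fall through."""
    for r in chain:
        if r.match(p) and r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target
    return policy


def postrouting_source(p: Packet, out_if: str, snat_only_printer: bool) -> str:
    """Source address the destination host sees after POSTROUTING.
    snat_only_printer=False is the post's rule (-o br0 -j SNAT, no -d/-p match):
    every flow leaving br0 carries the router's LAN IP, which is why the server
    logs show 192.168.0.1. snat_only_printer=True adds
    '-d 192.168.0.2 -p tcp --dport 631' to the match so only the printer flow
    is rewritten."""
    if out_if != LAN_IF:
        return p.src
    is_printer_flow = _dst(p) == PRINTER and p.proto == "tcp" and p.dport == 631
    if snat_only_printer and not is_printer_flow:
        return p.src
    return str(ROUTER_LAN_IP)


if __name__ == "__main__":
    chain = build_chain()
    print("effective FORWARD order:", [r.name for r in chain])
    for pkt in (Packet("br1", "tcp", "192.168.8.10", "192.168.0.2", 631),
                Packet("br1", "tcp", "192.168.8.10", "192.168.0.5", 80),
                Packet("br1", "tcp", "192.168.8.10", "93.184.216.34", 443)):
        print(pkt.dst, pkt.dport, "->", forward_verdict(chain, pkt))
```

Running it shows the printer flow accepted, other guest-to-LAN traffic dropped and guest-to-Internet traffic accepted; rebuilding the same rules with `insert=False` (as `-A` would) puts the blanket ACCEPT first and the DROP never fires, so the isolation depends entirely on `-I` semantics.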