I'm using a DSL-5300 VDSL modem/router which is set up with NAT for my house, and works great. Its web interface hasn't been written to support a mix of NAT and no-NAT traffic.
I've been assigned 8 public IP addresses. I've set up a linux box on one of these IPs, and wired it (eth0) to the modem.
Logging in as root to my modem and using tcpdump, I can see traffic coming in for my IPs on interface "br0". I can also see traffic from my internal host using its IP on "eth0".
I'm trying to tell the router to simply relay all external traffic destined to one of my /29 (8 IPs) to my linux host, and return all internal traffic from any of my /29 sources of my 8 IPs to the internet.
Can anyone explain how to do this, or if it's the correct approach?
I started with this, which fails with: iptables v1.4.21: Couldn't find target `NOTRACK':
iptables -t raw -A PREROUTING -s 203.139.179.48/29 -j NOTRACK
(and, for reference, the -t raw is empty as well)
I'm guessing I need to use the -t filter table instead, at the top (before NAT), somehow, although I'm not entirely sure.
Can anyone suggest rules to use? Should I be adding a "route" instead, or as well? Do I need to spell out the interfaces to my modem, or should I give my linux box a LAN IP, and tell my modem to send all traffic to "that IP", but without actually mangling anything (e.g. leave the destination IP in the packet as 203.139.179.49 and just use the 192.168.1.x IP as some kind of means to understand which interface (eth0) it needs to go through?)
Update: I got one IP working with NAT, but I don't want to use NAT on my public IPs - I want direct for those. This is what got NAT going:
iptables -t nat -A DMZ_PREROUTING -d 203.139.179.49/32 -j DNAT --to-destination 192.168.1.250
(I set my linux box up on 192.168.1.250 - but as I said, I want to change that back to 203.139.179.49/29 (all 8 public IPs)). Here's how the tables looked before the above:
# Generated by iptables-save v1.4.21 on Thu Feb 25 21:25:24 2021
*raw
:PREROUTING ACCEPT [757713:146949682]
:OUTPUT ACCEPT [487359:155842609]
COMMIT
# Completed on Thu Feb 25 21:25:24 2021
# Generated by iptables-save v1.4.21 on Thu Feb 25 21:25:24 2021
*nat
:PREROUTING ACCEPT [3356:465245]
:INPUT ACCEPT [685:68545]
:OUTPUT ACCEPT [683:72201]
:POSTROUTING ACCEPT [861:82958]
:DMZ_POSTROUTING - [0:0]
:DMZ_PREROUTING - [0:0]
:MINIUPNPD - [0:0]
:POSTROUTING_MASQUERADE - [0:0]
:PRE_WAN_INFILTER - [0:0]
:REMOTEMANGE_PREROUTING - [0:0]
-A PREROUTING -j REMOTEMANGE_PREROUTING
-A PREROUTING -j DMZ_PREROUTING
-A PREROUTING -i eth0.1 -j MINIUPNPD
-A PREROUTING -i eth0.1 -j PRE_WAN_INFILTER
-A POSTROUTING -j DMZ_POSTROUTING
-A POSTROUTING -j POSTROUTING_MASQUERADE
-A DMZ_POSTROUTING -s 192.168.1.1/32 -d 192.168.1.250/32 -j ACCEPT
-A DMZ_POSTROUTING -s 192.168.1.0/24 -d 192.168.1.250/32 -j SNAT --to-source 110.243.62.22
-A DMZ_POSTROUTING -s 192.168.7.1/32 -d 192.168.1.250/32 -j ACCEPT
-A DMZ_POSTROUTING -s 192.168.7.0/24 -d 192.168.1.250/32 -j SNAT --to-source 110.243.62.22
-A DMZ_PREROUTING -i eth0.1 -p udp -m udp --sport 67:68 -j ACCEPT
-A DMZ_PREROUTING -i eth0.1 -p 47 -j ACCEPT
-A DMZ_PREROUTING -i eth0.1 -p udp -m udp --sport 1701 -j ACCEPT
-A DMZ_PREROUTING -i eth0.1 -p tcp -m tcp --sport 1723 -j ACCEPT
-A DMZ_PREROUTING -d 110.243.62.22/32 -j DNAT --to-destination 192.168.1.250
-A POSTROUTING_MASQUERADE -s 192.168.1.0/24 -o eth0.1 -j MASQUERADE
-A POSTROUTING_MASQUERADE -s 192.168.7.0/24 -o eth0.1 -j MASQUERADE
-A POSTROUTING_MASQUERADE -s 10.8.0.0/24 -o eth0.1 -j MASQUERADE
-A PRE_WAN_INFILTER -p tcp -m tcp --dport 8091 -j ACCEPT
-A PRE_WAN_INFILTER -p tcp -m tcp --dport 8090 -j ACCEPT
-A PRE_WAN_INFILTER -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PRE_WAN_INFILTER -j DROP
COMMIT
# Completed on Thu Feb 25 21:25:24 2021
# Generated by iptables-save v1.4.21 on Thu Feb 25 21:25:24 2021
*mangle
:PREROUTING ACCEPT [42331:8881456]
:INPUT ACCEPT [29716:7485804]
:FORWARD ACCEPT [10415:1252489]
:OUTPUT ACCEPT [28687:7955617]
:POSTROUTING ACCEPT [39144:9224902]
COMMIT
# Completed on Thu Feb 25 21:25:24 2021
# Generated by iptables-save v1.4.21 on Thu Feb 25 21:25:24 2021
*filter
:INPUT ACCEPT [29588:7478145]
:FORWARD ACCEPT [10231:1241814]
:OUTPUT ACCEPT [28644:7927631]
:ALG_FORWARD - [0:0]
:DMZ_FORWARD - [0:0]
:GRC_INPUT - [0:0]
:MACFILTER_FORWARD - [0:0]
:MINIUPNPD - [0:0]
:REMOTEMANGE_INPUT - [0:0]
:WLAN_GUEST_LOGIN_INPUT - [0:0]
-A INPUT -j GRC_INPUT
-A INPUT -j REMOTEMANGE_INPUT
-A INPUT -j WLAN_GUEST_LOGIN_INPUT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j MACFILTER_FORWARD
-A FORWARD -j DMZ_FORWARD
-A FORWARD -i eth0.1 ! -o eth0.1 -j MINIUPNPD
-A FORWARD -j ALG_FORWARD
-A DMZ_FORWARD -d 192.168.1.250/32 -i eth0.1 -j ACCEPT
-A GRC_INPUT -m state --state INVALID -j DROP
-A GRC_INPUT -p tcp -m tcp --dport 0 -j DROP
-A GRC_INPUT -p tcp -m tcp --dport 1 -j DROP
-A GRC_INPUT -p tcp -m tcp --dport 8081 -j DROP
-A REMOTEMANGE_INPUT -d 110.243.62.22/32 -p tcp -m tcp --dport 443 -j DROP
-A REMOTEMANGE_INPUT -d 110.243.62.22/32 -p tcp -m tcp --dport 80 -j DROP
-A REMOTEMANGE_INPUT -i br+ -p tcp -m tcp --dport 443 -j DROP
-A WLAN_GUEST_LOGIN_INPUT -d 192.168.1.1/32 -i br1 -p tcp -m tcp --dport 80 -j DROP
-A WLAN_GUEST_LOGIN_INPUT -d 192.168.1.1/32 -i br1 -p tcp -m tcp --dport 443 -j DROP
-A WLAN_GUEST_LOGIN_INPUT -d 192.168.7.1/32 -i br+ -p tcp -m tcp --dport 80 -j DROP
-A WLAN_GUEST_LOGIN_INPUT -d 192.168.7.1/32 -i br+ -p tcp -m tcp --dport 443 -j DROP
COMMIT
# Completed on Thu Feb 25 21:25:24 2021
What's the way to point traffic at an internal "public" IP? Is there a "-j NONAT" or similar trick that understands the "--to-destination" concept, without re-writing the IPs in the packet headers? (FYI - there are no other switches between my linux box and the router).
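Before bypassing NAT for the /29 it helps to know exactly which existing nat rules could rewrite its packets, and whether the raw table already skips conntrack for it (current kernels provide the NOTRACK behaviour as `-j CT --notrack`). The Python below is an added audit of an iptables-save dump for those two questions; it is not part of the post or the router's firmware, and it runs on an abridged, constructed copy of the tables above plus the DNAT rule the asker added later.

```python
import ipaddress
import shlex
# Constructed sample: the question's nat table (abridged) + the asker's later DNAT rule; raw is empty.
SAMPLE_DUMP = """\
*raw
COMMIT
*nat
-A DMZ_PREROUTING -d 110.243.62.22/32 -j DNAT --to-destination 192.168.1.250
-A DMZ_PREROUTING -d 203.139.179.49/32 -j DNAT --to-destination 192.168.1.250
-A POSTROUTING_MASQUERADE -s 192.168.1.0/24 -o eth0.1 -j MASQUERADE
COMMIT
"""
NAT_TARGETS = {"DNAT", "SNAT", "MASQUERADE", "NETMAP", "REDIRECT"}

def parse_rules(dump):
    """Yield (table, chain, args) for every -A line of an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            args = shlex.split(line)
            yield table, args[1], args[2:]

def selectors_can_match(args, prefix):
    """True if the rule's -s/-d selectors could match prefix; none means wildcard."""
    for flag in ("-s", "-d"):
        if flag not in args:
            continue
        idx = args.index(flag)
        sel = ipaddress.ip_network(args[idx + 1], strict=False)
        negated = idx > 0 and args[idx - 1] == "!"
        # "! -s X" never matches inside X; plain "-s X" never matches outside X
        if prefix.subnet_of(sel) if negated else not sel.overlaps(prefix):
            return False
    return True

def nat_rules_touching(dump, prefix):
    """Return 'chain: rule' for each nat-table rule that could rewrite prefix traffic."""
    prefix = ipaddress.ip_network(prefix)
    hits = []
    for table, chain, args in parse_rules(dump):
        target = args[args.index("-j") + 1] if "-j" in args else None
        if table == "nat" and target in NAT_TARGETS and selectors_can_match(args, prefix):
            hits.append(f"{chain}: {' '.join(args)}")
    return hits

def raw_has_notrack(dump):
    """True if any raw-table rule bypasses conntrack (-j CT --notrack or legacy -j NOTRACK)."""
    return any(t == "raw" and ("--notrack" in a or "NOTRACK" in a)
               for t, _, a in parse_rules(dump))
```

On the sample, only the asker's own `-d 203.139.179.49/32 -j DNAT` rule touches the /29 and the raw table bypasses nothing, so after removing that DNAT rule the remaining work is routing and conntrack, not more NAT rules.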