Was auditing my firewall recently and realized that the systems I have set up with their own public IP are exposing all open ports. I believe this started when I upgraded to 14.07. In general I try to do as much of my config via LuCI as possible. That said, I have never found a way to set up this 1:1 NAT (DNAT + SNAT) for my static IPs.

What I have done is set up new interfaces for the two additional static IPs. Then I added the following lines to my firewall.user file:

# host1 Static NAT
iptables -t nat -I PREROUTING -d 20.22.23.117 -j DNAT --to-destination 10.1.1.89
iptables -t nat -I POSTROUTING -s 10.1.1.89 -j SNAT --to-source 20.22.23.117

# host2 Static NAT
iptables -t nat -I PREROUTING -d 20.22.23.115 -j DNAT --to-destination 10.1.1.94
iptables -t nat -I POSTROUTING -s 10.1.1.94 -j SNAT --to-source 20.22.23.115

This results in the correct behavior for rewriting the IP addresses and works like a champ. Previously this also applied the firewall filtering rules to the traffic. What I'm seeing now is that all ports are allowed and seem to skip the filtering rules. I have done a fair bit of troubleshooting so far: disabling all my firewall rules, tweaking the wan zone config settings. It's always all or nothing with ports on these 1:1 NAT hosts.

Is there a better approach for doing this? Other suggestions?

Thanks,
Blake

_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
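One way to express the same 1:1 NAT through OpenWrt's own firewall config rather than raw iptables in firewall.user, as an added example that is not part of the original post or of OpenWrt itself: a small POSIX sh generator that emits fw3 "redirect" stanzas for /etc/config/firewall. It assumes OpenWrt 14.07's fw3 with zones named "wan" and "lan" (both assumptions), that the public addresses are already configured on a wan-side interface, and it reuses the addresses from the post. The outbound SNAT covers all protocols, but the inbound side is one DNAT per listed proto:port, so only those ports reach the host; anything else sent to the public IP falls through to the wan zone's default policy instead of being forwarded.

```shell
#!/bin/sh
# Added example (not from the post or the OpenWrt project): generate
# /etc/config/firewall "redirect" sections for 1:1 NAT on fw3.
# Assumptions: OpenWrt 14.07 / fw3, zone names "wan" and "lan".

# usage: static_nat_config NAME PUBLIC_IP PRIVATE_IP "proto:port ..."
static_nat_config() {
    name=$1; pub=$2; priv=$3; services=$4

    # Outbound: rewrite the host's source address to its public IP for every protocol.
    printf "config redirect\n"
    printf "\toption name '%s_snat'\n" "$name"
    printf "\toption target 'SNAT'\n"
    printf "\toption src 'lan'\n"
    printf "\toption dest 'wan'\n"
    printf "\toption src_ip '%s'\n" "$priv"
    printf "\toption src_dip '%s'\n" "$pub"
    printf "\toption proto 'all'\n\n"

    # Inbound: one DNAT per permitted service. fw3 pairs each DNAT redirect with
    # a forward ACCEPT for that traffic, so this list is the effective allow-list.
    for svc in $services; do
        proto=${svc%%:*}; port=${svc#*:}
        printf "config redirect\n"
        printf "\toption name '%s_%s_%s'\n" "$name" "$proto" "$port"
        printf "\toption target 'DNAT'\n"
        printf "\toption src 'wan'\n"
        printf "\toption src_dip '%s'\n" "$pub"
        printf "\toption src_dport '%s'\n" "$port"
        printf "\toption dest 'lan'\n"
        printf "\toption dest_ip '%s'\n" "$priv"
        printf "\toption dest_port '%s'\n" "$port"
        printf "\toption proto '%s'\n\n" "$proto"
    done
}

# Number of DNAT stanzas produced, i.e. how many ports will be reachable from outside.
dnat_count() {
    static_nat_config "$@" | grep -c "option target 'DNAT'"
}

# Example with the post's host1: reachable only on ssh and https (constructed port list).
static_nat_config host1 20.22.23.117 10.1.1.89 "tcp:22 tcp:443"
```

Append the output to /etc/config/firewall, remove the hand-written PREROUTING/POSTROUTING lines from firewall.user so the two do not overlap, and restart the firewall. To confirm the result, `iptables -t nat -S | grep 20.22.23.117` should show the SNAT and only the listed DNATs, and `iptables -S | grep 10.1.1.89` should show the matching forward accepts; a port not in the list should then be rejected by the wan zone rather than forwarded.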
