1:1 NAT with a Linksys WRT54GL router (with Tomato firmware)

For a long time I have used a Debian-based machine called megatron as a gateway at home. Megatron had two NICs: one was connected to an SDSL modem, and the other to a Linksys WRT54GL router (which is running the Tomato firmware). These two switched places a while back, so that the router is now connected to the modem and megatron sits behind the router. There are a couple of services running on megatron that need to be reachable from the internets, so I had to do some iptables magic on the router to make that work. This post is mostly a reminder to myself of how to do this, but there might be someone else out there who wants to do the exact same thing.

Earlier, megatron had two public IP addresses (I have 5 from my ISP) on the NIC connected to the modem. One of them was used for SSL traffic to megatron and the other for everything else. The setup now is that megatron has only one NIC, with two internal addresses: and . My router has three public addresses; let's say these are 193.n.n.122, 193.n.n.123 and 193.n.n.124. The first one I will let the router keep, and the other two I will forward to megatron.

First I had to add two addresses to the router, since it only had one. To do this I logged in to the router over ssh and ran the following commands:

# Add the two extra public addresses as aliases on vlan1 (the WAN interface on this router)
ifconfig vlan1:1 193.n.n.123 netmask broadcast 193.n.n.127
ifconfig vlan1:2 193.n.n.124 netmask broadcast 193.n.n.127

To test that these two worked I simply pinged the new IP addresses.

Now I needed to tell the router to forward traffic arriving on these two public addresses to the internal addresses on megatron. iptables to the rescue:

# To megatron: rewrite the destination of packets arriving for each public address (DNAT)
iptables -t nat -I PREROUTING -p all -d 193.n.n.123 -j DNAT --to-destination
iptables -t nat -I PREROUTING -p all -d 193.n.n.124 -j DNAT --to-destination

# From megatron: rewrite the source of packets leaving each internal address so they go out with the matching public address (SNAT)
iptables -t nat -I POSTROUTING -p all -s -j SNAT --to-source 193.n.n.123
iptables -t nat -I POSTROUTING -p all -s -j SNAT --to-source 193.n.n.124

# Accept all ports on the forwarded addresses
# (note: "-p tcp" matches TCP only; UDP and ICMP that the DNAT rules above forward
#  need their own ACCEPT rule if the FORWARD chain's policy is DROP)
iptables -I FORWARD -p tcp -d -j ACCEPT
iptables -I FORWARD -p tcp -d -j ACCEPT

And that's that, really. One last thing I had to do was make these changes permanent. This can be done by putting the ifconfig and iptables commands from this post in the Administration -> Scripts part of the Tomato web GUI: click on Administration, then Scripts, and enter the commands in the Firewall tab.

Remember to click the Save button at the bottom of the page after making these changes.
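As an added example (not code from the original post or from the Tomato project), here is a small POSIX sh script that turns the steps above into a re-runnable firewall script: each mapping is validated, the rules live in their own chains so the script can run again without stacking duplicate -I rules, and the FORWARD rule matches all protocols, not only TCP. The interface name vlan1 comes from the post; the /29 mask, the chain names and the 203.0.113.x/192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or Tomato: build a re-runnable
# 1:1 NAT rule set. Mappings are "public_ip:internal_ip"; addresses, chain
# names and the /29 mask are assumptions, the post's own values are not reused.
WAN_IF="${WAN_IF:-vlan1}"                   # WAN interface on the WRT54GL
WAN_MASK="${WAN_MASK:-255.255.255.248}"     # assumed /29, adjust to your block
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = run them
MAPPINGS="${MAPPINGS:-}"                    # e.g. "203.0.113.123:192.0.2.10"

# Accept a dotted-quad IPv4 address; returns 0 if valid, 1 otherwise.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Own chains, flushed and re-hooked on every run, so re-running the firewall
# script does not stack duplicate -I rules in PREROUTING/POSTROUTING/FORWARD.
setup_chains() {
    for spec in "nat PREROUTING nat11_pre" "nat POSTROUTING nat11_post" \
                "filter FORWARD nat11_fwd"; do
        set -- $spec
        run iptables -t "$1" -N "$3" 2>/dev/null || true
        run iptables -t "$1" -F "$3"
        run iptables -t "$1" -D "$2" -j "$3" 2>/dev/null || true
        run iptables -t "$1" -I "$2" -j "$3"
    done
}

# One public -> internal mapping: $1 public IP, $2 internal IP, $3 alias index.
nat_1to1() {
    is_ipv4 "$1" && is_ipv4 "$2" || { echo "bad mapping: $1 -> $2" >&2; return 1; }
    run ifconfig "$WAN_IF:$3" "$1" netmask "$WAN_MASK"
    run iptables -t nat -A nat11_pre -d "$1" -j DNAT --to-destination "$2"
    run iptables -t nat -A nat11_post -s "$2" -j SNAT --to-source "$1"
    # No "-p tcp": UDP and ICMP reaching the DNATed address are forwarded too.
    run iptables -A nat11_fwd -d "$2" -j ACCEPT
}

apply_all() {
    setup_chains
    i=1
    for pair in "$@"; do nat_1to1 "${pair%%:*}" "${pair#*:}" "$i"; i=$((i + 1)); done
}

# Paste into Administration -> Scripts -> Firewall with DRY_RUN=0 and MAPPINGS set.
if [ -n "$MAPPINGS" ]; then apply_all $MAPPINGS; fi
```

With DRY_RUN left at 1 the script only prints the ifconfig and iptables commands it would run, which is a convenient way to review the rule set before pasting it into the router.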
