For a long time I have used a Debian-based machine called megatron as a gateway at home. Megatron had two NICs: one was connected to an SDSL modem, and the other was connected to a Linksys WRT54GL router (running the Tomato firmware). These two switched places a while back, so that the router is now connected to the modem and megatron sits behind the router. There are a couple of services running on megatron that need to be reachable from the internets, so I had to do some iptables magic on the router to make this work. This post is more of a reminder to myself of how to do this, but there might be someone else out there who wants to do the exact same thing.
Earlier, megatron had two official (public) IP addresses (I have 5 from my ISP) on the NIC connected to the modem. One of them is used for SSL traffic to megatron and the other for everything else. The setup now is that megatron only has one NIC with two internal addresses: 192.168.1.10 and 192.168.1.11. My router has three public addresses. Let's say these are 193.n.n.122, 193.n.n.123 and 193.n.n.124. The first one is the one the router keeps for itself; the other two I will forward to megatron.
First I had to add two addresses to the router, since it only had one. To do this I logged in to the router using ssh and ran the following commands:
# Add the two extra public addresses as aliases on the WAN interface (vlan1)
ifconfig vlan1:1 193.n.n.123 netmask 255.255.255.248 broadcast 193.n.n.127
ifconfig vlan1:2 193.n.n.124 netmask 255.255.255.248 broadcast 193.n.n.127
To test that these two worked I simply pinged the new IP addresses.
Now I needed to tell the router to forward traffic arriving on these two public addresses to the corresponding internal IPs configured on megatron. iptables to the rescue:
# To megatron: rewrite the public destination address to the internal one
iptables -t nat -I PREROUTING -p all -d 193.n.n.123 -j DNAT --to-destination 192.168.1.10
iptables -t nat -I PREROUTING -p all -d 193.n.n.124 -j DNAT --to-destination 192.168.1.11
# From megatron: traffic leaving each internal address gets its own public source address
iptables -t nat -I POSTROUTING -p all -s 192.168.1.10 -j SNAT --to-source 193.n.n.123
iptables -t nat -I POSTROUTING -p all -s 192.168.1.11 -j SNAT --to-source 193.n.n.124
# Accept all ports: every TCP port on both internal addresses is reachable from the outside.
# Note that only TCP is accepted here; UDP and ICMP are still DNATed by the rules above but
# are then subject to whatever the rest of the FORWARD chain does with them.
iptables -I FORWARD -p tcp -d 192.168.1.10 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.1.11 -j ACCEPT
And that's that, really. The last thing I had to do was make these changes permanent. This is done by putting the ifconfig and iptables commands from this post into the Administration -> Scripts part of the Tomato web GUI: click on Administration, then Scripts, and enter the commands in the Firewall tab.
Remember to click the Save button at the bottom of the page after making these changes.
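The same recipe, collected into a script for the Firewall tab, as an added example that is not from the original post: the public/internal pairs become parameters, and the FORWARD rule can be limited to the TCP ports a service actually uses instead of every port on the host. The 193.n.n.x addresses are the post's placeholders, the port lists are assumptions, and IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Alias + DNAT/SNAT/FORWARD recipe as functions, so the address pairs and the
# exposed TCP ports live in one place. Override IPT/IFCONFIG (e.g. IPT=echo)
# to print the commands instead of running them.
IPT=${IPT:-iptables}
IFCONFIG=${IFCONFIG:-ifconfig}
WAN_IF=${WAN_IF:-vlan1}                 # WAN interface on the WRT54GL, as in the post
NETMASK=${NETMASK:-255.255.255.248}     # the /29 from the post
BCAST=${BCAST:-193.n.n.127}             # placeholder broadcast, as in the post

# add_alias INDEX PUBLIC_IP: bind an extra public address to the WAN interface
add_alias() {
    "$IFCONFIG" "$WAN_IF:$1" "$2" netmask "$NETMASK" broadcast "$BCAST"
}

# forward_host PUBLIC_IP INTERNAL_IP [PORTS]
# PORTS: space-separated TCP ports to open. Empty means every TCP port, which
# is what the post does; listing only the services you run exposes less.
forward_host() {
    pub=$1; int=$2; ports=$3
    # inbound: rewrite the public destination to the internal host
    "$IPT" -t nat -I PREROUTING -p all -d "$pub" -j DNAT --to-destination "$int"
    # outbound: traffic from that host leaves with its own public address
    "$IPT" -t nat -I POSTROUTING -p all -s "$int" -j SNAT --to-source "$pub"
    if [ -z "$ports" ]; then
        "$IPT" -I FORWARD -p tcp -d "$int" -j ACCEPT
    else
        for p in $ports; do   # unquoted on purpose: split on spaces
            "$IPT" -I FORWARD -p tcp -d "$int" --dport "$p" -j ACCEPT
        done
    fi
}

# apply_megatron_rules: the post's two mappings; the port lists are hypothetical
apply_megatron_rules() {
    add_alias 1 193.n.n.123
    add_alias 2 193.n.n.124
    forward_host 193.n.n.123 192.168.1.10 "443"      # the SSL address
    forward_host 193.n.n.124 192.168.1.11 "22 80"    # everything else
}
```

Call apply_megatron_rules at the end of the Firewall script; running it once with IPT=echo IFCONFIG=echo first shows exactly which rules will be inserted.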