I have a router running a version 2.6 Linux kernel and iptables. Attached to its WAN interface is a DSL modem. Normally this interface has no IP address assigned, as that gets assigned to the PPPoE virtual interface. I'd like to expose the web management interface on the DSL modem to the LAN. (Something I think ought to be a feature in the 3rd party router firmwares.)

To sum up, the structure is like:

  { Internet } -- [ DSL Modem ] -- [WAN router LAN] -- { LAN }

To accomplish this, I assigned an IP address to the router's WAN port in the same network range as the modem's default IP. I've successfully pinged the modem and connected to its HTTP server via telnet from the router. So that part is working.

I could then add an iptables rule to map port 80 on the modem to some arbitrary port on the router, but I figured why bother with that when LAN IPs are plentiful, and an IP alias would allow any and all ports of the modem to be exposed.

So I created an IP alias on the router's LAN interface, and then followed these guides on creating one-to-one NAT iptables rules:

  http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT
  http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html

These are written from the perspective of someone adding additional public IP addresses to their router and mapping them to machines on the LAN. In this case I was inverting the model, and mapping a LAN-range IP to a device on the WAN side.

I tried:

  # iptables -t nat -I PREROUTING -i br0 -d 192.168.0.21 -j DNAT --to-destination 192.168.1.1
  # iptables -t nat -I POSTROUTING -s 192.168.1.1 -j SNAT --to-source 192.168.0.21

The first rule is supposed to take packets arriving on the LAN interface (br0) destined for the IP alias (192.168.0.21, "public IP") and rewrite them to go to the target device (192.168.1.1, DSL modem). The second rule takes packets that were sent by the modem, and just before they leave the router, rewrites them so they appear to have come from the IP alias.

This gives me:

  # iptables -t nat -L -n -v
  Chain PREROUTING (policy ACCEPT 3288K packets, 350M bytes)
   pkts bytes target         prot opt in     out     source               destination
      1    60 DNAT           all  --  br0    *       0.0.0.0/0            192.168.0.21         to:192.168.1.1
  1320K  124M WANPREROUTING  all  --  *      *       0.0.0.0/0            66.x.x.x
      0     0 DROP           all  --  ppp+   *       0.0.0.0/0            192.168.0.0/24

  Chain POSTROUTING (policy ACCEPT 315K packets, 19M bytes)
   pkts bytes target         prot opt in     out     source               destination
      0     0 SNAT           all  --  *      *       192.168.1.1          0.0.0.0/0            to:192.168.0.21
  2040K  216M MASQUERADE     all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0

When I try connecting to the modem's web interface from the LAN, the browser just times out waiting for a reply. The packet/byte counts reported seem to indicate that the packets to the modem are being sent, but the replies are not passed back to the LAN.

Suggestions?

 -Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
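The post reads the `iptables -t nat -L -n -v` counters to work out where the reply path breaks. As an added example (not from Tom's post), here is a small Python parser for that listing which reports the DNAT/SNAT rules that have never matched a packet; the sample input is the counter output quoted above.

```python
from dataclasses import dataclass

# Constructed sample: the NAT table counters shown in the post above.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 3288K packets, 350M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       all  --  br0    *       0.0.0.0/0            192.168.0.21        to:192.168.1.1
1320K  124M WANPREROUTING  all  --  *      *       0.0.0.0/0            66.x.x.x
    0     0 DROP       all  --  ppp+   *       0.0.0.0/0            192.168.0.0/24

Chain POSTROUTING (policy ACCEPT 315K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.1.1          0.0.0.0/0           to:192.168.0.21
2040K  216M MASQUERADE  all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0
"""

_SUFFIX = {"K": 1000, "M": 1_000_000, "G": 1_000_000_000}

def parse_count(tok):
    """Convert an iptables -v counter such as '1320K' to an integer."""
    if tok[-1] in _SUFFIX:
        return int(tok[:-1]) * _SUFFIX[tok[-1]]
    return int(tok)

@dataclass
class Rule:
    chain: str; pkts: int; nbytes: int; target: str; proto: str
    in_if: str; out_if: str; src: str; dst: str; extra: str

def parse_nat_table(text):
    """Parse 'iptables -t nat -L -n -v' output into Rule objects."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        f = line.split()
        # Columns: pkts bytes target prot opt in out source destination [extra]
        if len(f) < 9 or f[0] == "pkts":
            continue
        rules.append(Rule(chain, parse_count(f[0]), parse_count(f[1]), f[2], f[3],
                          f[5], f[6], f[7], f[8], " ".join(f[9:])))
    return rules

def unmatched_nat_rules(text):
    """Return 'CHAIN TARGET src->dst' for NAT rewrite rules with zero hits.
    A DNAT rule with hits and its SNAT counterpart with none means the
    rewritten packets left the router but no reply came back through it."""
    return [f"{r.chain} {r.target} {r.src}->{r.dst}"
            for r in parse_nat_table(text)
            if r.pkts == 0 and r.target in ("DNAT", "SNAT")]

if __name__ == "__main__":
    for entry in unmatched_nat_rules(SAMPLE):
        print("no hits:", entry)
```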