OpenWrt Forum Archive

Topic: (easy?) iptables question

The content of this topic has been archived on 15 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Ok, I think this should be a pretty easy question for anyone that knows their way around routing and iptables.  Unfortunately I don't fit in that category :(

I have an adsl modem that provides a telnet interface.  Ideally, I would like to access that from my computer directly.  The biggest problem is already solved, which is to have access while it's plugged into the WAN port of my wrtsl54gs (running WR RC5).  Following the instructions here: http://www.dd-wrt.com/wiki/index.php/Ac … figuration I can telnet from OpenWRT into the modem.  I don't know why the modem and LAN ports need to be on different networks (I'm using 192.168.1 for the modem and 192.168.0 for my LAN), but I followed the instructions and it works.  As a bonus when I try telnetting from my computer it's silent instead of giving me no route to host.

So now it's a firewall issue.  I verified that disabling the firewall lets me telnet to the modem.  But I can't find the magic incantation to get iptables to allow me access without disabling the entire firewall.  Help would be appreciated.

Notes:
modem IP: 192.168.1.1
WAN alias: eth1:1  (IP: 192.168.1.10)
LAN interface: br0 (I believe that's the interface covering both wired & wireless, which is what I want)
machines on LAN: 192.168.0.xxx

Anything else that would be useful?

I created a new file, /etc/init.d/S52modemroute with the following contents:

#!/bin/sh

# Establish a route between the LAN and the DSL Modem

# Get the protocol of the WAN connection
WANPROTO="$(nvram get wan_proto)"

if [  "$WANPROTO" = "pppoe" ]; then
        # Static IP addresses for the modem and WAN device:
        MODEM_IP="192.168.0.1"
        WANDEV_IP="192.168.0.2"

        # Assign a static IP address to the WAN interface
        ifconfig eth1 $WANDEV_IP

        # Create firewall rules
        iptables -A forwarding_rule -d $MODEM_IP -j ACCEPT
        iptables -t nat -A POSTROUTING -d $MODEM_IP -j MASQUERADE
fi

That creates the necessary route to the modem.  Make sure you chmod the file too.  Of course, try out the iptables rules before creating the file and committing the changes, otherwise you might need to boot the router into safemode to remove the rules.
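Added example, not part of the original post or of OpenWrt's own scripts: a narrower variant of the two rules above that forwards only telnet (TCP 23) from the LAN bridge to the modem, rather than any traffic from any interface. The interface names and addresses are the ones from the question's notes; the DRY_RUN switch and the helper names (ipt, add_rule, modem_rules) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: least-privilege version of the modem rules.
# Addresses and interfaces are the ones listed in the question's notes.
LAN_IF="br0"              # LAN bridge (wired + wireless)
LAN_NET="192.168.0.0/24"  # LAN subnet
WAN_DEV="eth1"            # physical WAN port the modem is plugged into
MODEM_IP="192.168.1.1"    # modem management address
MODEM_PORT="23"           # telnet only
DRY_RUN="${DRY_RUN:-1}"   # assumption: 1 = print commands, 0 = apply (needs root)

# Print or execute a single iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Append a rule, deleting any earlier copy first so that re-running the
# script (for example on every boot) never stacks duplicates.
add_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" != "1" ]; then
        iptables -t "$table" -D "$chain" "$@" 2>/dev/null || true
    fi
    ipt -t "$table" -A "$chain" "$@"
}

modem_rules() {
    # Forward only LAN-originated telnet to the modem. Replies are assumed to be
    # covered by the firewall's existing ESTABLISHED,RELATED accept rule.
    add_rule filter forwarding_rule -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_DEV" \
        -d "$MODEM_IP" -p tcp --dport "$MODEM_PORT" -j ACCEPT
    # Masquerade the same flow so the modem answers the router's 192.168.1.x
    # address and needs no route back to the LAN subnet.
    add_rule nat POSTROUTING -o "$WAN_DEV" -s "$LAN_NET" -d "$MODEM_IP" \
        -p tcp --dport "$MODEM_PORT" -j MASQUERADE
}

modem_rules
```

Run it as-is to review the two commands it would issue, then with DRY_RUN=0 on the router to apply them.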

bkloppenborg wrote:

I created a new file, /etc/init.d/S52modemroute with the following contents:

Thanks bkloppenborg for that script.  Those commands were essentially what I had, but much cleaner.  I ran them and got the same situation as I had -- after executing them I am able to telnet to the modem from my ssh session on the router.  However, any requests from clients on the LAN to the modem get lost in the void.  But since the script was so nice I made it execute on boot just like you had and lo and behold, after a reboot I *CAN* telnet directly from a machine on the LAN.  I really have no idea what the difference is (timing of the commands?) but at this point I no longer care 'cause It Works :)

Thanks again.

... now, how do I edit the topic to say [SOLVED]?

The discussion might have continued from here.