i was wondering.. is there any way through IPTABLES to build "Static NAT" that will look like this:

and i want to make my network use this "Static NAT" option

So i've been reading lots of HOW-TO's but nowhere have "commands" how-to-make it work?
What do i have to set in my router so this Static NAT works?
Do i have to set my router in "STATIC IP" mode, or DHCP, or something..

I have one "ethernet lan cable" from my wireless that i plug it in my "Internet" PIN at "WRT54G" installed OpenWRT WHITE RUSSIAN (pre-RC4), and i got 1 other lan cable that i plug it into my switch and when i set it into "Static IP" it works only with one ip address, but i got from my isp 16 ip addresses, that i want to use in computers.

I hope someone will understand what i want, and will explain at least "what r the steps to fix it"

thanks in advance.

http://iptables-tutorial.frozentux.net/ … SNATTARGET

yea i have readed that, but i dont understand it?!
no one knows how to "explain" a command??????

like: iptables -d or -f or something?????

All the commands you need to NAT are "explained" in the link posted.
What did you expect, that someone would explain the tutorial ? and provide real working commands without you clearly explaining your setup ?

See the section on static NAT (1.1.3) in the Wiki. Note that you still may need to open some firewall rules in which case see the iptables reference already mentioned.

- DL

(Last edited by dl on 15 Nov 2005, 06:27)

Sorry dl, but you seem to be mixing static ADDRESSES with static NAT...

Oh, you're right. But in that case wouldn't the simplest solution be to assign one of the 16 assigned addresses to the lan (with appropriate subnet mask) and then you wouldn't have to mess with iptables at all, at least for basic purposes. And in any case doesn't pre-assigning a public address via DHCP work? I don't know - I haven't tried it.

- DL

(Last edited by dl on 15 Nov 2005, 11:56)

This is why I would like to have a detailled setup of what this guy wants...

I have posted it with "pictures"

DNSMAQ is not the preffered solution for this, i been told that it's "the best" to do it with iptables which it would look like this:

iptables -A PREROUTING -nat -j DNAT -d 212.114.14.78 --to-destination 192.168.1.5
iptables -A POSTROUTING -t nat -j SNAT -s 192.168.1.5 --to 212.110.14.78

that works on FreeBSD, but i've tested with the same commands in wrt54g, the iptables r all ok i mean when i type them but after sometime when i do iptables -L (LIST) they r not listed i was wondering why?

use iptables -L -n -v

# iptables -L -t nat

Doesn't this require arp proxying?  Ipchains was able to do what he wants with eth0, eth0:0, eth0:1, ... eth0:n, but iptables no - no?

im working on it 1 fucking month cant figure it out

ok guys, i think i found this "way" i could call and i'd preffer to the OpenWrt coders to include some "iptables" stuff that can be controled via httpd/web

${IPTABLES} -t nat -A PREROUTING -d ${host} -j DNAT --to-destination ${destip}
${IPTABLES} -t nat -A POSTROUTING -s ${destip} -j SNAT --to-source ${host}

Like this would look a classical static nat one example:

iptables -t nat -A PREROUTING -d 192.168.1.5 -j DNAT --to-destination 212.114.65.19
iptables -t nat -A POSTROUTING -s 212.114.65.19 -j SNAT --to-source 192.168.1.5

this would look like:

root@openwrt:~# iptables -t nat -A PREROUTING -d 192.168.1.5 -j DNAT --to-destination 212.130.74.189
root@openwrt:~# iptables -t nat -A POSTROUTING -s 212.130.74.189 -j SNAT --to-source 192.168.1.5
root@openwrt:~# nvram commit
root@openwrt:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
prerouting_rule  all  --  anywhere             anywhere
DNAT       all  --  anywhere             192.168.1.5         to:212.130.74.189

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postrouting_rule  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere
SNAT       all  --  212.130.74.189       anywhere            to:192.168.1.5

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain postrouting_rule (1 references)
target     prot opt source               destination

Chain prerouting_rule (1 references)
target     prot opt source               destination
root@openwrt:~#

im sure 100% that this thing will work, now my point is how do i have to setup my router in what mode coz i got options "Static IP" "DHCP" "PPPOE" and "NONE" so this will work?

I have 1 LAN Cable from my wireless Antenna, and i plug it into my "Internet" port on my WRT54G, so from that i get internet and 1 cable from my other 4 ports into switch anyone have an idea "how-would-this-work" ?

(Last edited by bx on 16 Nov 2005, 01:56)

One thing for sure is you'll need to add the other external IP addresses to your $WAN interface. You then SNAT/DNAT via those addresses. Say you already have your $WAN configured with "212.114.14.1" and you have .2, .3 and .4 you want to 1-1 nat. Also assume these are 24 bit subnet mask (for ease of example). You need to set up the alias addresses something like this:

# ip addr add 212.114.14.2/24 brd 212.114.14.255 dev vlan1
# ip addr add 212.114.14.3/24 brd 212.114.14.255 dev vlan1
# ip addr add 212.114.14.4/24 brd 212.114.14.255 dev vlan1

This assumes vlan1 is your $WAN interface (or just use $WAN). Now you should be able to set up your DNAT/SNAT rules to each of those IP addresses to map to the internal address. I don't believe I saw you set up the aliases, if you did ignore this. Oh, you'll need the "ip" ipkg installed.

still, im asking for "router mode" DHCP/STATIC IP/PPPOE/NONE?

Is "router mode" a new term you just made up? Are you asking what your "wan_proto" variable should be set to? I assume you have subnet of IP addresses from your provider or you wouldn't even be here asking these questions. You would set your "wan_proto" variable to "static" and configure your "wan_ipaddr", "wan_gateway", "wan_netmask" with one of your addresses and other ip information for your subnet provided to you by your provider. Of course you would control this range of addresses so it is up to you whether you would want to use DHCP. Wouldn't make much sense for what you are doing though. You would then have to add all of the other addresses that you want to use in your 1-1 nat in a script. That's the commands I listed in the previous message. Or you could configure it manually every time you reboot but I'm sure that would get old.

yes, im asking about wan_proto

umm.. so?!

wan_proto=static maybe ?

heh thanks dude, but wan_proto=static seems to dont work as i noticed wrt does not support this feature