Hi,
I have bridged my WLAN and LAN interfaces to br0.
I want people from the outside and the inside of the internal network to access my www server through the public ip port 8181. That works fine for people accessing from WAN and WLAN but not from LAN. I don't understand why it works for WLAN but not for LAN if they are bridged. Any suggestions ?
That`s what I use :
LAN=br0
WAN=vlan1
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8181 -j DNAT --to $DEUX:8181
iptables -A forwarding_rule -i $WAN -p tcp --dport 8181 -d $DEUX -j ACCEPT
echo port forwarding pour www du lan
iptables -t nat -A prerouting_rule -i $LAN -p tcp --dport 8181 -j DNAT --to $DEUX:8181
iptables -A forwarding_rule -i $LAN -p tcp --dport 8181 -d $DEUX -j ACCEPT
The complete script in case there is come incompatibility with other commands:
#echo final
#!/bin/sh
. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
AUTH=192.168.5.100
DEUX=192.168.5.200
## CLEAR TABLES
for T in filter nat mangle; do
iptables -t $T -F
iptables -t $T -X
done
echo partie 0
iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
echo partie 1
### Allow SSH from WAN
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
#iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8181 -j ACCEPT
#iptables -A input_rule -i $WAN -p tcp --dport 8181 -j ACCEPT
echo partie 2
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 81 -j ACCEPT
echo partie 3
#iptables -t nat -A input_rule -i $WAN -p tcp --dport 81 -j ACCEPT
#forwards
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8181 -j DNAT --to $DEUX:8181
iptables -A forwarding_rule -i $WAN -p tcp --dport 8181 -d $DEUX -j ACCEPT
echo port forwarding pour www du lan
iptables -t nat -A prerouting_rule -i $LAN -p tcp --dport 8181 -j DNAT --to $DEUX:8181
iptables -A forwarding_rule -i $LAN -p tcp --dport 8181 -d $DEUX -j ACCEPT
#----------
### INPUT
### (connections with the router as destination)
# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP
# allow
iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### OUTPUT
### (connections with the router as source)
# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow
iptables -A OUTPUT -j ACCEPT #allow everything out
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
### FORWARDING
### (connections routed through the router)
# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# allow
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
### MASQ
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE