Friday, September 16, 2011

TomatoUSB 1:1 NAT for Qwest 8 static IP block

This isn't what I want yet, but I may be closer to true routing where the router actually routes my IP addresses. I'll be sure to post what I find out.

For now, these are the commands you need to run if you wish to do a 1:1 NAT setup on your Tomato/DD-WRT/*wrt router firmware (or most things Linux, for that matter).

I have a block of 8 static IPs from Qwest/CenturyLink and in this configuration you can use all 8 (minus one for the router). Notice I skipped 14 because that address is the router's. Your exact configuration may vary but substitute your addresses as necessary. I used a 10.10.10.0 private network. The static IPs are mapped to a corresponding private IP address.

The first section assigns the IP addresses to the router.
The second section does network address translation, so websites or services you connect to on the internet will see the associated static/public IP.
The third section maps incoming traffic to the associated address on your private network; this lets you log in to or access the devices by the associated public IP address.
The fourth section opens ALL incoming ports to the specified internal IP address. This defeats all firewall rules on the router, so only do this if you are going to run firewall software on those machines. Look up more information on how to block/enable ports with iptables if you want to enable only specific ports.

Here is the config:

ip addr add XXX.XXX.XXX.8/29 dev ppp0
ip addr add XXX.XXX.XXX.9/29 dev ppp0
ip addr add XXX.XXX.XXX.10/29 dev ppp0
ip addr add XXX.XXX.XXX.11/29 dev ppp0
ip addr add XXX.XXX.XXX.12/29 dev ppp0
ip addr add XXX.XXX.XXX.13/29 dev ppp0
ip addr add XXX.XXX.XXX.15/29 dev ppp0

iptables -t nat -I POSTROUTING 1 -p all -s 10.10.10.8 -j SNAT --to XXX.XXX.XXX.8
iptables -t nat -I POSTROUTING 1 -p all -s 10.10.10.9 -j SNAT --to XXX.XXX.XXX.9
iptables -t nat -I POSTROUTING 1 -p all -s 10.10.10.10 -j SNAT --to XXX.XXX.XXX.10
iptables -t nat -I POSTROUTING 1 -p all -s 10.10.10.11 -j SNAT --to XXX.XXX.XXX.11
iptables -t nat -I POSTROUTING 1 -p all -s 10.10.10.12 -j SNAT --to XXX.XXX.XXX.12
iptables -t nat -I POSTROUTING 1 -p all -s 10.10.10.13 -j SNAT --to XXX.XXX.XXX.13
iptables -t nat -I POSTROUTING 1 -p all -s 10.10.10.15 -j SNAT --to XXX.XXX.XXX.15

iptables -t nat -A PREROUTING -p tcp -d XXX.XXX.XXX.8 -j DNAT --to-destination 10.10.10.8
iptables -t nat -A PREROUTING -p tcp -d XXX.XXX.XXX.9 -j DNAT --to-destination 10.10.10.9
iptables -t nat -A PREROUTING -p tcp -d XXX.XXX.XXX.10 -j DNAT --to-destination 10.10.10.10
iptables -t nat -A PREROUTING -p tcp -d XXX.XXX.XXX.11 -j DNAT --to-destination 10.10.10.11
iptables -t nat -A PREROUTING -p tcp -d XXX.XXX.XXX.12 -j DNAT --to-destination 10.10.10.12
iptables -t nat -A PREROUTING -p tcp -d XXX.XXX.XXX.13 -j DNAT --to-destination 10.10.10.13
iptables -t nat -A PREROUTING -p tcp -d XXX.XXX.XXX.15 -j DNAT --to-destination 10.10.10.15

iptables -I FORWARD -p tcp -d 10.10.10.8 -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.10.9 -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.10.10 -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.10.11 -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.10.12 -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.10.13 -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.10.15 -j ACCEPT
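
A narrower alternative to the fourth section, as an added example that is not part of the original post: this script prints (it does not run) the third-section DNAT rule plus a FORWARD rule limited to listed TCP ports for each host. The prefix 203.0.113 stands in for XXX.XXX.XXX, the policy table and function names are constructed, and it assumes the router's FORWARD chain otherwise drops unsolicited inbound traffic.

```shell
#!/bin/sh
# Added example: prints (does not execute) section 3 and 4 rules for the 1:1
# NAT layout, with a per-host TCP port allowlist instead of ACCEPT-everything.
PUB="203.0.113"     # constructed documentation prefix standing in for XXX.XXX.XXX
PRIV="10.10.10"     # private network used in the post
ROUTER_OCTET=14     # the router's own address in the post; never mapped

# Constructed sample policy: "<last octet> <comma-separated TCP ports>"
POLICY="8 22
9 80,443
10 25,587,993"

# valid_ports LIST: succeeds only if LIST is comma-separated integers 1..65535
valid_ports() {
    case "$1" in ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;; esac
    old_ifs=$IFS; IFS=,
    for p in $1; do
        if [ "${#p}" -gt 5 ] || [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$old_ifs; return 1
        fi
    done
    IFS=$old_ifs
}

# emit_host OCTET PORTS: print the DNAT rule and a port-limited FORWARD rule
emit_host() {
    case "$1" in ''|*[!0-9]*) echo "bad host octet: $1" >&2; return 1 ;; esac
    if [ "${#1}" -gt 2 ] || [ "$1" -lt 8 ] || [ "$1" -gt 15 ] ||
       [ "$1" -eq "$ROUTER_OCTET" ]; then
        echo "octet $1 is outside the block or is the router" >&2; return 1
    fi
    valid_ports "$2" || { echo "bad port list for .$1: $2" >&2; return 1; }
    echo "iptables -t nat -A PREROUTING -p tcp -d $PUB.$1 -j DNAT --to-destination $PRIV.$1"
    echo "iptables -I FORWARD -p tcp -d $PRIV.$1 -m multiport --dports $2 -j ACCEPT"
}

# emit_all POLICY: emit rules for every line; fail on the first bad entry
emit_all() {
    echo "$1" | while read -r octet ports; do
        [ -n "$octet" ] || continue
        emit_host "$octet" "$ports" || exit 1
    done
}

emit_all "$POLICY"
```

Review the printed rules before pasting them into the router's firewall script; a host with no line in the policy gets no DNAT or FORWARD rule at all.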


Here's some more information I found:
