Iptables question

madkins
DD-WRT Novice


Joined: 06 Jul 2008
Posts: 3

PostPosted: Sun Jul 06, 2008 14:26    Post subject: Iptables question
Hello.

I am new to the world of dd-wrt. I have installed it on two different routers in just the last few days. The latest being a wrt350n v1. It is working great.

I have a unique situation that I would like to use the router for. I have a couple web servers here at the house, one is an exact copy of the other. I have this in case of failure. Sadly I have not figured out how to have the router automatically fail over to the second server if the first has failed.

My idea was to create a script to ping box 1; if dd-wrt finds the box is down, then run a script that would set the iptables to box 2. Does that sound like a decent idea? Is there a better way to do it?

My problem with this idea is that I am used to having an iptables.conf file. I cannot seem to find one here.

I appreciate the help.
Mike

DD-WRT v24 mega (c) 2008 NewMedia-NET GmbH
Release: 05/24/08 (SVN revision: 9526)
mtca
DD-WRT Novice


Joined: 13 Jul 2007
Posts: 48
Location: Martinez, CA

PostPosted: Sun Jul 06, 2008 14:58    Post subject:
Mike,

Your script idea sounds good but I'm not very proficient with Linux so others may be able to offer more advice.

iptables settings are entered on the Administration -> Commands tab of the router's web page. Enter them into the commands box and press Save Firewall. You can also enter a script here which sends your ping script to a file in /tmp and starts it. Use 'Save Startup' to save it.

Good luck :)
Frank
madkins
DD-WRT Novice


Joined: 06 Jul 2008
Posts: 3

PostPosted: Sun Jul 06, 2008 18:23    Post subject:
Thanks for your thoughts.

I was able to get iptables-save to work, so now I need to modify the config file saved from iptables-save to reflect the second server. I tried this and ran iptables-restore < config_file and it did not work. Meaning it did not change the iptables with the new iptables. Not sure why as of yet. I might be missing something.

This is what I did.
# iptables-save > /tmp/iptables_config.txt
# vi /tmp/iptables_config.txt (changed server 1 ip to server 2 ip)
# iptables-restore < /tmp/iptables_config.txt
# iptables -L (this shows server 1 ip)

Of course I rebooted and it still showed my original settings.

Any ideas?

Thanks.
Mike
mtca
DD-WRT Novice


Joined: 13 Jul 2007
Posts: 48
Location: Martinez, CA

PostPosted: Sun Jul 06, 2008 19:15    Post subject:
Most routers have limited flash space for storing code so many of the features available on standard linux versions have been omitted to save space.

The iptables rules that the firmware loads during boot up can be found in /tmp/.ipt. You can also list all of the in-use rules using 'iptables -L --line-numbers -v'.

You can then remove rules you don't want with:
iptables -D chain-name # (#=line number)
(chain-name = FORWARD, INPUT, etc)

Then add your own rules using
iptables -A or iptables -I

Where 'iptables -I chain-name ...' adds the rule to the beginning of the list.
And 'iptables -I chain-name # ...' adds the rule before rule number #

Put all of the delete, add, and insert rules in the 'Firewall' section under Admin -> Commands. They will be run after the default rules are loaded.

If you delete existing rules or insert rules, just be sure to check the results if you change any of the web configuration settings, because some of them cause changes in the initial rule set loaded by the firmware.

Frank
madkins
DD-WRT Novice


Joined: 06 Jul 2008
Posts: 3

PostPosted: Mon Jul 07, 2008 17:02    Post subject:
Frank,

Thank you for your help. That helped me out a ton.

Here is what I came up with.

1. cron a script to ping the box
2. if the box is down then execute the custom script followed by a reboot.
[add these two lines to the script]
nvram set forward_spec="WWW:on:tcp:80>192.168.0.4:80 FTP:on:tcp:21>192.168.0.4:21 SMTP:on:both:25>192.168.0.4:25 POP:on:both:110>192.168.0.4:110 DNS:on:both:53>192.168.0.4:53 IMAP:on:both:143>192.168.0.4:143"
nvram commit
reboot

It seems to change all the correct IPs. That is all I was wanting.

Now to test it...

Here is the actual script if you are interested.
Code:

#!/bin/sh
######################################
# Script to change iptables when server 1 is down.
# Server 1 = 192.168.0.2
# Server 2 = 192.168.0.4

HOSTS="192.168.0.2"
# number of ping requests sent to each host
COUNT=1

for myHost in $HOSTS
do
  # take "N packets received" from ping's summary line; treat a missing summary as 0
  count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
  if [ "${count:-0}" -eq 0 ]; then
    # 100% failed: point all port forwards at server 2, save and reboot
    nvram set forward_spec="WWW:on:tcp:80>192.168.0.4:80 FTP:on:tcp:21>192.168.0.4:21 SMTP:on:both:25>192.168.0.4:25 POP:on:both:110>192.168.0.4:110 DNS:on:both:53>192.168.0.4:53 IMAP:on:both:143>192.168.0.4:143"
    nvram commit
    reboot
  fi
done
######################################



Thanks again for your help.

Mike
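A more defensive version of the failover script above, added here as an example and not code from the thread. It assumes busybox sh on DD-WRT, the thread's addresses (server 1 = 192.168.0.2, server 2 = 192.168.0.4) and a state file at /tmp/failover.state (an assumed path); it only fails over after several consecutive failed checks and first checks whether forward_spec already points at the backup, so a single lost ping or a repeated cron run cannot cause a commit-and-reboot loop.

```shell
#!/bin/sh
# Failover check for DD-WRT (busybox sh). Constructed example; addresses and
# services follow the thread: server 1 = 192.168.0.2, server 2 = 192.168.0.4.
PRIMARY="192.168.0.2"
BACKUP="192.168.0.4"
PING_COUNT=3                   # probes per check
FAIL_LIMIT=3                   # consecutive failed checks before failing over
STATE="/tmp/failover.state"    # assumed path; holds the consecutive-failure count
# Pull "N packets received" (busybox) or "N received" (iputils) out of ping's
# summary. Prints 0 when no summary line exists, so a ping error counts as down.
received_count() {
  printf '%s\n' "$1" | awk -F',' '/received/ { split($2, a, " "); print a[1]; found = 1 }
                                  END { if (!found) print 0 }'
}

# Build a forward_spec that points every published service at the address in $1.
forward_spec_for() {
  spec=""
  for svc in WWW:tcp:80 FTP:tcp:21 SMTP:both:25 POP:both:110 DNS:both:53 IMAP:both:143; do
    name=${svc%%:*}; rest=${svc#*:}; proto=${rest%%:*}; port=${rest#*:}
    spec="$spec${spec:+ }$name:on:$proto:$port>$1:$port"
  done
  printf '%s' "$spec"
}

# Track consecutive failures in a state file; $1 = packets received, $2 = file.
# Prints the updated count, so one lost probe never triggers a failover by itself.
record_check() {
  prev=$(cat "$2" 2>/dev/null || echo 0); prev=${prev:-0}
  if [ "$1" -gt 0 ]; then fails=0; else fails=$((prev + 1)); fi
  echo "$fails" > "$2"
  echo "$fails"
}

failover_check() {
  out=$(ping -c "$PING_COUNT" "$PRIMARY" 2>&1)
  fails=$(record_check "$(received_count "$out")" "$STATE")
  [ "$fails" -ge "$FAIL_LIMIT" ] || return 0
  # Idempotent: if forward_spec already targets the backup, do nothing. Without
  # this check every cron run after failover would commit and reboot again.
  case "$(nvram get forward_spec)" in *">$BACKUP:"*) return 0 ;; esac
  logger -t failover "$PRIMARY down for $fails checks; forwarding to $BACKUP"
  nvram set forward_spec="$(forward_spec_for "$BACKUP")"
  nvram commit
  reboot
}

# Run the check only when invoked as "failover.sh run", so sourcing has no side effects.
if [ "${1:-}" = "run" ]; then failover_check; fi
```

Schedule it from cron as "/tmp/failover.sh run" (the cron interval times FAIL_LIMIT is the worst-case detection delay).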