Posted: Sun Jul 06, 2008 14:26 Post subject: Iptables question
Hello.
I am new to the world of dd-wrt. I have installed it on two different routers in just the last few days. The latest being a wrt350n v1. It is working great.
I have a unique situation that I would like to use the router for. I have a couple web servers here at the house, one is an exact copy of the other. I have this in case of failure. Sadly I have not figured out how to have the router automatically fail over to the second server if the first has failed.
My idea was to create a script to ping box 1; if dd-wrt finds the box is down, then run a script that would set the iptables to box 2. Does that sound like a decent idea? Is there a better way to do it?
My problem with this idea is that I am used to having an iptables.conf file. I cannot seem to find one here.
Joined: 13 Jul 2007 Posts: 48 Location: Martinez, CA
Posted: Sun Jul 06, 2008 14:58 Post subject:
Mike,
Your script idea sounds good but I'm not very proficient with Linux so others may be able to offer more advice.
iptables settings are entered on the Administration -> Commands tab of the router's web page. Enter them into the commands box and press Save Firewall. You can also enter a script here which sends your ping script to a file in /tmp and starts it. Use 'Save Startup' to save it.
I was able to get iptables-save to work, so now I need to modify the config file saved from iptables-save to reflect the second server. I have tried this and ran iptables-restore < config_file, and it did not work, meaning it did not replace the iptables rules with the new ones. Not sure why as of yet. I might be missing something.
This is what I did.
# iptables-save /tmp/iptables_config.txt
# vi /tmp/iptables_config.txt (changed server 1 ip to server 2 ip)
# iptables-restore /tmp/iptables_config.txt
# iptables -L (this shows server 1 ip)
Of course I rebooted and it still showed my original settings.
Posted: Sun Jul 06, 2008 19:15 Post subject:
Most routers have limited flash space for storing code, so many of the features available in standard Linux versions have been omitted to save space.
The iptables rules that the firmware loads during boot up can be found in /tmp/.ipt. You can also list all of the in-use rules using 'iptables -L --line-numbers -v'.
You can then remove rules you don't want with:
iptables -D chain-name # (#=line number)
(chain-name = FORWARD, INPUT, etc)
Then add your own rules using
iptables -A or iptables -I
Where 'iptables -I chain-name ...' adds the rule to the beginning of the list.
And 'iptables -I chain-name # ...' adds the rule before rule number #
Put all of the delete, add, and insert rules in the 'Firewall' section under Admin -> Commands. They will be run after the default rules are loaded.
If you delete existing rules or insert rules, just be sure to check the results if you change any of the web configuration settings, because some of them cause changes in the initial rule set loaded by the firmware.
1. cron a script to ping the box
2. if the box is down then execute the custom script followed by a reboot.
[add these two lines to the script]
nvram set forward_spec="WWW:on:tcp:80>192.168.0.4:80 FTP:on:tcp:21>192.168.0.4:21 SMTP:on:both:25>192.168.0.4:25 POP:on:both:110>192.168.0.4:110 DNS:on:both:53>192.168.0.4:53 IMAP:on:both:143>192.168.0.4:143"
nvram commit
reboot
It seems to change all the correct IPs. That is all I was wanting.
Now to test it...
Here is the actual script if you are interested.
Code:
#!/bin/sh
######################################
# Script to change iptables when server 1 is down.
# Server 1 = 192.168.0.2
# Server 2 = 192.168.0.4
HOSTS="192.168.0.2"
# number of ping requests per check (a single lost reply triggers the failover)
COUNT=1
for myHost in $HOSTS
do
    # replies received according to the ping summary line; 0 if ping printed none
    count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
    count=${count:-0}
    if [ "$count" -eq 0 ]; then
        # 100% failed: point every forward at server 2, save it, and reboot so the firmware reloads the rules
        nvram set forward_spec="WWW:on:tcp:80>192.168.0.4:80 FTP:on:tcp:21>192.168.0.4:21 SMTP:on:both:25>192.168.0.4:25 POP:on:both:110>192.168.0.4:110 DNS:on:both:53>192.168.0.4:53 IMAP:on:both:143>192.168.0.4:143"
        nvram commit
        reboot
    fi
done
######################################
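The same failover done the way the earlier reply suggests, with rules applied live instead of nvram commit plus a reboot, as an added example that is not from this thread: it inserts DNAT and FORWARD rules for server 2 ahead of the firmware's own rules for server 1. It assumes dd-wrt's forwards are ordinary nat PREROUTING DNAT rules matched on the WAN address held in nvram wan_ipaddr (compare with iptables -t nat -L PREROUTING -n -v --line-numbers before relying on it); received_count, failover_commands and the /tmp/failover_active marker are names I chose.

```shell
#!/bin/sh
# Added example, not from the thread: fail over to server 2 in place by
# inserting new rules ahead of the firmware's, so no 'nvram commit' or
# reboot is needed. Assumption: dd-wrt's port forwards are DNAT rules in
# nat/PREROUTING matched on the WAN address, plus ACCEPT rules in FORWARD.
SERVER1=192.168.0.2
SERVER2=192.168.0.4
# Same forwards as the forward_spec above ("both" means tcp and udp).
PORTS="tcp:80 tcp:21 tcp:25 udp:25 tcp:110 udp:110 tcp:53 udp:53 tcp:143 udp:143"
STATE=/tmp/failover_active   # marker so repeated cron runs do not insert duplicates

# Read ping output on stdin and print the number of replies received
# (0 when the summary line is missing, e.g. the address did not resolve).
received_count() {
    n=$(grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
    echo "${n:-0}"
}

# Print the iptables commands that send every forward in PORTS arriving on
# WAN address $1 to host $2. '-I' puts them first in each chain, so they
# take precedence over the firmware's rules for server 1 without deleting them.
failover_commands() {
    wanip=$1
    to=$2
    for spec in $PORTS; do
        proto=${spec%%:*}
        port=${spec##*:}
        echo "iptables -t nat -I PREROUTING -d $wanip -p $proto --dport $port -j DNAT --to-destination $to:$port"
        echo "iptables -I FORWARD -p $proto -d $to --dport $port -j ACCEPT"
    done
}

# Only touch the firewall when invoked as 'failover.sh check' (from cron),
# so the file can also be sourced just to reuse the functions.
if [ "$1" = "check" ] && [ ! -e "$STATE" ]; then
    got=$(ping -c 3 "$SERVER1" | received_count)
    if [ "$got" -eq 0 ]; then
        logger -t failover "$SERVER1 unreachable, forwarding to $SERVER2"
        failover_commands "$(nvram get wan_ipaddr)" "$SERVER2" | sh && touch "$STATE"
    fi
fi
```

Run it from cron as failover.sh check; removing /tmp/failover_active (which a reboot also clears) re-arms it once server 1 is back and the firmware rules have been reloaded.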