pr0n DD-WRT Novice
Joined: 08 Mar 2014 Posts: 2
Posted: Sat Mar 08, 2014 23:09 Post subject: iptables NAT assistance
The short of it: Need to NAT traffic leaving an interface.
I've got networking experience but I've never used iptables so I'm having some trouble figuring out how to accomplish this.
Physical setup
I have DD-WRT on an Asus RT-N66U. I have a Cisco ASA 5505 connected to one of the N66U ports as a client; the 5505 has a VPN set up on it (which is working). The 5505 then connects back into the N66U on eth4.
5505 ip address 192.168.51.17
The network the 5505 VPN gets me to is (for now) 172.21.0.0/16; I have added this route to the routing table manually.
eth4 is in vlan3
vlan 3 inet addr:192.168.51.18 Bcast:192.168.51.23 Mask:255.255.255.248
ip route
<Some WAN network>/22 dev vlan2 proto kernel scope link src <Some WAN ip>
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
172.21.0.0/16 via 192.168.51.17 dev vlan3
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.51.16/29 dev vlan3 proto kernel scope link src 192.168.51.18
The route and VPN work: I can ping 172.21.1.1 from DD-WRT as expected and it takes the proper route through the 5505. However, none of the clients can get to it because the 172.21.0.0 network can't route back to my DD-WRT clients properly, but I don't want it to. I would like to set up NAT on vlan3 to NAT all traffic leaving the interface behind 192.168.51.17.
I've googled a bit but can't seem to find anything helpful as far as NAT goes. If someone could help out here that would be fantastic.
iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT gre -- 192.168.1.0/24 anywhere
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:1723
lan2wan 0 -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
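An added example, not part of the original post or a reply to it, showing the iptables rules that implement the source NAT the post asks for. It takes the addresses from the post (LAN br0 192.168.1.0/24, vlan3 192.168.51.18, ASA 192.168.51.17, remote network 172.21.0.0/16) and assumes the traffic is hidden behind the router's own vlan3 address, 192.168.51.18, since that is the address on the interface the packets leave and pings sourced from it are already known to traverse the tunnel. The interface and network names are shell variables so they can be adjusted; the rules are printed by default and only executed with the `apply` argument.

```shell
#!/bin/sh
# Added example, not from the original post. Builds source-NAT rules for the
# layout described above: LAN br0 (192.168.1.0/24) -> vlan3 (192.168.51.18)
# -> ASA 5505 (192.168.51.17) -> VPN -> 172.21.0.0/16.
# Assumption: LAN traffic is hidden behind the router's own vlan3 address,
# 192.168.51.18, so the remote network only ever sees one address it can
# already reach and needs no route back to 192.168.1.0/24.

LAN_IF="br0"
LAN_NET="192.168.1.0/24"
VPN_IF="vlan3"
VPN_IF_ADDR="192.168.51.18"
REMOTE_NET="172.21.0.0/16"

# Print the rules instead of running them, so they can be reviewed first or
# pasted into the DD-WRT firewall script (Administration > Commands).
nat_rules() {
    # Only rewrite LAN traffic bound for the remote network that leaves vlan3;
    # the existing WAN NAT and everything else is left untouched.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -o %s -j SNAT --to-source %s\n' \
        "$LAN_NET" "$REMOTE_NET" "$VPN_IF" "$VPN_IF_ADDR"
    # Permit the forward path explicitly: the listed FORWARD chain ends in DROP,
    # and replies come back through the existing RELATED,ESTABLISHED rule.
    printf 'iptables -I FORWARD -i %s -o %s -s %s -d %s -j ACCEPT\n' \
        "$LAN_IF" "$VPN_IF" "$LAN_NET" "$REMOTE_NET"
}

# Number of rules produced; a quick sanity check before applying them.
nat_rule_count() {
    nat_rules | wc -l | tr -d ' '
}

# Execute the rules on the router (needs root on DD-WRT). Stops at the first
# rule iptables rejects so a typo does not leave a half-applied set.
apply_nat_rules() {
    nat_rules | while read -r rule; do
        $rule || return 1
    done
}

case "${1:-show}" in
    apply) apply_nat_rules ;;
    *)     nat_rules ;;
esac
```

Run the script with no argument to see the two rules, and with `apply` to install them. Because `-A` appends and `-I` inserts on every run, put the commands in the DD-WRT firewall script so they are applied once per boot rather than re-running them by hand. After applying, `iptables -t nat -L POSTROUTING -v -n` should show the SNAT rule's packet counter climbing when a LAN client reaches into 172.21.0.0/16.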