One-to-one NAT

From DD-WRT Wiki

Revision as of 22:21, 13 August 2009 by Pcguy11 (Talk | contribs)

One-to-one NAT (aka Static NAT) is a way to make systems behind a firewall and configured with private IP addresses (those addresses reserved for private use in RFC 1918) appear to have public IP addresses.¹

These examples have been tested and work with multiple public static IPs. Tested with:

  • WRT54GL v.1.1 with DD-WRT RC6 and it works just fine.²
  • DD-WRT v24-sp2 (01/01/09) mega on Linksys WRT 600N V1
  • Tomato 1.23 (which sounds odd, but this is just iptables; it should work in any Linux-based router, except for the interface names)


Setup

Everything in square brackets needs to be replaced by your values. Examples are at the bottom.

Startup

Set up each new public static IP as an alias on the DD-WRT WAN interface vlan1. This must be done for every public static IP and should be saved to the Startup script using the Save Startup button.

ifconfig vlan1:1 [PUBLIC_IP1] netmask [NETMASK] broadcast [BROADCAST]
ifconfig vlan1:2 [PUBLIC_IP2] netmask [NETMASK] broadcast [BROADCAST]

Firewall

SNAT/DNAT

Send all packets destined for the new public IP to a given local IP (DNAT):

iptables -t nat -I PREROUTING -p all -d [PUBLIC_IP] -j DNAT --to-destination [LAN_IP]

Rewrite the source address of packets leaving that local IP so they appear to come from the public IP (SNAT); the 1 inserts the rule at the top of the chain:

iptables -t nat -I POSTROUTING 1 -p all -s [LAN_IP] -j SNAT --to-source [PUBLIC_IP]

Translate anything else from the LAN to the "main" router IP:

iptables -t nat -I POSTROUTING -o br0 -s [LAN_SUBNET] -j SNAT --to-source [MAIN_IP]

In that last line, br0 may not always be correct; it's br0 on Tomato at least. You can telnet to the router and use the ifconfig command to see the correct value; it's the one with the router's internal IP associated with it.

PORT FORWARD

Allow inbound traffic on port X through to the local IP above:

iptables -I FORWARD -p tcp -i vlan1 -d [LAN_IP] --dport X -j ACCEPT

You could also replace the rule(s) above with the following:

iptables -I FORWARD -p all -i vlan1 -d [LAN_IP] -j ACCEPT

Instead of opening a single port, this lets through all TCP/UDP connections on every port from the public IP to the LAN IP.

In other words, forwarding all connections means no firewalling at all for that IP address.

Copy/Paste Examples

Startup Script

# Save Startup
ifconfig vlan1:1 173.xxx.xxx.250 netmask 255.255.255.240 broadcast 173.xxx.xxx.255
ifconfig vlan1:2 173.xxx.xxx.251 netmask 255.255.255.240 broadcast 173.xxx.xxx.255

Firewall Script

# Save Firewall
iptables -t nat -I POSTROUTING -o br0 -s 192.168.0.0/24 -j SNAT --to-source 192.168.0.1

# WAN .250 -> LAN .15
iptables -t nat -I PREROUTING -p all -d 173.xxx.xxx.250 -j DNAT --to-destination 192.168.0.15
iptables -t nat -I POSTROUTING -p all -s 192.168.0.15 -j SNAT --to-source 173.xxx.xxx.250
iptables -I FORWARD -p tcp -d 192.168.0.15 --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.0.15 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.0.15 --dport 5900 -j ACCEPT

# WAN .251 -> LAN .20
# The original post has 192.168.0.15 and it should be 192.168.0.20.  I fixed it.
iptables -t nat -I PREROUTING -p all -d 173.xxx.xxx.251 -j DNAT --to-destination 192.168.0.20
iptables -t nat -I POSTROUTING -p all -s 192.168.0.20 -j SNAT --to-source 173.xxx.xxx.251
iptables -I FORWARD -p tcp -d 192.168.0.20 --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.0.20 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -d 192.168.0.20 --dport 5900 -j ACCEPT
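As an added example (not from the DD-WRT wiki), a small POSIX shell script that generates the rule set above for several public IPs from one mapping, so that the DNAT, SNAT and FORWARD lines for each host are derived from a single LAN address and only explicitly listed ports are opened. It assumes the WAN interface is vlan1 and the LAN bridge is br0; the 203.0.113.x addresses are constructed placeholders.

```shell
# Added example, not from the DD-WRT wiki. Emits the one-to-one NAT rules
# for each mapping as text so they can be reviewed before being pasted into
# the Firewall script. Interface names are assumed; addresses are constructed.
WAN_IF=vlan1   # DD-WRT WAN interface (check with ifconfig on the router)
LAN_IF=br0     # LAN bridge

# one_to_one PUBLIC_IP LAN_IP "PORT PORT ..."
# DNAT, SNAT and per-port FORWARD rules all derive from the same $lan, so a
# hand-edited copy cannot keep a stale LAN address in the SNAT line.
one_to_one() {
    pub=$1; lan=$2; ports=$3
    [ -n "$pub" ] && [ -n "$lan" ] || return 1
    echo "# WAN $pub -> LAN $lan"
    echo "iptables -t nat -I PREROUTING -p all -d $pub -j DNAT --to-destination $lan"
    echo "iptables -t nat -I POSTROUTING -p all -s $lan -j SNAT --to-source $pub"
    # Only listed TCP ports are opened; an empty list leaves the host behind
    # the default FORWARD policy. The catch-all '-p all' rule is never emitted.
    for p in $ports; do
        case $p in
            *[!0-9]*) echo "bad port '$p' for $pub" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
        echo "iptables -I FORWARD -p tcp -i $WAN_IF -d $lan --dport $p -j ACCEPT"
    done
}

# lan_masq LAN_SUBNET MAIN_IP: the general LAN rule from the page, emitted
# first so the host-specific SNAT rules inserted afterwards end up above it.
lan_masq() {
    echo "iptables -t nat -I POSTROUTING -o $LAN_IF -s $1 -j SNAT --to-source $2"
}

# Constructed sample mapping using RFC 5737 documentation addresses.
example_ruleset() {
    lan_masq 192.168.0.0/24 192.168.0.1
    one_to_one 203.0.113.250 192.168.0.15 "21 80 5900"
    one_to_one 203.0.113.251 192.168.0.20 "21 80 5900"
}

example_ruleset
```

Review the printed rules, then paste them into the Firewall script or pipe the output to sh on the router.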

Resources

¹ http://www.shorewall.net/NAT.htm
² http://www.dd-wrt.com/phpBB2/viewtopic.php?t=24555