Iptables. Fully manual configuration

Hi there,
My WAN-type connection is "static ip" 10.120.29.250, so I would like to use SNAT instead of MASQ in Iptables.

I've tried:

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -A FORWARD -i eth0.2 -o eth0.1 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth0.1 -o eth0.2 -d 192.168.1.0/24 -j ACCEPT
iptables -P FORWARD DROP

and

iptables -A POSTROUTING -s 192.168.1.0/24 -o eth0.1 -j SNAT --to-source 10.120.29.250

Is it possible to configure LEDE's firewall manually? Need some help or explanation.

UPD: My device is TL-WDR3600 and my ifconfig is br-lan, eth0, eth0.1, eth0.2, lo, wlan0, wlan1

The easiest way to have a fully manual firewall config is to uninstall the firewall package:
opkg remove firewall or to disable the firewall service: /etc/init.d/firewall disable.

Then you can stick your custom iptables rules into /etc/rc.local.

rc.local may not work. At the time of its execution network interfaces can be down.
Scripts /etc/hotplug.d/iface are called on interface up/down events

iptables rules can be installed even if the corresponding interface is down so this usually is no problem. You only need hotplug if those manual rules do something complex, like enumerating effective IP addresses.

rc.local may not work. At the time of its execution network interfaces can be down.
Scripts /etc/hotplug.d/iface are called on interface up/down events

Interfaces don't need to be up to create iptables rules.

Arguably, you don't want them up until the rules are in place. Otherwise, you
have a window where the interfaces are up, but there are no restrictions, so
attackers can get through freely.

David Lang
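
An added example, not part of the thread: the manual approach discussed above (custom rules loaded from /etc/rc.local, SNAT to the static WAN address, rules in place before the interfaces carry traffic) written as a script that generates an iptables-restore ruleset. Addresses and interface names are the asker's; treating eth0.1 as WAN and having iptables-restore installed are assumptions, and the return-traffic rule matches conntrack state rather than accepting everything addressed to the LAN.

```shell
#!/bin/sh
# Added example, not from the thread. Values are the asker's; eth0.1 as WAN
# follows the asker's SNAT rule. iptables-restore is assumed to be installed.
WAN_IF="${WAN_IF:-eth0.1}"; LAN_IF="${LAN_IF:-eth0.2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"; WAN_IP="${WAN_IP:-10.120.29.250}"

# Succeed only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset in iptables-restore format; nothing is applied here.
# INPUT and OUTPUT stay at ACCEPT, as in the asker's rules (only FORWARD
# is filtered); SNAT lives in the nat table's POSTROUTING chain.
gen_rules() {
    valid_ipv4 "$WAN_IP" || { echo "bad WAN_IP: $WAN_IP" >&2; return 1; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
EOF
}

# Each table is committed as a unit, so FORWARD never sits half-built with
# an ACCEPT policy. Rules are loaded only when run as: <script> apply
if [ "${1:-}" = "apply" ]; then
    rules=$(gen_rules) && printf '%s\n' "$rules" | iptables-restore
fi
```

Calling the script with `apply` from /etc/rc.local loads both tables; without an argument it only defines the functions, so `gen_rules` can be inspected first.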

Thank you for the explanation. Is there any other workaround to use SNAT instead of MASQ on WAN interface?

Yes, remove option masq 1 from the wan zone and declare an explicit SNAT rule yourself:

config nat
    option src wan
    option proto all
    option target SNAT
    option snat_ip 1.2.3.4

This will install a rule that maps all outgoing WAN traffic to the IP 1.2.3.4

Thank you very much sir. Now I'm happy with SNAT on WAN interface.