Iptables single host NAT

So I'm using openfortivpn [on a TP-Link MR200 (LTE) running 21.02.3] to connect to a host behind a VPN.
As I need to provide an SMS TOTP, I have to bypass the OpenWrt helper script and config (/etc/config/openfortivpn), and I'm running it via the CLI in a screen session.
I've run a similar setup on 19.07 but I've lost my scripts, as I've switched to FreshTomato in that location (I know I need to be organized with my scripts).
In FT I only have to run the following /etc/ppp/ip-up script:

#!/bin/sh -e
# The one LAN host that is allowed to use the tunnel
hostip=192.168.1.101
# Routes to the two prefixes reachable behind the VPN, via the ppp interface
ip route add 172.31.0.0/24 dev ppp1
ip route add 192.168.222.0/24 dev ppp1
# Masquerade only that host's traffic towards those prefixes: the VPN side
# only knows the tunnel's own address, not the LAN subnet
iptables -t nat -A POSTROUTING -s "$hostip" -d 192.168.222.0/24 -o ppp1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s "$hostip" -d 172.31.0.0/24 -o ppp1 -j MASQUERADE

I've tried the same on the MR200 with OpenWrt 21.03 (changing ppp1 to ppp0, as the PPP session is handled by the LTE modem's Android OS), but it doesn't seem to be running.

PS: the tunnel starts correctly and the connection works from OpenWrt to the VPN host, but it doesn't from my station behind the MR200. As a workaround I run an SSH port forwarding.

Can you help me to make it run?
thanks

Try something like this:

# Masquerade only this LAN host, and only towards 192.168.222.0/24
uci add firewall nat
uci set firewall.@nat[-1].name='masq2'
uci add_list firewall.@nat[-1].proto='all'
uci set firewall.@nat[-1].src_ip='192.168.1.101'
uci set firewall.@nat[-1].target='MASQUERADE'
uci set firewall.@nat[-1].dest_ip='192.168.222.0/24'
uci set firewall.@nat[-1].device='ppp0'   # ppp0 on the MR200 (the FT script used ppp1)
uci set firewall.@nat[-1].src='lan'
# Same for the second prefix, with its own name so the two rules can be told apart
uci add firewall nat
uci set firewall.@nat[-1].name='masq3'
uci add_list firewall.@nat[-1].proto='all'
uci set firewall.@nat[-1].src_ip='192.168.1.101'
uci set firewall.@nat[-1].target='MASQUERADE'
uci set firewall.@nat[-1].dest_ip='172.31.0.0/24'
uci set firewall.@nat[-1].device='ppp0'
uci set firewall.@nat[-1].src='lan'
# Persist and regenerate the iptables rule set
uci commit firewall
service firewall restart

Then try to create some interesting traffic and verify it works with iptables-save -c -t nat.

Thanks, but it doesn't seem to work: no ping to my VPN host.

root@OpenWrt:~# iptables-save -c -t nat
# Generated by iptables-save v1.8.7 on Mon Aug  1 07:34:10 2022
*nat
:PREROUTING ACCEPT [148:24044]
:INPUT ACCEPT [125:9246]
:OUTPUT ACCEPT [127:9345]
:POSTROUTING ACCEPT [116:8257]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[272:33258] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[265:31640] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[7:1618] -A PREROUTING -i usb0 -m comment --comment "!fw3" -j zone_wan_prerouting
[250:28744] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[12:592] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[135:20607] -A POSTROUTING -o usb0 -m comment --comment "!fw3" -j zone_wan_postrouting
[12:592] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.101/32 -d 192.168.222.0/24 -o ppp0 -m comment --comment "!fw3: masq2" -j MASQUERADE
[0:0] -A zone_lan_postrouting -s 192.168.1.101/32 -d 172.31.0.0/24 -o ppp0 -m comment --comment "!fw3: masq2" -j MASQUERADE
[265:31640] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[1:64] -A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
[123:9150] -A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
[135:20607] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[135:20607] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[7:1618] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Aug  1 07:34:10 2022

In which zone does ppp0 belong? It doesn't seem to be lan, as there are no hits in iptables, and ppp0 is not assigned to any zone. You'd need to fix that too.

Fixed:

config interface 'openforti'
        option proto 'none'
        option device 'ppp0'
        option auto '0'
        option defaultroute '0'
        option peerdns '0'
        option delegate '0'

and firewall:

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'openforti'

config forwarding
        option src 'lan'
        option dest 'wan'

But traffic is still KO.

Is there a static route for these 2 prefixes via ppp0? (ip -4 ro)
Since you added ppp0 to the wan zone, everything will be masqueraded, so the rules don't matter anymore.

I confirm that after a firewall reload everything works now.
But how can I make the NAT work for only a single IP address behind the OpenWrt router?

Assign ppp0 to its own zone. Then you can fine-tune the source address to be masqueraded, and the destination as well.

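Worked example of the two answers above (the "verify with iptables-save -c -t nat" check and the "own zone for ppp0" fix), added here by the editor; it is not code from the thread or from the OpenWrt project. It builds the uci commands for a dedicated zone (assumed name 'vpn') holding the 'openforti' interface from the OP's /etc/config/network, lets only 192.168.1.101 through, and masquerades only that host towards the two prefixes. The `src` of each nat rule is the zone that owns ppp0: in the OP's paste the rules had src='lan', so fw3 placed them in zone_lan_postrouting, which only sees traffic leaving through br-lan, hence the [0:0] counters. The routes for the two prefixes via ppp0 are assumed to exist already (the OP's ip-up script added them by hand). The helper at the end reads `iptables-save -c` output and reports a rule's packet counter, run here on a constructed excerpt in the shape of the OP's paste, not a live capture.

```shell
#!/bin/sh
# Added example, not code from the thread: put ppp0 in its own firewall zone so
# that only one LAN host is masqueraded towards the VPN prefixes, then verify the
# rule is actually being hit. Assumed names (mine): zone 'vpn', the 'openforti'
# interface from the OP's /etc/config/network, LAN host 192.168.1.101 from the thread.

VPN_HOST=192.168.1.101
VPN_IFACE=openforti
VPN_ZONE=vpn
VPN_PREFIXES="172.31.0.0/24 192.168.222.0/24"   # split on whitespace on purpose

# Emit a `uci batch` script on stdout; nothing is applied until it is piped into uci.
# The nat rules use src='$zone' because fw3 puts a MASQUERADE rule in the
# postrouting chain of the zone named in 'src', i.e. the zone that owns ppp0.
gen_vpn_zone_uci() {
  host=$1; iface=$2; zone=$3; shift 3
  cat <<EOF
add firewall zone
set firewall.@zone[-1].name='$zone'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='0'
set firewall.@zone[-1].mtu_fix='1'
add_list firewall.@zone[-1].network='$iface'
add firewall rule
set firewall.@rule[-1].name='fwd-$host-to-$zone'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].src_ip='$host'
set firewall.@rule[-1].dest='$zone'
set firewall.@rule[-1].target='ACCEPT'
EOF
  # Deliberately no lan->zone 'forwarding' section: the single ACCEPT rule above
  # is the only way from the LAN into the tunnel, so every other host is rejected.
  for p in "$@"; do
    cat <<EOF
add firewall nat
set firewall.@nat[-1].name='masq-$host-$(echo "$p" | tr / _)'
set firewall.@nat[-1].src='$zone'
set firewall.@nat[-1].src_ip='$host'
set firewall.@nat[-1].dest_ip='$p'
set firewall.@nat[-1].target='MASQUERADE'
add_list firewall.@nat[-1].proto='all'
EOF
  done
}

# Print the packet counter of the first "-j MASQUERADE" rule whose comment contains
# $1, reading `iptables-save -c -t nat` output from stdin ("none" if there is none).
# A counter that stays at 0 while you ping through the tunnel means the rule sits
# in a chain the traffic never reaches, as in the OP's zone_lan_postrouting paste.
masq_hits() {
  awk -v tag="$1" '
    index($0, tag) && /-j MASQUERADE/ {
      p = $1; sub(/^\[/, "", p); sub(/:.*/, "", p)   # "[12:592]" -> "12"
      print p; found = 1; exit
    }
    END { if (!found) print "none" }'
}

# Constructed excerpt in the shape of the OP's iptables-save -c paste (not a live capture).
SAMPLE_NAT='[12:592] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.101/32 -d 192.168.222.0/24 -o ppp0 -m comment --comment "!fw3: masq2" -j MASQUERADE
[135:20607] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE'

# On the router you would apply with:
#   gen_vpn_zone_uci "$VPN_HOST" "$VPN_IFACE" "$VPN_ZONE" $VPN_PREFIXES | uci batch \
#     && uci commit firewall && service firewall restart
# and then check: iptables-save -c -t nat | masq_hits 'masq-192.168.1.101'
gen_vpn_zone_uci "$VPN_HOST" "$VPN_IFACE" "$VPN_ZONE" $VPN_PREFIXES
printf '%s\n' "$SAMPLE_NAT" | masq_hits '!fw3: masq2'    # prints 0: rule never matched
```

Because the zone's own masq option stays '0', nothing leaves through ppp0 masqueraded unless a nat rule says so, and because there is no lan-to-vpn forwarding section, a second LAN host that learns the routes is rejected rather than silently NATed; both are the "single host" part the OP asked for. After applying, the rule's counter under zone_vpn_postrouting should climb while the host pings the VPN side.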

Thank you very much, that worked.
