Ticket #620 (new Feature Request)

Opened 8 years ago

Last modified 8 years ago

Iptables nat request

Reported by: jean-philippe.meni@… Owned by:
Priority: normal Milestone: Not yet assigned to a Milestone
Component: Gateway Version: scc
Keywords: iptables nat Cc:

Description

Hi,
in case of NAT on a server, we insert these rules into iptables before the wifidog daemon starts:
    # Create a NAT
    iptables -I FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT (full NAT; wifidog doesn't redirect anymore)
    iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
Is it possible to do an Append instead of an Insert for the rule:
    iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);
in fw_iptables.c line 310?
At the moment, it does this:
    iptables -nvL
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target                      prot opt in    out   source     destination
        0     0 WiFiDog_eth1_WIFI2Internet  all  --  eth1  *     0.0.0.0/0  0.0.0.0/0
        0     0 ACCEPT                      all  --  eth0  eth1  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED

And it's better for CPU performance to have this:
    iptables -nvL
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target                      prot opt in    out   source     destination
        0     0 ACCEPT                      all  --  eth0  eth1  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
        0     0 WiFiDog_eth1_WIFI2Internet  all  --  eth1  *     0.0.0.0/0  0.0.0.0/0


Change History

Changed 8 years ago by gbastien

  • version set to scc
  • severity set to sergio

This is specific to your case and it does not apply for, say, a router, whose default FORWARD rules are really different. On a router, appending would make the rule useless and inserting is the right logic.

What you should do, if you don't do that already, is run a simple script on your server after wifidog initialization that will make those adjustments for your system.
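A post-start script of the kind suggested above, as an added example that is not part of this ticket or of the WiFiDog project: it assumes the ticket's interface names (eth0 upstream, eth1 wifi) and the chain name WiFiDog_eth1_WIFI2Internet shown in the reporter's output, and moves the stateful ACCEPT rule in front of the WiFiDog jump after wifidog has inserted its rule.

```shell
#!/bin/sh
# Added example, not from the ticket or the WiFiDog project: run after WiFiDog
# has inserted its FORWARD jump at position 1, to put the stateful ACCEPT rule
# in front of it (established flows then skip the WiFiDog chain entirely).
# Assumed from the ticket: eth0 = upstream, eth1 = wifi side, and the chain
# name WiFiDog_eth1_WIFI2Internet; adjust to your interfaces.
WAN=eth0
LAN=eth1
WIFIDOG_CHAIN="WiFiDog_${LAN}_WIFI2Internet"
STATE_RULE="-i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT"

# plan_reorder: reads "iptables -S FORWARD" output on stdin and prints the
# iptables commands that make the stateful ACCEPT precede the WiFiDog jump.
# It is pure text processing, so it can be checked without root or iptables.
# Note: iptables-save prints the state list as RELATED,ESTABLISHED whatever
# order you typed, so the existing rule is matched by pattern, not literally.
plan_reorder() {
    rules=$(grep '^-A FORWARD ' || true)   # only rule lines; index = rule number
    wd_pos=$(printf '%s\n' "$rules" | grep -n -e "-j $WIFIDOG_CHAIN" | head -n1 | cut -d: -f1)
    st_pos=$(printf '%s\n' "$rules" \
        | grep -n -E "^-A FORWARD -i $WAN -o $LAN -m (state --state|conntrack --ctstate) [A-Z,]+ -j ACCEPT$" \
        | head -n1 | cut -d: -f1)
    if [ -z "$wd_pos" ]; then
        echo "# WiFiDog chain not present yet; nothing to do"
        return 0
    fi
    if [ -n "$st_pos" ] && [ "$st_pos" -lt "$wd_pos" ]; then
        echo "# already ordered correctly"
        return 0
    fi
    # Delete the misplaced copy by number (it sits after the jump, so the jump's
    # own position is unaffected), then insert the rule at the top of the chain.
    if [ -n "$st_pos" ]; then
        echo "iptables -D FORWARD $st_pos"
    fi
    echo "iptables -I FORWARD 1 $STATE_RULE"
}

# apply_reorder: run the plan for real (needs root and a started wifidog).
apply_reorder() {
    iptables -S FORWARD | plan_reorder | sh -e
}

case "${1:-}" in
    apply) apply_reorder ;;
esac
```

Run it as `sh reorder.sh apply` from whatever starts wifidog; without the argument it only defines the functions, so the plan can be inspected with `iptables -S FORWARD | . ./reorder.sh; plan_reorder` before anything is changed.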
