Ticket #620 (new Feature Request)
Iptables nat request
| Reported by: | jean-philippe.meni@… | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Not yet assigned to a Milestone |
| Component: | Gateway | Version: | scc |
| Keywords: | iptables nat | Cc: | |
Description
Hi,
In case of NAT on a server, we insert these rules in iptables before the wifidog daemon starts:
# Create a NAT
iptables -I FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT (full NAT, wifidog doesn't redirect anymore)
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
It is possible to do an Append instead of an Insert for the rule:
iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);
in fw_iptables.c line 310
At this moment, it does this:
iptables -nvL
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 WiFiDog_eth1_WIFI2Internet all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
And it's better for CPU performance to have this:
iptables -nvL
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 WiFiDog_eth1_WIFI2Internet all -- eth1 * 0.0.0.0/0 0.0.0.0/0
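The ordering the ticket asks for, as an added example that is not wifidog's own code: a small POSIX shell script that emits the FORWARD and POSTROUTING rules with -A (append) so that the cheap ESTABLISHED,RELATED ACCEPT is evaluated before the per-client WiFiDog chain, and a check that the emitted order is right. The interface names, the chain name and the dry-run IPTABLES variable are assumptions mirroring the ticket; by default the script only prints the commands, so it runs without root or netfilter.

```shell
#!/bin/sh
# Added example, not part of wifidog. Assumed names: eth0 = WAN, eth1 = Wi-Fi side,
# and the WiFiDog_<if>_WIFI2Internet chain that wifidog creates.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WIFIDOG_CHAIN="WiFiDog_${LAN_IF}_WIFI2Internet"
# Dry run by default: print the command instead of applying it.
# Set IPTABLES=iptables (as root) to really install the rules.
IPTABLES="${IPTABLES:-echo iptables}"

# Run (or print) one iptables command; same idea as iptables_do_command in fw_iptables.c.
iptables_do_command() {
    $IPTABLES "$@"
}

# Emit the rules with -A so they keep the order written here. With -I (insert at
# the head of the chain, what the ticket complains about) the WiFiDog jump would
# end up before the ACCEPT and every reply packet would traverse the WiFiDog chain.
forward_rules() {
    # Cheap conntrack match first: replies to already-authorised flows are accepted here.
    iptables_do_command -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only new client traffic reaches the per-client WiFiDog chain.
    iptables_do_command -t filter -A FORWARD -i "$LAN_IF" -j "$WIFIDOG_CHAIN"
    # NAT for traffic leaving on the WAN side.
    iptables_do_command -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Return 0 when, in the emitted rule list, the ESTABLISHED,RELATED ACCEPT
# comes before the jump to the WiFiDog chain; 1 otherwise.
check_order() {
    out="$(forward_rules)"
    accept_line=$(printf '%s\n' "$out" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1 | head -n 1)
    chain_line=$(printf '%s\n' "$out" | grep -n "$WIFIDOG_CHAIN" | cut -d: -f1 | head -n 1)
    [ -n "$accept_line" ] && [ -n "$chain_line" ] && [ "$accept_line" -lt "$chain_line" ]
}

# Usage: ./forward_rules.sh   (prints the three commands in order)
#        IPTABLES=iptables ./forward_rules.sh   (applies them, needs root)
forward_rules
```

The order check is the property worth keeping after any later change to the gateway's rule insertion: a rule list where the WiFiDog jump precedes the state-match ACCEPT still works, it just costs a chain traversal on every established packet.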