
I am trying to use this Guide to enable multiple IPs on TomatoUSB. Our Firewall rules need to NAT and allow a 1to1 to two servers.

/usr/sbin/ip addr add 208.x.x.133/30 dev vlan1
/usr/sbin/ip addr add 208.x.x.132/30 dev vlan1

/usr/sbin/iptables -t nat -I PREROUTING -d 208.x.x.133 -j DNAT --to-destination 192.168.7.100
/usr/sbin/iptables -t nat -I PREROUTING -d 208.x.x.132 -j DNAT --to-destination 192.168.7.130

/usr/sbin/iptables -I FORWARD -p tcp -d 192.168.7.130 --dport 25 -j ACCEPT
/usr/sbin/iptables -I FORWARD -p tcp -d 192.168.7.101 --dport 80 -j ACCEPT

/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 192.168.7.130 -j SNAT --to 208.x.x.132
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 192.168.7.101 -j SNAT --to 208.x.x.133


I used the guide to write these, but the router only forwards 1 IP. Is what I did wrong, or is the guide wrong? Can you point out what is wrong, by chance?

Jacob
  • Add: '#ip ad' and '#ip ro' and '#iptables -nv -L' and '#iptables -t nat -nv -L' – alvosu Feb 03 '11 at 00:20
  • Assuming that you made a typo on '-I FORWARD -p tcp -d 192.168.7.101' instead of '192.168.7.100', provide what @alvosu asked you: 'iptables -vnL'. – Torian Feb 08 '11 at 13:49
  • Verify that you have not mistyped the IP addresses, in your post and in your firewall rules. Then again, please provide the updates requested so we can try to give you an answer. – Torian Feb 12 '11 at 02:14

2 Answers

#For each IP you need this command and this rule:
/sbin/ifconfig vlan1:0 208.x.x.130 netmask 255.255.255.224
/usr/sbin/iptables -t nat -I PREROUTING 2 -d 208.x.x.130 -j WANPREROUTING

#For each open port you need rules like these two:
/usr/sbin/iptables -t nat -A WANPREROUTING -p tcp -d 208.x.x.130 --dport 80 -j DNAT --to-destination 192.168.1.130:80
/usr/sbin/iptables -I wanin -p tcp -m tcp -d 192.168.1.130 --dport 80 -j ACCEPT

Enter these rules in the "Firewall" tab under "Administration". Works for me.

Antonius Bloch
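As an added example (not the answer's own script, nor anything from the Tomato project): a small POSIX sh helper that emits the full per-IP rule set from one (public IP, private IP, ports) mapping following the answer's WANPREROUTING/wanin pattern, adds the SNAT half that the question's rules carry, and includes a check that flags any ACCEPT rule whose destination no DNAT rule targets, which is exactly the 192.168.7.100/.101 slip the comments suspect. The interface vlan1, the /27 netmask and the 203.0.113.x addresses are assumptions/constructed values.

```shell
#!/bin/sh
# Assumed layout, as in the answer above: public IPs aliased on vlan1 with a /27
# mask, and Tomato's WANPREROUTING and wanin chains. Both are overridable.
WAN_IF="${WAN_IF:-vlan1}"
WAN_MASK="${WAN_MASK:-255.255.255.224}"

# gen_rules <alias_index> <public_ip> <private_ip> <port>...
# Emits every line one 1:1 mapping needs, derived from a single pair of
# addresses so the DNAT target and the ACCEPT destination cannot drift apart.
gen_rules() {
    idx=$1; pub=$2; priv=$3; shift 3
    echo "/sbin/ifconfig ${WAN_IF}:${idx} ${pub} netmask ${WAN_MASK}"
    echo "/usr/sbin/iptables -t nat -I PREROUTING 2 -d ${pub} -j WANPREROUTING"
    for port in "$@"; do
        echo "/usr/sbin/iptables -t nat -A WANPREROUTING -p tcp -d ${pub} --dport ${port} -j DNAT --to-destination ${priv}:${port}"
        echo "/usr/sbin/iptables -I wanin -p tcp -m tcp -d ${priv} --dport ${port} -j ACCEPT"
    done
    # Outbound traffic from the host leaves with its own public IP (the half
    # of 1:1 NAT that the question's SNAT lines were doing).
    echo "/usr/sbin/iptables -t nat -I POSTROUTING 1 -s ${priv} -j SNAT --to-source ${pub}"
}

# check_rules [file]: reads rule lines (stdin if no file is given) and reports
# every ACCEPT destination that no DNAT rule ever targets; returns 1 if any.
# A DNAT to .100 paired with an ACCEPT for .101 leaves that forward dead.
check_rules() {
    awk '
      /-j DNAT/   { for (i = 1; i <= NF; i++) if ($i == "--to-destination") { split($(i+1), a, ":"); dnat[a[1]] = 1 } }
      /-j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "-d") acc[$(i+1)] = 1 }
      END {
        bad = 0
        for (ip in acc) if (!(ip in dnat)) { print "ACCEPT without matching DNAT: " ip; bad = 1 }
        exit bad
      }' "$@"
}

# Constructed example mapping (203.0.113.0/24 is documentation address space):
gen_rules 0 203.0.113.10 192.168.1.130 80 443 | check_rules
```

Paste the emitted lines into the Firewall script as the answer describes; run the generated set through check_rules (or any hand-written set, as in the question) before saving it.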

It's been a few years since I have done something with two IPs on the same subnet, on the same interface, but it was not easy. I can't remember the exact commands, but just adding another IP address will not work.

That said, why are you trying to make this extra complex? Plug a switch into the Modem/DSL box and give both your servers an external IP address. Then install a good firewall on each server.

Porch
  • I fully agree, but the client feels that's too risky, and he doesn't want to upgrade the Firewall. I think I'll just swap to a Pfsense install – Jacob Mar 06 '11 at 01:09
  • What's the goal? If you are doing 1to1 nat, aka with port forwarding every port to said box, then the firewall is doing nothing anyway. – Porch Mar 06 '11 at 06:27
  • Shorewall will do 1to1 nat. http://www.shorewall.net/NAT.htm – Porch Mar 06 '11 at 06:30