iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
Yeah, my R7800 has eth0 as the LAN and eth1 as the WAN.
My question is this:
Does your rule affect all LAN segments? I have created a new bridge group (br1) for guest access. My understanding is that by default br0 is already setup in the default rules and I only had to add a rule to enable NAT for the guest LAN, hence my rule:
Code:
iptables -t nat -A POSTROUTING -s y.y.y.y/24 -o eth1 -j SNAT --to-source $(nvram get wan_ipaddr)
I'm assuming the MASQUERADE operation is essentially hide NAT, which negates the need for SNAT. But don't I still need the -s source operator to specify the rule is for traffic coming from the guest subnet? _________________ Routing:.......Asus RT-AX88U (Asuswrt-Merlin 384.14) Switching:....Netgear GS608_V3 & GS605_V4, TrendNet TEG-S82G & TEG-S50G
Joined: 13 Aug 2013 Posts: 6870 Location: Romerike, Norway
Posted: Wed Apr 17, 2019 16:45 Post subject:
As long as you don't have any networks behind the router with public IP, you can just NAT everything out the WAN without any need to specify the source interface.
Some of these rules I've been using for years and I can't honestly remember how I arrived at using them other than knowing they still work.
So that rule does contain eth1, which is the LAN interface, and it still works. I just don't remember why I wrote it that way. Obviously, the SNAT is old. _________________ Routing:.......Asus RT-AX88U (Asuswrt-Merlin 384.14) Switching:....Netgear GS608_V3 & GS605_V4, TrendNet TEG-S82G & TEG-S50G
As long as you don't have any networks behind the router with public IP, you can just NAT everything out the WAN without any need to specify the source interface.
So just replace that rule altogether with the one you gave me?
Replace:
Code:
iptables -t nat -A POSTROUTING -s y.y.y.y/24 -o eth1 -j SNAT --to-source $(nvram get wan_ipaddr)
With:
Code:
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
Also, any ideas on restricting access to management GUI? _________________ Routing:.......Asus RT-AX88U (Asuswrt-Merlin 384.14) Switching:....Netgear GS608_V3 & GS605_V4, TrendNet TEG-S82G & TEG-S50G
# Allow any traffic from guest LAN not satisfying other rules to be forwarded
iptables -I FORWARD -i br1 -j ACCEPT
# Block traffic from being forwarded between private LAN and guest LAN
iptables -I FORWARD -i br0 -o br1 -j DROP
iptables -I FORWARD -i br1 -o br0 -j DROP
# Enable Internet and NAT for all LAN segments
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
Folks, I was initially happy enough with closed as the status for ports 135,139 and 445 but now like a child in a candy shop I want to see stealth too. I have a simple config on my R7800. One guest WiFi vlan with different DHCP scope to main Lan, and my hardwired devices are also on vlan with different scope using one of the routers Ethernet ports. I only have br0 though.
Can anyone please shed light why the code below does not work ie ports still seen as 'closed'
# Enable Internet and NAT for all LAN segments
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
Hopefully one of the experts can respond because honestly I don't see anything wrong. _________________ Routing:.......Asus RT-AX88U (Asuswrt-Merlin 384.14) Switching:....Netgear GS608_V3 & GS605_V4, TrendNet TEG-S82G & TEG-S50G
Thank you.. for your reply, I have now also added the following line to my firewall but again my ports are still seen as closed. Any thoughts on possible reasons would be really appreciated
