iptables on dd-wrt router connected to isp modem/router

Author Message
BranlonMardo
DD-WRT Novice
Joined: 19 Mar 2023
Posts: 3
PostPosted: Tue Mar 21, 2023 0:51    Post subject: iptables on dd-wrt router connected to isp modem/router
I followed this https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=261864 to get Tor running on a Netgear WNDR3700v2 with its WAN connected to the LAN port of the ISP modem/router. The modem/router is not in bridge mode, so the secondary (dd-wrt) router is assigned its WAN IP in 192.168.0.0/24.

Everything works fine. But now I'd like some devices in the secondary router's subnet 192.168.1.0/24 to connect without being routed through Tor. (Obviously a solution would be to connect these devices directly to the ISP modem/router, but that's just not available.)

The Tor iptables rules are:
iptables -t nat -I PREROUTING -i br0 -p udp -m iprange --src-range 192.168.1.99-192.168.1.254 --dport 53 -j DNAT --to 192.168.1.1:5300
iptables -t nat -I PREROUTING -i br0 -p tcp -m iprange --src-range 192.168.1.99-192.168.1.254 -j DNAT --to 192.168.1.1:9040

The devices I want to connect without Tor are assigned IPs in the 192.168.1.2-192.168.1.98 range.

The primary router/modem does not give the option of setting static routes as suggested in https://wiki.dd-wrt.com/wiki/index.php/Linking_Subnets_with_Static_Routes, so setting
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
on the secondary router does not work on its own. I can't ping 192.168.0.1 from pc1/2/3.

I also tested:
iptables -t nat -I PREROUTING -i br0 -p udp -m iprange --src-range 192.168.1.2-192.168.1.98 --dport 53 -j DNAT --to 192.168.0.1:53
iptables -t nat -I PREROUTING -i br0 -p tcp -m iprange --src-range 192.168.1.2-192.168.1.98 -j DNAT --to 192.168.0.1

but after running that I can't even connect to dd-wrt.

Don't have much experience with iptables and would appreciate some help.
egc
DD-WRT Guru
Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands
PostPosted: Tue Mar 21, 2023 7:38
Would not giving your clients, which you do not want to use Tor, a static lease of .98 or below do the trick?
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
BranlonMardo
DD-WRT Novice
Joined: 19 Mar 2023
Posts: 3
PostPosted: Wed Mar 22, 2023 0:01
It does not. The client won't connect if assigned 192.168.1.2, but if assigned 192.168.1.102 it will be routed through Tor.

In case someone suggests something to try: I am going to be away for some days, but I will try to get this working when I am back.
Wildlion
DD-WRT Guru
Joined: 24 May 2016
Posts: 1410
PostPosted: Thu Mar 23, 2023 0:36
So if I understand the problem correctly you want some ip addresses routed through tor but others to not be?

You may need to post your iptables rules. I am assuming that you did not change anything else (routes)?
Per Yngve Berg
DD-WRT Guru
Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway
PostPosted: Thu Mar 23, 2023 5:42
First, I would change the range so a CIDR notation can be used.
BranlonMardo
DD-WRT Novice
Joined: 19 Mar 2023
Posts: 3
PostPosted: Sun Apr 30, 2023 21:36
Got this working some time ago, sorry for late reply.
It turned out that I had several problems in my system that did not let me test the connection reliably. Apart from Tor Browser I use a single-process Firefox fork that very easily gets stuck, and when it does, no new page can be loaded. Due to running low on memory I was hesitant to launch a third browser, so until I did, this was driving me insane.
The reason I was only able to connect through Tor is that the torified device had a working browser 🤦

A secondary router in gateway mode connecting its WAN to the LAN of the primary/ISP router is a common use case and works as it should.


But I was also having another problem for which I needed to find a solution with iptables:
This rule:
Code:
iptables -t nat -I PREROUTING -i br0 -p ! tcp -m iprange --src-range 192.168.1.99-192.168.1.254 -j DROP

throws error:
Code:
iptables v1.8.5 (legacy): unknown protocol "!" specified
Try `iptables -h' or 'iptables --help' for more information.


Escaping ! does not help.

Perhaps I should have just updated iptables. But there is another way to prevent leaks, and not just UDP leaks but also startup leaks before the iptables rules are applied: running in router mode.

Code:
iptables -t nat -A POSTROUTING -o eth1 -m iprange --src-range 192.168.1.2-192.168.1.20 -j SNAT --to-source $(nvram get wan_ipaddr)


That's the rule I was looking for. I guess it's the difference between router and gateway modes.
egc
DD-WRT Guru
Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands
PostPosted: Mon May 01, 2023 9:56
Your rule:
Quote:
iptables -t nat -I PREROUTING -i br0 -p ! tcp -m iprange --src-range 192.168.1.99-192.168.1.254 -j DROP

throws an error because the negation is wrong.

It should be *before* what you want to negate and yes that is new e.g.:
iptables -t nat -I PREROUTING -i br0 ! -p tcp -m iprange --src-range 192.168.1.99-192.168.1.254 -j DROP

It still will not work because DROP is not allowed in the nat table, but at least it will say so, because the rule in itself is OK.

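The rules scattered across this thread (the Tor DNAT rules in the first post, the bypass SNAT in BranlonMardo's last post, and the non-TCP DROP with egc's two corrections applied: the negation goes before -p, and DROP belongs in the filter table, not nat), collected into one dd-wrt firewall script. This is an added example, not code from the original posts. It assumes br0 is the LAN bridge, eth1 is the WAN interface, Tor listens on the router at DNSPort 5300 and TransPort 9040, and the split between Tor and bypass clients is at .98/.99 as in the thread; the client_path helper is also an addition, for checking which side of that split a static lease lands on.

```shell
#!/bin/sh
# Added example (not from the thread): split one dd-wrt LAN into a Tor-routed
# range and a bypass range. Assumptions, none of them stated on the page:
# br0 = LAN bridge, eth1 = WAN, Tor DNSPort 5300 / TransPort 9040 on the router.
# Run as "sh tor-split.sh dry-run" to print the rules instead of loading them.

IPT="${IPT:-iptables}"
LAN_IF="br0"
WAN_IF="eth1"
ROUTER_IP="192.168.1.1"
TOR_DNS_PORT=5300
TOR_TRANS_PORT=9040
TOR_RANGE="192.168.1.99-192.168.1.254"
BYPASS_RANGE="192.168.1.2-192.168.1.98"
# On the router this comes from nvram; allow an override for dry runs off-box.
WAN_IP="${WAN_IP:-$(nvram get wan_ipaddr 2>/dev/null)}"

ip2int() {
    # Dotted quad to integer so plain sh can compare addresses.
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_range() {
    # in_range IP LOW-HIGH: succeeds if LOW <= IP <= HIGH (same format as --src-range).
    _ip=$(ip2int "$1")
    _lo=$(ip2int "${2%-*}")
    _hi=$(ip2int "${2#*-}")
    [ "$_ip" -ge "$_lo" ] && [ "$_ip" -le "$_hi" ]
}

client_path() {
    # Which way a client with this address goes: tor, bypass or none.
    # Worth checking before handing out a static lease (.2 is bypass, .102 is Tor).
    if in_range "$1" "$TOR_RANGE"; then
        echo tor
    elif in_range "$1" "$BYPASS_RANGE"; then
        echo bypass
    else
        echo none
    fi
}

tor_split_rules() {
    # nat/PREROUTING: Tor-range clients get DNS and all TCP redirected into Tor.
    # If the split were moved to .128, "-s 192.168.1.128/25" could replace the
    # iprange match, as suggested in the thread.
    "$IPT" -t nat -I PREROUTING -i "$LAN_IF" -p udp -m iprange --src-range "$TOR_RANGE" \
        --dport 53 -j DNAT --to "$ROUTER_IP:$TOR_DNS_PORT"
    "$IPT" -t nat -I PREROUTING -i "$LAN_IF" -p tcp -m iprange --src-range "$TOR_RANGE" \
        -j DNAT --to "$ROUTER_IP:$TOR_TRANS_PORT"
    # filter/FORWARD: anything from the Tor range that is not TCP (UDP, ICMP) is
    # not caught by the DNAT above and would be forwarded to the WAN in the clear.
    # DROP is a filter-table target, and "!" goes before the option it negates.
    "$IPT" -I FORWARD -i "$LAN_IF" ! -p tcp -m iprange --src-range "$TOR_RANGE" -j DROP
    # nat/POSTROUTING: bypass clients are source-NATed to the WAN address so they
    # reach the ISP router directly. Needed in router mode, where dd-wrt does not
    # NAT on its own; gateway mode masquerades everything anyway.
    "$IPT" -t nat -I POSTROUTING -o "$WAN_IF" -m iprange --src-range "$BYPASS_RANGE" \
        -j SNAT --to-source "$WAN_IP"
}

case "${1:-}" in
    apply)   tor_split_rules ;;
    dry-run) IPT=echo; tor_split_rules ;;
    check)   client_path "${2:?usage: check IP}" ;;
esac
```

Paste the rule-loading part into the dd-wrt firewall script (Administration > Commands) once the dry-run output looks right; "sh tor-split.sh check 192.168.1.102" answers the "static lease of .98 or below" question for any address before you commit to it.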