I've been reading (uh, oh) about iptables and I was wondering if the following would be a better or more generic way to set up the rule:
iptables -t nat -I POSTROUTING -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -o $(get_wanface) -j SNAT --to-source $(nvram get wan_ipaddr)
I read that SNAT is faster than MASQUERADE and that SNAT should be fine for those of us with a public (WAN side) static IP. What do you guys/gals think? My configuration idea works. I don't think there are any security issues, but I'm not an iptables expert.
Using nvram variables is most advantageous for tech support when we're providing advice, since it applies more generally. But if you *know* what these values are, then at least in terms of performance, using fixed, known values is going to be more efficient. After all, those nvram variables have to be looked up continuously.
OTOH, it probably doesn't matter all that much in this particular case anyway. Many ppl don't realize that unlike the filter table, the NAT table is only referenced *once* for a given connection, so the *hit* taken for these continuous lookups isn't nearly as bad as it might first appear.
You're probably right that the rule would operate faster if the actual numbers were used. The only drawback would be if at some point you were assigned a new WAN IP and/or changed the openvpn network and have to remember to update the firewall rule. I suppose a firmware update might change the way it labels the outgoing port also. I'll leave it as is for now. If anything, I learned something about iptables.
Posted: Tue Feb 23, 2021 2:46
Please think a bit more on that notion of the nvram commands being rerun continually. It really isn't so. iptables is an ordinary Linux command executed in the usual shell. Its arguments are subject to the usual shell expansions. Experiment: put "echo" in front of iptables and run the slightly longer command on the router using ssh. Then you can see what the iptables command will actually see as arguments once the shell is finished with its expansions.
Of course maybe I misread something horribly!
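The "put echo in front of it" experiment from the post above, written out as a small script. This is an added example, not code from the thread or from DD-WRT: the nvram and get_wanface functions are stand-ins that return constructed values (10.8.0.0/255.255.255.0 for the tunnel, vlan2 for the WAN interface and the RFC 5737 documentation address 203.0.113.5 as the WAN IP) so it runs on any machine; on the router you would drop those two stand-ins and let the real commands answer. It shows that every $(nvram get ...) is resolved exactly once, when the shell expands the command line, that iptables only ever receives literal addresses, and what the MASQUERADE form of the same rule looks like beside the SNAT form. The require helper is an assumption of mine, added because an empty nvram value would silently shift the remaining arguments.

```shell
#!/bin/sh
# Added example: shows what iptables actually receives once the shell has
# expanded the $(nvram get ...) substitutions in the rule from the thread.

# Stand-ins for the router commands (constructed values, assumption: on a
# DD-WRT box delete these two functions and the real nvram/get_wanface are used).
nvram() {
    case "$2" in
        openvpn_net)     echo "10.8.0.0" ;;
        openvpn_tunmask) echo "255.255.255.0" ;;
        wan_ipaddr)      echo "203.0.113.5" ;;   # RFC 5737 documentation address
        *)               echo "" ;;
    esac
}
get_wanface() { echo "vlan2"; }

# SNAT form: the source address is baked into the rule at insert time.
# The values are looked up here, once; the kernel never sees the variable names.
snat_rule() {
    src="$1/$2"; out="$3"; wan="$4"
    echo "iptables -t nat -I POSTROUTING -s $src -o $out -j SNAT --to-source $wan"
}

# MASQUERADE form: no address in the rule, the kernel reads the outgoing
# interface's current address for each new connection (survives a WAN IP change).
masq_rule() {
    src="$1/$2"; out="$3"
    echo "iptables -t nat -I POSTROUTING -s $src -o $out -j MASQUERADE"
}

# Refuse to build a rule from an empty value: with wan_ipaddr unset,
# "--to-source" would be followed by nothing and iptables rejects the rule,
# and an empty openvpn_net would make "-s /255.255.255.0" match nonsense.
require() {
    [ -n "$2" ] || { echo "missing value for $1" >&2; return 1; }
}

# Dry run: resolve the values as the shell would, validate them, and echo the
# two rules instead of executing them. Remove the "echo" in snat_rule/masq_rule
# (or pipe this output to sh) to apply them for real.
dry_run() {
    net=$(nvram get openvpn_net)
    mask=$(nvram get openvpn_tunmask)
    iface=$(get_wanface)
    wan=$(nvram get wan_ipaddr)
    require openvpn_net "$net" && require openvpn_tunmask "$mask" \
        && require wanface "$iface" && require wan_ipaddr "$wan" || return 1
    snat_rule "$net" "$mask" "$iface" "$wan"
    masq_rule "$net" "$mask" "$iface"
}

dry_run
```

Two things worth checking on the router after inserting either rule: `-I` prepends, so the SNAT rule sits above the firmware's own POSTROUTING entries and wins for matching packets, which you can confirm with `iptables -t nat -S POSTROUTING`; and because the nat table is consulted only for the first packet of a connection and the verdict is then carried by conntrack, a rule change does not affect connections that are already established.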