Posted: Wed Apr 07, 2021 13:05 Post subject: IPtables for second IP on br0
Hi,
For my system to work correctly and manage the intermingling and crossing devices I had to add a secondary IP on a different subnet to my bridge br0.
I use
Code:
ip addr add 192.168.20.1/24 broadcast 192.168.20.255 dev br0
Then, to give it internet access and to enable port forwarding on this device with this second IP subnet, whose WAN IP is 192.168.2.2 and WAN gateway is 192.168.2.1, I use
Now everything works like I want it to, but I am not knowledgeable about iptables and its chains, so I wanted to ask: do these rules by any chance open my firewall completely?
Or am I as safe as I was before?
Edit: just noticed my static routes entered in Advanced Routing stop working after these commands.
What can I do to retain them?
Regards
Given that the WAN IP of the dd-wrt router is a private IP, I assume this is a double NAT situation, w/ your primary router upstream of the dd-wrt router. Assuming that's the case, it seems to me the following is sufficient.
Code:
# startup script
ip addr add 192.168.20.1/24 broadcast 192.168.20.255 dev br0
Code:
# firewall script
iptables -t nat -I POSTROUTING -o $(nvram get wan_iface) -j SNAT --to $(nvram get wan_ipaddr)
Note, I purposely used variables because I don't know how accurate your explicit use of network interfaces and IP addresses may be. You provided scant details about this configuration. So my rules are designed to work regardless of how the dd-wrt router is configured. But if you wish to use hardcoded values, that's fine too. Just be sure they're right!
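The original question was whether the added rules "open the firewall completely". The way to answer that on any Linux router is to dump the ruleset with `iptables-save` before and after the change and compare: a rule that only touches the nat table's POSTROUTING chain (like the SNAT rule in the reply) rewrites source addresses on the way out and never ACCEPTs anything inbound, whereas a change that adds an unconditional ACCEPT to filter INPUT or FORWARD on the WAN interface, or relaxes a DROP policy, does widen exposure. The script below is an added example, not code from either poster or from DD-WRT: it parses two constructed `iptables-save` dumps (a minimal default-deny ruleset, and the same ruleset after the SNAT rule is inserted, with the nvram variables assumed to resolve to `eth1` and `192.168.2.2`) and reports what was added and whether the filter table got any wider. A third constructed dump shows what a genuinely widening change looks like.

```python
"""Diff two iptables-save dumps and report whether the change widens the
filter table. Added example for the thread above; the dumps are constructed
and the interface/address values (eth1, 192.168.2.2) are assumptions."""
from collections import defaultdict

# Constructed "before" dump: default-deny INPUT/FORWARD, conntrack-based
# return traffic, LAN (br0) -> WAN (eth1) forwarding, plain MASQUERADE.
BEFORE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth1 -j ACCEPT
COMMIT
"""

# Constructed "after" dump: the reply's `-I POSTROUTING ... -j SNAT --to ...`
# as iptables-save prints it (inserted ahead of MASQUERADE, `--to-source`).
AFTER = BEFORE.replace(
    "-A POSTROUTING -o eth1 -j MASQUERADE",
    "-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.2.2\n"
    "-A POSTROUTING -o eth1 -j MASQUERADE",
)

# Constructed counter-example: an unconditional ACCEPT from the WAN side.
WIDENED = BEFORE.replace(
    "-A INPUT -i br0 -j ACCEPT",
    "-A INPUT -i br0 -j ACCEPT\n-A INPUT -i eth1 -j ACCEPT",
)


def parse_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):               # chain header with policy
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):             # a rule appended to a chain
            tables[table]["rules"].append(line)
    return tables


def added_rules(before_text, after_text):
    """Rules present in `after` but not in `before`, keyed by table."""
    before, after = parse_save(before_text), parse_save(after_text)
    added = defaultdict(list)
    for table, data in after.items():
        old = set(before.get(table, {"rules": []})["rules"])
        added[table].extend(r for r in data["rules"] if r not in old)
    return {t: r for t, r in added.items() if r}


def policies_changed(before_text, after_text):
    """Tables whose chain policies differ between the two dumps."""
    before, after = parse_save(before_text), parse_save(after_text)
    return {t: after[t]["policies"] for t in after
            if after[t]["policies"] != before.get(t, {}).get("policies")}


def widens_filter(before_text, after_text, wan_iface):
    """True if the change relaxes a policy or adds an ACCEPT in filter
    INPUT/FORWARD that matches traffic arriving on `wan_iface` without a
    conntrack state match. A nat-table-only change returns False."""
    if policies_changed(before_text, after_text):
        return True
    for rule in added_rules(before_text, after_text).get("filter", []):
        tokens = rule.split()
        if tokens[1] not in ("INPUT", "FORWARD") or "ACCEPT" not in tokens:
            continue
        wan_in = "-i" in tokens and tokens[tokens.index("-i") + 1] == wan_iface
        stateful = "--state" in tokens or "--ctstate" in tokens
        if wan_in and not stateful:
            return True
    return False


if __name__ == "__main__":
    for table, rules in added_rules(BEFORE, AFTER).items():
        print(f"added in {table}: {rules}")
    print("SNAT change widens filter:", widens_filter(BEFORE, AFTER, "eth1"))
    print("WIDENED dump widens filter:", widens_filter(BEFORE, WIDENED, "eth1"))
```

On a real router the two dumps come from running `iptables-save` (as root) before and after the firewall script, and `wan_iface` would be whatever `nvram get wan_iface` returns; the check is deliberately conservative, so an ACCEPT without an `-i` match in INPUT or FORWARD should be reviewed by hand as well.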