Posted: Tue Mar 21, 2023 0:51 Post subject: iptables on dd-wrt router connected to isp modem/router
I followed this https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=261864 to get Tor running on a Netgear WNDR3700v2 with its WAN connected to the LAN port of the ISP modem/router. The modem/router is not in bridge mode, so the secondary (dd-wrt) router is assigned its WAN IP in 192.168.0.0/24.
Everything works fine. But now I'd like some devices in the secondary router subnet 192.168.1.0/24 to connect without being routed through Tor. (Obviously a solution would be to connect these devices directly to isp modem/router but that's just not available).
The devices I want to connect without Tor are assigned ips in the 192.168.1.2-192.168.1.98 range.
The primary router/modem does not give the option of setting static routes as suggested in https://wiki.dd-wrt.com/wiki/index.php/Linking_Subnets_with_Static_Routes
So, setting
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
on the secondary router does not work on its own. I can't ping 192.168.0.1 from pc1/2/3.
Got this working some time ago, sorry for late reply.
It turned out that I had several problems in my system that did not let me test the connection reliably. Apart from Tor Browser I use a single-process firefox fork that very easily gets stuck and when it does no new page can be loaded. Due to running low on memory I was hesitant to launch a 3rd browser, so until I did this was driving me insane.
The reason I was only able to connect through tor is that the torified device had a working browser 🤦
Secondary router in gateway mode connecting wan to the lan of the primary/isp router is a common use case and works as it should.
But I was also having another problem for which I needed to find a solution with iptables:
This rule:
iptables v1.8.5 (legacy): unknown protocol "!" specified
Try `iptables -h' or 'iptables --help' for more information.
Escaping ! does not help.
Perhaps I should have just updated iptables. But there is another way to prevent leaks, and not just UDP leaks but also startup leaks before iptables rules are applied: running in router mode.
Code:
iptables -t nat -A POSTROUTING -o eth1 -m iprange --src-range 192.168.1.2-192.168.1.20 -j SNAT --to-source $(nvram get wan_ipaddr)
That's the rule I was looking for. I guess it's the difference between router and gateway modes.
It should be *before* what you want to negate and yes that is new e.g.:
iptables -t nat -I PREROUTING -i br0 ! -p tcp -m iprange --src-range 192.168.1.99-192.168.1.254 -j DROP
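The two rules the thread converges on (the SNAT bypass for the non-Tor range, and the "drop everything that is not TCP" rule for the torified range with the negation placed before `-p`) fit naturally into one dd-wrt firewall script. The following is an added example, not code from the thread or from the dd-wrt project: it assumes the WAN interface is eth1 and the LAN bridge is br0 as in the posts above, takes the address ranges from the original question, and adds two things the posts do not show, an idempotent insert (so re-running the script on boot does not stack duplicate rules) and a `DRY_RUN=1` mode that prints the exact iptables command lines without needing root or a router.

```shell
#!/bin/sh
# Added example for the dd-wrt secondary-router setup discussed in the thread.
# Assumptions (not from the thread): WAN is eth1, LAN bridge is br0, the WAN
# address comes from `nvram get wan_ipaddr` unless WAN_IP is set by the caller.
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-br0}"
BYPASS_RANGE="192.168.1.2-192.168.1.98"    # clients that must NOT go through Tor
TOR_RANGE="192.168.1.99-192.168.1.254"     # torified clients

# Resolve the router's WAN address. WAN_IP overrides nvram so the script can be
# exercised off-router; a placeholder is returned if neither source is available.
wan_ip() {
  if [ -n "${WAN_IP:-}" ]; then
    echo "$WAN_IP"
  elif command -v nvram >/dev/null 2>&1; then
    nvram get wan_ipaddr
  else
    echo "0.0.0.0"   # placeholder: no WAN address known
  fi
}

# Run iptables, or just print the command line when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables $*"
    return 0
  fi
  iptables "$@"
}

# Insert a rule at the top of a chain only if it is not already there.
# $1 = table, $2 = chain, remaining arguments = match and target spec.
add_rule() {
  table=$1; chain=$2; shift 2
  if [ "${DRY_RUN:-0}" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0   # rule already present, nothing to do
  fi
  run -t "$table" -I "$chain" "$@"
}

# Non-Tor clients: plain NAT out of the WAN toward the ISP router, as in the
# thread's POSTROUTING rule.
bypass_rule() {
  add_rule nat POSTROUTING -o "$WAN_IF" -m iprange --src-range "$BYPASS_RANGE" \
    -j SNAT --to-source "$(wan_ip)"
}

# Torified clients: drop anything that is not TCP before it can leave.
# Note the argument order: with iptables 1.8.x the negation is written
# "! -p tcp" (before the option); "-p ! tcp" is the old form and is rejected
# with the 'unknown protocol "!"' error quoted in the thread.
tor_leak_rule() {
  add_rule nat PREROUTING -i "$LAN_IF" ! -p tcp -m iprange --src-range "$TOR_RANGE" -j DROP
}

apply_all() {
  bypass_rule
  tor_leak_rule
}

# Only apply when explicitly asked, so sourcing the file for inspection is safe.
if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```

Preview the generated rules with `DRY_RUN=1 WAN_IP=192.168.0.10 sh firewall.sh apply` before saving the script as the firewall script on the router; on the router itself, `sh firewall.sh apply` inserts both rules. Because `-I` puts the DROP at the head of nat PREROUTING, check with `iptables -t nat -L PREROUTING -n --line-numbers` that it does not land ahead of a UDP port 53 REDIRECT that the Tor setup may rely on for torified clients' DNS; if it does, that redirect needs to come first.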