
Is this safe?/Does it work?


Silver_Pharaoh

Likes the big ones n00b Member
Joined
Sep 7, 2013
I'm running this in my DD-WRT router's firewall startup:
Code:
#!/bin/sh
# Transparent proxy redirect: all TCP/80 traffic arriving from the LAN (br0) is sent
# to the proxy, except the Wikia addresses listed below, which go straight through.
PROXY_IP=192.168.1.3
PROXY_PORT=80
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`

# Wikia bypass: a DNAT to the packet's own destination rewrites nothing, but DNAT is a
# terminating target, so these hosts never reach the redirect rule further down.
iptables -t nat -A PREROUTING -i br0 -d 104.156.81.194 -p tcp --dport 80 -j DNAT --to 104.156.81.194
iptables -t nat -A PREROUTING -i br0 -d 104.156.85.194 -p tcp --dport 80 -j DNAT --to 104.156.85.194
iptables -t nat -A PREROUTING -i br0 -d 23.235.33.194 -p tcp --dport 80 -j DNAT --to 23.235.33.194
iptables -t nat -A PREROUTING -i br0 -d 23.235.37.194 -p tcp --dport 80 -j DNAT --to 23.235.37.194
# LAN-to-LAN web traffic is not proxied.
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# Everything else on port 80, except what the proxy itself sends out, is redirected to the
# proxy. "! -s" is the current negation syntax; "-s !" is the deprecated spelling.
iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# Rewrite the source to the router's address so the proxy's replies come back via the router.
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
# Let the redirected LAN-to-proxy connections through the filter table.
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT

The above forwards all port 80 traffic destined to Wikia.com to Wikia.com and everything else to my proxy server at 192.168.1.3.
The reason I need to bypass the proxy for Wikia pages is there is a bug in Wingate 7 related to colons : in the web URL. It will deny access to that site because Wingate thinks you are trying to access a drive letter...

So will running the above script open up any security vulnerabilities?
I made the PREROUTING rules for the IP addresses, but I didn't do SNAT back. Is that an issue?
Will the above script do as I want it to? Bypass the proxy for Wikia pages and send everything else to the proxy server?

I'm not too advanced with iptables, so that's why I'm asking ;)
Thanks!
 
I don't see any policies or NAT being set there. You will want to make sure you are setting policies properly (e.g. default deny; look at iptables -P).

Instead of this:
iptables -t nat -A PREROUTING -i br0 -d 104.156.81.194 -p tcp --dport 80 -j DNAT --to 104.156.81.194

Do this:
iptables -t nat -A PREROUTING -i br0 -d 104.156.81.194 -p tcp --dport 80 -j ACCEPT

In iptables, by accepting it in the nat/PREROUTING chain, it will skip the other rules in there (including the redirect later on).
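To see why the reply's ordering matters, here is a small first-match model of the nat/PREROUTING chain from this thread. It is an added illustration, not code from the thread or from iptables; the proxy, LAN and Wikia addresses are taken from the script above, the other test addresses are constructed, and every packet is assumed to be TCP port 80 arriving on br0.

```python
import ipaddress

# Values from the thread's script; the LAN range is assumed to be 192.168.1.0/24.
PROXY_IP, PROXY_PORT = "192.168.1.3", 80
LAN_NET = "192.168.1.0/24"
WIKIA_IPS = ["104.156.81.194", "104.156.85.194", "23.235.33.194", "23.235.37.194"]

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def rule(target, dst=None, src=None, not_src=None, to=None):
    """One nat/PREROUTING rule (-i br0 -p tcp --dport 80 is implied for all of them)."""
    return {"target": target, "dst": dst, "src": src, "not_src": not_src, "to": to}

def matches(r, pkt):
    if r["dst"] is not None and not in_net(pkt["dst"], r["dst"]):
        return False
    if r["src"] is not None and not in_net(pkt["src"], r["src"]):
        return False
    if r["not_src"] is not None and pkt["src"] == r["not_src"]:   # "! -s PROXY_IP"
        return False
    return True

def prerouting(chain, pkt):
    """First match wins: ACCEPT and DNAT both end traversal of the chain;
    a packet matching nothing falls through with its destination unchanged."""
    for r in chain:
        if matches(r, pkt):
            if r["target"] == "DNAT":
                return r["to"]
            return (pkt["dst"], 80)          # ACCEPT: destination left alone
    return (pkt["dst"], 80)

# Chain as the reply suggests: bypass hosts first, LAN-to-LAN next, redirect last.
CORRECTED = [rule("ACCEPT", dst=ip) for ip in WIKIA_IPS] + [
    rule("ACCEPT", src=LAN_NET, dst=LAN_NET),
    rule("DNAT", not_src=PROXY_IP, to=(PROXY_IP, PROXY_PORT)),
]
# Same rules with the redirect appended first: the bypass rules can never fire.
MISORDERED = CORRECTED[-1:] + CORRECTED[:-1]

def where_does_it_go(chain, src, dst):
    """Final (address, port) a port-80 packet from src to dst is delivered to."""
    return prerouting(chain, {"src": src, "dst": dst})
```

Running where_does_it_go over the two chains shows the Wikia address passing through untouched only in CORRECTED, and the "! -s" exclusion keeping the proxy's own outbound requests from being redirected back to itself.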
 
Thanks!
Yeah, it seems the default policy is accept in DD-WRT... Honestly, right now it doesn't matter too much since this router is behind 2 other NAT routers. (For some reason, in this build of DD-WRT, client mode acts as NAT and there's no way around it, which puts a damper on having the other network see my computer for file sharing..)

About the NAT being set up: honestly, those rules were a copy/paste from the DD-WRT forums, from a thread explaining how to forward all traffic to another IP. So I guess that person never set up NAT correctly. I don't know, but from what I'm seeing those rules do work :shrug:

Interestingly, I only see
Code:
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
in the iptables rules list (iptables -L)... Maybe the other rules don't actually affect anything, since they aren't listed with iptables -L?
 
iptables is split into "tables" and "chains". The "-t nat" changes the table from the default (filter). Chains are things like PREROUTING, POSTROUTING, and FORWARD.

To see the other tables, add the "-t nat", e.g. "iptables -vnL -t nat". You should be able to see other rules to set up the NAT/masquerade in there.

By the looks of it, you are dealing with two interfaces here, one is your "external" or "internet" interface (not referenced in any of your rules), and the other is all other internal switch ports (br0).
 

AFAIK I do not have a bridge set up. It's acting as a router and client at the same time, hooking up to the main Wi-Fi and passing the internet access along to other LAN clients...

The -i br0 flags are most likely from the rules I copied and pasted from here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=638811&sid=e0a49434ef8e3c306366e35c4c95296d The iptables script I copied is in post #10.

Copying someone else's firewall rules isn't the best option but I don't know iptables enough to create the rules myself :(