Hi,
I recently switched our firewall at work from pfsense to tomato (various reasons). So far I have everything up and running and it all seems to behave well.
Now, we use bt infinity and we have 5 static IP's which route to us. BT have a slight weirdness in that when the WAN connection is made, they give out a dynamic IP address.
We run the "snom one" pbx software as our phone system, I have successfully set up port forwards to allow my home (static ip address) access to the PBX and vice versa, all works peachy.
Now, in the administration/scripts/firewall tab I have something like:
/usr/sbin/ip addr add 1.2.3.4/29 dev vlan1
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 10.5.0.2 -j SNAT --to 1.2.3.4
/usr/sbin/iptables -t nat -I PREROUTING -d 1.2.3.4 -j DNAT --to-destination 10.5.0.2
This does a NAT 1:1 mapping so that packets originating from the 10.5.0.2 machine on the local network leave with the external static IP address and vice versa.
Now, in the main port forward screen in tomato, I can set up port forwards which work correctly as long as I don't change the internal port, as soon as I change the internal port, the forwards don't work.
What I'm trying to do, is redirect say port 5678 on the external static IP to internal port 80. This doesn't work for whatever reason in the port forward interface, so I thought I'd try my hand at doing it in the firmwall script, but again, I can't get it to work.
I'm not a expert on Tomato or iptables!
/usr/sbin/ip addr add 1.2.3.4/29 dev vlan1
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 10.5.0.2 -j SNAT --to 1.2.3.4
/usr/sbin/iptables -I FORWARD -p tcp -s my.external.ip -d 10.5.0.2 --sport 8000 --dport 80 -j ACCEPT
/usr/sbin/iptables -t nat -I PREROUTING -d 1.2.3.4 -j DNAT --to-destination 10.5.0.2
Obviously my.external.ip is the static IP address that my home internet connection is on, I only want this port to be accessible from my home connection.
Any thoughts on why I can't get this to work?
Thanks.
Adrian
Previous Topic
Index