03-14-2011 #1 (Just Joined!, Join Date: Mar 2011, Posts: 3)
iptables and one-to-one NAT help needed
Dear Community,
I need some help from someone who knows about configuring one-to-one NAT using the iptables command.
I'm in the process of setting up a wireless hotspot to grant internet access to our private network. I'm using DD-WRT and nocatsplash.
I'm running a web server on my private LAN that is only accessible from the public side on port 80, where I will serve out landing pages including login.
The problem I'm having is that I cannot identify users' IP addresses on my web server so I can grant them access. (I was planning to use the HTTP server's client IP address and do an ARP lookup to find the MAC address.)
Since my DD-WRT box is acting as router, the web server sees all clients' IP addresses as the IP of the router.
To solve this I've set up NAT using the following command:
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 192.168.7.75 -j SNAT --to 192.168.7.75
(I do the above for all of the IPs in the 192.168.7.x public range.) Now, when a client connects, the web server can identify them. So far so good.
The only problem is that when I run the above iptables command, nocatsplash stops working. (I'm using nocatsplash/splashd as the captive portal solution; it redirects users to my web server if they access any URL and are not authenticated.)
I suspect that nocatsplash uses iptables internally, so when running the above command it conflicts.
Can anyone help shed some light on this or possibly help diagnose where the problem may be?
I can run any commands if you need to list the tables as they are before and after running the commands.
Any help would be much appreciated!
03-15-2011 #2 (Linux Newbie, Join Date: Dec 2010, Posts: 146)
You don't need a web server to set up NAT.
All you need is iptables; however, I only know how to get it done on wired networks.
03-15-2011 #3 (Just Joined!, Join Date: Mar 2011, Posts: 3)
Hi. I am aware that I don't need a web server to set up NAT, as these are completely unrelated. They are, however, both part of my system.
I have NAT working; it's just an issue with nocatsplash that I need help with.
Ideally, if someone understands how to read the NAT table listing, they could possibly tell me what's going wrong.
Dan
03-17-2011 #4
03-17-2011 #5 (Just Joined!, Join Date: Mar 2011, Posts: 3)
Hi, thanks for your reply. This is an unusual setup, so I'll try and explain in more detail.
I see what you're saying about the command being useless; however, when I run it, the originating address is then transmitted to the destination network.
Essentially my linux box sits between two networks as a router,
Network 1
192.168.1.x
Network 2
192.168.7.x
Router's IPs
192.168.1.109 and 192.168.7.1
In network 1 there is a web server listening.
In network 2 there is a client PC with a browser and it has an IP of 192.168.7.75.
Before running the iptables command, the web server in network 1 sees the incoming client IP as 192.168.1.109; after running the command it sees it as 192.168.7.75 (the actual originating address from the other network).
Hope this explains it more clearly?
Kind Regards,
Dan
03-17-2011 #6
This is not an unusual setup. It is more common than you think, unless you are injecting something unusual into it.
[LAN1] <==> [ROUTER] <==> [LAN2]
The router knows both networks, so as long as you have the default GW set up to point to the router, there shouldn't be any need for NAT'ing.
> Before running the iptables command the web server in network 1 sees the incoming client IP as 192.168.1.109, after running the command it sees it as 192.168.7.75 (actual originating address from the other network).
If this is in fact true, then you must be doing NAT'ing somewhere.
With your simple setup and not needing to access the internet, there is no reason for iptables to be running. You should be able to turn it off, and then your server will see the correct IP address.
If you post your complete firewall rules I could look and see where your problem is. If you have not done it already, dump your rules into a file with iptables-save > <file>. Then paste the contents of this file between code markers (this is done using the '#' in the tool bar on the reply page), which helps keep the format.
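The two posts above disagree about whether a rule that rewrites 192.168.7.75 to 192.168.7.75 can do anything. The resolution is in how the nat table is evaluated: only the first packet of a connection walks the POSTROUTING chain, and the first matching rule with a NAT target (SNAT, MASQUERADE, ...) decides the mapping for the whole connection, so later rules are never consulted. A "no-op" SNAT inserted at position 1 therefore shadows a MASQUERADE rule further down, which is exactly the symptom in post #5. The script below is an added example written for this thread, not code from the original poster, DD-WRT or nocatsplash. It parses a constructed iptables-save excerpt (the DD-WRT-style MASQUERADE on the WAN interface and the interface names vlan1/br0 are assumptions; the web server address 192.168.1.20 is invented), simulates first-match evaluation for one client packet, and flags SNAT rules that rewrite a host to itself. It is the kind of check worth running on the real iptables-save output that post #6 asks for.

```python
"""Walk an iptables nat POSTROUTING chain the way netfilter does (first
terminating match wins) and report which source address the server will log."""
import ipaddress
import shlex

# Constructed iptables-save excerpt, not copied from the thread. It assumes a
# DD-WRT-style default MASQUERADE on the WAN interface (named vlan1 here, an
# assumption) with the thread's SNAT rule inserted in front of it, as the
# original poster did with "-I POSTROUTING 1".
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.7.75/32 -j SNAT --to-source 192.168.7.75
-A POSTROUTING -o vlan1 -j MASQUERADE
COMMIT
"""

# Router addresses per interface, from the thread (192.168.1.109 faces the
# web server, 192.168.7.1 faces the clients); the interface names are assumed.
IFACE_ADDRS = {"vlan1": "192.168.1.109", "br0": "192.168.7.1"}

# nat-table targets that end chain traversal for a connection's first packet.
TERMINATING = {"SNAT", "DNAT", "MASQUERADE", "REDIRECT", "ACCEPT", "RETURN"}


def parse_chain(save_text, table="nat", chain="POSTROUTING"):
    """Return the rules of one chain, in order, from iptables-save output."""
    rules, in_table = [], False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_table = line[1:] == table
            continue
        if not in_table or not line.startswith("-A " + chain + " "):
            continue
        toks = shlex.split(line)[2:]  # drop "-A CHAIN"
        rule = {"raw": line, "src": None, "dst": None, "out": None,
                "proto": None, "target": None, "to": None}
        i = 0
        while i < len(toks):
            tok = toks[i]
            if tok in ("-s", "--source"):
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            elif tok in ("-d", "--destination"):
                rule["dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
            elif tok in ("-o", "--out-interface"):
                rule["out"] = toks[i + 1]
            elif tok in ("-p", "--protocol"):
                rule["proto"] = toks[i + 1]
            elif tok in ("-j", "--jump"):
                rule["target"] = toks[i + 1]
            elif tok in ("--to-source", "--to", "--to-destination"):
                rule["to"] = toks[i + 1]
            else:
                i += 1  # match extensions (-m, --dport, ...) are not modelled
                continue
            i += 2
        rules.append(rule)
    return rules


def rule_matches(rule, pkt):
    """Check the basic selectors of a rule against a packet dict.
    Unmodelled match extensions are ignored, so a hit here is an upper bound."""
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["out"] and rule["out"] != pkt["out"]:
        return False
    if rule["proto"] and rule["proto"] not in ("all", pkt["proto"]):
        return False
    return True


def source_after_postrouting(rules, pkt, iface_addrs):
    """Return (source the destination sees, index of the deciding rule or None).
    Only a connection's first packet traverses nat; conntrack replays the
    chosen mapping for the rest, so the first terminating match wins."""
    for idx, rule in enumerate(rules):
        if not rule_matches(rule, pkt) or rule["target"] not in TERMINATING:
            continue
        if rule["target"] == "SNAT":
            # --to-source may carry a range and a port: keep the first address
            return rule["to"].split("-")[0].split(":")[0], idx
        if rule["target"] == "MASQUERADE":
            return iface_addrs[pkt["out"]], idx
        return pkt["src"], idx  # ACCEPT / RETURN: source left alone
    return pkt["src"], None


def noop_snat_rules(rules):
    """Indices of SNAT rules that map a single host to itself. They rewrite
    nothing, but they still terminate, so they shadow every later rule."""
    found = []
    for idx, r in enumerate(rules):
        if r["target"] == "SNAT" and r["src"] and r["src"].prefixlen == 32:
            if str(r["src"].network_address) == r["to"].split("-")[0].split(":")[0]:
                found.append(idx)
    return found


def demo(save_text=SAMPLE_SAVE):
    """Compare what the web server sees with and without the no-op SNAT."""
    rules = parse_chain(save_text)
    # Client from the thread talking to an assumed web server on LAN1.
    pkt = {"src": "192.168.7.75", "dst": "192.168.1.20", "out": "vlan1", "proto": "tcp"}
    noop = noop_snat_rules(rules)
    with_snat, _ = source_after_postrouting(rules, pkt, IFACE_ADDRS)
    trimmed = [r for i, r in enumerate(rules) if i not in noop]
    without_snat, _ = source_after_postrouting(trimmed, pkt, IFACE_ADDRS)
    return {"noop_rules": noop, "with_snat": with_snat, "without_snat": without_snat}


if __name__ == "__main__":
    print(demo())
```

Under these assumptions the no-op SNAT makes the server see 192.168.7.75 and removing it makes the server see 192.168.1.109, which matches post #5. It also shows why per-host SNAT rules are a fragile fix: one ACCEPT rule for the 192.168.1.0/24 destination placed ahead of the MASQUERADE (or, as post #6 suggests, no NAT at all between two directly routed networks) preserves every client's address without a rule per host. Whether those rules collide with what nocatsplash installs can only be settled from the real iptables-save dump.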