Mainly used in the start-up script.
When we play with iptables (the firewall) we can end up in a situation where a rule has an unforeseen impact and locks us out of the unit. Recovering from this situation is a necessity.
How to:
- Enable reboot via SMS.
- Test all commands in a shell first before putting them into the start-up script. This way a bad command is wiped out when the unit is rebooted.
# MASQUERADE is only valid in the POSTROUTING chain (matched on the outgoing interface)
iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1
The rules below make sure packets from the Ethernet devices leave with the correct source IP address. Notice that when a port is specified, the protocol needs to be specified as well.
iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p udp --dport 16020 -j SNAT --to 10.1.1.7:51889
iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p tcp --dport 21 -j SNAT --to 10.1.1.7:21
iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.3 -j SNAT --to 10.1.1.9
# Packets destined for IP 10.1.1.7 will be forwarded to 192.168.1.2 (UDP, TCP)
# Packets destined for IP 10.1.1.9 will be forwarded to 192.168.1.3 (UDP, TCP)
# Does work with ping (ICMP) correctly
iptables -t nat -A PREROUTING -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i wlan0 -d 10.1.1.9 -j DNAT --to-destination 192.168.1.3
The rules below do NOT handle ping (ICMP) correctly: they match only TCP and UDP, so ICMP is not forwarded and the WLAN IP itself replies to a ping without passing it on.
iptables -t nat -A PREROUTING -p tcp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -p udp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A OUTPUT -p udp --dport 162 -j DNAT --to-destination 192.168.1.33:1162
ip addr add 10.1.1.7/24 dev wlan0
ip addr add 10.1.1.9/24 dev wlan0
ip addr list dev wlan0
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.20.1
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p tcp --dport 443 -j SNAT --to 192.168.20.1:443
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p icmp -j SNAT --to 192.168.20.1
All supported packets leaving eth1 with source IP 192.168.1.22 will have their source IP changed to 192.168.20.1:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1
Usage with WiFi dual mode, where the WiFi can be AP and STA at the same time. Add the following to the start-up script:
# assuming wlan1 is the STA interface; -4 keeps IPv6 addresses out of the result
ip=$(ip -4 -o addr show up primary scope global wlan1 |
while read -r num dev fam addr rest; do echo "${addr%/*}"; done)
echo "$ip"
# all packets leaving wlan1 will change source IP to the STA interface IP
iptables -t nat -A POSTROUTING -o wlan1 -j SNAT --to "$ip"
Order is important. With INSERT (-I) each rule goes to the top of the chain, so the DROP inserted first ends up after the rule allowing communication with the NTP server, which is what we want. If APPEND (-A) were used, the order of the two commands would have to be reversed to ensure DROP is the last rule. Note that iptables resolves pool.ntp.org when the rule is added (one rule per returned address), not per packet.
iptables -I FORWARD -i eth0 -o usb0 -j DROP
iptables -I FORWARD -d pool.ntp.org -i eth0 -o usb0 -j ACCEPT
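As an added example (not from the original page), the lock-out risk and the INSERT ordering above combined in one POSIX sh script: it snapshots the live ruleset with iptables-save, inserts the NTP-only FORWARD rules, and restores the snapshot unless you confirm within a timeout. The IPT, IPT_SAVE, IPT_RESTORE variables and the two file paths are assumptions added so the script can be dry-run with stub functions.

```shell
#!/bin/sh
# Added example, not from the original page. Apply the NTP-only FORWARD policy
# with an automatic rollback so a wrong rule cannot lock you out of the unit.
# IPT, IPT_SAVE, IPT_RESTORE and the two file paths are assumptions so the
# script can be dry-run with stub functions.
IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
BACKUP="${BACKUP:-/tmp/iptables.rollback}"
CONFIRM="${CONFIRM:-/tmp/iptables.confirmed}"

# Both rules are INSERTed (-I), so the rule typed last lands on top of the
# chain: ACCEPT for the NTP server is evaluated before the catch-all DROP.
apply_forward_policy() {
    "$IPT" -I FORWARD -i eth0 -o usb0 -j DROP || return 1
    "$IPT" -I FORWARD -d pool.ntp.org -i eth0 -o usb0 -j ACCEPT || return 1
}

# Snapshot the live ruleset, apply the policy, and restore the snapshot in the
# background after $1 seconds unless the operator has confirmed by then.
apply_with_rollback() {
    secs="$1"
    rm -f "$CONFIRM"
    "$IPT_SAVE" > "$BACKUP" || return 1
    if ! apply_forward_policy; then
        "$IPT_RESTORE" < "$BACKUP"      # partial apply: undo immediately
        return 1
    fi
    (
        sleep "$secs"
        [ -e "$CONFIRM" ] || "$IPT_RESTORE" < "$BACKUP"
    ) &
    echo "rules applied; confirm within ${secs}s or they are rolled back"
}

# Called from a second session once you have verified you are still reachable.
confirm_rules() {
    touch "$CONFIRM"
}

case "${1:-}" in
    apply)   apply_with_rollback "${2:-120}" ;;
    confirm) confirm_rules ;;
esac
```

Run it as `sh rollback.sh apply 120` from one session and `sh rollback.sh confirm` from a second one once you are sure the unit is still reachable.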
Useful when you have a device behind the router and want to limit its ability to use or exploit resources on the router.
Use with caution as you can lock yourself out.
# Block port 80 (http) only on ETH1 interface
iptables -t filter -A INPUT -i eth1 -p tcp --dport 80 -j DROP
# Block port 443 (https) only on ETH1 interface
iptables -t filter -A INPUT -i eth1 -p tcp --dport 443 -j DROP
# Block port 22 (ssh) only on ETH1 interface
iptables -t filter -A INPUT -i eth1 -p tcp --dport 22 -j DROP
# Block ping (ICMP) on ETH1 interface; the unit does not respond to ping
iptables -t filter -A INPUT -i eth1 -p icmp -j DROP
The iptables table needs to be specified for listing, e.g. nat, mangle.
iptables -t nat -L -n -v