Skip to content

Instantly share code, notes, and snippets.

@malikshi

malikshi/snat_dnat_advantech.md

Forked from tomasinouk/snat_dnat_advantech.md
Created August 21, 2021 04:18
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save malikshi/f80343c5e046759c0e684a469b060426 to your computer and use it in GitHub Desktop.
Save malikshi/f80343c5e046759c0e684a469b060426 to your computer and use it in GitHub Desktop.
Download ZIP
examples of SNAT, DNAT with iptables for Advantech, Conel routers, with comments (probably will work on other routers where iptables can be manipulated, care needs to be taken on applying these commands after reboot)
Raw
snat_dnat_advantech.md

Some examples of SNAT, DNAT with iptables with comments

mainly used in start-up script

masquarade all outgoing packets to be WLAN0 IP

iptables -t nat -A PREROUTING -s 192.168.1.2 -i eth0 -j MASQUERADE

All packets leaving eth0 will have src eth0 ip address

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1

Match rule specifying a source port

Below makes sure packets from Eth Devices have correct source IP Address Notice, when specifying a port, protocol needs to be specified as well

iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p udp --dport 16020 -j SNAT --to 10.1.1.7:51889
iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p tcp --dport 21 -j SNAT --to 10.1.1.7:21
iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.3 -j SNAT --to 10.1.1.9


# Packets destined for IP 10.1.1.7 will be forwaded to 192.168.1.2 UDP,TCP
# Packets destined for IP 10.1.1.9 will be forwaded to 192.168.1.3 UDP,TCP
# Does work with ping (ICMP) correctly
iptables -t nat -A PREROUTING -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i wlan0 -d 10.1.1.9 -j DNAT --to-destination 192.168.1.3

Packets destined for IP 10.1.1.7 will be forwaded to 192.168.1.2 UDP,TCP

Does NOT work with ping (ICMP) correctly, does not handle ICMP protocol WLAN IP reply on a ping without

iptables -t nat -A PREROUTING -p tcp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -p udp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2

Change SNMP port of outgoing SNMP messages

iptables -t nat -A OUTPUT -p udp --dport 162 -j DNAT --to-destination 192.168.1.33:1162

Add secondary IP to WLAN0

ip addr add 10.1.1.7/24 dev wlan0
ip addr add 10.1.1.9/24 dev wlan0

List all IP addresses asign to wlan0

ip add list dev wlan0

All packets leaving eth1 will change source IP to 192.168.20.1

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.20.1

All TCP packets leaving eth1 on port 443 will change source IP to 192.168.20.1

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p tcp --dport 443 -j SNAT --to 192.168.20.1:443

All ICMP packets leaving eth1 will change source IP to 192.168.20.1

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p icmp -j SNAT --to 192.168.20.1

All supported packets leaving eth1 which have source IP 192.168.1.22 will change source IP to 192.168.20.1

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1

SNAT on dynamically assign interface

usage with WIFI dual mode where WiFi can be AP and STA at the same time add to start-up script

# assuming wlan1 is STA interface
ip=$(ip -o addr show up primary scope global wlan1 |
      while read -r num dev fam addr rest; do echo ${addr%/*}; done)
echo $ip

# all packets leaving wlan1 will change source IP to STA interface IP
iptables -t nat -A POSTROUTING -o wlan1 -j SNAT --to $ip

Check NAT table

iptables -t nat -L -n -v
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment