Hello,
I have recently migrated from TomatoUSB 1.28 to Merlin's 3.0.0.4.374.43 on my ASUS RT-N16 and I like the idea of having a firmware close to the original, but with additional features.
I am trying to set up the router for private browsing from work, checking personal e-mails, etc.
I activated SSH on port 22, allowed SSH port forwarding, NAT is enabled, and the jffs partition is enabled. "Allow SSH access from WAN" is not allowed; however, I created a nat-start script and saved it under /jffs/scripts. The script has permissions 777 and the following content:
#!/bin/sh
# VPN from work
# Accept SSH to the router only from the two work proxy ranges (inserted at the top of INPUT)
/usr/sbin/iptables -I INPUT -p tcp -s <work proxy IP 1>/16 -d 192.168.0.1 --dport 22 -j ACCEPT
/usr/sbin/iptables -I INPUT -p tcp -s <work proxy IP 2>/16 -d 192.168.0.1 --dport 22 -j ACCEPT
# Redirect inbound port 443 on the WAN address from those ranges to the router's SSH port
/usr/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp -s <work proxy IP 1>/16 -d $(nvram get wan_ipaddr) --dport 443 --to 192.168.0.1:22
/usr/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp -s <work proxy IP 2>/16 -d $(nvram get wan_ipaddr) --dport 443 --to 192.168.0.1:22
My router's address is 192.168.0.1. From work I go out through one of two proxies, using my DDNS name and port 443, which is re-routed to port 22 on the router. If I execute the script manually from the shell it works fine and I can connect from work:
#iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- <work proxy IP 1>/16 router.asus.com tcp dpt:ssh
ACCEPT tcp -- <work proxy IP 2>/16 router.asus.com tcp dpt:ssh
#iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere <my public IP>
DNAT tcp -- <work proxy IP 1>/16 <my public IP> tcp dpt:https to:192.168.0.1:22
DNAT tcp -- <work proxy IP 2>/16 <my public IP> tcp dpt:https to:192.168.0.1:22
However, it does not work when the script is executed on router restart. The INPUT chain entries are missing; only the PREROUTING ones are there. The script gets executed, but my first two iptables commands don't work. If I change it to iptables -A INPUT, the entries are added at the bottom of the chain, and that is not what I want. I also tried iptables -I 1 INPUT and still it did not work. The same script worked fine on TomatoUSB 1.28 beta with kernel 2.6.
Please, help to get this working.
Thanks.
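Added example (not the original poster's script and not Merlin's own code): if the firewall's filter rules are regenerated after nat-start has run, rules inserted into INPUT are lost, so one way to keep them is to place them in /jffs/scripts/firewall-start, which Asuswrt-Merlin runs after the firewall is started or restarted, and to make each insert idempotent with `iptables -C` so repeated restarts do not stack duplicates. The proxy ranges 203.0.113.0/24 and 198.51.100.0/24 are constructed placeholders, and IPT and WAN_IP are assumed overridable so the logic can be dry-run off the router.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (added example, not the original poster's script)
# Idempotently (re)creates the work-proxy SSH rules each time Merlin runs this
# hook after the firewall is (re)started. IPT and WAN_IP can be overridden so
# the logic can be exercised off the router.

IPT="${IPT:-/usr/sbin/iptables}"
LAN_IP="${LAN_IP:-192.168.0.1}"
WAN_IP="${WAN_IP:-$(nvram get wan_ipaddr 2>/dev/null || true)}"
# Constructed placeholder ranges: replace with the real work proxy networks.
WORK_NETS="${WORK_NETS:-203.0.113.0/24 198.51.100.0/24}"

# ensure_rule TABLE CHAIN -I|-A RULE...
# Adds the rule only if 'iptables -C' reports it is not already present, so a
# second firewall restart does not add a duplicate.
ensure_rule() {
  table=$1; chain=$2; how=$3; shift 3
  if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  "$IPT" -t "$table" "$how" "$chain" "$@"
}

apply_rules() {
  [ -n "$WAN_IP" ] || { logger -t firewall-start "wan_ipaddr is empty"; return 1; }
  for net in $WORK_NETS; do
    # -I with no position inserts at the top of INPUT, ahead of any later rule.
    ensure_rule filter INPUT -I -p tcp -s "$net" -d "$LAN_IP" --dport 22 -j ACCEPT
    # Redirect inbound 443 on the WAN address from the proxies to the router's SSH port.
    ensure_rule nat PREROUTING -A -p tcp -s "$net" -d "$WAN_IP" --dport 443 \
      -j DNAT --to-destination "$LAN_IP:22"
  done
}

# Only act when a real iptables binary is present (i.e. on the router).
if [ -x "$IPT" ]; then
  apply_rules
fi
```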