Trouble with nat-start script

vnenov

New Around Here
Hello,

I have recently migrated from TomatoUSB 1.28 to Merlin's 3.0.0.4.374.43 on my ASUS RT-N16 and I like the idea of having a firmware close to the original, but with additional features.

I am trying to set up the router for private browsing from work, checking personal e-mails, etc.
I activated SSH on port 22, allowed SSH port forwarding, NAT is enabled, and the jffs partition is enabled. "Allow SSH access from WAN" is not allowed; however, I created a nat-start script and saved it under /jffs/scripts. The script has permissions 777 and the following content:
#!/bin/sh

# VPN from work
/usr/sbin/iptables -I INPUT -p tcp -s <work proxy IP 1>/16 -d 192.168.0.1 --dport 22 -j ACCEPT
/usr/sbin/iptables -I INPUT -p tcp -s <work proxy IP 2>/16 -d 192.168.0.1 --dport 22 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp -s <work proxy IP 1>/16 -d $(nvram get wan_ipaddr) --dport 443 --to 192.168.0.1:22
/usr/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp -s <work proxy IP 2>/16 -d $(nvram get wan_ipaddr) --dport 443 --to 192.168.0.1:22

My router's address is 192.168.0.1. From work I go out through one of two proxies and use my DDNS name and port 443; it is re-routed to port 22 on the router. If I execute the script manually from the shell it works fine and I can connect from work:

#iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- <work proxy IP 1>/16 router.asus.com tcp dpt:ssh
ACCEPT tcp -- <work proxy IP 2>/16 router.asus.com tcp dpt:ssh

#iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere <my public IP>
DNAT tcp -- <work proxy IP 1>/16 <my public IP> tcp dpt:https to:192.168.0.1:22
DNAT tcp -- <work proxy IP 2>/16 <my public IP> tcp dpt:https to:192.168.0.1:22

However, it does not work when the script is executed on router restart. The INPUT chain entries are missing; only the PREROUTING ones are there. The script gets executed, but my first two iptables commands don't work. If I change it to iptables -A INPUT, the entries are added at the bottom of the chain, and that is not what I want. I also tried iptables -I 1 INPUT and still it did not work. The same script worked fine on TomatoUSB 1.28 beta with kernel 2.6.

Please, help to get this working.

Thanks.
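As an added example (not the poster's script and not code from the Asuswrt-Merlin project), here is a nat-start helper that produces the same two rules per proxy but validates its inputs, checks with `iptables -C` before inserting so it can be re-run without duplicating rules, and logs each step so the syslog shows whether the script ran at boot and whether an insert failed. The function names `allow_ssh_from` and `ensure_rule`, the `DRY_RUN` switch, and the RFC 5737 documentation addresses are my own constructed placeholders; it assumes an iptables new enough to support `-C` (1.4.11 or later).

```shell
#!/bin/sh
# Added example, not the poster's nat-start script: insert the SSH-from-work
# rules idempotently, validate inputs, and log what was done.
# Set DRY_RUN=1 (or run it off the router) to print the rules instead.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
DRY_RUN="${DRY_RUN:-}"
LOG_TAG="nat-start"

# Log to syslog when logger is available, otherwise to stderr.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t "$LOG_TAG" "$*"
    else
        printf '%s: %s\n' "$LOG_TAG" "$*" >&2
    fi
}

# Accept only a dotted quad with an optional /0-32 prefix, so a malformed
# value from a variable never reaches the iptables command line.
valid_cidr() {
    printf '%s' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Accept only a numeric TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Run iptables, or print the command when dry-running.
run_iptables() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# ensure_rule TABLE CHAIN -I|-A RULESPEC...
# Installs the rule only when "iptables -C" reports it is absent, so the
# script can be re-run (manually or from another hook) without duplicates.
ensure_rule() {
    table="$1"; chain="$2"; mode="$3"; shift 3
    if [ -z "$DRY_RUN" ] && "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        log "already present: -t $table $chain $*"
        return 0
    fi
    run_iptables -t "$table" "$mode" "$chain" "$@" || { log "FAILED: -t $table $mode $chain $*"; return 1; }
    log "installed: -t $table $mode $chain $*"
}

# allow_ssh_from SRC_CIDR WAN_IP ROUTER_LAN_IP WAN_PORT
# Same effect as the poster's two rules per proxy: accept TCP/22 to the router
# from SRC (inserted at the top of INPUT so no earlier rule can drop it), and
# DNAT WAN_PORT on the WAN address to the router's SSH port for that source only.
allow_ssh_from() {
    src="$1"; wan_ip="$2"; lan_ip="$3"; wan_port="$4"
    valid_cidr "$src"      || { log "rejected source prefix: $src"; return 1; }
    valid_cidr "$wan_ip"   || { log "rejected WAN address: $wan_ip"; return 1; }
    valid_port "$wan_port" || { log "rejected port: $wan_port"; return 1; }
    ensure_rule filter INPUT -I -p tcp -s "$src" -d "$lan_ip" --dport 22 -j ACCEPT || return 1
    ensure_rule nat PREROUTING -A -p tcp -s "$src" -d "$wan_ip" --dport "$wan_port" \
        -j DNAT --to-destination "$lan_ip:22"
}

# Only touch the live firewall on the router itself (jffs present, iptables
# executable); anywhere else fall back to printing the rules.
[ -d /jffs ] && [ -x "$IPTABLES" ] || DRY_RUN=1

# Constructed placeholder values (RFC 5737 documentation ranges). On the
# router the WAN address comes from nvram, as in the original script.
WAN_IP=$(nvram get wan_ipaddr 2>/dev/null) || WAN_IP=198.51.100.7
[ -n "$WAN_IP" ] || WAN_IP=198.51.100.7
ROUTER_LAN_IP=192.168.0.1
for src in 203.0.113.0/24 192.0.2.0/24; do
    allow_ssh_from "$src" "$WAN_IP" "$ROUTER_LAN_IP" 443
done
```

Run it once by hand with `DRY_RUN=1 sh /jffs/scripts/nat-start` to see exactly which rules it would add; after a reboot, `logread | grep nat-start` (or whatever your firmware uses to read syslog) shows whether the script ran and whether the INPUT insert was installed or reported FAILED, which narrows down a problem like the one above to either the script not running or the command being rejected. If the firmware's iptables is too old for `-C`, replace the check with `"$IPTABLES" -t "$table" -S "$chain" | grep -qF -- "$*"`. The same `allow_ssh_from` calls can be placed in any later hook the firmware provides if the filter chain is rebuilt after nat-start runs.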