PortForwarding eth0 to ppp0

iptables port-forwarding routing masquerade

I have a RaspberryPi which connects to the internet on eth0 which has static IP, I have installed Squid and I have also enabled 1694 port on my Mikrotik router to be forwarded to 3128 port on my raspberry, so I can use my raspberry as a proxy server. For example, when I test it like this from another device on another internet, it works:

$ curl -x MY.STAT.IC.IP:1694 https://wtfismyip.com/text

MY.STAT.IC.IP

Now I have add a 3g shield to my Raspberry and I was able to connect to 3g network and now I have internet on ppp0 interface which has a dynamic IP. Now I want to forward all incoming requests to eth0 to be routed over ppp0, so when I do above curl, I get my 3g network IP.

I don't want to use tcp_outgoing_address on squid, as it has lots of problems, I want to do port forwarding, and I have done the following but it still returns my static IP.

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

I have tried lots of other iptables forwarding, but none of them worked. I have tried this bash script (edited ofcourse) but it didn't worked either, I also tried ipt.sh from this link which I was sure it would work, but still no success, so, what am I missing?


Solution 1:

1. Check if PI uses the 3g

First you have to ensure, that the PI is using the 3g ppp0 connection for outgoing packets.

ip route

Should output something like:

default via XXXXXX dev ppp0

Also, doing that curl you mentioned (with the proxy ip set to localhost) on the pi should give you the 3g address.

2. Check if local proxying works

After this: Try if local proxying works. So use a computer in your network, set the PI as proxy and run the curl ip check. It should also return the 3g IP.

If that works you will have to put a rule into your Mikrotik that masquerades packets to squid as if they were originating from the Mikrotik:

3. Make Mikrotik look like the packet origin

So you have to add to your DSTNAT rule an analogous SRCNAT rule that has action set to the MASQUERADE option.

If done right, this will make any packet that gets forwarded to squid by the Mikrotik look like originating from the Mikrotik itself. Which is a local device. Which reduces your problem to one already solved above in point 2.

Related

how can we edit ssh keys of VM In GCP Please guide
Hosting docker images on multiple registries but reference them the same way e.g. in a k8s deployment
Ansible playbook starting with large forked host list, but spawning serial tasks for smaller subsets of hosts
Will a standard NAT-router firewall stop outgoing traffic?
Open FTP passive port on GCP for CentOS
Viewing IIS Web Configuration via PowerShell: HTTP Verbs
Postfix relay with STARTTLS - TLS is required, but was not offered by host
Add a prefix to all rows in R
Best practice for using $rootscope in an Angularjs application?
Convert binary string representation of a byte to actual binary value in Python
Ridge regression with `glmnet` gives different coefficients than what I compute by "textbook definition"?
How to parse csv using boost::spirit