# I'm confused... (IPTables, nat'ing, saving rules, etc)

## nasaiya

So I have a gentoo box that I'm using as a router/firewall for my lan. I have one NIC for wan which unfortunately gets its IP from dhcp, and a couple lan subnets on separate NICs. After some reading, it's come to my attention that the way I'm adding my rules to iptables (a shell script that runs at boot right after all the eth's start) is bad because packets could be processed by an incomplete firewall amongst other issues... 

Ideally I'd like to just have my script add the rules once, run "/etc/init.d/iptables save" and let the iptables init script handle loading it...

My problem is the way some of my rules are written I need to know the IP of eth0 (WAN).

eg.

```sh
$IPTABLES -t nat -A POSTROUTING -o $WANIF -j SNAT --to-source $WANIP
```

Since the ip of my $WANIF comes from dhcp I can't figure out how this could be done. 

Since there doesn't appear to be an "--to-source {whatever the IP is at the moment}" option I don't know what to do.

Am I missing something obvious here? 

The only idea I've come up with so far is let the init script save all the other rules and put ip based rules like these in a separate script that runs after the NICs are up but that seems a little hackish to me...

There's gotta be a better way -- please enlighten me

----------

## Hu

You should use MASQUERADE rather than SNAT if your external IP address is dynamically configured.  This handles the address lookup for you.  You may still have to resort to unclean tricks if you use the WAN IP anywhere else.

----------
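As an added illustration of Hu's suggestion (example code, not from anyone in this thread): a rule generator that never embeds the WAN address, so the ruleset can be saved once with `/etc/init.d/iptables save` and restored at boot. It assumes WANIF=eth0 and LAN subnets on eth1 and eth2; `IPTABLES=echo` previews the rules without touching the kernel.

```shell
#!/bin/sh
# Added example: NAT/forward rules for a router whose WAN address comes from DHCP.
# Assumed interface names (not from the thread): WAN on eth0, LANs on eth1/eth2.
WANIF=${WANIF:-eth0}
LANIFS=${LANIFS:-"eth1 eth2"}
IPTABLES=${IPTABLES:-iptables}

# Print the rule arguments, one rule per line, in the order they must be applied.
# MASQUERADE replaces "SNAT --to-source $WANIP": the kernel looks up the current
# address of $WANIF for every packet, so the rule survives DHCP lease changes.
nat_rules() {
    # Default policy goes first so no packet is forwarded before the ACCEPT
    # rules exist (the "incomplete firewall" window from the original post).
    echo "-P FORWARD DROP"
    echo "-t nat -A POSTROUTING -o $WANIF -j MASQUERADE"
    for lan in $LANIFS; do
        # LAN -> WAN is allowed; WAN -> LAN only for replies to LAN-initiated flows.
        echo "-A FORWARD -i $lan -o $WANIF -j ACCEPT"
        echo "-A FORWARD -i $WANIF -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
}

# Feed each rule to $IPTABLES; stops at the first failure (exit status 1).
apply_rules() {
    nat_rules | while read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        $IPTABLES $rule || exit 1
    done
}

# Number of rules that still hard-code an IPv4 literal. For a DHCP-configured
# WAN this must be 0, otherwise the saved ruleset goes stale on the next lease.
count_ip_bound_rules() {
    nat_rules | grep -cE '([0-9]{1,3}\.){3}[0-9]{1,3}' || true
}

# Run as "sh firewall.sh --dry-run" to print the rules instead of loading them.
if [ "${1:-}" = "--dry-run" ]; then
    IPTABLES=echo apply_rules
fi
```

----------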

## nasaiya

Thanks! That was exactly what I was looking for!

----------

## eulogious

This is the command I use to get my IP on my external network card:

```sh
# Store the current IPv4 address of eth0 in a variable (command substitution).
WANIP=$(/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://')
```

I then use this in a script to start and stop my firewall, then I have another script that checks my ip every min, and if it changes, it restarts my firewall, which then updates with the new ip address as well and everything starts working again.  

I then have no-ip setup to register my domain name for free, and they have a linux client that updates my ip to them for me automatically, so I have that setup to check every 5 min, so that combined with my other scripts means that if comcast changes my IP on me, within 5 min max, I will be back on the web, including my domain name and all.  This combo has worked great for years, through several IP changes.  Hope it helps

----------

