I have recently switched from a single IP address to a block of addresses on my home broadband. Normally you don't need more than one, as you can handle everything with NAT, but I have some special requirements that need more than one IP. I still only have one physical connection, though.
This means my router (running DD-WRT) needs to accept and handle traffic for all my external IP addresses.
What I'm doing is "one-to-one" NAT, that is, I'm translating one of my external IP addresses to an IP address of an internal computer on my local network.
There is a guide to one-to-one NAT for DD-WRT, but alas it's not massively clear to me.
The firewall and NAT processing in DD-WRT is all handled by the widely used Netfilter iptables command. Even with a good grasp of networking it can still be a tad difficult to get your head around; fortunately there is a good guide to iptables.
My scenario is to connect up a single TCP port on one of my external IP addresses to a different port on an internal computer.
The first step is to get DD-WRT to work with multiple external IP addresses. The guide works fine if you're entirely on static addressing, but I, like most, use PPPoE to connect to my DSL modem and get an IP address assigned. The impact of this is that if you follow the guide and add your extra IP addresses in a startup script it won't work, because the PPPoE interface doesn't exist yet at boot. The fix is to apply the extra addresses in the firewall script, which I'm told runs when a connection is dialled.
The script itself though is fine:
# name of the PPPoE WAN interface (e.g. ppp0) as DD-WRT sees it
WANIF=`get_wanface`
# bring up the extra public address as alias :1 on that interface
ifconfig $WANIF:1 [PUBLIC_IP1] netmask [NETMASK] broadcast [BROADCAST]
Replace the bracketed sections with your own values. The :1 after the interface name refers to virtual interface (alias) 1 on that interface. By referencing it directly (instead of using ADD) you are sure to always adjust the same entry, so re-running the script doesn't stack up duplicate addresses.
To remove this entry you can run the command ifconfig $WANIF:1 down. I never got these scripts to run from the UI, but they do work from telnet and on startup. As soon as you've added your extra IP the router will start responding to it, but it won't actually do a lot yet because of the firewall.
When a connection comes into the router it first goes through the iptables nat table (the PREROUTING chain), and only then through the firewall/filter rules (the FORWARD chain).
So the first thing you want to add is your NAT rule. Again, this can go in your firewall script, or in telnet for testing:
iptables -t nat -I PREROUTING -d [NEW_EXTERNAL_IP] -j DNAT -p tcp --dport [EXTERNAL_PORT] --to-destination [LAN_IP]:[INTERNAL_PORT]
So to route traffic from the external IP of 1.2.3.4 on port 80 (HTTP) to an internal address of 192.168.1.100 on port 8080 then you'd use: iptables -t nat -I PREROUTING -d 1.2.3.4 -j DNAT -p tcp --dport 80 --to-destination 192.168.1.100:8080
So now you have the NAT rule for your port, you need to allow the traffic to pass through the firewall. Because the destination has already been rewritten by the time the packet reaches the filter rules, the FORWARD rule must match the internal address and the final port number:
iptables -I FORWARD -d 192.168.1.100 -p tcp --dport 8080 -j ACCEPT
Obviously change the values for whatever it is you're trying to achieve.
Do this for as many rules as you want to set up. It's obviously not as swanky as the web interface for setting things up, but once you've got it into your firewall script it's just a case of copying and pasting the line and amending the bits you need.
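Putting the three steps together, here is an added example of a complete DD-WRT firewall script (not code from the original post or from the DD-WRT project). It assumes the router provides the get_wanface helper mentioned above; the DRYRUN switch, the helper function names and the addresses, netmask and ports are my own constructed placeholders. When run on a machine that lacks get_wanface it only prints the commands it would execute, which is handy for reviewing a set of mappings before pasting them into the router.

```shell
#!/bin/sh
# Added example, not from the original post: a complete DD-WRT firewall
# script that brings up the extra public address as an alias on the PPPoE
# interface and installs the DNAT + FORWARD rule pair for each port mapping.
# The addresses, netmask and ports below are constructed placeholders.

# Safe default: apply the rules only when DD-WRT's get_wanface helper exists
# (i.e. we really are on the router); elsewhere just print the commands.
if [ -z "${DRYRUN:-}" ]; then
    if command -v get_wanface >/dev/null 2>&1; then DRYRUN=0; else DRYRUN=1; fi
fi

run() {
    if [ "$DRYRUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Name of the WAN interface (ppp0 on a typical PPPoE setup); falls back to
# ppp0 when the DD-WRT helper is not available.
wan_iface() {
    if command -v get_wanface >/dev/null 2>&1; then
        get_wanface
    else
        echo ppp0
    fi
}

# add_alias INDEX PUBLIC_IP NETMASK BROADCAST
# Uses a fixed alias index so re-running the script adjusts the same entry
# rather than stacking duplicate addresses on the interface.
add_alias() {
    run ifconfig "$(wan_iface):$1" "$2" netmask "$3" broadcast "$4"
}

# map_port PUBLIC_IP EXT_PORT LAN_IP INT_PORT [PROTO]
# Step 1: DNAT in the nat table's PREROUTING chain rewrites the destination.
# Step 2: the FORWARD accept must match the *rewritten* address and port,
# because filtering happens after NAT. Only that one port on LAN_IP is
# reachable from the new public address; everything else stays closed.
map_port() {
    pub="$1"; ext="$2"; lan="$3"; int="$4"; proto="${5:-tcp}"
    run iptables -t nat -I PREROUTING -d "$pub" -p "$proto" --dport "$ext" \
        -j DNAT --to-destination "$lan:$int"
    run iptables -I FORWARD -d "$lan" -p "$proto" --dport "$int" -j ACCEPT
}

# Mappings for this router: one map_port line per published port.
apply_mappings() {
    add_alias 1 1.2.3.4 255.255.255.248 1.2.3.7
    map_port 1.2.3.4 80 192.168.1.100 8080
}

apply_mappings
```

On a desktop, `sh firewall.sh` prints the ifconfig and iptables lines for review; on the router the same file, saved as the firewall script, executes them each time the PPPoE link comes up. If the internal host should only be reachable via the WAN side, adding `-i "$(wan_iface)"` to the FORWARD rule is a sensible tightening the post does not include.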