iptables nat/masquerade - how to act as a basic firewall?
# 1  
Old 08-06-2013

edit: SOLVED - see below for solution

Hi there,

I've inherited a gob of Linux hosts and so am learning Linux from the bottom of the deep end of the pool (gotta say I'm warming up to Linux though - it's not half bad).

Right now iptables is confusing me and I could use some pointers as to how I can take a host using MASQUERADE rules between two NICs and have it only allow outbound connections, blocking inbound ones.

Current state:
iptables running on a reverse proxy host with two nics, one nic on a public IP in the DMZ, one on a private IP on a private LAN.
This box takes web requests from the DMZ and fires them at a cluster of webservers on the private net.

My predecessor has figured out that adding an iptables rule:
Code:
-A POSTROUTING -o eth1 -j MASQUERADE

Will allow hosts on the private net to get to the internet (rather handy)

The problem is, this also allows someone that owns any DMZ host to set up a route on it and connect directly to any port on any host on the private net *from the DMZ*.

The Question:
How do I have the proxy host (the one with the MASQ rule) only do this from eth0 and going out eth1?

iptables --list:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

(i.e. blank)

iptables -t nat --list:
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

(i.e. just the MASQ rule)


---------- Post updated at 09:24 AM ---------- Previous update was at 08:52 AM ----------
The Solution

Ah, I figured it out - but would still appreciate peer review if anyone has feedback on this.

Writing the question down must have helped my brain straighten the problem out as the solution popped into my head suddenly.

I need a FORWARD rule in the FILTER table because I'm trying to filter a forwarded packet.

I added these rules to the filter table and changed its default policy to DROP:
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       45 11573 ACCEPT     all  --  any    eth0    anywhere             anywhere            state RELATED,ESTABLISHED 
2      414 36553 ACCEPT     all  --  eth0   any     anywhere             anywhere

I guess I could have had a DROP or REJECT rule that looked for a state of NEW on eth1, but I slightly prefer the paranoid approach of "drop it if I can't think of a reason to accept it" vs "accept it if I can't think of a reason to drop it".

So far, all seems to work.

Last edited by Smiling Dragon; 08-06-2013 at 06:24 PM. Reason: Figured it out myself :)
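The two rulesets from the thread side by side, as an added example that is not part of the original post: the predecessor's state (FORWARD wide open plus an unrestricted MASQUERADE) and a hardened version of the solution above, written as iptables-restore input so it can be reviewed before it is loaded. Interface roles follow the thread (eth0 = private LAN side, eth1 = DMZ side); the LAN prefix `LAN_NET` is an assumed value, since the post never gives one, and the example uses the `conntrack` match where the post used the older `state` match (same semantics). The `audit_ruleset` function reads an `iptables-save` dump and flags the two things that made the original box a DMZ-to-LAN bridge.

```shell
#!/bin/sh
# Added example, not code from the thread. eth0/eth1 roles follow the post;
# LAN_NET is an ASSUMPTION (substitute the real private prefix).
LAN_IF="${LAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # assumed, not taken from the thread

# The inherited state: FORWARD policy ACCEPT, blanket ACCEPT rule, and a
# MASQUERADE that rewrites *any* source leaving eth1. Anything routed through
# this box, including DMZ -> LAN, is forwarded.
weak_ruleset() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $DMZ_IF -j MASQUERADE
COMMIT
EOF
}

# Hardened: FORWARD defaults to DROP; only LAN-originated flows (in eth0,
# out eth1, sourced from LAN_NET) and their replies (in eth1, out eth0,
# RELATED/ESTABLISHED) pass. A DMZ host opening a NEW connection towards the
# LAN matches nothing and hits the DROP policy; the LOG rule records it.
# MASQUERADE is also limited to LAN_NET so no other source gets NATed.
hardened_ruleset() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $DMZ_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-level 4
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $DMZ_IF -j MASQUERADE
COMMIT
EOF
}

# audit_ruleset: read an iptables-save style dump on stdin. Returns 0 only if
# the FORWARD chain defaults to DROP and every MASQUERADE rule carries a
# source restriction; otherwise prints what is wrong and returns 1.
audit_ruleset() {
  dump=$(cat)
  status=0
  if printf '%s\n' "$dump" | grep -q '^:FORWARD ACCEPT'; then
    echo "audit: FORWARD policy is ACCEPT; DMZ hosts can reach the LAN through this box" >&2
    status=1
  fi
  if printf '%s\n' "$dump" | grep 'MASQUERADE' | grep -qv -- '-s '; then
    echo "audit: MASQUERADE rule without -s; any source, including the DMZ, is NATed" >&2
    status=1
  fi
  return $status
}

# Usage (as root on the proxy):
#   sh fw.sh show | iptables-restore      # load the hardened ruleset
#   iptables-save | sh fw.sh audit        # check what is currently loaded
case "${1:-}" in
  show)  hardened_ruleset ;;
  audit) audit_ruleset ;;
esac
```

Only the FORWARD chain is changed here, exactly as in the post's solution; INPUT stays at ACCEPT, so services listening on the proxy itself (including the reverse proxy) are still reachable from the DMZ and need their own INPUT rules if that is a concern. Load the ruleset with `iptables-restore` from a console session rather than over SSH through the box, and verify afterwards from a DMZ host that a NEW connection to a LAN address is dropped while LAN-initiated traffic still returns.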