Secure NAT setup with iptables

Posted by TheBigB on Server Fault
Published on 2012-06-16T20:44:03Z Indexed on 2012/06/16 21:17 UTC


I have a Debian-running device that needs to act as an internet gateway. On top of that I want to provide a firewall that not only blocks inbound traffic, but also outbound traffic. And I figured iptables should be able to do the job.

The problem: I've configured NAT properly (I think?), but once I set the default policy to DROP and add rules to, for instance, allow HTTP traffic from inside the LAN, HTTP does not go through. So basically my rules don't seem to work.

Below is the initialization script that I use for iptables. The device has two NICs, respectively eth0 (the WAN interface) and eth1 (the LAN interface).

echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush tables
iptables -F
iptables -t nat -F

# Set policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow outbound HTTP from LAN? 
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

Can anyone shed some light on this?
