Secure NAT setup with iptables
Posted by TheBigB on Server Fault
Published on 2012-06-16T20:44:03Z
I have a Debian-running device that needs to act as an internet gateway. On top of that I want to provide a firewall that not only blocks inbound traffic, but also outbound traffic. And I figured iptables should be able to do the job.
The problem: I've configured NAT properly (I think?), but once I set the default policy to DROP and add rules to, for instance, allow HTTP traffic from inside the LAN, HTTP is not going through. So basically my rules don't seem to work.
Below is the initialization script that I use for iptables. The device has two NICs, respectively eth0 (the WAN interface) and eth1 (the LAN interface).
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush tables
iptables -F
iptables -t nat -F
# Set policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outbound HTTP from LAN?
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
Can anyone shed some light on this?
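A hardened ruleset for the same two-NIC layout, added here as an example (it is neither the poster's script nor an answer from the thread). It assumes eth0 as WAN and eth1 as LAN as in the post, plus a placeholder LAN subnet, and shows what the posted script leaves out: an explicit FORWARD policy, stateful RELATED,ESTABLISHED rules on INPUT and OUTPUT, anti-spoofing on the WAN side, and DNS alongside HTTP.

```shell
#!/bin/sh
# Added example (not the poster's script): a stateful gateway ruleset for the
# same two-NIC layout. Assumptions: eth0 = WAN, eth1 = LAN, LAN_NET is a
# placeholder subnet. Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN=eth0
LAN=eth1
LAN_NET="${LAN_NET:-192.168.1.0/24}"

apply_rules() {
    # Flush rules and user chains in both tables, then default-DROP every
    # chain. The posted script never sets FORWARD, which therefore stays ACCEPT.
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t nat -X
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP

    # Loopback, then stateful return traffic on all three chains. Without the
    # INPUT/OUTPUT state rules the gateway's own connections never see replies.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    done
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Anti-spoofing: packets arriving on the WAN side must not claim a LAN source.
    $IPT -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # LAN -> WAN: only listed services. DNS is included because with FORWARD
    # defaulting to DROP, a client that cannot resolve names fails like blocked HTTP.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT

    # The gateway itself: DNS out; SSH in only from the LAN (adjust to taste).
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Source NAT for LAN traffic leaving via the WAN interface.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Usage: "sh gateway.sh apply" as root, or "IPT=echo sh gateway.sh apply" to review.
if [ "${1:-}" = apply ]; then
    [ "$IPT" = iptables ] && echo 1 > /proc/sys/net/ipv4/ip_forward
    apply_rules
fi
```

Load it from a console rather than over SSH the first time: the DROP policies take effect before the ACCEPT rules are added, so a remote session briefly loses its return traffic.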
© Server Fault or respective owner