I have a host that acts as a gateway for routing a home network to Internet. IP Masquerading has been enabled for months now and the system has worked fine.
How do I configure it to function also as a firewall? Any conditions I put on traffic in the FORWARD chain just don't work.
For example:
-A FORWARD -i eth1 -p tcp -j ACCEPT
Just drops all TCP traffic from routing, instead of just restricting it to traffic originating from eth1. Also...
-A FORWARD -s 192.168.2.0/24 -p tcp -j ACCEPT
...doesn't just allow TCP traffic from the 192.168.2.0 subnet, the moment I apply the rule all TCP traffic stops routing.
I have been unable to find any clear documentation on packet mangling with masquerade, or on how to ditch masquerade and instead use SNAT.
eth0 is the external interface, on the same subnet as the DSL router.
eth1 is the internal interface, with all my hosts working fine on DHCP.
How do I configure iptables to do both IP masquerading and firewalling?
# Generated by iptables-save v1.4.21 on Thu Oct 29 12:48:19 2015
*nat
:PREROUTING ACCEPT [10859:2328892]
:INPUT ACCEPT [1002:126271]
:OUTPUT ACCEPT [1256:91484]
:POSTROUTING ACCEPT [638:43890]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Oct 29 12:48:19 2015
# Generated by iptables-save v1.4.21 on Thu Oct 29 12:48:19 2015
*filter
:INPUT ACCEPT [5:803]
:FORWARD ACCEPT [127:18532]
:OUTPUT ACCEPT [5:431]
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "HTTP Serve eth1"
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "SSH Serve eth1"
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "ssh on eth1"
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j DROP -m comment --comment "drop dns from eth0"
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j REJECT
-P INPUT DROP
-A FORWARD -p tcp -j ACCEPT -m comment --comment "all tcp from internal"
-A FORWARD -p udp -j ACCEPT -m comment --comment "all udp from internal"
-A FORWARD -p icmp -j ACCEPT
-P FORWARD DROP
-A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-P OUTPUT DROP
COMMIT
# Completed on Thu Oct 29 12:48:19 2015
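As an added example (not part of the original question), the ruleset below does masquerading and stateful filtering in the FORWARD chain, assuming the poster's layout (eth0 = WAN, eth1 = LAN on 192.168.2.0/24) and the 192.168.2.123 host mentioned later as the one to keep off the Internet. A stateless rule such as `-A FORWARD -i eth1 -p tcp -j ACCEPT` under a DROP policy only matches packets entering on eth1; the replies arriving on eth0 hit the policy and every TCP session dies, which is why a conntrack ESTABLISHED,RELATED rule comes first.

```shell
#!/bin/sh
# Added example, not from the original post: a stateful ruleset for the
# poster's layout, with assumed names eth0 = WAN, eth1 = LAN 192.168.2.0/24.
# Printed in iptables-restore format; apply with:  sh fw.sh | iptables-restore
WAN=eth0
LAN=eth1
LAN_NET=192.168.2.0/24
BLOCKED_HOST=192.168.2.123   # host the poster wants kept off the Internet

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Reply packets of tracked flows are accepted first, whichever interface they
# arrive on; a stateless "-i $LAN -p tcp -j ACCEPT" alone never matches the
# replies coming back in on $WAN, so the DROP policy kills every TCP session.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Per-host block sits before the generic allow so it is evaluated first.
-A FORWARD -i $LAN -s $BLOCKED_HOST -j DROP
# Only the LAN may open new connections towards the Internet.
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset so it can be reviewed, or piped into iptables-restore.
gen_rules
```

The `#` lines inside the heredoc are ignored by iptables-restore, so the file can be applied as printed.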
NB, I disabled masquerading (seems an inferior solution) and enabled SNAT as follows; however, I lost all Internet and SSH connectivity to the router within five minutes of this. I guess if I can just crack this then we have an answer workable for my (and many others') situations? -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1 – TemperedGlass – 2015-10-31T15:23:26.187
If SNAT is not working, you're probably using the wrong source address. – Daniel B – 2015-10-31T15:28:13.097
Also, what are you even trying to accomplish? Please provide the output of iptables-save with your desired rules as well as a verbal description of them. – Daniel B – 2015-10-31T15:29:44.300
I am SNATing it now with 192.168.1.1 - Internet is working, but I can't filter the traffic (nat tables tell me not to do it there, and if I apply subnets / interfaces etc. in the FORWARD table then the traffic for the protocol fails). I want to block certain hosts from accessing the Internet. So an example failed rule (the save file above is the only working config) would be -A FORWARD -p tcp -s 192.168.2.123 -j DROP -m comment --comment "block tcp from 192.168.2.123"; effect of above = all tcp forwarding fails after iptables-restore from config with that rule. – TemperedGlass – 2015-10-31T15:40:40.453
Thanks for the responses so far, btw. Hopefully it's clearer now? – TemperedGlass – 2015-10-31T15:42:33.763
Which one is your WAN NIC (eth0/eth1?) and which one is your LAN NIC (eth1/eth0)? – MariusMatutiae – 2015-10-31T15:48:30.480
That's pretty clear from the original post, surely?... – TemperedGlass – 2015-10-31T16:02:26.443
Actually just to be clear, I have re-worded, the home router to router / ADSL broadband. – TemperedGlass – 2015-10-31T16:21:42.410