Iptables - Forwarding + Masquerading

linux iptables linux-networking

Solution 1:

First off, a couple of corrections: The table names are case sensitive, as are the command line switches: you need --table filter -A INPUT. Also, the dport for https is 443 (probably a typo, but worth pointing out)

What you need to do next is to drop the INPUT rules at the bottom of your script. The INPUT chain is only used by packets which are bound for a local process on the server itself. So those rules will allow client on the LAN to connect directly to services listening on port 80+443 on the server. This is correct for your initial SSH and HTTP rules, but not for the packet forwarding. Use the FORWARD chain instead:

#http
iptables --table filter -A FORWARD -p tcp -dport 80 --in-interface eth1 -j ACCEPT
#https
iptables --table filter -A FORWARD -p tcp -dport 443 --in-interface eth1 -j ACCEPT

In addition to this, you'll need to enable IP forwarding in the kernel. Add this to the top of the script:

echo 1 > /proc/sys/net/ipv4/ip_forward

An additional recommendation: Rather than rules that drop packets at the end of the chains, consider using the policy settings:

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP

For further reference, there's a good diagram of packet flow through netfilter, here: http://www.shorewall.net/NetfilterOverview.html

Related

Are there any benefits to using a Distributed vSwitch for iSCSI?
Robocopy silently missing files
rsyslog configuration syntax
Is there a limitations to the number of cores on Windows 7 64 operating system?
SMB2 traffic crashes network?
Domain User can RDP into Domain Controller?
Barracuda not delivering external email
Server installation logging / logbook / diary?
Grant access rights to a MySQL instance based on hostname instead of IP address?
Change MSS in iptables
Understanding core dump (Solaris 11 crash)
Installed php-mcrypt but it doesn't show up in phpinfo()