Iptables - Forwarding + Masquerading

Solution 1:

First off, a couple of corrections: the table names are case sensitive, as are the command-line switches: you need --table filter -A INPUT. Also, the dport for https is 443 (probably a typo, but worth pointing out).

What you need to do next is to drop the INPUT rules at the bottom of your script. The INPUT chain is only used by packets which are bound for a local process on the server itself, so those rules would allow clients on the LAN to connect directly to services listening on ports 80 and 443 on the server. This is correct for your initial SSH and HTTP rules, but not for the packet forwarding. Use the FORWARD chain instead:

#http (forwarded traffic arriving from the LAN interface; note the double dash on --dport)
iptables --table filter -A FORWARD -p tcp --dport 80 --in-interface eth1 -j ACCEPT
#https
iptables --table filter -A FORWARD -p tcp --dport 443 --in-interface eth1 -j ACCEPT

In addition to this, you'll need to enable IP forwarding in the kernel. Add this to the top of the script:

echo 1 > /proc/sys/net/ipv4/ip_forward

An additional recommendation: Rather than rules that drop packets at the end of the chains, consider using the policy settings:

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP

For further reference, there's a good diagram of packet flow through netfilter, here: http://www.shorewall.net/NetfilterOverview.html
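Putting the pieces of this answer together as one reviewable gateway script (an added example, not the answerer's code): it assumes eth1 is the LAN side and eth0 the Internet side, keeps SSH/HTTP on INPUT for LAN clients only, and adds the conntrack and MASQUERADE rules a working forwarding gateway needs, which the answer itself does not spell out.

```shell
#!/bin/sh
# Hypothetical gateway ruleset assembled from the answer above (added example).
# Interface names are assumptions: eth1 = LAN side, eth0 = Internet side.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the rules as text so they can be reviewed (or diffed) before applying.
build_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -F
iptables -t nat -F
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 -i $LAN_IF -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -i $LAN_IF -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -p tcp --dport 80 -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -t filter -A FORWARD -p tcp --dport 443 -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Sanity checks a reviewer would run on the generated text before applying it.
rules_ok() {
    rules=$(build_rules)
    # every --dport needs two dashes; the single-dash form makes iptables reject the rule
    printf '%s\n' "$rules" | grep -q -- ' -dport ' && return 1
    # forwarded web traffic belongs in FORWARD, not INPUT
    printf '%s\n' "$rules" | grep -q -- '-A FORWARD .*--dport 443' || return 1
    # kernel forwarding must be switched on or FORWARD never sees a packet
    printf '%s\n' "$rules" | grep -q 'ip_forward' || return 1
    return 0
}

# Usage: ./gateway.sh        -> print the rules for review
#        ./gateway.sh apply  -> run them (requires root)
if [ "${1:-}" = "apply" ]; then
    rules_ok || { echo "ruleset failed checks" >&2; exit 1; }
    build_rules | sh
else
    build_rules
fi
```

With a DROP policy on OUTPUT, the gateway's own new outbound connections (DNS, package updates) also need explicit OUTPUT ACCEPT rules; only reply traffic is covered by the conntrack rule here.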