Iptables - Forwarding + Masquerading
Solution 1:
First off, a couple of corrections: The table names are case sensitive, as are the command line switches: you need --table filter -A INPUT. Also, the dport for https is 443 (probably a typo, but worth pointing out).
What you need to do next is to drop the INPUT rules at the bottom of your script. The INPUT chain is only used by packets which are bound for a local process on the server itself. So those rules will allow clients on the LAN to connect directly to services listening on ports 80 and 443 on the server. This is correct for your initial SSH and HTTP rules, but not for the packet forwarding. Use the FORWARD chain instead:
#http
iptables --table filter -A FORWARD -p tcp --dport 80 --in-interface eth1 -j ACCEPT
#https
iptables --table filter -A FORWARD -p tcp --dport 443 --in-interface eth1 -j ACCEPT
In addition to this, you'll need to enable IP forwarding in the kernel. Add this to the top of the script:
echo 1 > /proc/sys/net/ipv4/ip_forward
An additional recommendation: Rather than rules that drop packets at the end of the chains, consider using the policy settings:
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
For further reference, there's a good diagram of packet flow through netfilter, here: http://www.shorewall.net/NetfilterOverview.html
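A complete script that puts the corrections above together (FORWARD rules, kernel forwarding, DROP policies) and adds the masquerading rule from the question's title, written here as an added example rather than taken from the answer; it assumes eth0 is the Internet-facing interface and eth1 the LAN, and adds connection-tracking rules so reply packets get back through the DROP policies.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed interface names:
# eth0 faces the Internet (WAN), eth1 faces the LAN (as in the answer's rules).
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

# run: execute a command, or only print it when DRY_RUN is set, so the rule
# set can be reviewed without root and without touching the live firewall.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

firewall_rules() {
    # Kernel routing between interfaces (same effect as the echo to /proc above).
    run sysctl -w net.ipv4.ip_forward=1

    # Flush, then use DROP policies instead of trailing DROP rules.
    run iptables -t filter -F
    run iptables -t nat -F
    run iptables -t filter -P INPUT DROP
    run iptables -t filter -P OUTPUT DROP
    run iptables -t filter -P FORWARD DROP

    # INPUT: only services on the firewall itself, here SSH from the LAN.
    run iptables -t filter -A INPUT -i lo -j ACCEPT
    run iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t filter -A INPUT -p tcp --dport 22 -i "$LAN" -j ACCEPT

    # OUTPUT: the firewall's own outbound connections and their replies.
    run iptables -t filter -A OUTPUT -o lo -j ACCEPT
    run iptables -t filter -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # FORWARD: LAN clients may open HTTP/HTTPS towards the WAN. Replies are
    # matched by connection state, so no inbound port has to be opened.
    run iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t filter -A FORWARD -p tcp --dport 80 -i "$LAN" -o "$WAN" -j ACCEPT
    run iptables -t filter -A FORWARD -p tcp --dport 443 -i "$LAN" -o "$WAN" -j ACCEPT

    # NAT: masquerade forwarded packets leaving via the WAN interface.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# "sh fw.sh apply" installs the rules; "DRY_RUN=1 sh fw.sh apply" prints them.
case "${1:-}" in
    apply) firewall_rules ;;
esac
```

Review the DRY_RUN output before applying: the FORWARD chain should only ever list the two LAN-to-WAN port rules plus the state rule, and nothing should still carry a single-dash -dport.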