Joseph L. Casale wrote:
This CentOS wiki may help:
http://wiki.centos.org/HowTos/Network/IPTables
Akemi
Akemi, that was helpful (I should have checked the wiki :>).
After reading that and the RH related links, I think I have what I need but I am unclear about one aspect. What is the correlation between filtering LAN based connections destined to be masqueraded out and what can even get to the internal NIC? I see the chains are obviously distinct from each other, and I assume the tables are as well. So to control what may ingress an interface destined for the server itself, you write a rule for the default table's INPUT chain; to control what may be masqueraded/DNAT'ed, you write a rule for either the NAT table's PREROUTING chain or the default table's FORWARD chain, or both?
The norm is to add rules to the FORWARD chain of the default filter table.
In looking at examples for setting up NAT, I don't see people typically lock down what may be masqueraded, so I am not seeing how to do this. By my inclusion of at least one rule, am I properly prohibiting anything else? Is there any significance to the order in which I set up masquerading and then lock down what hits the FORWARD chain?
Do you not need to set up default policies for the chains on the nat table?
By default (once forwarding is enabled), masquerading will allow all outgoing connections and block all new incoming connections. Finer control is applied via the FORWARD chain. You can see the default policy of the FORWARD chain with the command 'iptables -L' and you can set the policy of the FORWARD chain in exactly the same manner as you would for the INPUT and OUTPUT chains.
The Linux documentation project has a HOWTO on masquerading here which is probably the definitive documentation on the subject:
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/
Ned
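To make Ned's point concrete, here is an added example (not from the thread or the CentOS wiki) of a ruleset in iptables-restore format: the nat table keeps its ACCEPT policies and carries only the MASQUERADE rule, while all control over what the LAN may reach is done in the filter table's FORWARD chain with a DROP policy. Interface names eth0/eth1 and the LAN subnet 192.168.1.0/24 are assumed values.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a two-NIC masquerading box.
# Assumed values; override via the environment to match your host.
LAN_IF="${LAN_IF:-eth1}"            # internal NIC
WAN_IF="${WAN_IF:-eth0}"            # internet-facing NIC
LAN_NET="${LAN_NET:-192.168.1.0/24}" # constructed LAN subnet

nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}
# Notes on the ruleset above:
# - MASQUERADE lives in nat/POSTROUTING and only rewrites the source address
#   of packets that the FORWARD chain has already accepted, so the order in
#   which the two are loaded does not matter: a packet dropped in FORWARD
#   never reaches POSTROUTING.
# - The nat chains keep ACCEPT policies; locking down the nat table is not
#   how you restrict what the LAN may reach.
# - Anything not matched by an ACCEPT rule in FORWARD is logged and then
#   dropped by the chain policy.
# Load with: sysctl -w net.ipv4.ip_forward=1 && nat_ruleset | iptables-restore

# Helper: print the policy of a filter-table chain from the generated ruleset.
chain_policy() {
    nat_ruleset | sed -n '/^\*filter/,/^COMMIT/p' | awk -v c=":$1" '$1 == c { print $2 }'
}

# Helper: count the explicit ACCEPT rules in the FORWARD chain.
forward_accepts() {
    nat_ruleset | grep -c '^-A FORWARD .* -j ACCEPT$'
}
```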
Thanks! jlc