RE: [CentOS] IPTables help

This CentOS wiki may help:

http://wiki.centos.org/HowTos/Network/IPTables

Akemi

Akemi, That was helpful (I should have checked the wiki:>).

After reading that and the RH related links, I think I have what I need but I am unclear about one aspect. What is the correlation between filtering LAN based connections destined to be masqueraded out and what can even get to the internal NIC? I see the chains are obviously distinct from each other, and I assume the tables are as well. So to control what may ingress an interface destined for the server itself, you write a rule for the default table's INPUT chain, to control what may be masqueraded/DNAT'ed, you write a rule for the either the NAT tables PREROUTING chain or the default table's FORWARD chain, or both?

In looking at examples for setting up NAT, I don't see people typically lockdown what may masqueraded, so I am not seeing how to do this. Buy my inclusion of at least one rule, am I properly prohibiting anything else? Is there any significance to the order in which I setup masquerading and then lockdown what hits the FORWARD chain?

Do you not need to setup default policies for the chains on the nat table?

Thanks! jlc

****************************************** #!/bin/bash

WAN="eth0" LAN="eth1"

# Flush all current rules from iptables iptables -F

# Set default policies for INPUT, FORWARD and OUTPUT chains iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT

# Set access for localhost iptables -A INPUT -i lo -j ACCEPT

# Accept packets belonging to established and related connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Setup masquerading on WAN interface iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Allow incoming DNS/DHCP/HTTP/SIP connections from internal clients on LAN iptables -A FORWARD -i $LAN -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT iptables -A FORWARD -i $LAN -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 67 -j ACCEPT iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 68 -j ACCEPT iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 10000:60000 -j ACCEPT

# Allow incoming SIP connections from both of the provider's RTP Servers on WAN iptables -A INPUT -s xx.xx.xxx.162/32 -i $WAN -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT iptables -A INPUT -s xx.xx.xxx.163/32 -i $WAN -m state --state NEW -m udp -p udp --dport 10000:60000 -j ACCEPT iptables -A INPUT -s xx.xx.xxx.162/32 -i $WAN -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT iptables -A INPUT -s xx.xx.xxx.163/32 -i $WAN -m state --state NEW -m udp -p udp --dport 10000:60000 -j ACCEPT

# Forward smtp connections to mail server from WAN iptables -A FORWARD -i $WAN -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to 192.168.0.3:25

# Save settings service iptables save ******************************************