[CentOS] IPTables help

Fri May 23 03:20:16 UTC 2008
Joseph L. Casale <JCasale at activenetwerx.com>

>This CentOS wiki may help:

That was helpful (I should have checked the wiki:>).

After reading that and the RH related links, I think I have what I need
but I am unclear about one aspect. What is the correlation between filtering
LAN based connections destined to be masqueraded out and what can even get to
the internal NIC? I see the chains are obviously distinct from each other, and
I assume the tables are as well. So to control what may ingress an interface destined
for the server itself, you write a rule for the default table's INPUT chain; to control
what may be masqueraded/DNAT'ed, you write a rule for either the NAT table's
PREROUTING chain or the default table's FORWARD chain, or both?

In looking at examples for setting up NAT, I don't see people typically lock down what
may be masqueraded, so I am not seeing how to do this. By my inclusion of at least one
rule, am I properly prohibiting anything else? Is there any significance to the order
in which I set up masquerading and then lock down what hits the FORWARD chain?

Do you not need to set up default policies for the chains on the nat table?

# $WAN and $LAN must be set to the WAN and LAN interface names before this runs

# Flush all current rules from iptables (-F alone only touches the filter
# table, so the nat table is flushed explicitly as well)
iptables -F
iptables -t nat -F

# Set default policies for INPUT and FORWARD chains
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT

# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Setup masquerading on WAN interface
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Allow incoming DNS/DHCP/HTTP/SIP connections from internal clients on LAN
iptables -A FORWARD -i $LAN -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 68 -j ACCEPT
iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 10000:60000 -j ACCEPT

# Allow incoming SIP connections from both of the provider's RTP Servers on WAN
iptables -A INPUT -s xx.xx.xxx.162/32 -i $WAN -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -s xx.xx.xxx.163/32 -i $WAN -m state --state NEW -m udp -p udp --dport 10000:60000 -j ACCEPT
iptables -A INPUT -s xx.xx.xxx.162/32 -i $WAN -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -s xx.xx.xxx.163/32 -i $WAN -m state --state NEW -m udp -p udp --dport 10000:60000 -j ACCEPT

# Forward smtp connections to mail server from WAN
iptables -A FORWARD -i $WAN -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to

# Save settings
service iptables save
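As an added illustration of the FORWARD-versus-nat question in the message above (this is not code from the thread): a toy model of the order in which netfilter consults the filter FORWARD chain and the nat POSTROUTING chain for a routed packet. Interface names, the WAN address, the LAN host address and the port choices are constructed for the example.

```python
# Added example, not from the thread: toy model of netfilter traversal for a
# forwarded packet (filter FORWARD first, then nat POSTROUTING for NEW only).
WAN_ADDR = "203.0.113.5"  # constructed address of the WAN interface

def rule(table, chain, target, **match):
    """One iptables rule; a tuple value matches any of its members (-m state)."""
    return {"table": table, "chain": chain, "target": target, "match": match}

def matches(r, pkt):
    return all(pkt.get(k) in v if isinstance(v, tuple) else pkt.get(k) == v
               for k, v in r["match"].items())

def run_chain(rules, table, chain, pkt, policy):
    """Walk one chain in rule order; first match wins, else the chain policy."""
    for r in rules:
        if r["table"] == table and r["chain"] == chain and matches(r, pkt):
            return r["target"]
    return policy

def forward(rules, pkt):
    """Return (verdict, source address on the wire) for a packet being routed."""
    pkt = dict(pkt)
    # filter FORWARD is consulted for every packet, with default policy DROP.
    if run_chain(rules, "filter", "FORWARD", pkt, "DROP") != "ACCEPT":
        return "DROP", pkt["src"]  # never reaches POSTROUTING, so never masqueraded
    # nat POSTROUTING sees only a connection's first packet; conntrack replays the
    # mapping for the rest.  Its ACCEPT policy means "no translation", so the nat
    # table needs no DROP policy: the filter table already decided the verdict.
    if pkt["state"] == "NEW" and run_chain(
            rules, "nat", "POSTROUTING", pkt, "ACCEPT") == "MASQUERADE":
        pkt["src"] = WAN_ADDR
    return "ACCEPT", pkt["src"]

# The post's FORWARD/POSTROUTING section as written: the blanket LAN->WAN
# ACCEPT (second rule) makes the port-specific FORWARD rules after it redundant.
AS_POSTED = [
    rule("filter", "FORWARD", "ACCEPT", in_if="wan", out_if="lan", state=("ESTABLISHED", "RELATED")),
    rule("filter", "FORWARD", "ACCEPT", in_if="lan", out_if="wan"),
    rule("nat", "POSTROUTING", "MASQUERADE", out_if="wan"),
    rule("filter", "FORWARD", "ACCEPT", in_if="lan", proto="udp", dport=53, state="NEW"),
    rule("filter", "FORWARD", "ACCEPT", in_if="lan", proto="tcp", dport=80, state="NEW"),
]
# Same rules minus the blanket ACCEPT: only DNS and HTTP are forwarded, so only
# they are ever masqueraded, although the MASQUERADE rule itself is unchanged.
LOCKED_DOWN = [r for r in AS_POSTED if r["match"] != {"in_if": "lan", "out_if": "wan"}]

def lan_pkt(proto, dport):
    """Constructed first packet of a new connection from a LAN host to the WAN."""
    return {"in_if": "lan", "out_if": "wan", "proto": proto, "dport": dport,
            "state": "NEW", "src": "192.168.1.10"}
```

Because rules are looked up per table and chain, the relative order of the MASQUERADE rule and the FORWARD rules in the script does not matter; the order of rules within the FORWARD chain does.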