[CentOS] IPTables help

Fri May 23 11:26:04 UTC 2008
Ned Slider <ned at unixmail.co.uk>

Joseph L. Casale wrote:
>> This CentOS wiki may help:
>> http://wiki.centos.org/HowTos/Network/IPTables
>> Akemi
> Akemi,
> That was helpful (I should have checked the wiki:>).
> After reading that and the RH related links, I think I have what I need
> but I am unclear about one aspect. What is the correlation between filtering
> LAN based connections destined to be masqueraded out and what can even get to
> the internal NIC? I see the chains are obviously distinct from each other, and
> I assume the tables are as well. So to control what may ingress an interface destined
> for the server itself, you write a rule for the default table's INPUT chain; to control
> what may be masqueraded/DNAT'ed, you write a rule for either the NAT table's
> PREROUTING chain or the default table's FORWARD chain, or both?

The norm is to add rules to the FORWARD chain of the default filter table.

> In looking at examples for setting up NAT, I don't see people typically lock down what
> may be masqueraded, so I am not seeing how to do this. By my inclusion of at least one
> rule, am I properly prohibiting anything else? Is there any significance to the order
> in which I set up masquerading and then lock down what hits the FORWARD chain?
> Do you not need to setup default policies for the chains on the nat table?

By default (once forwarding is enabled), masquerading will allow all 
outgoing connections and block all new incoming connections. Finer 
control is applied via the FORWARD chain. You can see the default policy 
of the FORWARD chain with the command 'iptables -L' and you can set the 
policy of the FORWARD chain in exactly the same manner as you would for 
the INPUT and OUTPUT chains.

The Linux documentation project has a HOWTO on masquerading here which 
is probably the definitive documentation on the subject:



> Thanks!
> jlc
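To make the answer above concrete, the following is an added example (not from this thread, the CentOS wiki, or the TLDP HOWTO): a small shell function that generates an iptables-restore style ruleset, as used in /etc/sysconfig/iptables, for a gateway with an internal NIC, an external NIC, and a LAN subnet. The interface names eth1/eth0 and the subnet 192.168.1.0/24 are constructed placeholders. It shows the split the reply describes: MASQUERADE lives in the nat table's POSTROUTING chain, whose chains keep their ACCEPT policy, while everything that decides what LAN hosts may reach is a filter table FORWARD rule under a DROP default policy, and traffic for the gateway itself is governed by INPUT.

```shell
#!/bin/sh
# gen_ruleset LAN_IF WAN_IF LAN_NET  -- print an iptables-restore ruleset to stdout.
# Load with: gen_ruleset eth1 eth0 192.168.1.0/24 | iptables-restore
gen_ruleset() {
  lan_if=$1; wan_if=$2; lan_net=$3
  cat <<EOF
# nat table: only address rewriting happens here, so the chains stay ACCEPT.
# Ordering relative to the filter rules below does not matter; FORWARD is
# consulted for every routed packet regardless of whether NAT applies.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
# filter table: INPUT guards the gateway itself, FORWARD guards routed traffic.
# With FORWARD set to DROP, a LAN host can only reach what is explicitly allowed.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Print the ruleset with constructed defaults when run directly.
gen_ruleset "${1:-eth1}" "${2:-eth0}" "${3:-192.168.1.0/24}"
```

Replies to LAN connections come back through the ESTABLISHED,RELATED rule, so nothing new from the outside is forwarded unless a further FORWARD (plus nat PREROUTING DNAT) rule permits it.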