I am setting up a small CentOS-5.3 host to act as a router. I have the device configured and working. What I am trying to accomplish now is configuring the firewall so as to protect both the router and the LAN.

The host configuration has the WAN attached to eth0 (IP_ADDR = A) and the LAN attached to eth1 (IP_ADDR = B). The default gateway for B is A. The default gateway for B is B-1. There is a static route set for eth0 (A) to route traffic for B/24 to B.

My understanding is that INCOMING packets, for the purposes of iptables, originate outside the host interfaces and that OUTGOING packets originate from, or are forwarded across, the host itself. So, as I understand things, traffic from network C/24 destined to B/24 comes IN eth0, is forwarded to eth1, and then goes OUT eth1. Similarly, traffic from B/24 to C/24 comes IN eth1 and goes OUT eth0. Is my understanding correct?

I have set up four custom chains, one each for IN and OUT on each of the two eth i/f. Incoming packets for eth0 are sent to the WAN-IN-CHAIN, outgoing are sent to the WAN-OUT-CHAIN. In a similar fashion I have LAN-IN-CHAIN and LAN-OUT-CHAIN.

My confusion arises from trying to set up an iptables filter on the WAN-IN-CHAIN so that traffic arriving on eth0 cannot connect to either A or B, but can nonetheless pass through B to B/24. I cannot seem to discover an arrangement whereby I can do this and still maintain network connectivity to B/24 from a console session running on the router itself.

Further, I wish to prevent any incoming connection from the WAN for any source address purporting to belong to the B/24 netblock (IP spoofing). Again, whatever arrangements I try, whenever I enable such a rule I lose network connectivity from the console session to the LAN.

I would appreciate some guidance and an explanation of what fundamental issue it is that I am missing.

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
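The following is an added example of a ruleset for the two-interface router the post describes; it is not code from the post or from CentOS. The point it illustrates is the one the post is circling: in the filter table, packets addressed to the router itself (to A or to B) traverse INPUT, packets the router generates (a console session on the router talking to the LAN) traverse OUTPUT, and packets passing through from eth0 to eth1 or back traverse only FORWARD. Because of that, "WAN traffic may not connect to A or B but may reach B/24" is two different rules in two different built-in chains, and an anti-spoof rule dropping source B/24 is safe only when it is reached exclusively for packets that came in on eth0, so that LAN hosts replying on eth1 never hit it. The interface and chain names are the post's; the addresses (TEST-NET-3 for the WAN, 192.168.1.0/24 for B/24, 192.168.1.1 for B) are placeholders assumed for this example. The `-m state` match is used because it is what the CentOS 5 kernel ships with.

```shell
#!/bin/sh
# Added example (not from the post): an iptables-restore ruleset for a
# two-interface router, plus a lint that checks the two properties the
# post lost connectivity over.  Addresses below are assumed placeholders.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24      # "B/24" in the post (assumed placeholder)
LAN_ADDR=192.168.1.1        # "B", the router's LAN address (assumed)

# Emit the ruleset on stdout in iptables-restore format.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WAN-IN-CHAIN - [0:0]
:LAN-IN-CHAIN - [0:0]
:WAN-OUT-CHAIN - [0:0]
:LAN-OUT-CHAIN - [0:0]
# INPUT: packets addressed to A or B.  Replies to connections the router
# opened (including the console session to the LAN) are ESTABLISHED.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${WAN_IF} -j WAN-IN-CHAIN
-A INPUT -i ${WAN_IF} -j DROP
-A INPUT -i ${LAN_IF} -j LAN-IN-CHAIN
-A INPUT -i ${LAN_IF} -j DROP
# FORWARD: packets passing through B.  These never visit INPUT or OUTPUT.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${WAN_IF} -j WAN-IN-CHAIN
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${LAN_NET} -m state --state NEW -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
# OUTPUT: only packets generated on the router itself (e.g. a console
# session to ${LAN_NET}); forwarded LAN/WAN traffic never enters these chains.
-A OUTPUT -o ${WAN_IF} -j WAN-OUT-CHAIN
-A OUTPUT -o ${LAN_IF} -j LAN-OUT-CHAIN
# WAN-IN-CHAIN is only ever reached with -i ${WAN_IF}, so the anti-spoof
# drop can never match a LAN host's reply arriving on ${LAN_IF}.
-A WAN-IN-CHAIN -s ${LAN_NET} -j DROP
-A WAN-IN-CHAIN -s 127.0.0.0/8 -j DROP
-A WAN-IN-CHAIN -j RETURN
# Management of B from the LAN only: ssh and ping.
-A LAN-IN-CHAIN -s ${LAN_NET} -d ${LAN_ADDR} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A LAN-IN-CHAIN -s ${LAN_NET} -p icmp -j ACCEPT
-A LAN-IN-CHAIN -j RETURN
-A WAN-OUT-CHAIN -j ACCEPT
-A LAN-OUT-CHAIN -j ACCEPT
COMMIT
EOF
}

# Lint the generated ruleset.  Returns 0 when (a) the only rule that drops
# by LAN source address lives in WAN-IN-CHAIN and (b) every jump into
# WAN-IN-CHAIN is qualified by -i ${WAN_IF}; returns 1 otherwise.  Either
# violation is what makes the router's own console session to the LAN die.
lint_ruleset() {
    rules=$(gen_ruleset)
    if printf '%s\n' "$rules" | grep -- "-s ${LAN_NET} -j DROP" \
        | grep -qv '^-A WAN-IN-CHAIN'; then
        return 1
    fi
    if printf '%s\n' "$rules" | grep -- '-j WAN-IN-CHAIN' \
        | grep -qv -- "-i ${WAN_IF} "; then
        return 1
    fi
    return 0
}

# Usage:  sh router-fw.sh print | iptables-restore    (as root, after
#         sysctl -w net.ipv4.ip_forward=1)
#         sh router-fw.sh lint
case "${1-}" in
    print) gen_ruleset ;;
    lint)  lint_ruleset && echo "ruleset ok" ;;
esac
```

The kernel's own source check, `net.ipv4.conf.all.rp_filter=1`, complements the WAN-IN-CHAIN rule: with the static route for B/24 pointing at eth1, a packet with a B/24 source arriving on eth0 fails the reverse-path lookup and is discarded before iptables sees it. Keep the iptables rule anyway so the drop is visible in counters and logs.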