> This CentOS wiki may help:
>
> http://wiki.centos.org/HowTos/Network/IPTables
>
> Akemi

Akemi,

That was helpful (I should have checked the wiki :>). After reading that and the RH-related links, I think I have what I need, but I am unclear about one aspect. What is the correlation between filtering LAN-based connections destined to be masqueraded out and what can even get to the internal NIC? I see the chains are obviously distinct from each other, and I assume the tables are as well. So to control what may ingress an interface destined for the server itself, you write a rule for the default table's INPUT chain; to control what may be masqueraded/DNAT'ed, you write a rule for either the NAT table's PREROUTING chain or the default table's FORWARD chain, or both? In looking at examples for setting up NAT, I don't see people typically lock down what may be masqueraded, so I am not seeing how to do this. By my inclusion of at least one rule, am I properly prohibiting anything else? Is there any significance to the order in which I set up masquerading and then lock down what hits the FORWARD chain? Do you not need to set up default policies for the chains on the nat table?

Thanks!
jlc

******************************************
#!/bin/bash

WAN="eth0"
LAN="eth1"

# Flush all current rules from iptables
iptables -F

# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT

# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Setup masquerading on WAN interface
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Allow incoming DNS/DHCP/HTTP/SIP connections from internal clients on LAN
iptables -A FORWARD -i $LAN -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 68 -j ACCEPT
iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $LAN -m state --state NEW -m udp -p udp --dport 10000:60000 -j ACCEPT

# Allow incoming SIP connections from both of the provider's RTP Servers on WAN
iptables -A INPUT -s xx.xx.xxx.162/32 -i $WAN -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -s xx.xx.xxx.163/32 -i $WAN -m state --state NEW -m udp -p udp --dport 10000:60000 -j ACCEPT
iptables -A INPUT -s xx.xx.xxx.162/32 -i $WAN -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -s xx.xx.xxx.163/32 -i $WAN -m state --state NEW -m udp -p udp --dport 10000:60000 -j ACCEPT

# Forward smtp connections to mail server from WAN
iptables -A FORWARD -i $WAN -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to 192.168.0.3:25

# Save settings
service iptables save
******************************************

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
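As an added example (not the poster's script and not taken from the wiki linked above), here is a gateway ruleset in iptables-restore format that keeps the two roles the question is about separate: the filter table's INPUT chain decides what reaches the gateway itself, its FORWARD chain decides what gets routed (both the LAN-to-WAN traffic that POSTROUTING will masquerade and the SMTP traffic that PREROUTING has DNAT'ed, which FORWARD sees with its rewritten internal destination), and the nat table only rewrites addresses and is left at its default ACCEPT policies. The interface names, the 192.168.0.0/24 LAN subnet and the helper functions (gen_ruleset, ruleset_policy, table_rules, check_ruleset, apply_ruleset) are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the poster's script. Interface names, the LAN subnet
# and the helper function names are assumptions.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"        # assumed LAN subnet
MAIL_SERVER="${MAIL_SERVER:-192.168.0.3}"   # internal mail host from the post

# Print the complete ruleset in iptables-restore format. All accept/drop
# decisions live in the filter table; the nat table only rewrites addresses,
# so its chains keep their default ACCEPT policies.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: traffic addressed to the gateway itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
# FORWARD: routed traffic, i.e. everything that will be masqueraded on the
# way out and everything that arrived via DNAT. Allowed services are listed
# explicitly; a blanket LAN->WAN ACCEPT placed before them would match first
# and make the per-service rules unreachable.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport 443 -j ACCEPT
# FORWARD runs after PREROUTING, so the DNAT'ed SMTP connection is matched
# on its rewritten internal destination, not on the gateway's WAN address.
-A FORWARD -i $WAN -o $LAN -d $MAIL_SERVER -p tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination $MAIL_SERVER:25
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Print the default policy of CHAIN in TABLE from the generated ruleset.
# Usage: ruleset_policy filter FORWARD
ruleset_policy() {
    gen_ruleset | awk -v t="*$1" -v c=":$2" '
        $1 == t { in_t = 1; next }
        $1 == "COMMIT" { in_t = 0 }
        in_t && $1 == c { print $2; exit }'
}

# Print only the -A rule lines belonging to TABLE.
# Usage: table_rules nat
table_rules() {
    gen_ruleset | awk -v t="*$1" '
        $1 == t { in_t = 1; next }
        $1 == "COMMIT" { in_t = 0 }
        in_t && $1 == "-A" { print }'
}

# Parse the ruleset without committing it (needs root and iptables).
check_ruleset() {
    gen_ruleset | iptables-restore --test
}

# Load the ruleset atomically, replacing the current tables (needs root).
apply_ruleset() {
    gen_ruleset | iptables-restore
}

if [ "${1:-}" = apply ]; then
    apply_ruleset
fi
```

Rules in a chain are evaluated in order and the first match decides, which is why the example lists the permitted LAN-to-WAN services rather than accepting the whole interface first. Running the script with `apply` loads the ruleset; `check_ruleset` parses it without changing the live tables. The nat table rules carry no ACCEPT or DROP targets at all: only the first packet of a connection traverses nat, so it is not the place to filter.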