Re: IPTables help




Joseph L. Casale wrote:
This CentOS wiki may help:

http://wiki.centos.org/HowTos/Network/IPTables

Akemi


Akemi,
That was helpful (I should have checked the wiki:>).

After reading that and the RH related links, I think I have what I need
but I am unclear about one aspect. What is the correlation between filtering
LAN-based connections destined to be masqueraded out and what can even get to
the internal NIC? I see the chains are obviously distinct from each other, and
I assume the tables are as well. So to control what may ingress an interface destined
for the server itself, you write a rule for the default table's INPUT chain, and to control
what may be masqueraded/DNAT'ed, you write a rule for either the NAT table's
PREROUTING chain or the default table's FORWARD chain, or both?


The norm is to add rules to the FORWARD chain of the default filter table.

In looking at examples for setting up NAT, I don't see people typically lock down what
may be masqueraded, so I am not seeing how to do this. By my inclusion of at least one
rule, am I properly prohibiting anything else? Is there any significance to the order
in which I set up masquerading and then lock down what hits the FORWARD chain?

Do you not need to setup default policies for the chains on the nat table?


By default (once forwarding is enabled), masquerading will allow all outgoing connections and block all new incoming connections. Finer control is applied via the FORWARD chain. You can see the default policy of the FORWARD chain with the command 'iptables -L' and you can set the policy of the FORWARD chain in exactly the same manner as you would for the INPUT and OUTPUT chains.

The Linux documentation project has a HOWTO on masquerading here which is probably the definitive documentation on the subject:

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/

Ned

Thanks!
jlc
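The following is an added example, not code from the thread above. It writes out, in iptables-restore format, a two-NIC gateway ruleset that puts the pieces Ned describes in their places: the MASQUERADE rule in the nat table's POSTROUTING chain, the built-in nat chains left at their ACCEPT policy (the nat table only sees the first packet of each connection, so it is the wrong place to filter), and the actual lock-down in the filter table's FORWARD chain with a DROP policy so that only the listed LAN-to-WAN traffic is routed and hence masqueraded. Interface names (eth0/eth1), the LAN subnet 192.168.1.0/24 and the permitted ports are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a masquerading
# gateway. Interface names and LAN subnet below are assumptions.
LAN_IF="${LAN_IF:-eth1}"                # assumed internal NIC
WAN_IF="${WAN_IF:-eth0}"                # assumed external NIC
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed LAN subnet (constructed)

# Print the complete ruleset. Comments inside are passed through verbatim;
# iptables-restore ignores lines starting with '#'.
gateway_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The nat table only rewrites addresses on the first packet of a connection.
# It is not used for filtering, so its built-in chains keep policy ACCEPT.
-A POSTROUTING -o ${WAN_IF} -s ${LAN_NET} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT controls what may reach the gateway itself (here: ssh from the LAN,
# ping, and replies to connections the gateway opened).
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# FORWARD controls what may be routed through the box. Every forwarded
# packet passes here before POSTROUTING, so with policy DROP only the
# traffic listed below ever reaches the MASQUERADE rule. Order of loading
# the nat and filter tables does not matter; chain traversal order does.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -p udp --dport 53 -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -p tcp --dport 53 -j ACCEPT
# Anything else (including new inbound connections from the WAN) is logged
# at a limited rate and then dropped by the chain policy.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Load the ruleset and enable routing. Requires root; not run by the test.
apply_rules() {
  gateway_rules | iptables-restore
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage: sh gateway.sh > /etc/sysconfig/iptables  (then 'service iptables restart')
#        or, as root: . ./gateway.sh && apply_rules
gateway_rules
```

Loading the file with iptables-restore replaces the whole ruleset atomically, which sidesteps the ordering question: the rules are in place before any packet is evaluated. On a running CentOS box, `iptables -L FORWARD -v` afterwards shows the policy as DROP and the per-rule counters, and `iptables -t nat -L POSTROUTING -v` shows the MASQUERADE hit count climbing only for flows that FORWARD let through.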

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
