RE: help on NAT Configuration

I wouldn't place default policies of drop on mangle or nat tables.
Furthermore, on your INPUT chain, you can kill all the spt rules. Better create OUTPUT rules for those services and leave the ESTABLISHED,RELATED in the INPUT.
I would limit the masquerade by setting the outgoing interface and use -s <localnet>/<localnetmask>. At quick glance, I see nothing else amiss.
 
Gaby Schilders
IBFD network admin
-----Original Message-----
From: Gilles Yue [mailto:gyue@xxxxxxxxxxxxxxxxxx]
Sent: Monday 20 October 2003 15:12
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: help on NAT Configuration

Dear all

I want to share internet access on my LAN and my configurations are as below. (see picture)

Is my NAT configuration correct? I want to allow only some users to access the internet and check mail using Outlook Express.

Thanks for helping.

Rgds

gy

iptables -vnL

> Chain INPUT (policy DROP 485 packets, 51391 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:53
>    21  4504 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:53
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:80
>   813  704K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:80
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:443
>    16  3793 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:443
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 3465 packets, 286K bytes)
>  pkts bytes target     prot opt in     out     source               destination

> [root@rh9 root]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy DROP)
> target     prot opt source               destination
> MASQUERADE  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
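The following script is an added example, not code from either poster or from the netfilter project: it rewrites the quoted ruleset along the three points made in the reply (no DROP policy in the nat table, no source-port rules in INPUT with explicit OUTPUT rules and ESTABLISHED,RELATED instead, and a MASQUERADE limited by outgoing interface and -s localnet), and restricts forwarding to a short list of LAN hosts, which is what the original question asks for. The quoted FORWARD chain lets eth0 initiate towards eth1, so the example takes eth0 as the LAN side and eth1 as the internet side; the LAN range 192.168.1.0/24, the two permitted client addresses and the mail ports (SMTP 25, POP3 110, IMAP 143) are assumptions, not values from the thread, and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (override via environment):
# eth0 = LAN side, eth1 = internet side, LAN range 192.168.1.0/24, and only
# the hosts in ALLOWED_HOSTS may browse and fetch mail through the gateway.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"                        # assumed LAN range
ALLOWED_HOSTS="${ALLOWED_HOSTS:-192.168.1.10 192.168.1.11}"  # assumed clients
IPT="${IPT:-iptables}"

# rules prints one iptables command per line so the set can be reviewed
# (or diffed against the running configuration) before it is applied.
rules() {
    echo "$IPT -F"
    echo "$IPT -t nat -F"
    # Default-deny only in the filter table. The nat table is consulted for
    # the first packet of a connection only; a DROP policy there silently
    # kills any new connection no NAT rule matched and filters nothing
    # useful, so PREROUTING/POSTROUTING/OUTPUT in nat stay at ACCEPT.
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT DROP"
    echo "$IPT -t nat -P PREROUTING ACCEPT"
    echo "$IPT -t nat -P POSTROUTING ACCEPT"
    echo "$IPT -t nat -P OUTPUT ACCEPT"

    # INPUT: no "spt:" rules. Accepting anything with a trusted source port
    # lets any remote host reach every local service simply by sending from
    # port 53 or 80. Replies are matched by connection state instead.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -m state --state INVALID -j DROP"

    # OUTPUT: what the gateway itself may initiate (DNS, HTTP, HTTPS).
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    echo "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT"
    echo "$IPT -A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 53,80,443 -j ACCEPT"

    # FORWARD: replies back into the LAN, then only the permitted clients out.
    echo "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for host in $ALLOWED_HOSTS; do
        echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $host -p udp --dport 53 -j ACCEPT"
        # DNS and web, plus SMTP/POP3/IMAP for the mail client
        echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $host -p tcp -m multiport --dports 53,80,443,25,110,143 -j ACCEPT"
    done

    # NAT: masquerade only the LAN range and only towards the internet interface.
    echo "$IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# apply_rules executes the printed commands; stop at the first failing one.
apply_rules() {
    rules | sh -e
}

# Print by default; "apply" executes the rule set (requires root).
if [ "${1:-print}" = "apply" ]; then apply_rules; else rules; fi
```

Review the printed output first (`sh rules.sh`), then run `sh rules.sh apply` as root. Hosts not listed in ALLOWED_HOSTS hit the FORWARD DROP policy, and the POSTROUTING MASQUERADE never sees traffic that was not forwarded, so access control lives in the filter table where it belongs rather than in the nat table.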

