I am new to iptables and need some guidance. I have done a good bit of reading over the past few days and have learned much. With this knowledge I have come up with a solution for my task, but am not convinced that it is the most efficient approach. I was hoping that I could get some guidance from someone who is more knowledgeable.

My Setup:
Red Hat ES3
uname -r = 2.4.21-20.0.1.ELsmp
iptables -V = iptables v1.2.8
ip -V = ip utility, iproute2-ss010824
Dual NIC server
eth1 - To Router (internet)
eth0 - Internal public space IP range

The Task:
Block all traffic from the internal interface except port 80/443. Forward 80/443 to my web server, which will have a rewrite rule. The user will then be shown a web page for authentication. Once the user is validated they will be granted outbound access for a specified time period (on most ports).

For my test setup I did not have public IP space to play with, so I created a private network (192.168.0.0). I then created the following rule to get access to the external network.

MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to external_network

This is the part that I am not too sure about.

NAT - [One entry for each IP address]
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.2 -i eth0 -d 0/0 -m multiport --dports 80,443 -j DNAT --to my_web_server
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.3 -i eth0 -d 0/0 -m multiport --dports 80,443 -j DNAT --to my_web_server
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.4 -i eth0 -d 0/0 -m multiport --dports 80,443 -j DNAT --to my_web_server
...

This rule should forward all internal web/SSL traffic to my web server. I tested a command that was similar and it worked.

Now the problem - if I had 500 internal IP addresses I would have to create a NAT for each one of them. Once the user authenticated I would have to remove the NAT for that user's IP for a specified time period. Then I would have to create a filter to allow outbound access to the ports that I wanted to allow for that IP. After their time has expired I would have to add the NAT back and delete the filter rule. This seems like it would work, but it is a lot of management.

I tried to just make one NAT to forward any internal IP address on port 80/443 to my web server, and that worked until the user authenticated. Once the user was authenticated I had no way of getting around the NAT rule for 80/443. If I understand what I have been reading correctly, the NAT PREROUTING rule is evaluated first. Therefore there is no way for me to allow an IP address in my internal network range to bypass this rule.

Any guidance is appreciated.

-- Bracey Summers
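An added example, not from the post above and not Red Hat or iptables project code, of the rule layout that removes the need for one DNAT entry per client. The trick is that the nat PREROUTING chain is evaluated top to bottom like any other chain: a user-defined chain holds a RETURN rule for each authenticated client ahead of a single catch-all DNAT, so an exempted client's packets leave the chain before the DNAT is reached. Interface names, the 192.168.0.0/24 range, the portal address 10.0.0.10 and the SNAT address 203.0.113.5 are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): one DNAT rule for the whole
# internal range; authenticated clients are exempted by a RETURN rule inserted
# ahead of it inside a user-defined nat chain, and granted forwarding by an
# ACCEPT rule in a user-defined filter chain.
#
# Assumed placeholders (not taken from the post):
#   LAN_IF=eth0  WAN_IF=eth1  LAN_NET=192.168.0.0/24
#   PORTAL=10.0.0.10 (login web server)  EXT_IP=203.0.113.5 (SNAT address)
# Set IPT="echo iptables" to preview the commands without touching the firewall.

IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
PORTAL=${PORTAL:-10.0.0.10}
EXT_IP=${EXT_IP:-203.0.113.5}

# One-time setup of the chains and the catch-all rules.
portal_init() {
    # nat/PREROUTING: hand LAN web traffic to the 'portal' chain.
    $IPT -t nat -N portal
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j portal
    # Catch-all: whatever reaches the end of 'portal' is rewritten to the login server.
    $IPT -t nat -A portal -j DNAT --to-destination "$PORTAL"
    # Outbound source NAT for the private range.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$EXT_IP"

    # filter/FORWARD: default deny, replies allowed, portal reachable, rest via 'authed'.
    $IPT -N authed
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # FORWARD sees the post-DNAT destination, so this matches the rewritten traffic.
    $IPT -A FORWARD -i "$LAN_IF" -d "$PORTAL" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j authed
}

# Grant a client after login: RETURN at position 1 is matched before the DNAT,
# and ACCEPT at position 1 of 'authed' lets its new connections be forwarded.
portal_allow() {
    client=$1
    $IPT -t nat -I portal 1 -s "$client" -j RETURN
    $IPT -I authed 1 -s "$client" -j ACCEPT
}

# Revoke a client when its time expires (for example from an at(1) job):
# deleting the two rules puts it back behind the catch-all DNAT.
portal_revoke() {
    client=$1
    $IPT -t nat -D portal -s "$client" -j RETURN
    $IPT -D authed -s "$client" -j ACCEPT
}

# Usage:  . ./portal.sh; portal_init; portal_allow 192.168.0.7
# Preview: IPT="echo iptables" sh -c '. ./portal.sh; portal_init'
```

Two properties of the nat table matter when using this. The nat chains are consulted only for the first packet of a connection, so a browser connection that was DNATed to the portal before login stays pointed at the portal until it closes; the login success page should therefore redirect the client to a fresh connection. For the same reason, revoking a client only affects its new connections; connections that were already accepted keep flowing until they close unless their conntrack entries are flushed.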