iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP
And then reject the things you actually want to prohibit, e.g.:
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp4s0 -p tcp --dport 25 -m comment --comment "no spamming" -j REJECT
iptables -A FORWARD -i enp4s0 -p tcp --dport 80 -m comment --comment "no unencrypted HTTP" -j REJECT
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP
That should've been this, using the internal interface rather than the
external one:
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp5s5 -p tcp --dport 25 -m comment --comment "no spamming" -j REJECT
iptables -A FORWARD -i enp5s5 -p tcp --dport 80 -m comment --comment "no unencrypted HTTP" -j REJECT
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP
Note that this is a strong reason to rename your interfaces to something
meaningful instead of using the ugly meaningless default names.
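
Added example, not part of the original message: a first-match walk of the FORWARD rules above for a single NEW packet, showing that with the REJECT rules on the external interface (enp4s0) a LAN client still reaches tcp/25, while the corrected ruleset rejects it. The function names forward_verdict and ruleset are hypothetical, and only the matches used above (-i, -p, --dport, --state) are evaluated.

```sh
#!/bin/sh
# Added example: evaluate the FORWARD chain for one NEW packet, first match wins.

ruleset() {  # $1 = interface the REJECT rules match on (rules taken from above)
    cat <<EOF
iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $1 -p tcp --dport 25 -m comment --comment "no spamming" -j REJECT
iptables -A FORWARD -i $1 -p tcp --dport 80 -m comment --comment "no unencrypted HTTP" -j REJECT
iptables -A FORWARD -i enp5s5 -j ACCEPT
iptables -P FORWARD DROP
EOF
}

forward_verdict() {  # usage: forward_verdict "<rules>" <in-iface> <proto> <dport>
    printf '%s\n' "$1" | awk -v inif="$2" -v proto="$3" -v dport="$4" '
        $1 != "iptables" { next }
        $2 == "-t"       { next }   # nat table rules do not decide filtering
        $2 == "-P" && $3 == "FORWARD" { policy = $4; next }
        $2 != "-A" || $3 != "FORWARD" { next }
        verdict != ""    { next }   # an earlier rule already matched
        {
            match_ok = 1; target = ""
            for (i = 4; i <= NF; i++) {
                if      ($i == "-i")      { if ($(i+1) != inif)  match_ok = 0; i++ }
                else if ($i == "-p")      { if ($(i+1) != proto) match_ok = 0; i++ }
                else if ($i == "--dport") { if ($(i+1) != dport) match_ok = 0; i++ }
                else if ($i == "--state") {
                    # the simulated packet is NEW, so it matches only lists containing NEW
                    if (("," $(i+1) ",") !~ /,NEW,/) match_ok = 0; i++
                }
                else if ($i == "-j")      { target = $(i+1); i++ }
            }
            if (match_ok && target != "") verdict = target
        }
        END { if (verdict == "") verdict = policy; print verdict }
    '
}

# New connection from the internal interface (enp5s5) to tcp/25:
echo "REJECT on enp4s0: $(forward_verdict "$(ruleset enp4s0)" enp5s5 tcp 25)"
echo "REJECT on enp5s5: $(forward_verdict "$(ruleset enp5s5)" enp5s5 tcp 25)"
```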