FORWARD and NAT Rules
Most organizations are allotted a limited number of publicly routable IP addresses by their ISP. Because of this limited allowance, administrators must find creative ways to share access to Internet services without assigning a scarce public address to every node on the LAN. The common approach is to give LAN nodes private (RFC 1918) addresses, typically a /24 network from the 192.168.0.0/16 block, so that every node can reach network services both internally and externally. Edge routers (such as firewalls) receive incoming transmissions from the Internet and route them to the intended LAN node; at the same time, they route outgoing requests from LAN nodes to the remote Internet service. This forwarding of network traffic can become dangerous, especially given the availability of modern cracking tools that spoof internal IP addresses to make a remote attacker's machine appear to be a node on your LAN. To prevent this, iptables provides routing and forwarding policies that you can implement to prevent aberrant use of network resources.
The FORWARD chain lets an administrator control where packets can be routed. For example, to allow forwarding of every packet that arrives on the internal interface (eth1), whatever its address, the following rule can be set:
iptables -A FORWARD -i eth1 -j ACCEPT

By default, the IPv4 configuration of Red Hat Linux kernels disables IP forwarding, which prevents a box running Red Hat Linux from functioning as a dedicated edge router. To enable IP forwarding, run the following command or place it in your firewall initialization script (setting net.ipv4.ip_forward = 1 in /etc/sysctl.conf makes the change persist across reboots):
echo "1" > /proc/sys/net/ipv4/ip_forward
FORWARD rules can also be used to restrict certain types of traffic to the LAN only, such as local network file shares over NFS or Samba. The following rules drop forwarded NetBIOS/SMB traffic (ports 137 through 139, TCP and UDP) by matching its source port:

iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
Note that a source-port match catches the replies a Samba server sends rather than the client's initial connection attempt (whose destination port is 137 through 139 and whose source port is ephemeral). A rule on the Internet-facing interface matching --dport 137:139 blocks the connection attempt itself; both the TCP and UDP variants are needed because the NetBIOS name and datagram services use UDP while the session service uses TCP.
To take the restrictions a step further, you can drop packets arriving from the outside that spoof your private IP address ranges in an attempt to infiltrate the LAN. If the LAN uses the 192.168.1.0/24 range, a rule can tell the Internet-facing network device (for example, eth0) to drop any packet arriving on that device with a source address in the LAN's range. Because it is recommended to set the FORWARD chain's default policy to DROP, any other spoofed address that no rule explicitly accepts is dropped automatically.
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth0 -j DROP
iptables -A FORWARD -p udp -s 192.168.1.0/24 -i eth0 -j DROP
These two rules match only TCP and UDP; omitting the -p option makes a single rule apply to every protocol, including ICMP. Because iptables evaluates rules in order, anti-spoofing rules should be placed before any ACCEPT rule in the chain so they cannot be bypassed.

Rules can also be set to route traffic to specific machines, such as a dedicated HTTP or FTP server, preferably one that is isolated from the internal network on a DMZ. To route all incoming HTTP requests to a dedicated HTTP server at IP address 10.0.4.2, port 80 (outside the LAN's 192.168.1.0/24 range), add a destination NAT (DNAT) rule to the PREROUTING chain of the nat table, which rewrites the packet's destination before the routing decision is made:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.4.2:80
With this rule, all HTTP connections arriving on eth0 for port 80 are redirected to the HTTP server on a network separate from the rest of the internal network. DNAT only rewrites the destination: the rewritten packet still passes through the FORWARD chain, so with a DROP default policy you must also add a FORWARD rule accepting TCP traffic to 10.0.4.2 port 80, while the server's replies are translated back automatically by connection tracking. This form of network segmentation is safer than allowing HTTP connections to a machine on the internal network.
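The following firewall initialization script is an added example, not part of the Red Hat guide, that puts the rules above together in the order a practitioner would load them. It assumes eth0 faces the Internet, eth1 is the LAN (192.168.1.0/24) and eth2 is a DMZ holding the web server 10.0.4.2; the interface names and the DMZ network 10.0.4.0/24 are assumptions. It goes beyond the rules shown on this page in three ways: the anti-spoofing rules cover every RFC 1918 range and every protocol, a stateful ESTABLISHED,RELATED rule lets replies back in under the DROP policy, and a POSTROUTING MASQUERADE rule supplies the source NAT that lets the whole LAN share the router's single public address. With DRY_RUN=1 it prints the commands instead of executing them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: a complete FORWARD/NAT rule set for a three-legged router.
# Interface names, networks and the DMZ web server address are assumptions.
WAN_IF=${WAN_IF:-eth0}                 # Internet-facing interface
LAN_IF=${LAN_IF:-eth1}                 # internal LAN interface
DMZ_IF=${DMZ_IF:-eth2}                 # DMZ interface (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_NET=${DMZ_NET:-10.0.4.0/24}        # assumed DMZ network
WEB_SERVER=${WEB_SERVER:-10.0.4.2}

# Wrapper: with DRY_RUN=1 the commands are printed rather than executed,
# so the rule set can be reviewed (or tested) without root privileges.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

load_rules() {
    enable_forwarding

    # Start from a clean slate and drop forwarded traffic by default:
    # anything no rule explicitly accepts, spoofed or not, is discarded.
    ipt -t nat -F
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # Anti-spoofing first, so no later ACCEPT can be bypassed. Packets with
    # a private or loopback source address must never arrive on the Internet
    # side; no -p match, so ICMP and everything else is covered, not just TCP/UDP.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipt -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done

    # Keep NetBIOS/SMB (137-139) off the Internet link in both directions.
    # Matching the destination port blocks the connection attempt itself.
    for proto in tcp udp; do
        ipt -A FORWARD -i "$WAN_IF" -p "$proto" --dport 137:139 -j DROP
        ipt -A FORWARD -o "$WAN_IF" -p "$proto" --dport 137:139 -j DROP
    done

    # LAN hosts may initiate connections to the Internet; replies are
    # allowed back only for connections the LAN opened (stateful filtering).
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Port-forward inbound HTTP to the DMZ web server. DNAT rewrites the
    # destination before routing, but the packet still traverses FORWARD,
    # so it needs an explicit ACCEPT or the DROP policy discards it.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Source NAT: hide the LAN behind the router's public address on the way
    # out; this is what lets many private nodes share one public IP.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Usage: sh fw.sh load            (apply the rules; requires root)
#        DRY_RUN=1 sh fw.sh load  (print them instead of loading)
case "${1:-}" in
    load) load_rules ;;
esac
```

Rule order matters: the anti-spoofing drops are appended before the first ACCEPT, and the DNAT rule is paired with its FORWARD ACCEPT so the forwarded HTTP request survives the DROP policy. The DMZ reply rule relies on connection tracking rather than a bare --sport 80 match, so a DMZ host cannot reach the Internet simply by sending from port 80.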
