-   Linux - Security (
-   -   iptables rules to limit nat forwarding (

sleepylight 07-19-2012 03:33 PM

iptables rules to limit nat forwarding

I need to build a DMZish firewall. I have two networks. One local to a lab with a 10.40.1.X/24 network and a second, which is a subnet of a much larger network (we'll say 192.168.14.X/24). I have a host sitting between the two networks acting as a router, and my IP forwarding works just fine, but what I'd like to do is restrict any traffic coming from the 10.40.1.X network to only access hosts in the 192.168.14.X network. Right now, my firewall allows anything on the 10.40.1.X network to pass through the router, through the network and out to the internet. It's the last hop I need to curtail.

If I'm unclear, let me try and draw what I have and what I need.

lab (NATed) network 10.40.1.X
infrastructure network 192.168.14.X
lab router eth0 =
lab router eth1 =
infrastructer router

lab -> lab is ok
10.40.1.X to 10.40.1.X OK

lab -> infrastucture is ok
10.40.1.X -> OK

lab -> infrastucture router needs to be disallowed
10.40.1.X -> NOT OK

lab -> anything other than infrastructure network to be disallowed
10.40.1.X -> NOT OK

I'll post the iptables I have now, but I'd really appreciate some help getting them into shape. I'm sure I need to adjust the FORWARD and input chains, I'm just not sure of the syntax. Thanks for the help.

-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

jschiwal 07-19-2012 06:06 PM

You could simply remove the default gateway entry from your router host's routing table. The there won't be a matching route for an external IP address but one for the infrastructure network.

The default gateway for hosts in the lab should be That will allow traffic to the infrastructure via eth0 on the lab router.

You could replace these two rules:

-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT

with rules allowing forwarding only between and but it shouldn't be absolutely necessary unless you can't trust the hosts in the lab not to change the default gateway to the infrastructure's router.

All times are GMT -5. The time now is 02:27 AM.