Old 07-19-2012, 03:33 PM   #1
Registered: Apr 2004
Location: Joppa
Posts: 32

Rep: Reputation: 16
iptables rules to limit nat forwarding


I need to build a DMZish firewall. I have two networks. One local to a lab with a 10.40.1.X/24 network and a second, which is a subnet of a much larger network (we'll say 192.168.14.X/24). I have a host sitting between the two networks acting as a router, and my IP forwarding works just fine, but what I'd like to do is restrict any traffic coming from the 10.40.1.X network to only access hosts in the 192.168.14.X network. Right now, my firewall allows anything on the 10.40.1.X network to pass through the router, through the network and out to the internet. It's the last hop I need to curtail.

If I'm unclear, let me try and draw what I have and what I need.

lab (NATed) network 10.40.1.X
infrastructure network 192.168.14.X
lab router eth0 =
lab router eth1 =
infrastructure router

lab -> lab is ok
10.40.1.X to 10.40.1.X OK

lab -> infrastructure is ok
10.40.1.X -> OK

lab -> infrastructure router needs to be disallowed
10.40.1.X -> NOT OK

lab -> anything other than infrastructure network to be disallowed
10.40.1.X -> NOT OK

I'll post the iptables I have now, but I'd really appreciate some help getting them into shape. I'm sure I need to adjust the FORWARD and INPUT chains, I'm just not sure of the syntax. Thanks for the help.

-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Old 07-19-2012, 06:06 PM   #2
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 657
You could simply remove the default gateway entry from your router host's routing table. Then there won't be a matching route for an external IP address, but one for the infrastructure network.

The default gateway for hosts in the lab should be That will allow traffic to the infrastructure via eth0 on the lab router.

You could replace these two rules:
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
with rules allowing forwarding only between and but it shouldn't be absolutely necessary unless you can't trust the hosts in the lab not to change the default gateway to the infrastructure's router.

Last edited by jschiwal; 07-19-2012 at 06:18 PM.
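One way to write the replacement FORWARD rules jschiwal describes, as an added example that is not from either poster. It assumes eth1 faces the lab and eth0 faces the infrastructure (matching the posted -i eth1 / -o eth0 rules); the infrastructure router's address is a placeholder, since the thread never gives it.

```shell
#!/bin/sh
# Constructed example for this thread, not the poster's own rules.
# Prints (and optionally applies) a FORWARD chain that lets the lab
# network reach hosts on the infrastructure network only, and never the
# infrastructure router itself or anything beyond it.
# Assumptions: eth1 faces the lab, eth0 faces the infrastructure; the
# router's address is a PLACEHOLDER because the thread does not state it.
LAB_IF=eth1
LAB_NET=10.40.1.0/24
INFRA_IF=eth0
INFRA_NET=192.168.14.0/24
INFRA_GW=192.168.14.1   # PLACEHOLDER: replace with the real router address

# Rule order matters: the single-host REJECT for the router must come
# before the network-wide ACCEPT, or it would never be reached. Return
# traffic for lab-initiated connections is allowed by the state match.
forward_rules() {
  cat <<EOF
-F FORWARD
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAB_IF -s $LAB_NET -d $INFRA_GW -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i $LAB_IF -o $INFRA_IF -s $LAB_NET -d $INFRA_NET -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Feed each line to iptables (run as root). This replaces the whole
# FORWARD chain, including the old "-p icmp", "-i eth1" and "-o eth0"
# rules, which together let the lab reach anything.
apply_forward_rules() {
  forward_rules | while IFS= read -r rule; do
    # word splitting of $rule is intended: each line is one argument list
    iptables $rule || return 1
  done
}

# Without --apply this is a dry run that only prints the rules.
if [ "${1:-}" = "--apply" ]; then apply_forward_rules; else forward_rules; fi
```

The INPUT chain is untouched; this only changes what the router will forward.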
dmz, iptables, nating