I have a stateful firewall; it accepts already established and related connections in the INPUT/OUTPUT/FORWARD chains in both directions. The firewall has two interfaces, eth0 - external and eth1 - internal. Next I would like to let web traffic from a certain IP address only be forwarded (DNAT) to port 8080 on a server on the LAN. I noticed that it is possible to specify a source address in both my PREROUTING rule and in my FORWARD rule.
$SERVER: 192.168.0.2
$SOURCE: 172.16.0.1
Example of working rules:
Code:
# nat table: rewrite the destination (only the first packet of a connection is evaluated here)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination $SERVER:8080
# filter table: the access decision, matched after the DNAT has been applied
iptables -A FORWARD -i eth0 -o eth1 -p tcp -s $SOURCE --dport 8080 -m state --state NEW -j ACCEPT
Now, in addition to specifying the source address in the FORWARD chain, I could also specify both the source and state in PREROUTING too:
Code:
# nat table: same DNAT, now restricted to $SOURCE and to NEW connections
iptables -t nat -A PREROUTING -i eth0 -p tcp -s $SOURCE --dport 80 -m state --state NEW -j DNAT --to-destination $SERVER:8080
# filter table: unchanged access decision on the post-DNAT port
iptables -A FORWARD -i eth0 -o eth1 -p tcp -s $SOURCE --dport 8080 -m state --state NEW -j ACCEPT
The question then boils down to this:
Does it make any sense to specify the source and/or state in the PREROUTING chain too when the filtering itself is done in the FORWARD chain?
I forgot to add that specifying the source address in PREROUTING might make sense if you already have a PREROUTING rule that forwards port 80 traffic to a different server or port?
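As an added example, not the poster's ruleset, here is a complete version of the setup described above, written so that both cases are visible: the single-source DNAT from the question, and the case from the last paragraph where port 80 is DNATed to different LAN hosts depending on who is asking. The second source 172.16.0.2 and second server 192.168.0.3 are hypothetical. It uses -m conntrack --ctstate, which is the current name for the -m state --state match used in the post. DRY_RUN=1 (the default) prints the iptables commands instead of executing them, so it can be reviewed without root; set DRY_RUN=0 to apply it.

```shell
#!/bin/sh
# Added example (not the poster's ruleset): stateful DNAT for the eth0/eth1
# topology in the post. Assumptions not in the post: the second source
# 172.16.0.2 and second server 192.168.0.3 are hypothetical; DRY_RUN=1
# prints commands instead of running them.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}
EXT=eth0      # external interface, as in the post
INT=eth1      # internal interface, as in the post

# Run (or, in dry-run mode, print) one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Baseline stateful policy: default deny on INPUT/FORWARD, let replies back
# through. OUTPUT is left at its default policy here.
base_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT   -i lo -j ACCEPT
    ipt -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify never reach the rules added by publish().
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
}

# Publish external tcp/$2, from source $1 only, to $3:$4 on the LAN.
publish() {
    p_src=$1 p_dport=$2 p_server=$3 p_sport=$4
    # The nat table is consulted only for the first packet of a connection,
    # so adding --ctstate NEW here changes nothing. The -s match is what lets
    # two rules for --dport 80 send different sources to different hosts.
    ipt -t nat -A PREROUTING -i "$EXT" -p tcp -s "$p_src" --dport "$p_dport" \
        -j DNAT --to-destination "$p_server:$p_sport"
    # The actual access decision. FORWARD sees the packet after DNAT, so match
    # the rewritten destination and port, not the public ones.
    ipt -A FORWARD -i "$EXT" -o "$INT" -p tcp -s "$p_src" -d "$p_server" \
        --dport "$p_sport" -m conntrack --ctstate NEW -j ACCEPT
}

# Per-rule packet counters, to confirm which rule a test connection hit.
show_counters() {
    ipt -t nat -L PREROUTING -v -n --line-numbers
    ipt -L FORWARD -v -n --line-numbers
}

base_rules
publish 172.16.0.1 80 192.168.0.2 8080   # the post's $SOURCE -> $SERVER:8080
publish 172.16.0.2 80 192.168.0.3 80     # hypothetical second source and server
```

Two things to keep in mind when applying it for real: the script appends to whatever is already loaded and does not flush existing chains, and it sets DROP policies before any management rule, so run it from the console rather than over SSH. After a test connection from each source, show_counters shows the hit counts on each PREROUTING and FORWARD rule, which is the quickest way to verify that the source-specific DNAT rules are being selected as intended.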