Hi,

I'm trying to understand how the forward chain works in iptables relative to nat. Namely, I'm interested in the stateful connections with nat.

Can this be done exactly? Basically my question is, what's the most secure way of configuring the FORWARD chain if you use SNAT/DNAT.
Let's say I'm using snat and the LAN is 10.0.0.0/24 (eth0) and the public ip is 1.2.3.4(eth1).

This wouldn't work:
I suppose it's normal for the second rule not to work, because by the time the packet reaches the FORWARD chain, the ip has already been translated to the server's public ip (1.2.3.4). But changing the rule to -s 1.2.3.4 doesn't seem right, because it's the server's own ip, right?

So my question stands, what would be the most secure way of doing it? Or should I just make do with -i eth0 -o eth1 and -i eth1 -o eth0, without any stateful rules?

Before pointing me to the iptables man pages and other tutorials, I'd appreciate it if you actually tried to answer my question, as I'm pretty certain you can't easily find it in tutorials (which I constantly read).

Hi there,

For SNAT, the address translation is done POSTROUTING, so the source (in rule 2) and destination (in rule 3) is still 10.0.0.0/24 when FORWARD rules are processed.

If you want to SNAT from the LAN to the internet, your first 2 rules should be OK, assuming you have and have IP forwarding enabled, and a NAT rule along the lines of:

Your 3rd rule should not be necessary - it allows NEW incoming connections from the internet to your LAN, most likely not what you want?

I must have made a mistake before writing this post. I also have a DNAT for Windows Remote Desktop, that's what the third rule is for. I must have mixed up the interfaces or the source/destination ip addresses. Now it works just fine. And I restricted it even more:
Seems to be working just fine I thought things were happening differently in the FORWARD chain, but everything looks as expected.