Hi,
I'm trying to understand how the FORWARD chain works in iptables relative to NAT. Namely, I'm interested in stateful connections with NAT.
Can this be done exactly? Basically my question is, what's the most secure way of configuring the FORWARD chain if you use SNAT/DNAT.
Let's say I'm using SNAT and the LAN is 10.0.0.0/24 (eth0) and the public IP is 1.2.3.4 (eth1).
This wouldn't work:
    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate NEW -i eth0 -o eth1 -s 10.0.0.0/24 -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate NEW -i eth1 -o eth0 -d 10.0.0.0/24 -j ACCEPT
I suppose it's normal for the second rule not to work, because by the time the packet reaches the FORWARD chain the IP has already been translated to the server's public IP (1.2.3.4). But changing the rule to -s 1.2.3.4 doesn't seem right, because it's the server's own IP, right?
So my question stands: what would be the most secure way of doing it? Or should I just make do with -i eth0 -o eth1 and -i eth1 -o eth0, without any stateful rules?
Before pointing me to the iptables man pages and other tutorials, I'd appreciate it if you actually tried to answer my question, as I'm pretty certain you can't easily find it in tutorials (which I constantly read).