LinuxQuestions.org - Linux - Networking
iptables: about FORWARDING and nat (https://www.linuxquestions.org/questions/linux-networking-3/iptables-about-forwading-and-nat-322920/)

fei 05-12-2005 07:43 PM

iptables: about FORWARDING and nat
 
I have been thinking about how to solve one problem for a long time. Then, finally decided to ask on the forum.

I want to use iptables to build a firewall. The current network infrastructure is

Internet
172.16.0.2
    |
    |
eth2 - 172.16.0.1/30
Router (firewall)
eth0 - 192.168.1.1/24
    |
    |
192.168.1.11
Internal Ethernet

What I want to do is to configure the firewall so the router can forward the Ethernet requests to the Internet. For example, the Ethernet can ssh to the Internet through the firewall. My questions are: (1) how to use FORWARD to implement this? (2) Do I need to use nat (PREROUTING and POSTROUTING) for this case? If not, when should I use nat for forwarding packets?

Thanks!

win32sux 05-12-2005 07:53 PM

Re: iptables: about FORWARDING and nat
 
Quote:

Originally posted by fei
[...] My questions are: (1) how to use FORWARD to implement this? (2) Do I need to use nat (PREROUTING and POSTROUTING) for this case? If not, when should I use nat for forwarding packets?

you just need FORWARD and POSTROUTING...

to allow SSH from your LAN to the Internet, something like this should do the trick:
Code:

# default: forward nothing that is not explicitly allowed
iptables -P FORWARD DROP

# replies (and related packets such as ICMP errors) for connections already allowed
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# new SSH connections from LAN addresses, in on eth0 and out on eth2
iptables -A FORWARD -p tcp -i eth0 -o eth2 --dport 22 -s 192.168.1.0/24 \
-m state --state NEW -j ACCEPT

# rewrite the source of everything leaving eth2 to the router's outside address,
# so the Internet host has a routable address to answer
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.16.0.1

just my :twocents:...

fei 05-12-2005 08:17 PM

Re: Re: iptables: about FORWARDING and nat
 
Thanks for your reply. It saves me a lot of time. One more thing: what if I had a wireless LAN, and I only wanted to allow the Ethernet to access the Internet? How could I apply this rule to the firewall?

Fei

win32sux 05-12-2005 08:29 PM

you mean like if you had a wireless router connected to the switch on eth0??

win32sux 05-12-2005 08:39 PM

Quote:

Originally posted by win32sux
you mean like if you had a wireless router connected to the switch on eth0??
if so, then a simple way to make sure the rule only applies to the ethernet clients is by creating a rule blocking any packets coming from the external IP of the wireless router... if the wireless router was using IP (for example) 192.168.1.254 then this would do the trick (effectively blocking that IP from starting ANY connections through eth2):

Code:

# default: forward nothing that is not explicitly allowed
iptables -P FORWARD DROP

# replies and related packets for connections already allowed
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# the wireless router's address: refuse any NEW connection it tries to open
# out through eth2 (this must come before the ACCEPT rule below)
iptables -A FORWARD -i eth0 -o eth2 -s 192.168.1.254 \
-m state --state NEW -j DROP

# new SSH connections from the rest of the LAN, in on eth0 and out on eth2
iptables -A FORWARD -p tcp -i eth0 -o eth2 --dport 22 -s 192.168.1.0/24 \
-m state --state NEW -j ACCEPT

# rewrite the source of everything leaving eth2 to the router's outside address
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.16.0.1
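
The following is an added example and not code posted in this thread: a complete rc.firewall-style script for the topology in the first post that puts the two rulesets above together with the ip_forward setting, and covers both follow-up cases that come up later in the thread: a wireless router on the LAN whose address must not open connections out (the BLOCKED_LAN_HOSTS list, as in the 192.168.1.254 rule above) and a separate wireless interface such as eth3 (excluded simply because the ACCEPT rule matches -i eth0, so packets arriving on any other interface hit the DROP policy). The interface names and addresses are the thread's; the variable and function names, the flush commands, the -s restriction on the SNAT rule, the IPT dry-run switch and the show/apply arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: rc.firewall for the router in the
# original post (eth0 = LAN 192.168.1.1/24, eth2 = outside 172.16.0.1/30).
# IPT=echo makes the script print the rules instead of installing them.
IPT="${IPT:-iptables}"

LAN_IF=eth0
WAN_IF=eth2
LAN_NET=192.168.1.0/24
WAN_IP=172.16.0.1
# LAN addresses that must not open connections out, e.g. "192.168.1.254"
# for a wireless router plugged into the LAN switch (assumed, empty by default).
BLOCKED_LAN_HOSTS="${BLOCKED_LAN_HOSTS:-}"

# Turn on IPv4 forwarding by writing to the sysctl file given as $1.
# Must run as root; the path is a parameter so it can be tested on a temp file.
enable_forwarding() {
    printf '1\n' > "$1"
}

# Emit (or install, depending on $IPT) the FORWARD and POSTROUTING rules.
# Order matters: ESTABLISHED,RELATED first so replies flow, explicit DROPs
# before the ACCEPT, and the chain policy DROP for everything not listed.
build_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # Reply traffic for connections the LAN already opened.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts that may not start anything out through the outside interface.
    for host in $BLOCKED_LAN_HOSTS; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$host" \
            -m state --state NEW -j DROP
    done

    # New SSH connections from LAN addresses arriving on the LAN interface only.
    # Matching -i as well as -s means a packet with a LAN source address that
    # arrives on some other interface (eth3, a wireless segment) is not accepted.
    $IPT -A FORWARD -p tcp -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" --dport 22 \
        -m state --state NEW -j ACCEPT

    # Rewrite the LAN source address to the router's outside address so the
    # remote host can answer; a private 192.168.1.x source would not be routed.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

# Number of ACCEPT rules the ruleset installs (a quick sanity check).
count_accepts() {
    ( IPT=echo; build_rules ) | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    show)  ( IPT=echo; build_rules ) ;;
    apply) enable_forwarding /proc/sys/net/ipv4/ip_forward
           build_rules ;;
esac
```

`sh rc.firewall show` prints the rules that would be installed; `sh rc.firewall apply`, run as root, writes ip_forward and installs them. Note that the script flushes FORWARD and POSTROUTING before adding, so it can be re-run without accumulating duplicate rules.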


fei 05-12-2005 08:41 PM

Quote:

Originally posted by win32sux
you mean like if you had a wireless router connected to the switch on eth0??
I mean another wireless LAN, say on eth2 on the router. I think your rules only allow forwarding from eth0, so it already forces the forwarded connections to come only from the Ethernet. Sorry for asking this.

win32sux 05-12-2005 08:47 PM

sorry, i'm not sure i understand what you're asking... :confused:


fei 05-12-2005 08:53 PM

Sorry, I was out of my mind. I was trying to say: what if there was another network interface, eth3, on the router that connects to a wireless LAN, and I only want packets to be forwarded if they come from eth0? So the Ethernet can ssh to the Internet, but the wireless LAN can't.

win32sux 05-12-2005 08:58 PM

oh, okay... well, the rules i posted would NOT allow anything coming from eth3 to go out... the rules specify the packets must come in through eth0 and go out through eth2... anything coming from eth3 would be met with the default policy of DROP... you'd need to add rules for packets coming from eth3 so they could get forwarded...

so basically the rules as posted do what you want... :)


fei 05-12-2005 09:16 PM

I realised that after I asked the question. Anyway, Thanks a lot.

Fei

fei 05-13-2005 03:46 AM

I tried the code. It won't work. On a machine with IP 192.168.1.11 on Ethernet, I tried to ssh to the Internet using IP 172.16.0.2. Is something wrong with the code?

win32sux 05-13-2005 03:49 AM

do you have forwarding enabled??

Code:

# must run as root; the setting does not survive a reboot unless your
# boot scripts or sysctl configuration set it again
echo "1" > /proc/sys/net/ipv4/ip_forward

fei 05-13-2005 04:11 AM

I have ip_forward enabled. The code is not working. How can I test the firewall, using tcpdump?

win32sux 05-13-2005 04:16 AM

please post the output of these:
Code:

iptables -L
Code:

iptables -t nat -L

fei 05-13-2005 04:16 AM

Just realised that the "echo 1 > /proc/sys/net/ipv4/ip_forward" didn't work in the rc.firewall script; I had to type it at the command prompt to enable ip_forward.

After that, the output of ssh 172.16.0.2 is:
ssh: connect to host 172.16.0.2 port 22: Connection refused

Have any idea what's wrong?
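
The thread ends here, and the question of how to test the firewall with tcpdump was never answered, so the following is an added example that is not part of the thread. A client reports "Connection refused" only when its SYN is answered with a TCP RST (or an ICMP port-unreachable), so the last message above actually shows the firewall doing its job: the SYN was forwarded, left eth2 with the router's address, reached 172.16.0.2, and the answer was de-NATed back to 192.168.1.11; most likely nothing is listening on port 22 at 172.16.0.2. The script below reads a capture taken on the outside interface and reports which of the possible failures (or successes) it shows. The addresses are the thread's; the function names, the sysctl-path argument and the sample capture lines (constructed in tcpdump -n format, not real captures) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify what a tcpdump capture on the
# router's outside interface says about a LAN client's SSH attempt.
# Capture on the router with:   tcpdump -l -n -i eth2 -c 4 'tcp port 22'
WAN_IP=172.16.0.1

# Prints 1 if IPv4 forwarding is on in the sysctl file given as $1, else 0.
# The path is a parameter so the check also runs against a copy of the file.
forwarding_enabled() {
    if [ "$(cat "$1" 2>/dev/null)" = "1" ]; then echo 1; else echo 0; fi
}

# TCP flags of one tcpdump -n line: syn, synack, rst or other.
tcp_kind() {
    case "$1" in
        *"Flags [S]"*)  echo syn ;;
        *"Flags [S.]"*) echo synack ;;
        *"Flags [R"*)   echo rst ;;
        *)              echo other ;;
    esac
}

# Read capture lines on stdin; $1 is the router's outside address. Prints one of:
#   no-syn-on-wan    nothing left eth2: ip_forward, the FORWARD rule or the
#                    client's default route is the problem
#   syn-not-snatted  a SYN left eth2 still carrying the private source address:
#                    FORWARD let it through but POSTROUTING did not rewrite it
#   open             SYN went out from the router's address and SYN-ACK came back
#   refused          SYN went out and the remote host answered RST: forwarding
#                    and SNAT work, the remote host has nothing listening on 22
#   no-reply         SYN went out, nothing came back: dropped beyond the router
diagnose_capture() {
    wan="$1"
    saw_syn=0; saw_unnatted=0; saw_synack=0; saw_rst=0
    while IFS= read -r line; do
        kind=$(tcp_kind "$line")
        case "$line" in
            *"IP $wan."*" > "*)            # sent from the router's outside address
                if [ "$kind" = syn ]; then saw_syn=1; fi ;;
            *" > $wan."*)                  # sent back to the router
                case "$kind" in
                    synack) saw_synack=1 ;;
                    rst)    saw_rst=1 ;;
                esac ;;
            *)                             # any other source address
                if [ "$kind" = syn ]; then saw_unnatted=1; fi ;;
        esac
    done
    if   [ "$saw_syn" = 0 ] && [ "$saw_unnatted" = 1 ]; then echo syn-not-snatted
    elif [ "$saw_syn" = 0 ];    then echo no-syn-on-wan
    elif [ "$saw_synack" = 1 ]; then echo open
    elif [ "$saw_rst" = 1 ];    then echo refused
    else                             echo no-reply
    fi
}

# Constructed sample captures (not real): what "ssh: connect to host 172.16.0.2
# port 22: Connection refused" looks like on eth2. The SYN carries the SNATed
# source 172.16.0.1 and the remote host answers RST because no sshd is listening.
SAMPLE_REFUSED='12:00:00.000001 IP 172.16.0.1.40123 > 172.16.0.2.22: Flags [S], seq 1000, win 65535, length 0
12:00:00.000200 IP 172.16.0.2.22 > 172.16.0.1.40123: Flags [R.], seq 0, ack 1001, win 0, length 0'

# The same attempt with the POSTROUTING rule missing: the private address leaks out.
SAMPLE_UNNATTED='12:00:00.000001 IP 192.168.1.11.40123 > 172.16.0.2.22: Flags [S], seq 1000, win 65535, length 0'

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_REFUSED" | diagnose_capture "$WAN_IP"
fi
```

On the router itself, `tcpdump -l -n -i eth2 -c 4 'tcp port 22' | sh diagnose.sh`-style piping into `diagnose_capture 172.16.0.1` gives the verdict directly; an empty capture while the client retries points back at ip_forward and the FORWARD chain, which is where `iptables -L FORWARD -v -n` (the -v counters) shows whether any rule matched.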

