LinuxQuestions.org > Linux - Security > iptables: Source address, state and DNAT
https://www.linuxquestions.org/questions/linux-security-4/iptables-source-address-state-and-dnat-775291/

zenith1 12-13-2009 03:45 AM

iptables: Source address, state and DNAT
 
I have a stateful firewall; it accepts already established and related connections in the INPUT, OUTPUT and FORWARD chains in both directions. The firewall has two interfaces: eth0 (external) and eth1 (internal). Next, I would like web traffic from one particular IP address only to be forwarded (DNAT) to port 8080 on a server on the LAN. I noticed that it is possible to specify a source address both in my PREROUTING rule and in my FORWARD rule.

$SERVER: 192.168.0.2
$SOURCE: 172.16.0.1
Example of working rules:

Code:

# nat/PREROUTING: send all inbound web traffic arriving on eth0 to the LAN server's port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination $SERVER:8080

# filter/FORWARD: only $SOURCE may open a (now translated) connection to port 8080 on the LAN
iptables -A FORWARD -i eth0 -o eth1 -p tcp -s $SOURCE --dport 8080 -m state --state NEW -j ACCEPT

Now, in addition to specifying the source address in the FORWARD chain, I could also specify both the source and the state in PREROUTING:

Code:

# nat/PREROUTING: DNAT only new connections coming from $SOURCE
iptables -t nat -A PREROUTING -i eth0 -p tcp -s $SOURCE --dport 80 -m state --state NEW -j DNAT --to-destination $SERVER:8080

# filter/FORWARD: same as before, only $SOURCE may open the translated connection to port 8080
iptables -A FORWARD -i eth0 -o eth1 -p tcp -s $SOURCE --dport 8080 -m state --state NEW -j ACCEPT

The question then boils down to this:

Does it make any sense to specify the source and/or state in the PREROUTING chain too when the filtering itself is done in the FORWARD chain?

I forgot to add that specifying the source address in PREROUTING might make sense if you already have a PREROUTING rule for port 80 traffic that is forwarded to a different server or port?

win32sux 12-13-2009 05:22 AM

Quote:

Originally Posted by zenith1 (Post 3789514)
Does it make any sense to specify the source and/or state in the PREROUTING chain too when the filtering itself is done in the FORWARD chain?

Generally speaking, no. There are, of course, some exceptions.

Quote:

I forgot to add that specifying the source address in PREROUTING might make sense if you already have a PREROUTING rule for port 80 traffic that is forwarded to a different server or port?
Yes, this would be one of the exceptions I was referring to. Personally, I try to abstain from any filtering in PREROUTING unless absolutely necessary (the first example you posted looks great to me).
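
Whether the source match belongs in PREROUTING comes down to what each chain actually sees. The following is an added Python model of just that traversal order; it is not code from the thread or from either poster. nat/PREROUTING is consulted once per connection and rewrites the destination, and filter/FORWARD then matches on the rewritten 192.168.0.2:8080 and on conntrack state. The model replays the first ruleset posted above, a broken variant whose FORWARD rule still says --dport 80, and the two-backend exception win32sux refers to. The second backend 192.168.0.3, the second client 172.16.0.2, the unknown client 203.0.113.9 and the firewall's external address 198.51.100.1 are made up for the example.

```python
"""Toy model of the netfilter path a DNATed, forwarded TCP connection takes.

Added illustration, not code from the thread. It models only what the question
hinges on: nat/PREROUTING is consulted for a connection's first packet only and
may rewrite the destination; filter/FORWARD runs after routing, sees the
rewritten destination and can match conntrack state. 192.168.0.2 and 172.16.0.1
are the thread's $SERVER and $SOURCE; every other address is made up.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

SERVER, SOURCE = "192.168.0.2", "172.16.0.1"      # from the thread
SERVER2, SOURCE2 = "192.168.0.3", "172.16.0.2"    # constructed: second backend/client
STRANGER, FW_EXT = "203.0.113.9", "198.51.100.1"  # constructed: unknown client, eth0 IP

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    """One rule: the thread's matches (-s, -d, --dport, -m state --state) + target."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None
    target: str = "ACCEPT"                  # ACCEPT, DROP or DNAT
    to: Optional[Tuple[str, int]] = None    # DNAT --to-destination ip:port

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.src is None or self.src == pkt.src)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.state is None or self.state == state))

class Firewall:
    def __init__(self, prerouting: List[Rule], forward: List[Rule]):
        self.prerouting, self.forward = prerouting, forward
        # conntrack: original (src, dst, dport) -> translated (dst, dport)
        self.conntrack: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def forward_packet(self, pkt: Packet) -> Tuple[str, Packet]:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Later packets of a tracked connection skip the nat table;
            # conntrack re-applies the translation recorded for packet one.
            state, (dst, dport) = "ESTABLISHED", self.conntrack[key]
            pkt = replace(pkt, dst=dst, dport=dport)
        else:
            state = "NEW"
            for rule in self.prerouting:        # nat table: first match wins
                if rule.matches(pkt, state):
                    if rule.target == "DNAT":
                        pkt = replace(pkt, dst=rule.to[0], dport=rule.to[1])
                    break
        # filter/FORWARD sees the post-DNAT destination, hence --dport 8080.
        verdict = "DROP"                        # chain policy
        for rule in self.forward:
            if rule.matches(pkt, state):
                verdict = rule.target
                break
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack[key] = (pkt.dst, pkt.dport)   # entry is confirmed
        return verdict, pkt

ESTABLISHED = Rule(state="ESTABLISHED")   # the "already established" accept rule
DNAT_ALL_80 = Rule(dport=80, target="DNAT", to=(SERVER, 8080))

def thread_first_example() -> Firewall:
    """zenith1's first ruleset: unconditional DNAT, source filtered in FORWARD."""
    return Firewall([DNAT_ALL_80],
                    [ESTABLISHED, Rule(src=SOURCE, dst=SERVER, dport=8080, state="NEW")])

def forward_matches_pre_nat_port() -> Firewall:
    """Same nat rule, but FORWARD written for the pre-NAT port 80 (a mistake)."""
    return Firewall([DNAT_ALL_80],
                    [ESTABLISHED, Rule(src=SOURCE, dst=SERVER, dport=80, state="NEW")])

def two_backends() -> Firewall:
    """win32sux's exception: two port-80 DNATs that differ only by source, so the
    -s match in PREROUTING is what selects the backend."""
    return Firewall(
        [Rule(src=SOURCE, dport=80, target="DNAT", to=(SERVER, 8080)),
         Rule(src=SOURCE2, dport=80, target="DNAT", to=(SERVER2, 8080))],
        [ESTABLISHED,
         Rule(src=SOURCE, dst=SERVER, dport=8080, state="NEW"),
         Rule(src=SOURCE2, dst=SERVER2, dport=8080, state="NEW")])

def run(fw: Firewall, src: str, packets: int = 1) -> List[Tuple[str, str, int]]:
    """Send packets of one connection from src to the firewall's public port 80;
    return (verdict, translated dst, translated dport) for each packet."""
    out = []
    for _ in range(packets):
        verdict, p = fw.forward_packet(Packet(src, FW_EXT, 80))
        out.append((verdict, p.dst, p.dport))
    return out
```

Load it in an interpreter and call run() on each ruleset. With the first ruleset, 172.16.0.1 is accepted to 192.168.0.2:8080, and the second packet of the same connection is ESTABLISHED and never touches the nat table; an unknown client is still DNATed but then dropped in FORWARD, which is why an extra -s in PREROUTING buys nothing there. The variant whose FORWARD rule says --dport 80 drops everything, because FORWARD only ever sees the post-DNAT port. In the two-backend ruleset the -s in PREROUTING does real work: it decides which server the connection is rewritten to, and the -s/-d pair in FORWARD then only confirms that pairing. A --state NEW match on a nat rule is harmless but redundant here, as in real netfilter, since the nat table is traversed for a connection's first packet only.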

