Allowing the Packets to be Forwarded

It is all well and good setting up SNAT, but the astute among you will probably realize that you have already told netfilter not to allow any forwarded traffic through the firewall (the default FORWARD policy is DROP). To correct this, you need to allow the firewall to forward these packets before they can be manipulated by the SNAT rule.

To do this, you enable forwarding for traffic from the private network to the Internet:

bible:- # iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -o ethl -j ACCEPT

Here, iptables is being used to append (-A) to the FORWARD chain any traffic that enters and then leaves the firewall on separate interfaces. Any traffic from the 192.168.1.0/24 network entering the firewall on interface eth0 and leaving on interface eth1 will be allowed through.

So, in this example, we have told netfilter that any traffic from the 192.168.1.0/24 network coming in on eth0 and leaving the firewall on ethl should be allowed through. Again, we are relying on the fact that any traffic coming in on eth0 and leaving on ethl that is from 192.168.1.0/24 will be traffic we want to go out to the Internet.

In this example, we have been quite liberal in what we are allowing our users to ,-W -a i-.-.,".access on the Internet. It is usually the policy of most companies that IM clients, P2P, and IRC should not be allowed from the corporate network. As it stands, users can access anything on the Internet as if they were directly connected. For the home network example, this is fine because the users are trusted. However, if you are implementing a corporate firewall, you will probably need to have quite a few DROP rules in the FORWARD chain, or do the right thing and deny everything and allow only essential traffic (maybe only HTTP).

Was this article helpful?

0 0

Post a comment