Most organizations are allotted a limited number of publicly
routable IP addresses from their ISP. Due to this limited
allowance, administrators must find creative ways to share access
to Internet services without giving limited public IP addresses to
every node on the LAN. Using private IP addresses is the common way
to allow all nodes on a LAN to properly access internal and
external network services. Edge routers (such as firewalls) can
receive incoming transmissions from the Internet and route the
packets to the intended LAN node. At the same time,
firewall/gateways can also route outgoing requests from a LAN node
to the remote Internet service. This forwarding of network traffic
can become dangerous at times, especially with the availability of
modern cracking tools that can spoof internal IP addresses and make the remote attacker's
machine act as a node on your LAN. To prevent this, iptables provides routing and forwarding policies
that can be implemented to prevent aberrant usage of network
resources.
The FORWARD policy allows an
administrator to control where packets can be routed within a LAN.
For example, to allow forwarding for the entire LAN (assuming the
firewall/gateway is assigned an internal IP address on eth1), the
following rules can be set:
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
This rule gives systems behind the firewall/gateway access to
the internal network. The gateway routes packets from one LAN node
to its intended destination node, passing all packets through its
eth1 device.
Note
By default, the IPv4 policy in Red Hat Enterprise Linux kernels
disables support for IP forwarding, which prevents boxes running
Red Hat Enterprise Linux from functioning as dedicated edge
routers. To enable IP forwarding, run the following command:
sysctl -w net.ipv4.ip_forward=1
If this command is run via shell prompt, then the setting is not
remembered after a reboot. You can permanently set forwarding by
editing the /etc/sysctl.conf file. Find
and edit the following line, replacing 0 with 1:
net.ipv4.ip_forward = 0
Execute the following command to enable the change to the
sysctl.conf file:
sysctl -p /etc/sysctl.conf
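The sysctl.conf step above, as an added example (not part of the Red Hat guide): a small shell helper that persists net.ipv4.ip_forward = 1 in a sysctl.conf-style file without leaving duplicate assignments behind. The file path defaults to /etc/sysctl.conf; pass another path to rehearse on a copy.

```shell
# Regular expression for an active (uncommented) ip_forward assignment.
KEY_RE='net\.ipv4\.ip_forward'

# Print the value the file would apply for net.ipv4.ip_forward. The last
# assignment wins, which is how sysctl -p processes the file; prints nothing
# when the key is absent or only present in a commented-out line.
ip_forward_conf_value() {
    sed -n -E 's/^[[:space:]]*'"$KEY_RE"'[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$1" \
        | tail -n 1
}

# Set net.ipv4.ip_forward = 1 in the given file (default /etc/sysctl.conf):
# rewrite an existing assignment in place, otherwise append one, so running
# the function twice leaves exactly one line. Prints the resulting value.
enable_ip_forward_conf() {
    f="${1:-/etc/sysctl.conf}"
    if grep -q -E '^[[:space:]]*'"$KEY_RE"'[[:space:]]*=' "$f"; then
        sed -E 's/^([[:space:]]*'"$KEY_RE"'[[:space:]]*=[[:space:]]*)[0-9]+/\11/' "$f" \
            > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$f"
    fi
    ip_forward_conf_value "$f"
}
```

After the file is updated, `sysctl -p /etc/sysctl.conf` applies it to the running kernel, exactly as the note above describes.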
Accepting forwarded packets via the firewall's internal IP
device allows LAN nodes to communicate with each other; however,
they are still not allowed to communicate externally with the
Internet. To allow LAN nodes with private IP addresses to
communicate with external public networks, configure the firewall
for IP masquerading, which masks requests
from LAN nodes with the IP address of the firewall's external
device (in this case, eth0):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain
for NAT (-A POSTROUTING) on the firewall's
external networking device (-o eth0).
POSTROUTING allows packets to be altered as they are leaving the
firewall's external device. The -j
MASQUERADE target is specified to mask the private IP address
of a node with the external IP address of the firewall/gateway.
If you have a server on your internal network that you want to make
available externally, you can use the -j
DNAT target of the PREROUTING chain in NAT to specify a
destination IP address and port where incoming packets requesting a
connection to your internal service can be forwarded. For example,
if you wanted to forward incoming HTTP requests to your dedicated
Apache HTTP Server system at 172.31.0.23, run the following
command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
--to 172.31.0.23:80
This rule specifies that the NAT table use the built-in
PREROUTING chain to forward incoming HTTP requests exclusively to
the listed destination IP address of 172.31.0.23.
Note
If you have a default policy of DROP in your FORWARD chain, you
must append a rule to allow forwarding of incoming HTTP requests so
that destination NAT routing can be possible. To do this, run the
following command:
iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPT
This rule allows forwarding of incoming HTTP requests from the
firewall to its intended destination, the Apache HTTP Server
behind the firewall.
iptables rules can be set to route
traffic to certain machines, such as a dedicated HTTP or FTP
server, in a demilitarized zone
(DMZ) — a special local
subnetwork dedicated to providing services on a public carrier such
as the Internet. For example, to route incoming HTTP requests to a
dedicated HTTP server at 10.0.4.2 (outside the 192.168.1.0/24 range
of the LAN), add a DNAT rule to the PREROUTING chain of the nat table
so the packets are forwarded to their proper destination:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
--to-destination 10.0.4.2:80
With this command, all HTTP connections to port 80 arriving from
outside the LAN are routed to the HTTP server, which sits on a
separate network from the rest of the internal hosts. This form of
network segmentation can prove safer than allowing HTTP connections
to a machine on the internal LAN itself. If the HTTP server is
configured to accept secure connections, then port 443 must be
forwarded as well.