Most organizations are allotted a limited number of publicly
routable IP addresses from their ISP. Due to this limited allowance,
administrators must find creative ways to share access to Internet
services without giving limited public IP addresses to every node on the
LAN. Using private IP addresses is the common way to allow all nodes on a
LAN to properly access internal and external network services. Edge
routers (such as firewalls) can receive incoming transmissions from the
Internet and route the packets to the intended LAN node. At the same
time, firewall/gateways can also route outgoing requests from a LAN node
to the remote Internet service. This forwarding of network traffic can
become dangerous at times, especially with the availability of modern
cracking tools that can spoof internal IP addresses
and make the remote attacker's machine act as a node on your LAN. To
prevent this, iptables provides routing and
forwarding policies that can be implemented to prevent aberrant usage of
network resources.
The FORWARD policy allows an
administrator to control where packets can be routed within a LAN. For
example, to allow forwarding for the entire LAN (assuming the
firewall/gateway is assigned an internal IP address on eth1), the
following rules can be set:
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
These rules give systems behind the firewall/gateway access to the
internal network. The gateway routes packets from one LAN node to its
intended destination node, passing all packets through its
eth1 device.
Note: By default, the IPv4 policy in Red Hat Enterprise Linux kernels disables support
for IP forwarding, which prevents boxes running Red Hat Enterprise Linux from
functioning as dedicated edge routers. To enable IP forwarding, run
the following command:
sysctl -w net.ipv4.ip_forward=1
If this command is run via the shell prompt, the setting is not
remembered after a reboot. You can permanently set forwarding by
editing the /etc/sysctl.conf file. Find and edit
the following line, replacing 0 with 1:
net.ipv4.ip_forward = 0
Execute the following command to enable the change to the
sysctl.conf file:
sysctl -p /etc/sysctl.conf
Accepting forwarded packets via the firewall's internal IP device
allows LAN nodes to communicate with each other; however, they are still
not allowed to communicate externally with the Internet. To
allow LAN nodes with private IP addresses to communicate with external
public networks, configure the firewall for IP
masquerading, which masks requests from LAN nodes with the IP
address of the firewall's external device (in this case, eth0):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The rule uses the NAT packet matching table (-t
nat) and specifies the built-in POSTROUTING chain for NAT
(-A POSTROUTING) on the firewall's external
networking device (-o eth0). POSTROUTING allows
packets to be altered as they are leaving the firewall's external
device. The -j MASQUERADE target is specified to mask
the private IP address of a node with the external IP address of the
firewall/gateway.
If you have a server on your internal network that you want to make
available externally, you can use the -j DNAT target of
the PREROUTING chain in NAT to specify a destination IP address and port
to which incoming packets requesting a connection to your internal service
can be forwarded. For example, if you wanted to forward incoming HTTP
requests to your dedicated Apache HTTP Server system at 172.31.0.23, run the
following command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
--to 172.31.0.23:80
This rule specifies that the NAT table use the built-in PREROUTING
chain to forward incoming HTTP requests exclusively to the listed
destination IP address of 172.31.0.23.
Note: If you have a default policy of DROP in your FORWARD chain, you
must append a rule to allow forwarding of incoming HTTP requests so that
destination NAT routing is possible. To do this, run the following
command:
iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPT
This rule allows forwarding of incoming HTTP requests from the
firewall to their intended destination, the Apache HTTP Server behind the
firewall.
iptables rules can be set to route traffic to
certain machines, such as a dedicated HTTP or FTP server, in a
demilitarized zone (DMZ), a special local subnetwork dedicated to
providing services on a public carrier such as the Internet. For
example, to set a rule for routing incoming HTTP requests to a dedicated
HTTP server at 10.0.4.2 (outside of the 192.168.1.0/24 range of the LAN),
use the PREROUTING chain of the nat table to forward the
packets to their proper destination:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
--to-destination 10.0.4.2:80
With this command, all HTTP connections to port 80 from
outside the LAN are routed to the HTTP server on a separate network
from the rest of the internal network. This form of network segmentation
can prove safer than allowing HTTP connections to a machine on the
internal network. If the HTTP server is configured to accept secure
connections, then port 443 must be forwarded as well.
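The following script is an added example, not part of the Red Hat guide, that combines the FORWARD, MASQUERADE and DNAT rules above into one iptables-restore ruleset with a default-DROP FORWARD policy, so that only the DNATed ports reach the DMZ host and packets arriving from the Internet with a spoofed LAN source address are dropped. It assumes eth0 is the external interface, eth1 the 192.168.1.0/24 LAN, 10.0.4.2 the DMZ web server and a hypothetical eth2 as the DMZ interface.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for the gateway
# described in the text. Interface names and the DMZ interface eth2 are
# assumptions, not values from the guide.
WAN=eth0
LAN=eth1
DMZ=eth2
LAN_NET=192.168.1.0/24
DMZ_WEB=10.0.4.2

gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the DMZ web server on the external address (HTTP and HTTPS).
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
-A PREROUTING -i $WAN -p tcp --dport 443 -j DNAT --to-destination $DMZ_WEB:443
# Masquerade LAN traffic leaving through the external interface.
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
# Drop packets from the Internet that claim a LAN source address (spoofing).
-A FORWARD -i $WAN -s $LAN_NET -j DROP
# Replies to connections the firewall already tracks.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN nodes may reach the Internet, but only with a LAN source address.
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# The Internet may reach the DMZ web server only on the DNATed ports.
-A FORWARD -i $WAN -o $DMZ -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
# LAN nodes may reach the DMZ web server; the DMZ never initiates into the LAN.
-A FORWARD -i $LAN -o $DMZ -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
EOF
}

# Number of rules that would be loaded; a quick sanity check before
# handing the ruleset to iptables-restore.
count_rules() {
    gen_ruleset | grep -c '^-A'
}

# Usage as root: gen_ruleset | iptables-restore
```

Run `gen_ruleset | iptables-restore` as root to load the rules atomically; the chain policies in the ruleset replace the default ACCEPT policy on FORWARD.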