edit: SOLVED - see below for solution
Hi there,
I've inherited a gob of Linux hosts and so am learning Linux from the bottom of the deep end of the pool (gotta say I'm warming up to Linux though - it's not half bad).
Right now iptables is confusing me and I could use some pointers as to how I can take a host using MASQUERADE rules between two NICs and have it only allow outbound connections, blocking inbound ones.
Current state:
iptables running on a reverse proxy host with two NICs, one NIC on a public IP in the DMZ, one on a private IP on a private LAN.
This box takes web requests from the DMZ and fires them at a cluster of webservers on the private net.
My predecessor has figured out that adding an iptables rule:
-A POSTROUTING -o eth1 -j MASQUERADE
will allow hosts on the private net to get to the internet (rather handy).
The problem is, this also allows someone that owns any DMZ host to set up a route on it and connect directly to any port on any host on the private net from the DMZ.
The Question:
How do I have the proxy host (the one with the MASQ rule) only do this from eth0 and going out eth1?
iptables --list:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(i.e. blank)
iptables -t nat --list:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(i.e. just the MASQ rule)
---------- Post updated at 09:24 AM ---------- Previous update was at 08:52 AM ----------
The Solution
Ah, I figured it out - but would still appreciate peer review if anyone has feedback on this.
Writing the question down must have helped my brain straighten the problem out as the solution popped into my head suddenly.
I need a FORWARD rule in the FILTER table because I'm trying to filter a forwarded packet.
I added these rules to the filter table and changed its default policy to DROP:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 45 11573 ACCEPT all -- any eth0 anywhere anywhere state RELATED,ESTABLISHED
2 414 36553 ACCEPT all -- eth0 any anywhere anywhere
I guess I could have had a DROP or REJECT rule that looked for a state of NEW on eth1, but I slightly prefer the paranoid approach of "drop it if I can't think of a reason to accept it" vs "accept it if I can't think of a reason to drop it".
So far, all seems to work.
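As an added example (not the poster's own script), the following shell script builds the ruleset the solution above describes, with the default-deny FORWARD chain beside the "only block NEW from the DMZ" alternative the poster considered and rejected. It assumes the same layout as the post, private LAN on eth0 and DMZ/public side on eth1, and uses the `-m conntrack --ctstate` match, the current equivalent of the `state` match shown in the listing. Interface names and the DRY_RUN/plan/apply/show conventions are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: builds the FORWARD ruleset from the post
# for a box with the private LAN on eth0 and the DMZ/public side on eth1.
# The interface names are assumptions; override LAN_IF / DMZ_IF to match your host.
# Usage: sh forward-policy.sh plan   (print the commands, change nothing)
#        sh forward-policy.sh apply  (run them, as root)
#        sh forward-policy.sh show   (list the live FORWARD chain with counters)
set -eu

LAN_IF="${LAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
DRY_RUN="${DRY_RUN:-0}"

# ipt: run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Default-deny version (what the post settles on). Rule order matters: the
# conntrack rule sits first so reply packets for LAN-initiated flows match
# immediately, and the chain policy catches everything unmatched, including
# NEW connections arriving from the DMZ side.
default_deny_forward() {
    # NAT only for traffic leaving via the DMZ interface
    ipt -t nat -A POSTROUTING -o "$DMZ_IF" -j MASQUERADE
    # Start from an empty FORWARD chain, then make DROP the default
    ipt -F FORWARD
    ipt -P FORWARD DROP
    # Replies (and related flows such as FTP data) back toward the LAN
    ipt -A FORWARD -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Anything entering from the LAN may be forwarded
    ipt -A FORWARD -i "$LAN_IF" -j ACCEPT
}

# The alternative the post mentions and rejects: keep policy ACCEPT and only
# block NEW connections coming in from the DMZ. It covers this one case, but
# any traffic nobody thought of is still forwarded.
deny_new_from_dmz_only() {
    ipt -t nat -A POSTROUTING -o "$DMZ_IF" -j MASQUERADE
    ipt -F FORWARD
    ipt -P FORWARD ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -m conntrack --ctstate NEW -j DROP
}

case "${1:-}" in
    plan)  DRY_RUN=1; default_deny_forward ;;
    apply) default_deny_forward ;;
    show)  iptables -L FORWARD -v -n --line-numbers ;;
esac
```

`plan` prints the five commands so they can be reviewed before `apply` runs them; `show` is the same verbose listing as in the post, so the counters on the two ACCEPT rules can be checked after traffic has flowed. Note that `apply` flushes the FORWARD chain, so any other FORWARD rules on the host must be re-added, and the result still has to be persisted with iptables-save or the distribution's own mechanism to survive a reboot.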