FORWARD and NAT Rules for nodes behind the firewall/gateway.
iptables provides routing and forwarding policies. The FORWARD policy allows an administrator to control where packets can be routed within a LAN. For example, to allow forwarding for the entire LAN (assuming the firewall/gateway is assigned an internal IP address on eth1), the following rules can be set:
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
These rules give systems behind the firewall/gateway access to the internal network. The gateway routes packets from one LAN node to its intended destination node, passing all packets through its eth1 device.
To enable IP forwarding, run the following command:
sysctl -w net.ipv4.ip_forward=1
You can make forwarding permanent by editing the /etc/sysctl.conf file:
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Execute the following command to apply the change made to /etc/sysctl.conf:
sysctl -p /etc/sysctl.conf
To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall’s external device (in this case, eth0):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall’s external networking device (-o eth0).
POSTROUTING allows packets to be altered as they are leaving the firewall’s external device. The -j MASQUERADE target is specified to mask the private IP address of a node with the external IP address of the firewall/gateway.
If you want to forward incoming HTTP requests to your dedicated Apache HTTP Server system at 192.168.0.10, run the following command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10:80
This rule specifies that the NAT table use the built-in PREROUTING chain to forward incoming HTTP requests exclusively to the listed destination IP address of 192.168.0.10.
The following rule allows the forwarding of those incoming HTTP requests from the firewall to their intended destination, the Apache HTTP Server system behind the firewall:
iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.10 -j ACCEPT
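As an added example, not code from the original text, the rules above assembled into one script with a default-deny FORWARD policy, so that only replies to allowed connections, LAN-initiated connections, and the DNATed HTTP traffic are forwarded instead of everything entering or leaving eth1. The WAN_IF, LAN_IF, WEB_SERVER and DRY_RUN names and the ipt wrapper are this example's own assumptions.

```shell
#!/bin/sh
# Constructed example: gateway FORWARD and NAT ruleset with default-deny forwarding.
# WAN_IF, LAN_IF, WEB_SERVER and DRY_RUN are names assumed by this example.
WAN_IF="${WAN_IF:-eth0}"                  # external interface (eth0 on the page)
LAN_IF="${LAN_IF:-eth1}"                  # internal interface (eth1 on the page)
WEB_SERVER="${WEB_SERVER:-192.168.0.10}"  # internal Apache host from the page
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the rules, 0 = apply them (needs root)

# ipt: run one iptables command, or print it when DRY_RUN=1
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

gateway_rules() {
    # Start from a clean FORWARD chain and nat table
    ipt -F FORWARD
    ipt -t nat -F
    # Default deny for transit traffic; everything below is an explicit exception
    ipt -P FORWARD DROP
    # Return traffic for connections that were already allowed, in either direction
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN nodes may initiate connections out through the gateway
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    # Hide private LAN addresses behind the gateway's external address
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Port-forward inbound HTTP to the internal web server ...
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    # ... and let only that DNATed traffic open new connections into the LAN
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# count_forward_accepts: number of ACCEPT rules the script adds to FORWARD (dry run)
count_forward_accepts() {
    ( DRY_RUN=1; gateway_rules ) | grep -c -- '-A FORWARD .* -j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi
gateway_rules
```

Run it without arguments to review the generated commands; run it as root with --apply to install them.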