Setting up NAT using IPTABLES

[ChrisH]

Im trying to set up nat on one of my Linux boxes. I have read a few guides and have even remembered the free oreilly book I got free once with something "Linux iptables Pocket Reference" .

I want to start simple with just setting nat up for now and locking the ports down more later.
From what ive seen I need to use a SNAT rule and enable forwarding. This needs to be run as a script on startup from /etc/init.d
Given that eth0 is public and eth1 is private:

The script will contain the following:
Delete all current rules:

Code:

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F #ignore if you get an error here
/sbin/iptables -X #deletes every non-builtin chain in the table

Rules to allow all connections out and existing and related ones in:

Code:

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The actual NAT rule where 10.0.0.1 is the address of eth0

Code:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.0.0.1

Then enable packet forwarding by kernel

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

Does this look right? I seem to be reading confilcting stuff so just want to make sure.

[Geoff]

yes, that looks correct. However rather than writing your iptables rules directly you might find using a set of premade scripts like Shorewall is less likely to lead to serious brain ache.

http://www.shorewall.net/

[ChrisH]

Aye I have looked at other pre made stuff but just wanted to do a bit manually so I could understand it better.

[Geoff]

Fair enough. Be careful though if your playing with a live system. You can do serious damage to your networks routing and security.

I use shorewall on all my systems these days. I'm lazy and it works. Plus I don't have to audit it for security because its done for me by the shorewall community.

[ChrisH]

Well as long as I know that code would work I I understand most of it so.... Times a ticking so I will got with the shorewall

[Geoff]

You can always look at the rulechains shorewall produces from your configuration. thats usually fairly educational.

[ChrisH]

Oh btw I set your quakenet account to +ao in the #edugeek channel. I will get the ident stuff sorted tonight then apply for a trusted IP.

[Geoff]

Fair enough. If you have trouble with the trust give me a shout. I know a few IRCOps that owe me favors. Also, I have an eggdrop floating around. So if you want a bot to police the channel against usual lameness (floods, spam, control avalanches) then I can bring him in too.

[ChrisH]

Been playing with shorewall for a bit and have got the hang of it just about. I have downloaded the two-interface example and Im using that. Only problem is it ignores everything in the policy file and I have to make all changes in the rules file :? . I havent even touched it really aprt from uncomment the bit about giving users access to all port internally.

[Geoff]

did you define your interfaces?

[ChrisH]

The interfaces look ok in the predefined set that came with the example I downloaded so I havent altered it.

[Geoff]

So you've correctly associated the right interface with the right zone?

[ChrisH]

Yes just checked the zones file and the interface file seem to be set as they should be. I assume it always knows fw is the local machine and that it doesnt need setting anywhere?

[Geoff]

Does your external interface use a public internet IP or are you natted out somehow by your provider? Is your internal network using an RFC1918 compatible network range?

[ChrisH]

Network 192.168.0.0/23---------- 192.168.0.0/23 Firewall 10.x.x.x --> Cleo Router.

Is my current setup.