Building Firewalls with iptables, Part 2: Page 2
Sharing an Internet Connection
Network address translation/IP masquerading allows sharing a single Internet connection among several hosts -- a mixed LAN with Linux and Windows systems, for example. Assume a firewall box with two NICs and a static, routable IP address. eth0 is the "public" NIC, eth1 the "private." In other words, eth0 is assigned the static, routable IP, while eth1 is assigned a private, non-routable IP, and belongs to the LAN subnet. We need to add chains to the nat and filter tables:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT
This illustrates the great value of stateful packet inspection. Notice how only incoming packets that belong to an existing connection are allowed. All packets from the LAN headed outbound are allowed to pass. (Note: filter is the default table; it is not necessary to explicitly name it. Many iptables examples leave it out.) The first rule makes all outgoing traffic appear as though it comes only from the firewall machine, with no indication there is an entire LAN lurking behind it.
This example sets the default policies for the FORWARDand POSTROUTING chains. It is important to have a default POSTROUTING DROP policy when using masquerading; otherwise, it is possible for a malicious user to tunnel through your gateway and masquerade their own identity.
# iptables -t filter -P FORWARD DROP
# iptables -t nat -P POSTROUTING DROP
This example is for dialup connections, with dynamically-assigned IPs:
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
A popular way to pass time is to engage in arguments about whether it is better to put servers behind firewalls, or outside of them. If you choose to put them behind your firewall, iptables needs to know where to pass the packets:
# iptables -t nat -A PREROUTING -i eth0 -p tcp -dport 80 -j DNAT -to 192.168.0.10:80
# iptables -t nat -A PREROUTING -i eth0 -p tcp -dport 25 -j DNAT -to 192.168.0.11:25