IPTABLES Scenario 2 - Internet Sharing




Scenario 2: Internet Sharing

Example 1

In this example, we will configure the machine to share its internet connection with a LAN. The machine has two interfaces:



eth0 – public connection with IP address 10.20.30.4
eth1 – LAN with network address 192.168.0.0/24

/etc/sysconfig/iptables

# NAT Table for ICS
*nat
# set up IP forwarding and nat: rewrite the source of everything leaving eth0 to the public address
-A POSTROUTING -o eth0 -j SNAT --to 10.20.30.4
COMMIT

# Filter Table
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# allow local loopback connections
-A INPUT -i lo -j ACCEPT
# drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow connections to my ISP's DNS servers
-A OUTPUT -d 10.10.10.10 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A OUTPUT -d 10.10.10.11 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A FORWARD -d 10.10.10.10 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -d 10.10.10.11 -m state --state NEW -p udp --dport 53 -i eth1 -o eth0 -j ACCEPT
# allow outgoing connections to web servers (multiport takes the plural --dports for a port list)
-A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dports http,https -o eth0 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dports http,https -i eth1 -o eth0 -j ACCEPT
# allow outgoing mail connections to my ISP's SMTP and POP3 server only
# (the hostname is resolved once, when the ruleset is loaded)
-A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dports smtp,pop3 -o eth0 -j ACCEPT
-A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dports smtp,pop3 -i eth1 -o eth0 -j ACCEPT
# log all other attempted outgoing connections
-A OUTPUT -o eth0 -j LOG
-A FORWARD -j LOG
# default is to DROP outgoing connections (the chain policies above)
COMMIT

Notes:

IP forwarding must be enabled in the kernel, or no packets will be passed between eth1 and eth0 regardless of the FORWARD rules. As root:

$ echo 1 > /proc/sys/net/ipv4/ip_forward

You can place this line in the iptables startup script (usually /etc/rc.d/init.d/iptables) or, preferably, in /etc/rc.d/rc.local, which is the last script executed during startup.

What if you are using a dynamic IP? SNAT needs a fixed address to rewrite to, so replace the SNAT rule in the nat table with:

-A POSTROUTING -o eth0 -j MASQUERADE

MASQUERADE uses whatever address eth0 currently has, and forgets its translations when the interface goes down.
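The ruleset and both notes above, turned into a parameterised shell script. This is an added example and not code from the original page: the function names gen_ics_rules and check_forward_rules, the "dynamic" keyword that switches SNAT to MASQUERADE, and the file name ics-rules.sh are assumptions of this script; the interface names, addresses and mail host in the usage line are the scenario's own. It goes slightly beyond the page's ruleset: NAT and FORWARD rules are restricted to sources in the LAN network, ports are numeric so the file does not depend on /etc/services, the LOG rules are rate-limited, and a check refuses any FORWARD rule that admits NEW connections without binding both -i and -o.

```sh
#!/bin/sh
# Added example, not from the original page: build the Internet-sharing
# ruleset above from parameters and sanity-check it before loading it.
# Function names and the "dynamic" keyword are assumptions of this script.

# gen_ics_rules WAN_IF WAN_IP|dynamic LAN_IF LAN_NET DNS1 DNS2 MAILHOST
# Prints an iptables-restore ruleset. The literal word "dynamic" as WAN_IP
# selects MASQUERADE (address looked up per packet) instead of a fixed SNAT.
gen_ics_rules() {
    wan_if=$1; wan_ip=$2; lan_if=$3; lan_net=$4
    dns1=$5; dns2=$6; mail=$7
    if [ "$wan_ip" = dynamic ]; then
        nat_rule="-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE"
    else
        nat_rule="-A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $wan_ip"
    fi
    # Lines starting with '#' are ignored by iptables-restore. Ports are numeric
    # (80,443 / 25,110) so the file does not depend on /etc/services, and
    # multiport takes the plural --dports for a port list.
    cat <<EOF
*nat
# translate only traffic that originates in the LAN
$nat_rule
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS to the two configured resolvers only
-A OUTPUT -d $dns1 -m state --state NEW -p udp --dport 53 -o $wan_if -j ACCEPT
-A OUTPUT -d $dns2 -m state --state NEW -p udp --dport 53 -o $wan_if -j ACCEPT
-A FORWARD -s $lan_net -d $dns1 -m state --state NEW -p udp --dport 53 -i $lan_if -o $wan_if -j ACCEPT
-A FORWARD -s $lan_net -d $dns2 -m state --state NEW -p udp --dport 53 -i $lan_if -o $wan_if -j ACCEPT
# web
-A OUTPUT -m state --state NEW -p tcp -m multiport --dports 80,443 -o $wan_if -j ACCEPT
-A FORWARD -s $lan_net -m state --state NEW -p tcp -m multiport --dports 80,443 -i $lan_if -o $wan_if -j ACCEPT
# mail to the ISP's server only
-A OUTPUT -d $mail -m state --state NEW -p tcp -m multiport --dports 25,110 -o $wan_if -j ACCEPT
-A FORWARD -s $lan_net -d $mail -m state --state NEW -p tcp -m multiport --dports 25,110 -i $lan_if -o $wan_if -j ACCEPT
# log what the DROP policy is about to discard, rate-limited so a port scan
# from the LAN cannot fill the log
-A OUTPUT -o $wan_if -m limit --limit 5/min -j LOG --log-prefix "ICS-OUT: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ICS-FWD: "
COMMIT
EOF
}

# check_forward_rules RULESET
# Returns 0 when every FORWARD rule that admits NEW connections names both an
# inbound (-i) and an outbound (-o) interface. A rule that binds only one side
# would also match new connections arriving from the WAN, which is the usual
# mistake in a sharing ruleset.
check_forward_rules() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / && /--state NEW/ && /-j ACCEPT/ {
            if ($0 !~ /(^| )-i [^ ]+/ || $0 !~ /(^| )-o [^ ]+/) bad++
        }
        END { exit (bad > 0) }'
}

# Usage, as root, with the scenario's own values (file name is an assumption):
#   ./ics-rules.sh eth0 10.20.30.4 eth1 192.168.0.0/24 10.10.10.10 10.10.10.11 mail.my-isp.com > /etc/sysconfig/iptables
#   iptables-restore --test < /etc/sysconfig/iptables   # parse only, loads nothing
#   sysctl -w net.ipv4.ip_forward=1                    # same effect as the echo in the notes
if [ "$#" -eq 7 ]; then
    rules=$(gen_ics_rules "$@")
    check_forward_rules "$rules" || { echo "refusing: unsafe FORWARD rule" >&2; exit 1; }
    printf '%s\n' "$rules"
fi
```

Running the generated file through iptables-restore --test first catches syntax problems (a bad port list, an unresolvable mail host) without touching the live ruleset; the forwarding check is separate because a ruleset can be syntactically valid and still forward in both directions.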