I got a subnet that is protected by a computer that acts as a firewall. The rules I want this firewall to have are:

Deny all INPUT:
    iptables -A INPUT -j DROP

Allow all OUTPUT:
    iptables -A OUTPUT -j ACCEPT

Route all packets FROM the subnet to the outside:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Drop all packets from the outside to the subnet ???

Route packets to port 80 to a server in the subnet:
    iptables -t nat -A PREROUTING -d 192.168.2.143 -p tcp --dport 80 -j DNAT --to 172.16.32.131

The firewall's IP on eth0 is 192.168.2.143 and on eth1 is 172.16.32.254, and the server is 172.16.32.131. The subnet is 172.16.32.0/24.

I got everything working except that it routes all packets from the outside to the subnet and not only those to the web server. How do I prevent this?
Answer
The default policy is to accept packets that do not match any rule. To change this, use:
    iptables -P FORWARD DROP

You can check the current rule set with iptables -L. See also (the policy feature is mentioned at the bottom).
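To see why the policy matters, and what else changes once it is DROP, here is a small model of how the FORWARD chain is evaluated: rules in order, first match wins, and the chain policy decides any packet that matches nothing. This is an added illustration, not code from the question or the answer. It mirrors the question's two FORWARD rules and its PREROUTING DNAT; the sample packets, the `route()` helper and the extra `WEB_RULE` are constructed for the example. One point the model makes visible: with the policy set to DROP, the question's rule set only lets RELATED/ESTABLISHED traffic into the subnet, so the DNAT'd connection to the web server is also dropped until an explicit accept rule is added, and that rule has to match the translated destination (172.16.32.131), because DNAT happens before FORWARD sees the packet.

```python
"""Model of netfilter FORWARD evaluation: ordered rules, first match wins,
chain policy for everything else. Added example; rule set from the question,
packets and the WEB_RULE are constructed."""

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    src: str
    dst: str
    dport: int
    state: str  # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT or DROP
    in_if: Optional[str] = None          # -i
    out_if: Optional[str] = None         # -o
    proto: Optional[str] = None          # -p
    dst: Optional[str] = None            # -d
    dport: Optional[int] = None          # --dport
    states: Optional[frozenset] = None   # -m state --state ...

    def matches(self, pkt: Packet, out_if: str) -> bool:
        return all([
            self.in_if in (None, pkt.in_if),
            self.out_if in (None, out_if),
            self.proto in (None, pkt.proto),
            self.dst in (None, pkt.dst),
            self.dport in (None, pkt.dport),
            self.states is None or pkt.state in self.states,
        ])


def route(dst: str) -> str:
    """Routing decision on the firewall (assumed): the subnet sits behind eth1, all else via eth0."""
    return "eth1" if dst.startswith("172.16.32.") else "eth0"


def prerouting_dnat(pkt: Packet) -> Packet:
    """nat PREROUTING rule from the question: tcp/80 to the eth0 address goes to the web server."""
    if pkt.proto == "tcp" and pkt.dst == "192.168.2.143" and pkt.dport == 80:
        return replace(pkt, dst="172.16.32.131")
    return pkt


def forward_verdict(pkt: Packet, rules, policy: str) -> str:
    pkt = prerouting_dnat(pkt)   # DNAT is applied before routing and before FORWARD
    out_if = route(pkt.dst)
    for rule in rules:
        if rule.matches(pkt, out_if):
            return rule.target
    return policy                # no rule matched: the chain policy decides


EST = frozenset({"RELATED", "ESTABLISHED"})
QUESTION_RULES = [
    Rule("ACCEPT", in_if="eth0", out_if="eth1", states=EST),
    Rule("ACCEPT", in_if="eth1", out_if="eth0"),
]
# Explicit hole for the published service (added here; matches the post-DNAT destination)
WEB_RULE = Rule("ACCEPT", in_if="eth0", out_if="eth1", proto="tcp",
                dst="172.16.32.131", dport=80)

# Constructed sample packets
NEW_TO_WEB = Packet("eth0", "tcp", "203.0.113.9", "192.168.2.143", 80, "NEW")
NEW_TO_SSH = Packet("eth0", "tcp", "203.0.113.9", "172.16.32.50", 22, "NEW")
REPLY_IN = Packet("eth0", "tcp", "198.51.100.7", "172.16.32.20", 443, "ESTABLISHED")
LAN_OUT = Packet("eth1", "udp", "172.16.32.20", "198.51.100.7", 53, "NEW")
SAMPLES = [("new_to_web", NEW_TO_WEB), ("new_to_ssh", NEW_TO_SSH),
           ("reply_in", REPLY_IN), ("lan_out", LAN_OUT)]


def verdicts(rules, policy: str) -> dict:
    """Verdict per sample packet for a given rule list and chain policy."""
    return {name: forward_verdict(p, rules, policy) for name, p in SAMPLES}


if __name__ == "__main__":
    print("policy ACCEPT:", verdicts(QUESTION_RULES, "ACCEPT"))
    print("policy DROP:  ", verdicts(QUESTION_RULES, "DROP"))
    print("DROP + web:   ", verdicts(QUESTION_RULES + [WEB_RULE], "DROP"))
```

With the ACCEPT policy the unsolicited packet to 172.16.32.50:22 is forwarded, which is the behaviour the question reports. With the DROP policy it is not, but neither is the new connection to the web server until WEB_RULE is present; replies and outbound subnet traffic pass in every case because the question's rules match them explicitly.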