Running Linux, 5th Edition - Matthias Kalle Dalheimer [470]

or FORWARD to our user-defined chain.

iptables -A INPUT -j allowfwdin
iptables -A FORWARD -j allowfwdin

# Enable IP routing (required by all IP routers, regardless of the use
# of IP filtering).
echo 1 >/proc/sys/net/ipv4/ip_forward

To keep track of any attempts to breach security, we've added a rule that will log any packets that would be dropped. However, if a large number of bad packets were to arrive, this rule might fill up the disk with log entries, or slow down the gateway to a crawl (as it takes much longer to log packets than it does to forward or filter them). So, we use the limit module, which controls the rate at which a rule action is taken. In the preceding example, we allowed an average rate of two bad packets per second to be logged. All other packets will pass through the rule and simply be dropped.

To view the rules that have been configured (see Example 26-3), use the iptables list option -L. Using the verbose mode (-v) displays more information than the basic output of the command.

Example 26-3. Listing iptables rulesets for Example 26-2

# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1328 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 allowfwdin all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 allowfwdin all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 9756 packets, 819K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain allowfwdin (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere \
               state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  !ppp0  any     anywhere             anywhere \
               state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere \
               state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     192.168.0.0/24       anywhere \
               state NEW tcp dpt:ftp
    0     0 ACCEPT     tcp  --  any    any     10.21.2.4            anywhere \
               state NEW tcp dpt:ftp
    0     0 ACCEPT     tcp  --  any    any     172.18.0.0/24        anywhere \
               state NEW tcp dpt:ftp
    0     0 ACCEPT     tcp  --  any    any     172.25.0.0/24        anywhere \
               state NEW tcp dpt:ftp
    0     0 LOG        all  --  any    any     anywhere             anywhere \
               limit: avg 2/sec burst 5 LOG level warning
    0     0 DROP       all  --  any    any     anywhere             anywhere

IP masquerading example

netfilter rules can also be used to implement IP masquerading, a specific type of NAT that rewrites packets from an internal network to make them appear as though they are originating from a single IP address. This is often used in cases where one has a number of machines connected to a LAN, with a single Internet-connected machine with one IP address. This is a common situation in home networks where the ISP has allocated a single IP address; using IP masquerading, however, an entire network of machines can share the address. By having the gateway perform IP masquerading, packets from the internal LAN will appear as though they are originating from the gateway machine, and packets from the Internet will be forwarded to the appropriate host on the internal LAN. You can accomplish all of this with a bit of clever packet rewriting using netfilter.

Configuring netfilter to support IP masquerading is much simpler than explaining how it works! More complete information about how IP masquerading and NAT are accomplished is provided in the NAT HOWTO. We'll show the most basic configuration in Example 26-4.

Example 26-4. Basic IP masquerade configuration

# Load the module supporting NAT, if not compiled into the kernel.
modprobe iptable_nat

# Masquerade any routed connections leaving through the ppp0 device
# (-o selects the outgoing interface; -p would select a protocol).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Enable IP routing.
echo 1 >/proc/sys/net/ipv4/ip_forward

In this configuration we assumed that we have a Linux system that will act as a gateway for an internal network. The gateway has a PPP connection to the Internet on interface ppp0, and a LAN connection to the internal network on interface eth0. This configuration allows outgoing connections from the internal network to the Internet,
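The full filtering ruleset that the listing in Example 26-3 reflects, combined with the masquerade rule of Example 26-4, as an added shell script that is not part of the book: the interface name ppp0 and the ftp source networks are those shown in the listing, and the script only prints the iptables commands for review unless APPLY=1 is set (an assumed convention, not something iptables provides).

```shell
#!/bin/sh
# Added example (not from the book): the ruleset behind the Example 26-3
# listing plus the masquerade rule of Example 26-4, as one reviewable
# script. WAN and the ftp source list are taken from the listing. By
# default the commands are only printed; APPLY=1 actually runs them.
WAN=ppp0   # Internet-facing PPP link, as in the text
FTP_NETS="192.168.0.0/24 10.21.2.4 172.18.0.0/24 172.25.0.0/24"

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

build_ruleset() {
    # Default policies: drop anything not explicitly accepted.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback is always accepted; everything else is judged by allowfwdin.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -N allowfwdin
    ipt -A INPUT -j allowfwdin
    ipt -A FORWARD -j allowfwdin

    # Replies to connections we opened, and new connections that did not
    # arrive over the Internet link.
    ipt -A allowfwdin -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A allowfwdin -m state --state NEW ! -i "$WAN" -j ACCEPT

    # New inbound ssh from anywhere; ftp only from the listed sources.
    ipt -A allowfwdin -m state --state NEW -p tcp --dport ssh -j ACCEPT
    for net in $FTP_NETS; do
        ipt -A allowfwdin -m state --state NEW -p tcp -s "$net" --dport ftp -j ACCEPT
    done

    # Log what is about to be dropped, at most 2/sec (burst 5), so a flood
    # of bad packets cannot fill the disk or stall the gateway. Then drop.
    ipt -A allowfwdin -m limit --limit 2/sec --limit-burst 5 -j LOG --log-level warning
    ipt -A allowfwdin -j DROP

    # Masquerade traffic leaving over the PPP link (-o picks the outgoing
    # interface; -p would name a protocol).
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Enable IP routing; only touch /proc when actually applying.
    if [ "${APPLY:-0}" = 1 ]; then echo 1 >/proc/sys/net/ipv4/ip_forward
    else echo "echo 1 >/proc/sys/net/ipv4/ip_forward"; fi
}

build_ruleset
```

Running the script without APPLY prints the commands in order, so the LOG-then-DROP tail and the -o interface match can be checked before anything is applied to the gateway.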
