Sunday, March 10, 2013

Wide-open NAT firewall script using iptables

A couple years ago, I was trying to set up NAT on my home network's firewall/router using iptables, and I was desperate. It seemed that nothing I could do would convince "it" to work. (Hmm, maybe that's why they used to call it a "notwork" on alt.sysadmin.recovery . . . ) In desperation, I posted to a forum and good denizen Sum1 sent me this handy script, which I reproduce here in good will, but without his/her explicit permission:

#!/bin/sh
#
# Sum1's "wide-open, last-resort" NAT firewall
#
# Breathe, step away for a few, have a snack, and let the frustration level
# decline. You are not alone; I definitely know how you feel.
#
# I reserve the following rules for when I face utter frustration and meltdown:

IPTABLES="/usr/sbin/iptables"
LAN_INTERFACE="eth1"
INET_INTERFACE="eth0"
SUBNET1="192.168.0.0/24"

$IPTABLES -t filter -A INPUT -i $LAN_INTERFACE -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $LAN_INTERFACE -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $INET_INTERFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN_INTERFACE -s $SUBNET1 -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN_INTERFACE -o $INET_INTERFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $INET_INTERFACE -o $LAN_INTERFACE -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $INET_INTERFACE -s $SUBNET1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# Everything is now wide open and this is NOT SECURE, but it should allow
# any/every ethernet device on the subnet to access the internet.
#
# If it works, now add the following rules and see if it still does:

$IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# If you still cannot ping eth1, eth0, and also your primary DNS address, then
# there are more issues to address, like static IPs, DHCP servers, and ICMP
# stuff.

By the way, the solution to my problem was hinted at in Sum1's last sentence - the problem with the NAT setup was not in the iptables script at all, it was in the DHCP server configuration. It's all inter-related, you see.
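Once the wide-open version has proved the plumbing works, this is the shape of what you would actually leave running. It is an added example, not Sum1's script or anything from the original post: the same interfaces and subnet, but with default-deny policies so that only replies to LAN-initiated connections come back in from eth0. The DRY_RUN switch and the --apply flag are my own additions so the rule set can be reviewed before it is installed.

```shell
#!/bin/sh
# Default-deny counterpart of the wide-open script above (added example, not
# part of the original post): same interfaces and subnet, nothing new from eth0.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
LAN_INTERFACE="eth1"
INET_INTERFACE="eth0"
SUBNET1="192.168.0.0/24"
# DRY_RUN=1 (my addition) prints each iptables command instead of running it,
# so the rule set can be reviewed without root and without touching the kernel.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

firewall_rules() {
    # Clear both tables; INPUT and FORWARD drop unless a rule says otherwise.
    run -t filter -F
    run -t nat -F
    run -t filter -P INPUT DROP
    run -t filter -P FORWARD DROP
    run -t filter -P OUTPUT ACCEPT
    # The router accepts loopback and the trusted LAN subnet...
    run -t filter -A INPUT -i lo -j ACCEPT
    run -t filter -A INPUT -i "$LAN_INTERFACE" -s "$SUBNET1" -j ACCEPT
    # ...and from the Internet only replies to connections it started.
    run -t filter -A INPUT -i "$INET_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Forward LAN -> Internet for the trusted subnet; only replies come back.
    run -t filter -A FORWARD -i "$LAN_INTERFACE" -o "$INET_INTERFACE" -s "$SUBNET1" -j ACCEPT
    run -t filter -A FORWARD -i "$INET_INTERFACE" -o "$LAN_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hide the LAN behind the Internet interface's address.
    run -t nat -A POSTROUTING -o "$INET_INTERFACE" -s "$SUBNET1" -j MASQUERADE
}

# Review check: ACCEPT rules on the Internet interface not limited to
# ESTABLISHED/RELATED. The wide-open script has one (FORWARD eth0 -> eth1); here 0.
count_open_inet_rules() {
    ( DRY_RUN=1; firewall_rules ) | grep -- "-i $INET_INTERFACE" \
        | grep -- "-j ACCEPT" | grep -vc -- "--state" || true
}

if [ "${1:-}" = "--apply" ]; then
    firewall_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
else
    ( DRY_RUN=1; firewall_rules )   # default is a dry run; pass --apply to install
fi
```

Run it with no arguments to see the exact iptables commands it would issue; the same lines are what `iptables-save` should show after `--apply`, minus the counters.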

2 comments:

  1. Thanks for this. It came in real handy. However, there is an error in the third $IPTABLES line. It says "$INET_INERFACE" and should say "$INET_INTERFACE" (with a "T").
