iptables forwarding

Iptables is an open-source application that every Linux system has. Iptables controls the LAN/internet traffic going in or out of our computer. It is very useful when we want to restrict access from a computer into the LAN or to the internet. But we need to understand how it works. These are things that I don't fully understand, since I have not learned to be a real administrator.

However, I try to memorize the commands that I will use every day. Like this command to forward a certain port of an IP address to another IP address (on a different LAN card) with a different port.

#iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xxx:3128
#iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

Or to forward one port to another port. In this example I forwarded port 80, which is the common port for web browsing, to port 3128, which is the port of Squid, the open source firewall.

#iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination :3128
or
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
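The two rules in the first example only work together with a few more that the post leaves out: the kernel must have forwarding enabled, the FORWARD rule has to match the destination after the DNAT rewrite (the internal host and port, not the public ones), reply packets need to be allowed back, and the LAN has to be masqueraded on the way out. The script below is an added example, not code from the original post; the interface names, the public address 203.0.113.10 and the Squid host 192.168.0.2:3128 are placeholders chosen for it, and the `ipt`/`ipt_add` wrappers only print the rules unless `IPT_APPLY=1` is set, so the rule set can be reviewed before it is loaded as root.

```shell
#!/bin/sh
# Added example (not from the original post): a complete, re-runnable port
# forward for the case the post describes. Traffic arriving on the WAN side for
# the router's public address on port 80 is handed to an internal Squid.
# All addresses and interface names below are placeholders/assumptions.
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.10}"     # placeholder public address (TEST-NET-3)
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SQUID_IP="${SQUID_IP:-192.168.0.2}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Run iptables only when IPT_APPLY=1 (needs root); otherwise print the command
# so the generated rule set can be inspected first.
ipt() {
    if [ "${IPT_APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# ipt_add TABLE CHAIN RULE...: append a rule unless an identical one already
# exists (-C exits 0 on a match), so running the script twice adds nothing twice.
ipt_add() {
    table=$1; chain=$2; shift 2
    if [ "${IPT_APPLY:-0}" = "1" ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    ipt -t "$table" -A "$chain" "$@"
}

setup_port_forward() {
    # 1. The kernel must be allowed to route packets between interfaces at all.
    if [ "${IPT_APPLY:-0}" = "1" ]; then
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
    else
        printf 'sysctl -w net.ipv4.ip_forward=1\n'
    fi
    # 2. Rewrite the destination before the routing decision (nat/PREROUTING).
    ipt_add nat PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 80 \
        -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
    # 3. Let the rewritten packets through FORWARD. The filter table sees the
    #    post-NAT header, so the match is on the internal host and port.
    ipt_add filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SQUID_IP" --dport "$SQUID_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # 4. Replies and later packets of already accepted connections, both ways.
    ipt_add filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 5. Hide the LAN behind the public address on the way out (the SNAT side).
    ipt_add nat POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

setup_port_forward
```

Run it once without `IPT_APPLY` to read the five commands it would issue, then with `IPT_APPLY=1` as root to load them; because the additions are guarded by `-C`, the second run is a no-op on a system where the rules are already present.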

DNAT Target
Now in iptables there are the SNAT and DNAT target types. What we discussed above is the SNAT type. DNAT is the opposite of SNAT. DNAT does Destination Network Address Translation: it rewrites the destination IP field in the headers of matching packets. DNAT only works in the nat table, in the PREROUTING and OUTPUT chains, or in a chain we made ourselves that is called from them.
Example:

iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.0.2

Block FORWARD access to the web server (the mac match needs the address in colon-separated form):

iptables -A FORWARD -p tcp -m mac --mac-source 0C:80:10:34:28:54 --dport 80 -j DROP

Block INPUT access to the web server

iptables -A INPUT -p tcp -m mac --mac-source 0C:80:10:34:28:54 --dport 80 -j DROP

IP masquerading

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQUERADE

Access only some IPs to the internet

You have IP addresses like the ones above, but you want only the clients with IP 192.168.1.5 and 192.168.0.10 to be able to access the internet; then you should type only these commands:

iptables -t nat -A POSTROUTING -s 192.168.1.5/32 -d 0.0.0.0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.10/32 -d 0.0.0.0/0 -j MASQUERADE

Block only some IPs from the internet

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0/0 -j MASQUERADE
iptables -I INPUT -s 192.168.1.5/32 -d 0/0 -j DROP
iptables -I INPUT -s 192.168.1.10/32 -d 0/0 -j DROP

Block some packets to some port. Example: the IRC chat port

iptables -I INPUT -p tcp -s 192.168.1.5/32 -d 0/0 --destination-port 6667 -j DROP

To delete a rule we made, use -D instead of -A (or -I) with exactly the same match. For example, the rule

iptables -I INPUT -p tcp -s 192.168.1.5/32 -d 0/0 --destination-port 6667 -j DROP

is erased by:

iptables -D INPUT -p tcp -s 192.168.1.5/32 -d 0/0 --destination-port 6667 -j DROP
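The rules in the last three sections (allowing only some clients out, blocking some clients, blocking one client's IRC port, and deleting a rule again) all concern traffic that the router passes between its LAN and WAN sides. That traffic goes through the FORWARD chain; the INPUT chain only sees packets addressed to the router itself, so an INPUT DROP does not stop a client from browsing through the router. The script below is an added example, not code from the original post, that expresses the same policy on the FORWARD chain: a default DROP, an allow-list of clients whose IP is tied to a MAC address (as in the post's mac-source rules), a per-client port block inserted at the top with -I so it wins over the ACCEPT rules, and the matching -D removal. The interface names, addresses and MAC addresses are constructed placeholders, and the `ipt` wrapper only prints the commands unless `IPT_APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the original post): restrict which LAN clients may
# reach the internet through this router, using the FORWARD chain. All
# addresses, MACs and interface names are constructed placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the command unless IPT_APPLY=1 (loading rules requires root).
ipt() {
    if [ "${IPT_APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Allowed clients as "ip mac" pairs (constructed sample data). Binding each IP to
# a MAC means a client cannot get access just by configuring an allowed address;
# it is still only a LAN-side check, not authentication.
ALLOWED_CLIENTS="192.168.1.5 0c:80:10:34:28:54
192.168.1.10 0c:80:10:34:28:55"

client_policy() {
    # Forwarded traffic is denied unless a rule below allows it. INPUT would
    # only protect the router itself; LAN-to-internet packets pass FORWARD.
    ipt -P FORWARD DROP
    # Replies for connections that were already accepted.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # One ACCEPT per allowed client, matched on source IP and source MAC.
    printf '%s\n' "$ALLOWED_CLIENTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ip/32" \
            -m mac --mac-source "$mac" -j ACCEPT
    done
    # Only packets that survived FORWARD reach POSTROUTING, so a subnet-wide
    # MASQUERADE is safe here: it cannot let an unlisted client out.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# block_client_port IP PORT: drop one TCP port for one client. -I puts the rule
# at the head of the chain, so it is evaluated before the ACCEPT rules above.
block_client_port() {
    ipt -I FORWARD -i "$LAN_IF" -p tcp -s "$1/32" --dport "$2" -j DROP
}

# unblock_client_port IP PORT: remove exactly that rule. The match must be
# repeated verbatim; only the action flag changes from -I to -D.
unblock_client_port() {
    ipt -D FORWARD -i "$LAN_IF" -p tcp -s "$1/32" --dport "$2" -j DROP
}

client_policy
block_client_port 192.168.1.5 6667
unblock_client_port 192.168.1.5 6667
```

In the printed output the DROP rule for port 6667 appears after the ACCEPT rules, but because it is loaded with -I it ends up first in the chain; `iptables -L FORWARD -n --line-numbers` shows the real order, and the same listing is the easiest way to confirm that a -D actually removed the rule you intended.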

For you to know:
-A appends a rule at the end of the chain
-I inserts a rule at the top of the chain
-D deletes a rule
-s source address
-d destination address
DROP denies the packet

There is lots of knowledge and there are many forums on Google, as long as you have the will to search for it. I learnt everything from Google. Then I met a friend who had already learned about it. And now I have shared it with you; I hope it will be useful.
