This tutorial demonstrates a common SNAT setup: the box has an internal subnet on one interface (eno1) and an internet-facing interface (wlp2s0), and we want to forward traffic from clients on the internal subnet out through the internet interface while making sure it is source-NAT'd as it leaves the egress interface (we use the MASQUERADE target, the form of SNAT that picks up the egress interface's current address).
Let's first enable IP forwarding. The setting goes into /etc/sysctl.conf so it survives a reboot, and sysctl -p loads it immediately (the append has to happen under sudo too, since the redirection is performed by your shell, not by echo):
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Reset iptables to a known state. Set the policies of the filter-table chains to ACCEPT first, so that flushing the rules cannot lock you out if you are working over SSH:
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
Then flush every chain in all four tables (-F removes the rules; user-defined chains would need -X as well):
sudo iptables -F -t filter
sudo iptables -F -t nat
sudo iptables -F -t mangle
sudo iptables -F -t raw
Ensure traffic leaving wlp2s0 is masqueraded. MASQUERADE rewrites the source address of each outgoing packet to wlp2s0's current address (if that address is static, -j SNAT --to-source does the same with slightly less overhead), and the connection-tracking entry it creates is what lets the kernel reverse the translation on the replies so they reach the client on eno1:
sudo iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
Allow eno1 to forward traffic to wlp2s0:
sudo iptables -t filter -A FORWARD -i eno1 -o wlp2s0 -j ACCEPT
and the return traffic from wlp2s0 to eno1. Note that as written this accepts anything arriving on wlp2s0 for the internal subnet, not just replies; any host on the wlp2s0 side that has (or adds) a route to the internal subnet could open connections inward, so in practice you want to restrict this rule with -m conntrack --ctstate ESTABLISHED,RELATED:
sudo iptables -t filter -A FORWARD -i wlp2s0 -o eno1 -j ACCEPT
and block any other forwarded traffic:
sudo iptables -t filter -A FORWARD -j DROP
Now try pinging a remote host from a client on the internal subnet (the client's default gateway must point at this box's eno1 address). If all goes to plan you get replies back. If not, add a LOG rule in the FORWARD chain just ahead of the DROP so that dropped packets show up in the kernel log (dmesg or journalctl -k); seeing which packets are being dropped tells you exactly where things are going wrong.
It goes without saying, but the final task is to tighten up the remaining rules: INPUT and OUTPUT in the filter table are still wide open at ACCEPT. Two further things to keep in mind: the rules above live only in the running kernel and are gone after a reboot unless you persist them (iptables-save, or your distribution's iptables-persistent / netfilter-persistent service), and nothing here touches IPv6, which has its own forwarding sysctl (net.ipv6.conf.all.forwarding) and its own ip6tables FORWARD chain.
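The whole procedure as one reviewable script, with the tightening applied. This is an added example, not code from the original post: it keeps the post's interface names (eno1 internal, wlp2s0 egress, overridable via LAN_IF / WAN_IF), restricts the return path to ESTABLISHED,RELATED connections, sets the FORWARD policy to DROP so the box fails closed for routed traffic, and puts a rate-limited LOG rule ahead of the final DROP so the diagnostic step described above is built in. It assumes the conntrack and limit match modules are available (they are in any mainstream distribution kernel). With no argument it only prints the rules; run it as root with "apply" to install them.

```shell
#!/bin/sh
# Added example (not from the original post): SNAT gateway setup as one script.
# Interface names are the post's; override with LAN_IF / WAN_IF for your host.
set -eu

LAN_IF="${LAN_IF:-eno1}"     # internal subnet, where the clients sit
WAN_IF="${WAN_IF:-wlp2s0}"   # egress interface whose address is used for SNAT

# Emit the rule set, one iptables invocation per line, so it can be read or
# diffed against `iptables-save` before it touches the kernel.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -t filter -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -t filter -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FWD-DROP: "
iptables -t filter -A FORWARD -j DROP
EOF
}

# Number of rules the script will install (used as a sanity check).
nat_rule_count() { nat_rules | wc -l | tr -d ' '; }

# Returns 0 when the inbound (WAN -> LAN) rule is restricted to replies only,
# i.e. outside hosts cannot open new connections into the internal subnet.
return_rule_is_stateful() {
    nat_rules | grep -q -- "-i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Requires root. Resets the firewall to a known state and installs the rules.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # INPUT/OUTPUT stay ACCEPT so a remote admin session survives the flush;
    # FORWARD defaults to DROP so routed traffic fails closed if a later step fails.
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    for t in filter nat mangle raw; do
        iptables -t "$t" -F    # drop the rules
        iptables -t "$t" -X    # and any user-defined chains
    done
    # eval so the quoted --log-prefix argument in the rule text is parsed correctly.
    nat_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     nat_rules ;;
esac
```

Saved as, say, snat.sh (the file name is assumed), `sh snat.sh` prints the rules for review and `sudo sh snat.sh apply` installs them. Dropped forwarded packets then appear in the kernel log with the prefix "FWD-DROP: ", rate-limited so a flood cannot fill the log. The explicit -j DROP at the end is redundant with the DROP policy but keeps the intent visible in `iptables -L FORWARD`.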