Tuesday, 27 May 2008

Linux - Router NAT with some restrictions

A small iptables script that turns a Linux box into a NAT router between two subnets: it forwards from one interface to the other while restricting which hosts on the LAN side may reach the other side.

eth0:192.168.0.1 (internet)

eth1:192.168.1.1 (lan)

The /bin/nat-up script:
#!/bin/sh
# Clear any previous NAT and forwarding rules, then default-deny forwarding
iptables -t nat -F POSTROUTING
iptables -F FORWARD
iptables --policy FORWARD DROP
# Rewrite the source of LAN traffic leaving on eth0 to the router's own address
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 192.168.0.1
# Full forwarding access (both directions) for one host
iptables -A FORWARD -s 192.168.1.2 -j ACCEPT
iptables -A FORWARD -d 192.168.1.2 -j ACCEPT
# The rest of the subnet may only exchange traffic with host1
# (host1 is a placeholder: replace it with that host's address or resolvable name)
iptables -A FORWARD -s 192.168.1.0/24 -d host1 -j ACCEPT
iptables -A FORWARD -s host1 -d 192.168.1.0/24 -j ACCEPT
# Enable forwarding only after the rules are in place
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IPtables - NAT enabled ... "

Note that these rules are stateless: the "-d 192.168.1.2" rule lets anything that reaches the router from the eth0 side open a connection to that host, and the second pair lets host1 open connections into the whole LAN rather than only answer them. If that is not intended, replace the reverse-direction rules with a conntrack match on ESTABLISHED,RELATED so that only replies are forwarded back.

A second script, /bin/nat-down, disables the NAT on demand:
#!/bin/sh
# Flush the NAT and forwarding rules; the FORWARD policy stays at DROP
iptables -t nat -F POSTROUTING
iptables -F FORWARD
# Stop the kernel from forwarding packets at all
echo 0 > /proc/sys/net/ipv4/ip_forward
echo "IPtables - NAT disabled ... "
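The same setup written as one stateful script, combining nat-up and nat-down, as an added example that is not the original post's code. It keeps the post's interfaces and addresses and the "host1" placeholder (HOST1 must be replaced with the real address), but differs from the post in two deliberate ways: only the LAN side may open new connections, and return traffic is matched with conntrack instead of symmetric -s/-d rules, so neither the eth0 side nor host1 can initiate connections into the LAN. A DRY_RUN switch prints the commands instead of executing them, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Stateful variant of the nat-up / nat-down scripts above (added example,
# not the original post's scripts). Assumes the post's interfaces and
# addresses; HOST1 keeps the post's "host1" placeholder and must be replaced
# with the real address. Run as root; DRY_RUN=1 prints the commands instead
# of executing them.

WAN=eth0
LAN=eth1
WAN_IP=192.168.0.1
LAN_NET=192.168.1.0/24
FULL_ACCESS_HOST=192.168.1.2
HOST1=${HOST1:-host1}

# Wrapper so the rule set can be reviewed without touching the kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

set_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo $1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo "$1" > /proc/sys/net/ipv4/ip_forward
    fi
}

nat_up() {
    # Clean slate and default-deny, as in the original script.
    ipt -t nat -F POSTROUTING
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # Packets arriving on the WAN side with a LAN source address are spoofed.
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # Replies and related traffic (e.g. ICMP errors) for connections that were
    # already allowed, in either direction. Replaces the symmetric -s/-d pairs.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only the LAN side may open new connections, and only towards the WAN side.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$FULL_ACCESS_HOST" \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -d "$HOST1" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Source NAT for everything leaving on the WAN side.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j SNAT --to-source "$WAN_IP"

    # Enable forwarding last, so nothing is forwarded before the rules exist.
    set_forwarding 1
}

nat_down() {
    # Disable forwarding first, then flush; the DROP policy stays in place.
    set_forwarding 0
    ipt -t nat -F POSTROUTING
    ipt -F FORWARD
    ipt -P FORWARD DROP
}

# Dispatch only when called with an argument: ./nat.sh up | ./nat.sh down
if [ $# -gt 0 ]; then
    case "$1" in
        up)   nat_up ;;
        down) nat_down ;;
        *)    echo "usage: $0 up|down" >&2; exit 2 ;;
    esac
fi
```

After applying it, check the live rule set with "iptables -S FORWARD" and "iptables -t nat -S POSTROUTING" rather than trusting the script's output. The script covers IPv4 only: if IPv6 forwarding is enabled on the box, ip6tables needs an equivalent policy or the restriction is bypassed.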

Thank you for playing :)
