Tuesday, December 28, 2010

System Configuration and Management -- Use iptables to implement packet filtering and configure network address translation (NAT)

Assuming you know basic networking, routing and firewalling, basic packet filtering on RHEL is fairly easy. Solutions can get quite complex, but all we are concerned with here is basic filtering and a simple NAT setup.

Packet filtering in RHEL6 is controlled with a program called iptables. You can get a syntax summary by running iptables -h, or more detail with man iptables. You can view the currently loaded rules by running iptables -L (this shows only the filter table; add -t nat to see the NAT table, and -n -v --line-numbers for numeric addresses, packet counters and rule positions), or by viewing the file /etc/sysconfig/iptables (these are the rules the iptables service loads at startup). Reading /etc/sysconfig/iptables is probably the easiest way to understand the syntax needed to add or modify rules.

Configuring NAT
NAT'ing is similar to setting up routing, except the firewall rules are different: the box forwards packets between its interfaces, and the nat table rewrites the source address of packets leaving the external interface so replies come back to the box. Here I will be using the information from http://www.revsys.com/writings/quicktips/nat.html as a basis for the steps below.
SCENARIO:  Your server has 2 network cards: eth0 and eth1. The external network (internet) is connected to eth0, and the internal network is connected to eth1. You want all hosts from eth1 to be able to access resources on eth0 via a NAT'ed connection.


STEP 1: Enable IP Forwarding
Edit /etc/sysctl.conf and find the line net.ipv4.ip_forward = 0
Change the value of this line to 1, save and exit the file
Execute sysctl -p to reload the file (or simply reboot); cat /proc/sys/net/ipv4/ip_forward should then print 1. Without this the kernel discards packets that are not addressed to the box itself, whatever the iptables rules say.

STEP 2: Enable Masquerading
Execute the following commands to enable Masquerading (NAT'ing):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The first rule rewrites the source address of every packet leaving eth0 to eth0's own address (and reverses the rewrite on replies). The second lets replies and related traffic back in from eth0 to eth1; the third lets internal hosts on eth1 start any connection out through eth0. Rule order matters: a stock RHEL6 /etc/sysconfig/iptables ends the FORWARD chain with -A FORWARD -j REJECT --reject-with icmp-host-prohibited, and -A appends after it, so the two FORWARD rules above would sit behind the REJECT and never match. Either delete that REJECT rule first (iptables -D with the same rule spec) or insert the rules at the top of the chain with -I FORWARD instead of -A. Check the result with iptables -L FORWARD -n -v --line-numbers and iptables -t nat -L -n -v.

Execute iptables-save > /etc/sysconfig/iptables to save the rules (service iptables save does the same), and make sure the service is enabled with chkconfig iptables on so they are restored at boot.
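The two steps above as one script, added here as an example and not code from the original post or from the revsys page. It prints the rule commands for the scenario (using -I so the FORWARD rules land ahead of the REJECT a stock RHEL6 ruleset ends with), and provides offline checks over an iptables-save dump: rule ordering in FORWARD, the MASQUERADE rule, and the ip_forward switch. The EXT_IF/INT_IF variables, the function names and the two sample dumps are this example's own; the dumps are constructed, modelled on the stock RHEL6 /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example, not code from the original post: the NAT procedure above as a
# script, plus offline checks over an iptables-save dump. Interface names follow
# the scenario (eth0 external, eth1 internal); EXT_IF/INT_IF, the function names
# and the sample rulesets are this example's own.
EXT_IF="${EXT_IF:-eth0}"   # external (internet-facing) interface
INT_IF="${INT_IF:-eth1}"   # internal interface

# Print the iptables commands for the scenario. The FORWARD rules are inserted
# (-I) at positions 1 and 2 instead of appended, so they sit ahead of the
# "-A FORWARD -j REJECT" rule that a stock RHEL6 ruleset ends with.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
iptables -I FORWARD 1 -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -i $INT_IF -o $EXT_IF -j ACCEPT
EOF
}

# Read an iptables-save dump on stdin; succeed only if the filter table's
# FORWARD chain accepts INT_IF -> EXT_IF traffic before any REJECT/DROP rule
# in that chain (an ACCEPT behind the REJECT is dead and NAT silently fails).
forward_order_ok() {
    awk -v int_if="$INT_IF" -v ext_if="$EXT_IF" '
        /^\*/ { table = substr($0, 2) }           # table headers: *nat, *filter
        table == "filter" && $1 == "-A" && $2 == "FORWARD" {
            if ($0 ~ /-j (REJECT|DROP)/) { seen_reject = 1 }
            else if (!seen_reject && $0 ~ ("-i " int_if " -o " ext_if " .*-j ACCEPT")) { ok = 1 }
        }
        END { exit ok ? 0 : 1 }'
}

# Read an iptables-save dump on stdin; succeed if nat/POSTROUTING masquerades
# traffic leaving EXT_IF.
masquerade_ok() {
    awk -v ext_if="$EXT_IF" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" &&
            $0 ~ ("-o " ext_if " -j MASQUERADE") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Succeed if IP forwarding is on; the path argument lets this be checked
# against any file (the real one is /proc/sys/net/ipv4/ip_forward).
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Constructed sample dump: the result of appending (-A) the post's FORWARD rules
# to the stock RHEL6 /etc/sysconfig/iptables. Both ACCEPTs sit behind the
# REJECT, so forwarding is still refused.
BAD_RULESET='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Same dump with the FORWARD REJECT moved back to the end of the chain, which is
# what -I (or deleting the REJECT before appending) produces.
GOOD_RULESET=$(printf '%s\n' "$BAD_RULESET" | awk '
    /^-A FORWARD -j REJECT/ { held = $0; next }          # hold the REJECT ...
    /^COMMIT/ && held != "" { print held; held = "" }   # ... and emit it last
    { print }')

case "${1:-}" in
    apply)   # run as root on the NAT box, then persist the live ruleset
        nat_rules | sh -e && iptables-save > /etc/sysconfig/iptables ;;
    check)   # audit the saved file and the kernel switch without changing anything
        forward_order_ok < /etc/sysconfig/iptables \
            && masquerade_ok < /etc/sysconfig/iptables \
            && ip_forward_enabled && echo "NAT configuration looks right" ;;
esac
```

Run it with apply as root to install and save the rules, or with check to audit an existing box; the checks read the saved file rather than the live ruleset, so they also work on a copy pulled from another host. The ordering check is the one that catches the most common mistake with this recipe: rules that look right in iptables -L but never match because a REJECT precedes them.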
