NAT ports - how do they work?
- by Davidoper
I have the following network schema:
Computer A: three nics:
NIC 1 (eth0): dhcp, public internet
NIC 2 (eth1): static 192.168.1.1, gateway for Computer B
NIC 3 (eth2): static 192.168.2.1, gateway for Computer C
Computer B: static 192.168.1.2, using gateway 192.168.1.1 (NIC 2).
Computer C: static 192.168.2.2, using gateway 192.168.2.1 (NIC 3).
So I applied this to get NAT working:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Every computer can connect to the internet now. I have been applying rules to the main computer (Computer A), like dropping connections to some ports, e.g ssh:
iptables -A INPUT -p tcp --dport 22 -j DROP
But for instance, now I would like only allow connections for ports 20,21,22,53 and 80 in Computer C, and ignore the outside traffic if it's not related to those ports. The allowed connections should be FROM Computer C to outside, but not from outside to Computer C (I mean - Computer C is not hosting any HTTP or SSH, but it is going to use them as a client).
I guess this sould be done like this:
iptables -A OUTPUT -i eth2 -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth2 -o eth0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
The last rule (dropping any other traffic different from those) is at the end of the configuration, so -A should be working correctly.
The thing is... it is not working. If I put the last rule like this:
iptables -A FORWARD -i eth2 -o eth0 -j DROP
It just drops everything and, for instance, port 21 (previously opened as you can see above) is not either working.
Can you tell me what could I have done wrong? I have been struggling with this problem for some time and I am unable to solve it. Thanks!
