FORWARD and NAT Rules - Red Hat Enterprise Linux 4 Security Guide

There may be times when you require remote access to the LAN from outside the LAN. Secure
services, such as SSH, can be used for encrypted remote connections to LAN services. For
administrators with PPP-based resources (such as modem banks or bulk ISP accounts), dial-up
access can be used to circumvent firewall barriers securely, as modem connections are typically
behind a firewall/gateway because they are direct connections. However, for remote users with
broadband connections, exceptions can be made in the firewall rules. You can configure iptables to
accept connections from remote SSH clients. For example, to allow remote SSH access, the following
rules may be used:
# Accept incoming SSH connections on TCP port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow the SSH server's replies back out (SSH runs over TCP, not UDP)
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
There are other services for which you may need to define rules. Refer to the Reference Guide for
comprehensive information on iptables and its various options.
These rules allow incoming and outbound access for an individual system, such as a single PC
directly connected to the Internet or a firewall/gateway. However, they do not allow nodes behind the
firewall/gateway to access these services. To allow LAN access to these services, you can use NAT
with iptables filtering rules.

7.4. FORWARD and NAT Rules

Most organizations are allotted a limited number of publicly routable IP addresses from their ISP. Due
to this limited allowance, administrators must find creative ways to share access to Internet services
without giving limited public IP addresses to every node on the LAN. Using private IP addresses is the
common way to allow all nodes on a LAN to properly access internal and external network services.
Edge routers (such as firewalls) can receive incoming transmissions from the Internet and route
the packets to the intended LAN node. At the same time, firewall/gateways can also route outgoing
requests from a LAN node to the remote Internet service. This forwarding of network traffic can
become dangerous at times, especially with the availability of modern cracking tools that can spoof
internal IP addresses and make the remote attacker's machine act as a node on your LAN. To counter
this, iptables provides routing and forwarding policies that can be implemented to block aberrant
usage of network resources.
The FORWARD policy allows an administrator to control where packets can be routed within a LAN. For
example, to allow forwarding for the entire LAN (assuming the firewall/gateway is assigned an internal
IP address on eth1), the following rules can be set:
# Forward packets arriving on the internal interface (LAN -> gateway -> anywhere)
iptables -A FORWARD -i eth1 -j ACCEPT
# Forward packets leaving on the internal interface (anywhere -> gateway -> LAN)
iptables -A FORWARD -o eth1 -j ACCEPT
These rules give systems behind the firewall/gateway access to the internal network: the gateway
routes packets from one LAN node to its intended destination node, passing all packets through its
eth1 device.
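The following script is an added example and is not part of the Red Hat guide. It combines the two pieces of this section, the SSH access rules for the gateway itself and the FORWARD rules for the LAN, into one reviewable rule set, and goes a step further than the guide's unconditional "-i eth1 ACCEPT / -o eth1 ACCEPT" pair: it drops packets that arrive on the Internet-facing interface carrying a LAN source address (the spoofing case described above), admits return traffic only through connection state tracking, and adds the NAT step (MASQUERADE) that lets private LAN addresses reach the Internet. The external interface name eth0, the LAN prefix 192.168.1.0/24, the kernel parameter net.ipv4.ip_forward and the DRY_RUN switch are assumptions made for this example; by default it only prints the commands, so the rule set can be checked before it is applied to a live firewall with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): FORWARD, NAT and SSH rules for
# a firewall/gateway with eth0 facing the Internet and eth1 on the LAN.
# Interface names, the LAN prefix and the sysctl key are assumptions.
# DRY_RUN=1 (the default) prints the commands instead of running them.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipt() { run iptables "$@"; }

# The kernel must forward IPv4 packets at all, or no FORWARD rule is ever
# consulted (the guide's own command for this is cut off on this page).
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Anti-spoofing: a packet arriving from the Internet must never claim a LAN
# source address. These rules sit first so no later ACCEPT can match them.
antispoof_rules() {
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
}

# Remote administration of the gateway itself over SSH (TCP port 22), the
# stateful form of the INPUT/OUTPUT pair shown in the guide.
ssh_admin_rules() {
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
}

# LAN nodes may open connections outward; only replies to those connections
# are forwarded back in; everything else that would be forwarded is dropped.
forward_rules() {
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -j DROP
}

# NAT: rewrite the private source address of outbound LAN traffic to the
# gateway's public address; MASQUERADE reads it from the outgoing interface.
nat_rules() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Emit (or apply) the complete rule set in dependency order.
build_gateway_rules() {
    enable_forwarding
    antispoof_rules
    ssh_admin_rules
    forward_rules
    nat_rules
}

build_gateway_rules
```

Run it once as is to read the nine commands it would issue, then with DRY_RUN=0 as root to apply them. The final "-A FORWARD -j DROP" is what turns the guide's permissive forwarding into a default-deny policy for transit traffic, so any additional service the LAN needs reachable from outside has to be added as an explicit FORWARD rule above it.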
Note
By default, the IPv4 policy in Red Hat Enterprise Linux kernels disables support for IP
forwarding, which prevents boxes running Red Hat Enterprise Linux from functioning as
dedicated edge routers. To enable IP forwarding, run the following command: