2

I want to set up some NAT policies so that certain machines will only have outbound access to http/https. They should not be able to do port scans or anything else from their machine.

Currently my NAT rules are:

-A PREROUTING -d 1.2.3.4 -j DNAT --to-destination 10.10.1.10
-A POSTROUTING -s 10.10.1.10 -j SNAT --to-source 1.2.3.4

And I have this shared rule:

-A POSTROUTING -o eth0 -j MASQUERADE

1.2.3.4 is a public IP, and 10.10.1.10 is an internal IP.

This allows all inbound and outbound access to NAT directly through.

I tried the following POSTROUTING rule instead of the one above:

-A POSTROUTING -s 10.10.1.10 -p tcp --dport 80 -j SNAT --to-source 1.2.3.4:80

However, that didn't seem to work. After adding that rule I could still use RDP from the workstation.

To recap, my goal is to allow certain workstations to only have http/https access to the Internet. All other outbound traffic should be blocked. All traffic should be allowed. I want all other workstations in the network to use the existing NAT policy to allow all outbound traffic to be NAT'ed.

Update Based on @Zoredache's reply, I now have the following Postrouting rules.

-A POSTROUTING -s 10.10.1.10/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 1.2.3.4:80
-A POSTROUTING -s 10.10.1.10/32 -p tcp -m tcp --dport 443 -j SNAT --to-source 1.2.3.4:443
-A POSTROUTING -s 10.10.1.10/32 -p tcp -m tcp --dport 53 -j SNAT --to-source 1.2.3.4:53
-A POSTROUTING -s 10.10.1.10/32 -p tcp -m udp --dport 53 -j SNAT --to-source 1.2.3.4:53
-A POSTROUTING -s 10.10.1.10/32 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE

They don't quite work yet but they are getting close. More in my reply to @Zoredache below.

Scott Forsyth
  • 16,449
  • 3
  • 37
  • 56
  • I suggest posting the (sanitized) output of `iptables-save` command. That way, we can easily see if there are any other rules that rendered your rules to be ineffectual. – pepoluan Jan 23 '14 at 09:04
  • Another question, for clarification: the `iptables` rules are located on a Linux gateway, that stands between the Internet and your LAN, and the workstations live in your LAN. Am I right? Please also indicate which interface connects to which side. – pepoluan Jan 23 '14 at 09:06
  • @pepoluan, I've added the rules now, and I'll reply with more details to zoredache. – Scott Forsyth Jan 23 '14 at 15:20

1 Answers1

6

The key to iptables is the first match wins.

Assuming the client machine is 10.10.1.10 then you just have to look at these rules in order. If the first rule doesn't match it is going to pass down MASQ rule which it will match.

-A POSTROUTING -s 10.10.1.10 -p tcp --dport 80 -j SNAT --to-source 1.2.3.4:80
-A POSTROUTING -o eth0 -j MASQUERADE

If you were to add another rule before the final MASQUERADE rule should result in the NAT not happening. Since the packets from 10.10.1.10 will that are not destined to tcp/80 or tcp/443 will match the ACCEPT rule, meaning that they will not be translated by the SNAT/MASQ rules.

-A POSTROUTING -s 10.10.1.10 -p tcp --dport 80 -j SNAT --to-source 1.2.3.4:80
-A POSTROUTING -s 10.10.1.10 -p tcp --dport 443-j SNAT --to-source 1.2.3.4:443
-A POSTROUTING -s 10.10.1.10 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
Zoredache
  • 130,897
  • 41
  • 276
  • 420
  • Thanks, that's exactly what I was looking for. It almost works, but something isn't quite working. I realize that I need DNS access too for a functioning web browsing machine, so I added ports 53 for TCP and UDP. (see my update on my original question) RDP is now blocked, so that's good, but pinging a new DNS name sometimes works and sometimes doesn't. What would cause that to be intermittent? Would it have something to do with udp and tcp using the same destination port? – Scott Forsyth Jan 23 '14 at 15:24
  • First, I am kinda surprised PING is working. Is there some reason why you are trying to force a particular source port in your `--to-source`? That is probably wrong, I suggest removing the port – Zoredache Jan 23 '14 at 17:32
  • That did it! I dropped the port and everything appears to work perfectly. You're right, the ping itself didn't work, although it still let me know if it would resolve DNS. I also added a policy for ICMP and even that is working now. – Scott Forsyth Jan 23 '14 at 18:56