Setting up NAT for multiple isolated networks with iptables

user192826 asked:

I have a gateway machine connected to multiple internal networks that I would like to set up NAT on. The catch, though, is that these networks need to be isolated from each other, which I haven’t been able to figure out. Here’s my configuration:

eth0: (upstream), gateway is assigned
eth1: (downstream 1), gateway is assigned
eth2: (downstream 2), gateway is assigned

So far, I’ve configured iptables to allow on default chains:

iptables -P INPUT ALLOW
iptables -P OUTPUT ALLOW

Then, I’ve enabled IP forwarding in the kernel and set up iptables:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

However, this configuration allows one machine on eth1 to access another machine on eth2, even though I haven’t explicitly specified a rule to allow this. How do I isolate these networks, or at most only allow access to certain hosts/ports?

My answer:

You set the policy of the FORWARD chain to ALLOW, so even if nothing in the chain matches, the traffic will be allowed.

You probably should set it to DROP instead.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.