IPTables Routing (Forward Chain)
The FORWARD chain holds the rules that take care of routed traffic, i.e. packets that pass through the host rather than being addressed to it.
Enabling the Routing.
# sysctl net.ipv4.ip_forward
sysctl is the key utility that shows the running kernel parameters. This invocation shows the status of IPv4 routing in our local system (a value of 1 means forwarding is enabled, 0 means it is off).
This will turn on routing in the running kernel (the setting is lost at the next reboot).
# echo 1 > /proc/sys/net/ipv4/ip_forward
This will make the routing permanent across reboots.
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
This adds a static route on the Linux host so that the 10.0.0.0/8 network is reached via the gateway 192.168.1.10.
# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.10
Forward Chain to Manage the Routing.
All packets that are routed through a Linux router traverse the FORWARD chain (packets addressed to the router itself go through INPUT and OUTPUT instead).
Defining the Forward chain policy
1. Initially make the default policy DROP for all routed traffic in the firewall
This will make all routed traffic be dropped as the default policy, so only traffic explicitly accepted by a later rule gets through.
# iptables -P FORWARD DROP
2. Specify only certain source networks to be routed
This will allow traffic from the 192.168.1.0/24 network to 10.0.0.0/8. But the return traffic coming back from the 10.0.0.0/8 network will not be accepted unless we define a state rule, or a rule that explicitly allows traffic from that source.
# iptables -A FORWARD -s 192.168.1.0/24 -d 10.0.0.0/8 -j ACCEPT
This will allow and route all new and established connections from the network 192.168.1.0/24 to any destination.
# iptables -A FORWARD -m state --state NEW,ESTABLISHED -s 192.168.1.0/24 -j ACCEPT
3. Accept the return traffic
This will allow/accept all established connections in the FORWARD chain, whichever direction the packet travels. This is what lets the return traffic through.
# iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
or define a rule that allows the return traffic from the network 10.0.0.0/8. Here the use of the "state" match makes the firewall rule definition easier and more secure: only replies belonging to connections the kernel is already tracking are accepted, instead of everything from 10.0.0.0/8.
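To make the first-match behaviour of steps 1 to 3 concrete, here is an added Python model of FORWARD-chain evaluation (example code, not from this page and not iptables itself); Pkt, Rule and forward are assumed names and the packets are constructed samples. It shows why the step 2 rule alone drops the reply from 10.0.0.0/8, and how the ESTABLISHED rule accepts replies without opening 10.0.0.0/8 to new connections.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of FORWARD-chain evaluation (not iptables itself): rules are
# tried in order, the first match decides, and the chain policy applies otherwise.

@dataclass
class Pkt:
    src: str
    dst: str
    state: str          # what conntrack would report: "NEW" or "ESTABLISHED"

@dataclass
class Rule:
    target: str                     # -j ACCEPT / DROP
    src: str = "0.0.0.0/0"          # -s
    dst: str = "0.0.0.0/0"          # -d
    states: tuple = ()              # -m state --state ...; empty = no state match

    def matches(self, p: Pkt) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.states or p.state in self.states))

def forward(rules: list, policy: str, p: Pkt) -> str:
    """Walk the chain like netfilter does: first matching rule wins, else policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy

POLICY = "DROP"                                   # step 1: iptables -P FORWARD DROP
STEP2 = [Rule("ACCEPT", src="192.168.1.0/24", dst="10.0.0.0/8")]
STEP3 = STEP2 + [Rule("ACCEPT", states=("ESTABLISHED",))]   # step 3 return-traffic rule

# Constructed sample packets: an outbound request, its reply, and an unrelated probe.
OUT = Pkt("192.168.1.20", "10.1.2.3", "NEW")
REPLY = Pkt("10.1.2.3", "192.168.1.20", "ESTABLISHED")
UNSOLICITED = Pkt("10.1.2.3", "192.168.1.20", "NEW")   # not a reply to anything

def demo() -> dict:
    """Verdicts after step 2 alone versus after step 3."""
    return {
        "step2_out": forward(STEP2, POLICY, OUT),                  # ACCEPT
        "step2_reply": forward(STEP2, POLICY, REPLY),              # DROP: no rule for the reply
        "step3_reply": forward(STEP3, POLICY, REPLY),              # ACCEPT via ESTABLISHED
        "step3_unsolicited": forward(STEP3, POLICY, UNSOLICITED),  # DROP: NEW from 10/8
    }
```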
Logging the routing traffic in FORWARD Chain:
This will create a new chain and start logging all routed traffic: every packet in FORWARD jumps to ROUTELOG, the LOG rule there records it, and since LOG is non-terminating the packet returns to FORWARD for the remaining rules. Note that an unrestricted LOG rule on a busy router can flood the logs; a rate limit (the "limit" match) is commonly added in front of it.
# iptables -N ROUTELOG
# iptables -A FORWARD -j ROUTELOG
# iptables -I ROUTELOG -j LOG
Allowing a subnet to access the web (HTTP) in the outside world
# iptables -A FORWARD -s 10.0.0.0/24 -p tcp --dport 80 -j ACCEPT
Allow UDP (DNS) queries to the outside
# iptables -A FORWARD -s 10.0.0.0/24 -p udp --dport 53 -j ACCEPT