Thursday, July 4, 2019

SNAT Server Sanity Check

I need a quick sanity check on my iptables config for SNAT. I have a bunch of servers in a private IP space (10.0.10.0/24) with no external access that I'd like to have access out to the internet when needed.

I have a CentOS box that has firewalld disabled and the below iptables rules added after clearing everything out. I believe this should allow anything within that network to set its gateway to my CentOS box and get access out. I'm confident that only computers in the defined range can go in through the SNAT internally; I'm just concerned I'm opening up the public side of the SNAT to allow stuff in to my internal side, or some other security issue I'm totally missing.

There just doesn't seem to be a whole lot written about implementing SNATs!

```
# ens6 internal
# ens9 external

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT

-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.10.0/24 -i ens6 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 443 -m state --state ESTABLISHED -j ACCEPT

-A FORWARD -i ens9 -o ens6 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.10.0/24 -i ens6 -o ens9 -j ACCEPT
```
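For comparison, here is a complete gateway ruleset for the same topology (ens6 internal, ens9 external, 10.0.10.0/24) as an added example, not part of the original post: it adds the nat-table POSTROUTING rule that actually performs the SNAT (the posted rules are filter-table only), the ip_forward sysctl without which the FORWARD chain never sees a packet, an anti-spoofing drop so nothing arriving on ens9 can claim a 10.0.10.0/24 source, and a single RELATED,ESTABLISHED rule on INPUT in place of the per-port --sport rules. The public address 198.51.100.10 is a placeholder, since the post does not give one; the script only prints the rules, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): SNAT gateway ruleset in
# iptables-restore format for ens6 (LAN 10.0.10.0/24) -> ens9 (WAN).

LAN_IF=ens6
WAN_IF=ens9
LAN_NET=10.0.10.0/24
# Placeholder: the gateway's public address on ens9 (not given in the post).
WAN_IP=198.51.100.10

snat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The actual SNAT: rewrite the source of LAN traffic leaving the WAN side.
# Use -j MASQUERADE instead if the WAN address is dynamic.
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j SNAT --to-source ${WAN_IP}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the gateway itself: loopback, the LAN, and replies to its own
# connections on any port (replaces the per-port --sport ESTABLISHED rules).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s ${LAN_NET} -i ${LAN_IF} -j ACCEPT
# Anti-spoofing: nothing on the public side may claim a LAN source address.
-A FORWARD -s ${LAN_NET} -i ${WAN_IF} -j DROP
# Only replies come back in from the WAN; new inbound connections are dropped.
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s ${LAN_NET} -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
COMMIT
EOF
}

# Forwarding must be enabled or the FORWARD chain never sees a packet;
# rp_filter on the WAN side backs up the anti-spoofing rule above.
sysctl_settings() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv4.conf.%s.rp_filter = 1\n' "$WAN_IF"
}

# Usage: snat_ruleset | sudo iptables-restore
#        sysctl_settings | sudo tee /etc/sysctl.d/90-snat.conf && sudo sysctl --system
```

Diff `snat_ruleset` against `iptables-save` output to see exactly what the running box lacks; IPv6 is not covered here, so ip6tables needs its own policy.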
