In this hands-on lab, you will configure iptables on a Linux host to act as a secure, stateful gateway for a private subnet. You will implement default-deny policies, allow established connections, and enable NAT for outbound internet access.
Always start with a clean slate. Flush all existing rules and set the default policies for the INPUT and FORWARD chains to DROP, establishing a secure baseline.
💡 Pro-tip: Never lock yourself out. Ensure you have console access or explicitly allow SSH from your management IP before setting the INPUT policy to DROP.
This ensures that any traffic not explicitly permitted by subsequent rules will be silently discarded, enforcing the Zero Trust default-deny model.
Permit loopback traffic, established/related connections, and configure the nat table to masquerade outbound traffic from the internal subnet.
⚠️ Ensure IP forwarding is enabled in the kernel (sysctl -w net.ipv4.ip_forward=1) before configuring the FORWARD chain, or traffic will be dropped at the routing layer.
| Chain | Rule | Purpose |
|---|---|---|
| INPUT | -m state --state ESTABLISHED,RELATED -j ACCEPT | Allow return traffic for connections the host initiated |
| FORWARD | -s 192.168.1.0/24 -j ACCEPT | Allow internal outbound |
| POSTROUTING (nat table) | -s 192.168.1.0/24 -j MASQUERADE | Hide internal IPs behind the gateway's address |
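The whole procedure (default-deny baseline, loopback and return traffic, anti-lockout SSH rule, forwarding, masquerade) as one reviewable iptables-restore file, added here as an example and not part of the lab's own material. The interface names, the management IP (TEST-NET-3) and the `check_rules` helper are assumptions; the subnet is the lab's 192.168.1.0/24, and the rules use the `conntrack` match, which replaces the older `state` match.

```shell
#!/bin/sh
# Added example (not from the lab): render the lab's ruleset as an
# iptables-restore file so it can be reviewed and applied atomically.
# Assumed values (placeholders, adjust for your host):
WAN_IF="${WAN_IF:-eth0}"                # upstream interface (assumption)
LAN_IF="${LAN_IF:-eth1}"                # interface facing the private subnet (assumption)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # internal subnet from the lab table
MGMT_IP="${MGMT_IP:-203.0.113.10}"      # management host allowed to SSH (assumed, TEST-NET-3)
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and return traffic first, so the management session survives
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the management IP (the anti-lockout rule from the pro-tip)
-A INPUT -i $WAN_IF -p tcp -s $MGMT_IP --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# forward: return traffic, then internal -> upstream only
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# hide internal addresses behind the upstream interface
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Static check before applying: DROP policy on INPUT, the anti-lockout SSH rule
# and the masquerade rule must all be present. Returns 0 when the ruleset passes.
check_rules() {
  gen_rules | grep -q '^:INPUT DROP' || return 1
  gen_rules | grep -q -- "-A INPUT .*-s $MGMT_IP .*--dport 22" || return 1
  gen_rules | grep -q -- "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# Apply atomically (root required): iptables-restore loads the whole set in one
# step, so there is no window with DROP policies but no accept rules yet.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null && gen_rules | iptables-restore
}
if [ "${1:-}" = "--apply" ]; then check_rules && apply_rules; fi
```

Run it without arguments to print nothing and only define the functions; `sh gateway.sh --apply` (as root) validates and then loads the ruleset in one step, which is the lockout-safe way to move a remote host to a DROP policy.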