
Laboratorio Firewall

Paquetes Entrantes/Salientes

Para filtrar la respuesta al comando ping podemos realizar lo siguiente:


Filtrar el paquete entrante: echo-request
En el equipo 10.0.0.2 ejecutamos:
debian:~# iptables -A INPUT -p icmp --icmp-type 8 -s 10.0.0.1 -j DROP

debian:~# iptables -L
Chain INPUT (policy ACCEPT)
target
prot opt source
DROP
icmp -- 10.0.0.1
echo-request
Chain FORWARD (policy ACCEPT)

destination
anywhere

icmp

target

prot opt source

Chain OUTPUT (policy ACCEPT)


target
prot opt source
debian:~#

destination

destination

Filtrar el paquete saliente: echo-reply


En el equipo 10.0.0.2 ejecutamos:
debian:~# iptables -A OUTPUT -p icmp --icmp-type 0 -d 10.0.0.1 -j DROP

debian:~# iptables -L
Chain INPUT (policy ACCEPT)
target
prot opt source

destination

Chain FORWARD (policy ACCEPT)


target
prot opt source

destination

Chain OUTPUT (policy ACCEPT)


target
prot opt source
DROP
icmp -- anywhere
echo-reply
debian:~#

destination
10.0.0.1

icmp

Paquetes Salientes/Entrantes

En el caso de que se desee bloquear el comando ping desde la máquina firewall


podemos hacer lo siguiente:
Filtrar el paquete saliente: echo-request
En el equipo 10.0.0.2 ejecutamos:
debian:~# iptables -A OUTPUT -p icmp --icmp-type 8 -d 10.0.0.1 -j DROP
debian:~# iptables -L
Chain INPUT (policy ACCEPT)
target
prot opt source
destination
Chain FORWARD (policy ACCEPT)
target
prot opt source

destination

Chain OUTPUT (policy ACCEPT)


target
prot opt source
destination
DROP
icmp -- anywhere
10.0.0.1
echo-request
debian:~#
debian:~# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

icmp

--- 10.0.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
debian:~#

Filtrar el paquete entrante: echo-reply


En el equipo 10.0.0.2 ejecutamos:
debian:~# iptables -A INPUT -p icmp --icmp-type 0 -s 10.0.0.1 -j DROP
debian:~# iptables -L
Chain INPUT (policy ACCEPT)
target
prot opt source
destination
DROP
icmp -- 10.0.0.1
anywhere
icmp
echo-reply
Chain FORWARD (policy ACCEPT)

target

prot opt source

destination

Chain OUTPUT (policy ACCEPT)


target
prot opt source
destination
debian:~#
debian:~# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
--- 10.0.0.1 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6998ms
debian:~#

Paquetes Reenviados
Política predeterminada: ACEPTAR TODO

Salida de la LAN a Internet sin haber configurado el FW


debian:~# ifconfig eth0
eth0
Link encap:Ethernet HWaddr 00:00:21:B6:27:22
inet addr:10.0.0.2 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::200:21ff:feb6:2722/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:71 errors:0 dropped:0 overruns:0 frame:0
TX packets:464 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5552 (5.4 KiB) TX bytes:50668 (49.4 KiB)
Interrupt:11 Base address:0x6400
debian:~# route -n
Kernel IP routing table
Destination
Gateway
Use Iface
10.0.0.0
0.0.0.0
0 eth0
0.0.0.0
10.0.0.1
0 eth0
debian:~# cat /etc/resolv.conf
search home
nameserver 208.67.222.222

Genmask

Flags Metric Ref

255.0.0.0

0.0.0.0

UG

nameserver 208.67.220.220
#nameserver 200.48.225.130
#nameserver 200.48.225.146
debian:~# host www.google.com
Nameserver not responding
www.google.com A record not found, try again
debian:~#

Configuración del FW para permitir la salida a Internet


[root@FW ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@FW ~]# iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.1.3
[root@FW ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source
destination
Chain FORWARD (policy ACCEPT)
target prot opt source
destination
Chain OUTPUT (policy ACCEPT)
target prot opt source
destination
[root@FW ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source
destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source
destination
SNAT
all -- 10.0.0.0/8
anywhere

to:192.168.1.3

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]#
Después de configurar el FW podemos salir a Internet
debian:~# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.914 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.728 ms
--- 10.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.728/0.821/0.914/0.093 ms
debian:~# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=127 time=1.28 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=127 time=1.16 ms
--- 192.168.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.165/1.226/1.287/0.061 ms
debian:~# host www.google.com
www.google.com
CNAME
google.navigation.opendns.com

google.navigation.opendns.com
google.navigation.opendns.com
debian:~#

A
A

208.67.219.230
208.67.219.231

Para permitir que los paquetes se reenvíen al Servidor HTTP de la LAN

Si no se configura el Servidor Firewall, desde Internet no podrán ingresar al Servidor


HTTP

Ejecutar en el Servidor Firewall los siguientes comandos:


[root@FW ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2
[root@FW ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source
destination
DNAT
tcp -- anywhere
anywhere
tcp dpt:http to:10.0.0.2
Chain POSTROUTING (policy ACCEPT)
target prot opt source
destination
SNAT
all -- 10.0.0.0/8
anywhere

to:192.168.1.3

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]#
Como se muestra ya se puede ingresar al Servidor HTTP

Paquetes Reenviados
Política predeterminada: DENEGAR TODO
Creación de script básico:
[root@FW ~]# cat fw.sh
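# fw.sh: baseline policy for the FW host. Must run as root.
# Flushes the filter and nat tables, keeps INPUT/OUTPUT open, default-denies
# FORWARD, logs every forwarded packet, enables routing and SNATs the
# 10.0.0.0/8 LAN behind 192.168.1.3.
iptables -F            # drop every rule in the filter table
iptables -X            # delete user-defined chains
iptables -Z            # zero packet/byte counters
iptables -t nat -F     # flush the nat table too (the option is -F, not F)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP   # anything not ACCEPTed by a later rule is dropped
# First rule in FORWARD: logs every forwarded packet, accepted ones included.
# There is no -m limit, so a flood of forwarded traffic can swamp the kernel log.
iptables -A FORWARD -j LOG
echo 1 > /proc/sys/net/ipv4/ip_forward   # enable routing between interfaces
# Source-NAT the LAN to the FW's external address
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.1.3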
[root@FW ~]#
[root@FW ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source
destination
Chain FORWARD (policy DROP)
target prot opt source
destination
LOG
all -- anywhere
anywhere

LOG level warning

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source
destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source
destination
Chain OUTPUT (policy ACCEPT)
target prot opt source
destination
[root@FW ~]#
Por el momento están bloqueados los paquetes reenviados, por lo tanto no hay salida
de la LAN a Internet y tampoco pueden ingresar al Servidor HTTP
Permitir consultas a los Servidores DNS

[root@FW ~]# iptables -A FORWARD -i eth1 -p tcp --dport 53 -j ACCEPT


[root@FW ~]# iptables -A FORWARD -i eth1 -p udp --dport 53 -j ACCEPT
[root@FW ~]# iptables -A FORWARD -i eth0 -p tcp --sport 53 -j ACCEPT
[root@FW ~]# iptables -A FORWARD -i eth0 -p udp --sport 53 -j ACCEPT
[root@FW ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source
destination
Chain FORWARD (policy DROP)
target prot opt source
destination
LOG
all -- anywhere
anywhere
ACCEPT all -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT udp -- anywhere
anywhere
ACCEPT udp -- anywhere
anywhere

LOG level warning


tcp dpt:domain
tcp spt:domain
udp dpt:domain
udp spt:domain

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]#
[root@FW ~]# cat /proc/net/ip_conntrack
tcp 6 431999 ESTABLISHED src=192.168.1.2 dst=192.168.1.3 sport=1456
dport=22 packets=2019 bytes=182276 src=192.168.1.3 dst=192.168.1.2 sport=22
dport=1456 packets=2617 bytes=180216 [ASSURED] mark=0 use=1 rate=100
udp
17 6 src=10.0.0.2 dst=10.255.255.255 sport=138 dport=138 packets=2
bytes=500 [UNREPLIED] src=10.255.255.255 dst=10.0.0.2 sport=138 dport=138
packets=0 bytes=0 mark=0 use=1 rate=70
udp
17 177 src=10.0.0.2 dst=208.67.222.222 sport=1068 dport=53 packets=5
bytes=340 src=208.67.222.222 dst=192.168.1.3 sport=53 dport=1068 packets=5
bytes=607 [ASSURED] mark=0 use=1 rate=80
[root@FW ~]#
Esto no es suficiente para que desde la LAN puedan navegar
[root@FW ~]# cat /proc/net/ip_conntrack
tcp 6 52 SYN_RECV src=10.0.0.2 dst=208.111.148.94 sport=1035 dport=80 packe
ts=1 bytes=60 src=208.111.148.94 dst=192.168.1.3 sport=80 dport=1035 packets=5 b
ytes=320 mark=0 use=1 rate=10
udp
17 6 src=10.0.0.2 dst=208.67.222.222 sport=1070 dport=53 packets=1 byte
s=60 src=208.67.222.222 dst=192.168.1.3 sport=53 dport=1070 packets=1 bytes=108
mark=0 use=1 rate=30
udp
17 6 src=10.0.0.2 dst=208.67.222.222 sport=1071 dport=53 packets=1 byte
s=60 src=208.67.222.222 dst=192.168.1.3 sport=53 dport=1071 packets=1 bytes=92 m
ark=0 use=1 rate=20
udp 17 156 src=10.0.0.2 dst=208.67.222.222 sport=1069 dport=53 packets=2 by
tes=120 src=208.67.222.222 dst=192.168.1.3 sport=53 dport=1069 packets=2 bytes=2
00 [ASSURED] mark=0 use=1 rate=20
udp
17 6 src=10.0.0.2 dst=208.67.222.222 sport=1072 dport=53 packets=1 byte
s=60 src=208.67.222.222 dst=192.168.1.3 sport=53 dport=1072 packets=1 bytes=108
mark=0 use=1 rate=30

tcp 6 40 SYN_RECV src=10.0.0.2 dst=208.111.148.94 sport=1033 dport=80 packe


ts=1 bytes=60 src=208.111.148.94 dst=192.168.1.3 sport=80 dport=1033 packets=6 b
ytes=384 mark=0 use=1 rate=0
udp 17 133 src=10.0.0.2 dst=208.67.222.222 sport=1068 dport=53 packets=6 by
tes=400 src=208.67.222.222 dst=192.168.1.3 sport=53 dport=1068 packets=6 bytes=6
99 [ASSURED] mark=0 use=1 rate=20
tcp 6 51 SYN_RECV src=10.0.0.2 dst=208.111.148.94 sport=1034 dport=80 packe
ts=1 bytes=60 src=208.111.148.94 dst=192.168.1.3 sport=80 dport=1034 packets=5 b
ytes=320 mark=0 use=1 rate=10
[root@FW ~]#
Como se muestra, las únicas conexiones ASEGURADAS son las consultas DNS.
Permitir la salida de las peticiones al puerto 80
[root@FW ~]# iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
[root@FW ~]# iptables -A FORWARD -i eth0 -p tcp --sport 80 -j ACCEPT
[root@FW ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source
destination
Chain FORWARD (policy DROP)
target prot opt source
destination
LOG
all -- anywhere
anywhere
ACCEPT all -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT udp -- anywhere
anywhere
ACCEPT udp -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere

LOG level warning


tcp dpt:domain
tcp spt:domain
udp dpt:domain
udp spt:domain
tcp dpt:http
tcp spt:http

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]#
[root@FW ~]# cat /proc/net/ip_conntrack
tcp 6 7 TIME_WAIT src=10.0.0.2 dst=208.111.148.94 sport=1112 dport=80
packets=5 bytes=755 src=208.111.148.94 dst=192.168.1.3 sport=80 dport=1112
packets=5 bytes=1596 [ASSURED] mark=0 use=1 rate=570
udp
17 60 src=10.0.0.2 dst=208.67.222.222 sport=1136 dport=53 packets=2
bytes=120 src=208.67.222.222 dst=192.168.1.3 sport=53 dport=1136 packets=2
bytes=200 [ASSURED] mark=0 use=1 rate=60
tcp 6 8 TIME_WAIT src=10.0.0.2 dst=66.29.38.249 sport=1114 dport=80
packets=6 bytes=850 src=66.29.38.249 dst=192.168.1.3 sport=80 dport=1114
packets=4 bytes=581 [ASSURED] mark=0 use=1 rate=230
udp
17 59 src=10.0.0.2 dst=208.67.222.222 sport=1122 dport=53 packets=2
bytes=120 src=208.67.222.222 dst=192.168.1.3 sport=53 dport=1122 packets=2
bytes=184 [ASSURED] mark=0 use=1 rate=50

Permitir el acceso al Servidor HTTP

[root@FW ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2
[root@FW ~]# iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 10.0.0.2 -j ACCEPT
[root@FW ~]# iptables -A FORWARD -i eth1 -p tcp --sport 80 -s 10.0.0.2 -j ACCEPT
[root@FW ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source
destination
Chain FORWARD (policy DROP)
target prot opt source
destination
LOG
all -- anywhere
anywhere
ACCEPT all -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT udp -- anywhere
anywhere
ACCEPT udp -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT tcp -- anywhere
10.0.0.2
Chain OUTPUT (policy ACCEPT)
target prot opt source
destination
[root@FW ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source
destination
DNAT
tcp -- anywhere
anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source
destination
SNAT
all -- 10.0.0.0/8
anywhere

LOG level warning


tcp dpt:domain
tcp spt:domain
udp dpt:domain
udp spt:domain
tcp dpt:http
tcp spt:http
tcp dpt:http

tcp dpt:http to:10.0.0.2

to:192.168.1.3

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]#
Permitir sesiones remotas en el Servidor HTTP
[root@FW ~]# iptables -A FORWARD -d 192.168.1.10 -p tcp --dport 22 -d 10.0.0.2 -j ACCEPT
[root@FW ~]# iptables -A FORWARD -p tcp --dport 22 -d 10.0.0.2 -j ACCEPT
[root@FW ~]# iptables -A FORWARD -i eth1 -p tcp --sport 22 -s 10.0.0.2 -j ACCEPT
[root@FW ~]#
[root@FW ~]# iptables -L
Chain INPUT (policy ACCEPT)

target

prot opt source

destination

Chain FORWARD (policy DROP)


target prot opt source
destination
LOG
all -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT udp -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT udp -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT tcp -- anywhere
anywhere
ACCEPT tcp -- anywhere
10.0.0.2
ACCEPT tcp -- 10.0.0.2
anywhere
ACCEPT tcp -- anywhere
10.0.0.2
ACCEPT tcp -- 10.0.0.2
anywhere

LOG level warning


tcp dpt:domain
udp dpt:domain
tcp spt:domain
udp spt:domain
tcp dpt:http
tcp spt:http
tcp dpt:http
tcp spt:http
tcp dpt:ssh
tcp spt:ssh

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source
destination
DNAT
tcp -- anywhere
anywhere
DNAT
tcp -- anywhere
192.168.1.10
Chain POSTROUTING (policy ACCEPT)
target prot opt source
destination
SNAT
all -- 10.0.0.0/8
anywhere

tcp dpt:http to:10.0.0.2


tcp dpt:ssh to:10.0.0.2

to:192.168.1.3

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]#
[root@FW ~]# cat /proc/net/ip_conntrack
tcp 6 431999 ESTABLISHED src=192.168.1.2 dst=192.168.1.3 sport=1456
dport=22 packets=4158 bytes=374816 src=192.168.1.3 dst=192.168.1.2 sport=22
dport=1456 packets=5267 bytes=453188 [ASSURED] mark=0 use=1 rate=940
tcp 6 431926 ESTABLISHED src=192.168.1.2 dst=192.168.1.10 sport=2623
dport=22 packets=23 bytes=2379 src=10.0.0.2 dst=192.168.1.2 sport=22 dport=2623
packets=27 bytes=3213 [ASSURED] mark=0 use=1 rate=500
[root@FW ~]#

[root@FW ~]# iptables -L -n


Chain INPUT (policy ACCEPT)
target prot opt source
destination
Chain FORWARD (policy DROP)
target prot opt source
destination
LOG
all -- 0.0.0.0/0
0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0
0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0
0.0.0.0/0

LOG flags 0 level 4


tcp dpt:53
udp dpt:53

ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT

tcp -- 0.0.0.0/0
udp -- 0.0.0.0/0
tcp -- 0.0.0.0/0
tcp -- 0.0.0.0/0
tcp -- 0.0.0.0/0
tcp -- 10.0.0.2
tcp -- 0.0.0.0/0
tcp -- 10.0.0.2

0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
10.0.0.2
0.0.0.0/0
10.0.0.2
0.0.0.0/0

tcp spt:53
udp spt:53
tcp dpt:80
tcp spt:80
tcp dpt:80
tcp spt:80
tcp dpt:22
tcp spt:22

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]#
[root@FW ~]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source
destination
DNAT
tcp -- 0.0.0.0/0
0.0.0.0/0
DNAT
tcp -- 0.0.0.0/0
192.168.1.10

tcp dpt:80 to:10.0.0.2


tcp dpt:22 to:10.0.0.2

Chain POSTROUTING (policy ACCEPT)


target prot opt source
destination
SNAT
all -- 10.0.0.0/8
0.0.0.0/0

to:192.168.1.3

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]#

Estados de conexión

Usando el estado de conexión podemos usar el siguiente script


[root@FW ~]# cat fw1.sh
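# fw1.sh: stateful version of the FW policy. Must run as root.
# Same baseline as fw.sh (flush, default-deny FORWARD, LOG, ip_forward, SNAT),
# but reply traffic is admitted by one ESTABLISHED,RELATED rule at the end
# instead of one --sport rule per service.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP   # anything not ACCEPTed by a later rule is dropped
# Logs every forwarded packet, accepted ones included; no -m limit, so a
# flood of forwarded traffic can swamp the kernel log.
iptables -A FORWARD -j LOG
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.1.3
# LAN (eth1) -> Internet: DNS and HTTP requests.
iptables -A FORWARD -i eth1 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
# Internet (eth0) -> LAN HTTP server. The DNAT has no -d match, so every tcp/80
# packet arriving on eth0 is redirected to 10.0.0.2, whatever address it
# was sent to. Option name is --to-destination (one word, hyphenated).
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2
iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 10.0.0.2 -j ACCEPT
# SSH to the LAN server via 192.168.1.10 (presumably a second address on the
# FW -- confirm). The FORWARD rule has no -i, so SSH to 10.0.0.2 is accepted
# from either interface.
iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.2
iptables -A FORWARD -p tcp --dport 22 -d 10.0.0.2 -j ACCEPT
# Replies (and related flows) for everything admitted above.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT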
[root@FW ~]#

[root@FW ~]# iptables -L -n


Chain INPUT (policy ACCEPT)
target prot opt source
destination
Chain FORWARD (policy DROP)
target prot opt source
destination
LOG
all -- 0.0.0.0/0
0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0
0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0
0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0
0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0
10.0.0.2
ACCEPT tcp -- 0.0.0.0/0
10.0.0.2
ACCEPT all -- 0.0.0.0/0
0.0.0.0/0

LOG flags 0 level 4


tcp dpt:53
udp dpt:53
tcp dpt:80
tcp dpt:80
tcp dpt:22
state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]#
[root@FW ~]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source
destination
DNAT
tcp -- 0.0.0.0/0
0.0.0.0/0
DNAT
tcp -- 0.0.0.0/0
192.168.1.10

tcp dpt:80 to:10.0.0.2


tcp dpt:22 to:10.0.0.2

Chain POSTROUTING (policy ACCEPT)


target prot opt source
destination
SNAT
all -- 10.0.0.0/8
0.0.0.0/0

to:192.168.1.3

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@FW ~]#

Línea interesante:
iptables -t nat -A PREROUTING -m mac --mac-source 00:16:76:8f:DE:F2 -i eth1 -s ! 192.168.1.22 -j DROP
Le estás diciendo que si esa MAC tiene una IP DIFERENTE (!) a
192.168.1.22, elimine los paquetes.
