linux

Iptables: could you see the rules?

Good afternoon. I work as a programmer (backend), but I also want to develop in the direction of administration and try to understand netfilter in Linux in more detail. I used to set up only simple things like open a port on a machine and that's it. And then I decided to try to make a test bench from two virtual machines: a gateway and a client. In general, I'm doing NAT for the first time (I've been sitting for two evenings, redid it several times, but it all seems that I'm doing something wrong, although it works).

Could you look at my iptables rules with an experienced eye and suggest what is superfluous or what is missing?

On the gateway external interface enp0s3 with IP 192.168.88.27
Local grid 10.0.1.0/24
Gateway interface that looks to the local area: enp0s8 with IP10.0.1.1
IP of the local machine that needs to be connected and ports forwarded - 10.0.1.2

I want to forward the external port 192.168.88.27:8080 to the local machine 10.0.1.2:80

In the table filterfor all chains, the DROP

enp0s3 - inet, enp0s8 - local

INPUT policy is:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp0s8 -j ACCEPT

FORWARD:

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.1.2/32 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT
-A FORWARD -i enp0s8 -o lo -j ACCEPT

OUTPUT:

-A OUTPUT -o enp0s3 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o enp0s8 -j ACCEPT

Table nat(all policies ACCEPT)

PREROUTING:

-A PREROUTING -d 192.168.88.27/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.1.2:80

OUTPUT:

-A OUTPUT -d 192.168.88.27/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.1.2:80

POSTROUTING:

-A POSTROUTING -o enp0s3 -j SNAT --to-source 192.168.88.27
-A POSTROUTING -s 10.0.1.0/24 -d 10.0.1.2/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 10.0.1.1
# Либо только:
# -A POSTROUTING -s 10.0.1.0/24 -j MASQUERADE

I have several doubts. If you need to forward the port, and so that from computers on the local network you can access the external IP:PORT of the gateway to a host from this network and everything works correctly, then I added as many as 4 rules:

# filter
-A FORWARD -d 10.0.1.2/32 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT

# nat
-A PREROUTING -d 192.168.88.27/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.1.2:80
-A OUTPUT -d 192.168.88.27/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.1.2:80
-A POSTROUTING -s 10.0.1.0/24 -d 10.0.1.2/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 10.0.1.1

Do I need to do this or remove / add / fix something? And besides nat - can something be removed or is it necessary to add?

I read this good wiki , but I didn’t manage to do it purely - then there is no Internet on the local machine, then the port is not forwarded

Thanks in advance!