Dúvida de iniciante IPTABLES.

[MegaRevolt]

Senhores, comecei a aprender iptables e estou com algumas dúvidas.
Segue a imagem da minha topologia de teste.

http://tinypic.com/r/2w3p1ed/8
No caso não estou conseguindo criar uma regra que libere o cliente 1 (10.0.3.2) para passar direto pelo NAT do firewall,
ele só tem acesso externo quando eu mudo a política padrão do FORWARD para ACCEPT, mas neste caso todos os hosts da rede local conseguem o acesso.
Preciso que a política padrão do FORWARD continue DROP mas que o cliente 1 consiga acesso externo normalmente.

Segue meu script.
E já agradeço qualquer ajuda.

#!/bin/bash

IF_WEB=eth0
IF_LAN=eth1


stop(){

##########################
# Limpa as Regras #
##########################
iptables -F
iptables -t nat -F
iptables -t mangle -F

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

}

start(){
##########################
# Limpa as Regras #
##########################
iptables -F
iptables -t nat -F
iptables -t mangle -F

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT


###############################
# Aplica as Políticas padrões #
###############################
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


###############################################
# Permite host da rede local pingar o firewall#
###############################################
iptables -A INPUT -i $IF_LAN -p icmp -j ACCEPT
iptables -A OUTPUT -o $IF_LAN -p icmp -j ACCEPT

#################################################################
# Permite os que o Hosts da rede local acessem a porta do squid #
#################################################################
iptables -A INPUT -i $IF_LAN -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -o $IF_LAN -p tcp --sport 3128 -j ACCEPT

#########################
# Nat Para Internet #
#########################
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $IF_WEB -j MASQUERADE


######################################################
# Libera a Saída full Para uma excessão (cliente 1) #
######################################################
??????????????????????????



}

case $1 in

start)
start
;;

stop)
stop
;;

restart)
stop
start
;;

*)
echo "Erro, utilize os seguintes parâmetros: start | stop | restart"
exit 0
;;
esac

[spikey]

Olá,

Tente isso, lembrando que com a opção -A as regras são adicionadas uma abaixo da outra:

Código:

iptables -t filter -A FORWARD -s 10.0.3.2 -d 0.0.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o $IF_WEB -s 10.0.3.2 -j MASQUERADE