Re: [Bastille-linux-discuss] Q: Allow port-forwarding through Bastille 1.3 firewall?
From: Jeremy G. <jg...@cr...> - 2002-09-30 15:59:27
> I would like the NAT/router to forward, for example, requests to port
> 110 to one of the machines in the private network.
>
> My plan is to
> 1/ use the iptables command to add the port forwarding rules to the
>    running Bastille firewall
> 2/ run iptables-save > /etc/sysconfig/iptables to save the in-memory rules
> 3/ switch off the Bastille firewall, and use the iptables daemon to
>    control the firewall
>
> Does this seem like a reasonable plan?

Reasonable? Not really. Ideal? Definitely not.

Here's how I did it (actually, this is simplified; let me know if you
want the nicer version):

1) Set up the bastille-firewall scripts as normal.
2) Create the file/directory /etc/Bastille/firewall.d/pre-chain-split.sh
3) In pre-chain-split do this:

   $IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp -d x.y.w.z --dport 110 -j ACCEPT
   $IPTABLES -A PREROUTING -t nat -i eth0 -p tcp -d j.k.l.m --dport 110 -j DNAT --to x.y.w.z

   Where x.y.w.z is the destination of your port forward and j.k.l.m is
   your internet IP.

The nicer version I have is an init.d script called ip_portfw that just
takes a config file; the config file /etc/sysconfig/ip_portfw has a line
for each forward and the script loops through it and does the above
iptables commands. It's nicer because it looks up the source IP based on
a particular ethernet device rather than you having to hard code it into
your forward script.

> Finally, while experimenting, I think I have damaged my routing in a
> bizarre way. I can no longer telnet port 25 (one of the ports that I
> tried to forward) *on* certain machines *from* certain machines behind
> the firewall. This persists even after a reboot of the affected
> machines?? Has anyone any idea how this kind of state could be preserved?

If they are behind the firewall then there should not be any routing
performed by the server (unless your netmasks are a little wonky). Does
it just hang or do you get a connection refused?

J
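The config-driven variant the reply describes (a per-line config file, the external IP looked up from an interface rather than hard-coded) was never posted. What follows is an added example written for this page, not Jeremy's ip_portfw script and not part of Bastille: a POSIX sh hook in that shape, meant to be called from /etc/Bastille/firewall.d/pre-chain-split.sh. The config-line format, the names PORTFW_CONF, LAN_IFACE and ADDR_LOOKUP, and the input validation are this example's own assumptions; it goes beyond the two rules in the reply by rejecting malformed lines and by allowing the internal port to differ from the external one.

```shell
#!/bin/sh
# Added example: config-driven port forwarding for a Bastille-style firewall.
# Not the poster's ip_portfw script; PORTFW_CONF, LAN_IFACE, ADDR_LOOKUP and
# the line format below are assumptions made for this example.
#
# Config line format: <ext_iface> <proto> <ext_port> <lan_ip> [<lan_port>]
#   eth0 tcp 110 192.168.1.10          # external :110 -> 192.168.1.10:110
#   eth0 tcp 25  192.168.1.10 2525     # external :25  -> 192.168.1.10:2525

IPTABLES="${IPTABLES:-iptables}"                 # set to "echo iptables" for a dry run
PORTFW_CONF="${PORTFW_CONF:-/etc/sysconfig/ip_portfw}"
LAN_IFACE="${LAN_IFACE:-eth1}"                   # interface facing the private network
ADDR_LOOKUP="${ADDR_LOOKUP:-iface_addr}"         # function that resolves iface -> external IP

# iface_addr IFACE: first IPv4 address on IFACE, read from ip(8) at run time,
# so the public address is never hard-coded into the firewall script.
iface_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# valid_port N: digits only, 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: exactly four numeric octets, each 0..255
valid_ipv4() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# add_forward EXT_IFACE EXT_IP PROTO EXT_PORT LAN_IP LAN_PORT: the two rules the
# reply shows, one FORWARD accept and one PREROUTING DNAT, issued via $IPTABLES.
add_forward() {
    $IPTABLES -A FORWARD -i "$1" -o "$LAN_IFACE" -p "$3" -d "$5" --dport "$6" -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i "$1" -p "$3" -d "$2" --dport "$4" \
        -j DNAT --to-destination "$5:$6"
}

# portfw_from_conf [FILE]: read the config, validate each line and install its
# rules. Bad lines are reported to stderr and skipped; the return status is 1
# if any line was rejected, so a caller can notice a broken config file.
portfw_from_conf() {
    _conf="${1:-$PORTFW_CONF}"
    _rc=0
    _n=0
    while read -r _if _proto _eport _lan _lport _rest || [ -n "$_if" ]; do
        _n=$((_n + 1))
        case "$_if" in ''|'#'*) continue ;; esac        # blank line or comment
        _lport="${_lport:-$_eport}"                     # internal port defaults to external
        case "$_proto" in
            tcp|udp) ;;
            *) echo "$_conf:$_n: bad protocol '$_proto'" >&2; _rc=1; continue ;;
        esac
        if ! valid_port "$_eport" || ! valid_port "$_lport" || ! valid_ipv4 "$_lan"; then
            echo "$_conf:$_n: bad port or address" >&2; _rc=1; continue
        fi
        _ext=$("$ADDR_LOOKUP" "$_if")
        if [ -z "$_ext" ]; then
            echo "$_conf:$_n: no IPv4 address on $_if" >&2; _rc=1; continue
        fi
        add_forward "$_if" "$_ext" "$_proto" "$_eport" "$_lan" "$_lport"
    done < "$_conf"
    return $_rc
}

# Only act when run as "script start" (e.g. from pre-chain-split.sh);
# sourcing the file just defines the functions.
case "${1:-}" in start) portfw_from_conf ;; esac
```

Run it with `IPTABLES="echo iptables" sh ip_portfw.sh start` first to see the exact rules it would add. The FORWARD rule belongs in pre-chain-split for the reason the reply gives: it has to land before the firewall's own chain setup so that the forwarded traffic is accepted rather than dropped. Forwarding also requires net.ipv4.ip_forward=1 on the router, which these rules do not set.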