Re: [Bastille-linux-discuss] Q: Allow port-forwarding through Bastille 1.3 firewall?

[Jeremy G. <jg...@cr...>]

> I would like the NAT/router to forward, for example, requests to port 
> 110 to one of the machines in the private network.
> 
> My plan is to
> 1/ use the iptables command to add the port forwarding rules to the 
> running Bastille firewall
> 2/ run iptables-save > /etc/sysconfig/iptables to save the in-memory rules
> 3/ switch off the Bastille firewall, and use the iptables deamon to 
> control the firewall
> 
> Does this seem like a reasonable plan?

Reasonable? Not really. Ideal? Definitely not. Here's how I did it
(actually, this is simplified; let me know if you want the nicer version)

1) Setup the bastille-firewall scripts as normal.
2) Create the file/directory /etc/Bastille/firewall.d/pre-chain-split.sh
3) In pre-chain-split do this:

$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp -d x.y.w.z --dport 110 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp -d j.k.l.m --dport 110 -j DNAT --to x.y.w.z

Where x.y.w.z is the destination of your port forward and j.k.l.m is your
internet IP. The nicer version I have is an init.d script called ip_portfw
that just takes a config file; the config file /etc/sysconfig/ip_portfw
has a line for each forward and the script loops through it and does the
above iptables commands. It's nicer because it looks up the source IP
based on a particular ethernet device rather than you having to hard code
it into your forward script.

> Finally, while experimenting, I think I have damaged my routing in a 
> bizaare way. I can no-longer telnet port 25 (one of the ports that I 
> tried to forward) *on* certain machines *from* certain machines behind 
> the firewall. This persists even after a reboot of the affected 
> machines?? Has any idea how this kind of state could be preserved?

If they are behind the firewall then there should not be any routing
performed by the server (unless your netmasks are a little wonky). Does it
just hang or do you get a connection refused?

J