Thread: Firewall ACLs
Post #34, 9th June 2008, 01:50
chillifire (HowtoForge Supporter, joined Oct 2007, 75 posts)
New iptables rules don't seem to be recognised by Bastille

I tried to add the following two rules

Code:
/sbin/iptables -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
/sbin/iptables -t nat -A OUTPUT -p tcp -d a.b.c.d --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
based on advice received from this post (http://www.howtoforge.com/forums/showthread.php?t=23889&goto=newpost).
(The purpose is to relay an HTTP request from any external workstation via an OpenVPN server to an OpenVPN client which has no public IP address.) a.b.c.d is obviously replaced with my public IP address on my system.

Now, I added a file pre-chain-split.sh to a new directory firewall.d under /etc/Bastille as described in this post. The restart runs through just fine:
Code:
root@blackbird:/etc/Bastille/firewall.d# /etc/init.d/bastille-firewall restart
Setting up IP spoofing protection... done.
Allowing traffic from trusted interfaces... done.
Setting up chains for public/internal interface traffic... done.
Setting up general rules... done.
Setting up outbound rules... done.
but no iptables rule seems to be appended. The output of iptables -L -v (as shown below) is exactly as before, and a PREROUTING chain is not even mentioned.

I deliberately put an error into pre-chain-split.sh to check whether it is even run. And yes, I get an error message if I build an error into the file, so we know it is executed fine.

Any idea anyone why this might not be working for me?

Cheers

chillifire


Appendix: Output of iptables -L -v
Code:
root@blackbird:/etc/Bastille/firewall.d# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !lo    any     anywhere             127.0.0.0/8
 1505  160K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   37  1924 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere
   19  1046 PUB_IN     all  --  eth+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  ppp+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  slip+  any     anywhere             anywhere
    0     0 PUB_IN     all  --  venet+ any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 278 packets, 24730 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2361  474K PUB_OUT    all  --  any    eth+    anywhere             anywhere
    0     0 PUB_OUT    all  --  any    ppp+    anywhere             anywhere
    0     0 PUB_OUT    all  --  any    slip+   anywhere             anywhere
    0     0 PUB_OUT    all  --  any    venet+  anywhere             anywhere

Chain INT_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain INT_OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain PAROLE (16 references)
 pkts bytes target     prot opt in     out     source               destination
   18   976 ACCEPT     all  --  any    any     anywhere             anywhere

Chain PUB_IN (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain
   16   856 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:www
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:81
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:webmin
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:radius
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:radius-acct
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:mysql
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:openvpn
    2   120 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:munin
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:2812
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere            tcp dpt:4960
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain
    1    70 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:openvpn
    0     0 DROP       icmp --  any    any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain PUB_OUT (4 references)
 pkts bytes target     prot opt in     out     source               destination
 2357  472K ACCEPT     all  --  any    any     anywhere             anywhere
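Two things about the appendix are worth checking before concluding the rules were not appended; the script below is an added example and is not part of chillifire's post or of Bastille. First, iptables -L -v lists only the filter table, so nat-table chains such as PREROUTING never appear in that output whether or not the DNAT rules exist; iptables -t nat -L -n -v (or iptables-save) shows them. Second, the FORWARD chain in the appendix accepts only RELATED,ESTABLISHED before dropping everything, so even a working DNAT to 10.8.0.7:8080 needs a matching FORWARD accept (and net.ipv4.ip_forward=1) before the relay passes traffic. The script checks both conditions against iptables-save-format text. The embedded rule dumps are constructed, 203.0.113.10 stands in for a.b.c.d, and tun+ as the OpenVPN interface name is an assumption.

```shell
#!/bin/sh
# Added example (not from the post or from Bastille): check whether a DNAT
# port-forward is present in the nat table and whether the filter FORWARD
# chain lets the translated packets through.  Works on iptables-save format,
# so on a live box: report "$(iptables-save)".

# Constructed dump: nat table with the two rules from the post (203.0.113.10
# stands in for a.b.c.d), filter FORWARD as shown in the post's appendix.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
-A OUTPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT
'

# Constructed dump with the same nat rules plus a FORWARD accept scoped to the
# DNAT target only (tun+ as the OpenVPN interface is an assumption), rather
# than a blanket ACCEPT on FORWARD.
FIXED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
-A OUTPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.8.0.7/32 -o tun+ -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
COMMIT
'

# table_section TABLE RULES: print the lines of *TABLE up to its COMMIT.
table_section() {
    printf '%s\n' "$2" | awk -v t="*$1" '$0 == t {on=1; next} /^COMMIT/ {on=0} on'
}

# has_dnat RULES DPORT TARGET: succeeds if nat PREROUTING DNATs DPORT to TARGET.
has_dnat() {
    table_section nat "$1" |
        grep -q -- "^-A PREROUTING .*--dport $2 .*-j DNAT --to-destination $3\$"
}

# forward_allows RULES IP PORT: succeeds if FORWARD has an ACCEPT for new
# connections to IP:PORT (the RELATED,ESTABLISHED rule alone does not count).
forward_allows() {
    table_section filter "$1" | grep -- '^-A FORWARD ' |
        grep -v -- 'RELATED,ESTABLISHED' |
        grep -q -- "-d $2/32 .*--dport $3 .*-j ACCEPT"
}

# ip_forward_enabled [FILE]: kernel forwarding must be on for DNAT to another
# host to do anything; FILE defaults to the live sysctl.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# report RULES: human-readable verdict for the 8007 -> 10.8.0.7:8080 relay.
report() {
    if has_dnat "$1" 8007 10.8.0.7:8080; then
        echo "nat PREROUTING: DNAT 8007 -> 10.8.0.7:8080 present"
    else
        echo "nat PREROUTING: DNAT rule missing (iptables -L omits the nat table; use iptables -t nat -L -n -v)"
    fi
    if forward_allows "$1" 10.8.0.7 8080; then
        echo "filter FORWARD: new connections to 10.8.0.7:8080 accepted"
    else
        echo "filter FORWARD: translated packets hit the DROP policy; add an ACCEPT scoped to 10.8.0.7:8080"
    fi
    if ip_forward_enabled; then
        echo "kernel: net.ipv4.ip_forward=1"
    else
        echo "kernel: net.ipv4.ip_forward is off or unreadable"
    fi
}

report "$SAMPLE_RULES"
echo "--- with scoped FORWARD rule ---"
report "$FIXED_RULES"
```

Run against the constructed dumps, the first report shows the DNAT present but FORWARD blocking, and the second shows both satisfied. On a real host, feed it the live ruleset with report "$(iptables-save)" as root; the FORWARD rule in FIXED_RULES is scoped to the single destination and port rather than opening forwarding generally.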