I can now offer a better solution that is based on a script from the Bastille guys as well (see code below). What I added was the MASQUERADE rule and the switch that ensures that port forwarding is actually activated on your LINUX server (tested for Ubuntu/Debian; please check with your LINUX distro that the same switch exists in the same location, or adjust the script accordingly in the line starting with "echo 1 > ..."). Other than being fully compliant with iptables and Bastille, the script offers the additional advantage that port forwarding is only opened for explicitly specified ports, as opposed to the entire tun+ interfaces as was done in my solution. Here goes:
Code:
mkdir /etc/Bastille/firewall.d
mkdir /etc/Bastille/firewall.d/pre-chain-split.d
touch /etc/Bastille/firewall.d/pre-chain-split.d/portforward.sh
chmod 755 /etc/Bastille/firewall.d/pre-chain-split.d/portforward.sh
Now copy all the following code into the file portforward.sh
The magic is happening in the lines under item 1. Adjust to suit your port forwarding needs. The explanation in the script should be quite sufficient. This script should be able to handle port forwarding within your network, to connected VPN networks, and to external servers (the latter may require the activation of another line in the script under section 0 in some cases).
Code:
# portforward.sh
#
# designed for bastille-firewall
# Copyright (c) 2002 Peter Watkins
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# place in /etc/Bastille/firewall.d/pre-chain-split.d
# as portforward.sh (directory name and .sh suffix are critical)
#
###########################################################################
# 0) Addition to Peter Watkins' script by Hanno Scihupp, July 2008
#
# a) Switch on port forwarding for your server
# Ensure port forwarding is actually switched on - otherwise nothing works.
# Having it in this script ensures the setting survives a reboot.
# This works on Ubuntu/Debian. Check the filesystem and documentation of your
# favourite Linux distro that this switch exists and is valid.
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# b) Enable port forwarding to an address outside your external network
# (i.e. to a VPN network address or an external server)
# The line below enables forwarding to tunnel-connected servers
# (i.e. servers connected through a VPN network)
/sbin/iptables -A POSTROUTING --table nat -o tun+ -j MASQUERADE
# The line below enables forwarding to external servers
# /sbin/iptables -A POSTROUTING --table nat -o eth0 -j MASQUERADE
#########################################################################
#
# Settings:
#
# 1) IP_FORWARDS (all OSes/kernel versions)
#
# List your port forwarding info here. This should be a whitespace
# separated list. Each item in the list should be a hyphen-separated
# list including the following, in this order
# - interface name, e.g. "eth0" (blank for all)
# - destination address, e.g. "192.168.1.1" for the single
#   address 192.168.1.1, "0.0.0.0" for any address, etc.
#   (this address may contain a netmask, e.g. 192.168.1.1/24)
# - the destination port number, e.g. "80" for standard HTTP
# - the protocol type or number, e.g. "tcp"
# - the forwarding service address, e.g. "172.19.1.2"
# - the forwarding service port, e.g. "8000"
#
# Example:
# IP_FORWARDS="eth0-0.0.0.0-80-tcp-172.19.1.2-8000"
# This says we only have one forwarding rule to establish. Any TCP
# traffic destined for any address bound to the "eth0" interface's port
# 80 will be forwarded to TCP port 8000 of 172.19.1.2. This is a typical
# rule for a site that wants to run its Web server on an internal
# machine, using a high port so the Web server can be started by a
# non-root user. Whether the forwarding or running on a high port are
# a *good* idea is a question we won't address here.
#
IP_FORWARDS="eth0-1.2.3.4-8004-tcp-10.8.0.4-8080 eth0-1.2.3.4-8005-tcp-10.8.0.5-8080"
#
#
# 2) IPFWADM (Linux 2.2/ipchains only)
#
#
# For 2.2-based kernels, where is ipfwadm?
IPFWADM="/sbin/ipfwadm"
#
# IPCHAINS and IPTABLES are set by bastille-firewall before this
# script is sourced; exactly one of them is non-empty.
if [ -z "${IPCHAINS}" -a -z "${IPTABLES}" ]; then
    echo "Error: only good for iptables or ipchains/ipfwadm" > /dev/stderr
elif [ -n "${IPCHAINS}" -a \( \! -x "${IPFWADM}" \) ]; then
    echo "Please install $IPFWADM for forwarding with 2.2/ipchains systems" >/dev/stderr
else
    if [ -n "${IPCHAINS}" -a \( -x "${IPFWADM}" \) ]; then
        # flush ipfwadm rules
        ${IPFWADM} portfw -f
    fi
    for fw_rule in ${IP_FORWARDS} ; do
        # ugly awk hack: split the hyphen-separated item into its six fields
        fw_iface=`echo "$fw_rule" | awk -F\- '{print $1}'`
        fw_inaddr=`echo "$fw_rule" | awk -F\- '{print $2}'`
        fw_inport=`echo "$fw_rule" | awk -F\- '{print $3}'`
        fw_inproto=`echo "$fw_rule" | awk -F\- '{print $4}'`
        fw_outaddr=`echo "$fw_rule" | awk -F\- '{print $5}'`
        fw_outport=`echo "$fw_rule" | awk -F\- '{print $6}'`
        if [ -n "${fw_iface}" ]; then
            # we have an interface specified
            if [ -n "${IPTABLES}" ]; then
                # rewrite the destination in nat/PREROUTING, then let the
                # rewritten packet through the FORWARD chain
                ${IPTABLES} -t nat -A PREROUTING -p $fw_inproto -i $fw_iface -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
                ${IPTABLES} -A FORWARD -p $fw_inproto -i $fw_iface -d $fw_outaddr --dport $fw_outport -j ACCEPT
                ### debug ###
                #echo "${IPTABLES} -t nat -A PREROUTING -p $fw_inproto -i $fw_iface -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport"
                #echo "${IPTABLES} -A FORWARD -p $fw_inproto -i $fw_iface -d $fw_outaddr --dport $fw_outport -j ACCEPT"
                ### debug ###
            else
                # ipfwadm has no per-interface option; the protocol variable
                # is fw_inproto (the original used an undefined $fw_proto here)
                ${IPFWADM} portfw -P $fw_inproto -L $fw_inaddr $fw_inport -R $fw_outaddr $fw_outport
            fi
        else
            # apply forward to all interfaces
            if [ -n "${IPTABLES}" ]; then
                ${IPTABLES} -t nat -A PREROUTING -p $fw_inproto -d $fw_inaddr --dport $fw_inport -j DNAT --to $fw_outaddr:$fw_outport
                ${IPTABLES} -A FORWARD -p $fw_inproto -d $fw_outaddr --dport $fw_outport -j ACCEPT
            else
                # same as ipfwadm rule above, actually
                ${IPFWADM} portfw -P $fw_inproto -L $fw_inaddr $fw_inport -R $fw_outaddr $fw_outport
            fi
        fi
    done
fi
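The script above takes every item of IP_FORWARDS on trust: a typo such as a missing field or a port of 99999 makes iptables reject the rule and leaves the firewall with half the forwards loaded. The following is an added example (my own code, not part of the Bastille script or the post above) that parses the same "iface-inaddr-inport-proto-outaddr-outport" items, validates each field, and prints the resulting iptables commands as a dry run so they can be reviewed before anything is applied. Function names (is_ipv4, parse_forward, render_forward_rules) and the --apply switch are the example's own; the two sample entries are the ones from the post.

```shell
#!/bin/sh
# Added example, not part of the Bastille script: validate IP_FORWARDS entries
# before turning them into iptables commands, and print the commands (dry run)
# unless --apply is given. All function and variable names are the example's own.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# True if $1 is an unsigned integer between $2 and $3 inclusive.
is_uint_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# True if $1 is a dotted-quad IPv4 address with an optional /prefix (0-32).
is_ipv4() {
    addr="${1%%/*}"
    case "$1" in */*) is_uint_range "${1#*/}" 0 32 || return 1 ;; esac
    case "$addr" in .*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        is_uint_range "$octet" 0 255 || return 1
    done
}

# True if $1 is an interface name acceptable to "iptables -i" (blank = all,
# a trailing "+" is the iptables wildcard, as in tun+).
is_iface() {
    case "$1" in *[!A-Za-z0-9_.+]*) return 1 ;; esac
}

# Split one "iface-inaddr-inport-proto-outaddr-outport" entry into the fw_*
# variables and reject anything malformed, naming the offending entry.
parse_forward() {
    entry="$1"
    nf=$(printf '%s\n' "$entry" | awk -F- '{ print NF }')
    if [ "$nf" -ne 6 ]; then
        echo "portforward: expected 6 hyphen-separated fields in '$entry'" >&2
        return 1
    fi
    fw_iface=$(printf '%s\n' "$entry" | cut -d- -f1)
    fw_inaddr=$(printf '%s\n' "$entry" | cut -d- -f2)
    fw_inport=$(printf '%s\n' "$entry" | cut -d- -f3)
    fw_inproto=$(printf '%s\n' "$entry" | cut -d- -f4)
    fw_outaddr=$(printf '%s\n' "$entry" | cut -d- -f5)
    fw_outport=$(printf '%s\n' "$entry" | cut -d- -f6)
    is_iface "$fw_iface"                || { echo "bad interface in '$entry'" >&2; return 1; }
    is_ipv4 "$fw_inaddr"                || { echo "bad destination address in '$entry'" >&2; return 1; }
    is_uint_range "$fw_inport" 1 65535  || { echo "bad destination port in '$entry'" >&2; return 1; }
    case "$fw_inproto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp in '$entry'" >&2; return 1 ;;
    esac
    # The DNAT target is a single host, so a netmask makes no sense there.
    case "$fw_outaddr" in */*) echo "netmask not allowed on forwarding address in '$entry'" >&2; return 1 ;; esac
    is_ipv4 "$fw_outaddr"               || { echo "bad forwarding address in '$entry'" >&2; return 1; }
    is_uint_range "$fw_outport" 1 65535 || { echo "bad forwarding port in '$entry'" >&2; return 1; }
}

# Print the iptables commands for every entry given as an argument: the DNAT
# rewrite in nat/PREROUTING plus the matching FORWARD accept. Stops at the
# first bad entry so a typo cannot load half of the rule set.
render_forward_rules() {
    for fw_rule in "$@"; do
        parse_forward "$fw_rule" || return 1
        in_if=""
        [ -n "$fw_iface" ] && in_if="-i $fw_iface "
        printf '%s -t nat -A PREROUTING -p %s %s-d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$IPTABLES" "$fw_inproto" "$in_if" "$fw_inaddr" "$fw_inport" "$fw_outaddr" "$fw_outport"
        printf '%s -A FORWARD -p %s %s-d %s --dport %s -j ACCEPT\n' \
            "$IPTABLES" "$fw_inproto" "$in_if" "$fw_outaddr" "$fw_outport"
    done
}

# The two entries from the post above (constructed sample; nothing is applied
# unless the script is run with --apply).
IP_FORWARDS="eth0-1.2.3.4-8004-tcp-10.8.0.4-8080 eth0-1.2.3.4-8005-tcp-10.8.0.5-8080"

if [ "$1" = "--apply" ]; then
    render_forward_rules $IP_FORWARDS | sh
else
    render_forward_rules $IP_FORWARDS
fi
```

Run without arguments it only prints the commands, which is the form to paste into a ticket or compare against `iptables -t nat -L PREROUTING -n` after the fact; `--apply` pipes the same output into sh. The validator rejects a netmask on the forwarding address because DNAT needs a single host there, while a netmask on the destination address is allowed, matching the comment in the Bastille script. Whether to accept "tcp" and "udp" only or also numeric protocols is a policy choice; the example takes the strict reading.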