FROM: Peter W
DATE: 01/04/2002 16:41:58
SUBJECT: RE: [Bastille-linux-discuss] Adding custom rules to bastille-netfilter
At 11:37am Jan 4, 2002, kishan at hackorama wrote:
> I want to do port forwarding for the http port 80
> on this gateway machine to one of the machines in the
> internal subnet.
> Since interactive bastille setup does not have any option
> for port forwarding, should I be adding these custom rules
> by editing /sbin/bastille-netfilter. If so where is the
> right place to add the port forwarding rules ?
Kishan,
What you want to do is write a "supplemental" firewall script and put it
in /etc/Bastille/firewall.d/$FOO.d and call it $SOMETHING.sh where $FOO
matches one of the keywords in bastille-netfilter, where you see the
include_supplemental lines. ($SOMETHING is completely arbitrary, but I
expect spaces and special characters are a bad idea.) That way your rules
will be added in the correct order, and any upgrades of bastille-netfilter
should not disturb your port forwarding rules. This is probably the Number
One packet filtering request, so if you get something worked out, I'd love
to include it with bastille-firewall to 1) help people set this sort of
thing up and 2) illustrate how to build supplemental scripts.
The script should look something like this (completely untested):
# portforward.sh
#
# designed for bastille-firewall
# Copyright (c) 2002 Peter Watkins
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# place in /etc/Bastille/firewall.d/pre-chain-split.d
# as portforward.sh (directory name and .sh suffix are critical)
#
#
# Settings:
#
# 1) IP_FORWARDS (all OSes/kernel versions)
#
# List your port forwarding info here. This should be a whitespace
# separated list. Each item in the list should be a hyphen-separated
# list including the following, in this order
# - interface name, e.g. "eth0" (blank for all)
# - destination address, e.g. "192.168.1.1" for the single
#   address 192.168.1.1, "0.0.0.0" for any address, etc.
#   (this address may contain a netmask, e.g. 192.168.1.1/24)
# - the destination port number, e.g. "80" for standard HTTP
# - the protocol type or number, e.g. "tcp"
# - the forwarding service address, e.g. "172.19.1.2"
# - the forwarding service port, e.g. "8000"
#
# Example:
# IP_FORWARDS="eth0-0.0.0.0-80-tcp-172.19.1.2-8000"
# This says we only have one forwarding rule to establish. Any TCP
# traffic destined for any address bound to the "eth0" interface's port
# 80 will be forwarded to TCP port 8000 of 172.19.1.2. This is a typical
# rule for a site that wants to run its Web server on an internal
# machine, using a high port so the Web server can be started by a
# non-root user. Whether the forwarding or running on a high port are
# a *good* idea is a question we won't address here.
#
IP_FORWARDS="eth0-10.1.2.3-80-tcp-192.168.1.2-8000 eth1-192.168.1.2-25-tcp-172.19.1.20-25"
#
#
# 2) IPFWADM (Linux 2.2/ipchains only)
#
# For 2.2-based kernels, where is ipfwadm?
IPFWADM="/sbin/ipfwadm"
#
# IPCHAINS and IPTABLES are set by the calling bastille-ipchains /
# bastille-netfilter script; exactly one of them is expected to be non-empty.
if [ -z "${IPCHAINS}" -a -z "${IPTABLES}" ]; then
    echo "Error: only good for iptables or ipchains/ipfwadm" >&2
elif [ -n "${IPCHAINS}" -a \( ! -x "${IPFWADM}" \) ]; then
    echo "Please install $IPFWADM for forwarding with 2.2/ipchains systems" >&2
else
    if [ -n "${IPCHAINS}" -a \( -x "${IPFWADM}" \) ]; then
        # flush any existing ipfwadm port-forwarding entries first
        ${IPFWADM} portfw -f
    fi
    for fw_rule in ${IP_FORWARDS} ; do
        # ugly awk hack: split the hyphen-separated rule into its six fields
        fw_iface=`echo "$fw_rule" | awk -F\- '{print $1}'`
        fw_inaddr=`echo "$fw_rule" | awk -F\- '{print $2}'`
        fw_inport=`echo "$fw_rule" | awk -F\- '{print $3}'`
        fw_inproto=`echo "$fw_rule" | awk -F\- '{print $4}'`
        fw_outaddr=`echo "$fw_rule" | awk -F\- '{print $5}'`
        fw_outport=`echo "$fw_rule" | awk -F\- '{print $6}'`
        # "0.0.0.0" means "any address" above; a bare address is a /32 match
        # for iptables, so give it the /0 mask to match everything
        if [ "${fw_inaddr}" = "0.0.0.0" ]; then
            fw_ipt_inaddr="0.0.0.0/0"
        else
            fw_ipt_inaddr="${fw_inaddr}"
        fi
        if [ -n "${fw_iface}" ]; then
            # we have an interface specified
            if [ -n "${IPTABLES}" ]; then
                # -p is required, otherwise --dport is not accepted
                ${IPTABLES} -t nat -A PREROUTING -i $fw_iface -p $fw_inproto \
                    -d $fw_ipt_inaddr --dport $fw_inport \
                    -j DNAT --to $fw_outaddr:$fw_outport
            else
                # portfw has no per-interface option; -a adds the entry
                ${IPFWADM} portfw -a -P $fw_inproto -L $fw_inaddr $fw_inport \
                    -R $fw_outaddr $fw_outport
            fi
        else
            # apply forward to all interfaces
            if [ -n "${IPTABLES}" ]; then
                ${IPTABLES} -t nat -A PREROUTING -p $fw_inproto \
                    -d $fw_ipt_inaddr --dport $fw_inport \
                    -j DNAT --to $fw_outaddr:$fw_outport
            else
                # same as ipfwadm rule above, actually
                ${IPFWADM} portfw -a -P $fw_inproto -L $fw_inaddr $fw_inport \
                    -R $fw_outaddr $fw_outport
            fi
        fi
    done
fi
What'll happen is bastille-netfilter (or bastille-ipchains) will scan
/etc/Bastille/firewall.d/pre-chain-split.d for all the .sh files when
bastille-netfilter (or bastille-ipchains) hits the line
include_supplemental pre-chain-split
when (re)building your ruleset.
-Peter
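The include_supplemental hook described in the message above, modelled as a dry run (an added example, not Peter's code and not part of bastille-firewall). It assumes the layout he describes, /etc/Bastille/firewall.d/KEYWORD.d/*.sh sourced when the main script reaches "include_supplemental KEYWORD"; the FIREWALL_D variable, the demo_supplemental function and the two supplemental scripts it writes are constructed so the demo runs unprivileged in a temporary directory, with IPTABLES set to echo so rules are printed rather than loaded.

```shell
#!/bin/sh
# Dry-run model of bastille-firewall's supplemental-script hook (added example;
# not Bastille's code). Assumed layout, as described in the message:
#   $FIREWALL_D/<keyword>.d/*.sh is sourced when the main script reaches
#   "include_supplemental <keyword>". FIREWALL_D is a variable (an assumption)
#   so the demo can run unprivileged against a temporary tree.

FIREWALL_D="${FIREWALL_D:-/etc/Bastille/firewall.d}"
INCLUDED=""   # space-separated list of scripts sourced, in order

# include_supplemental KEYWORD
# Source every *.sh in "$FIREWALL_D/KEYWORD.d" in glob (lexical) order, so a
# numeric prefix such as 10-, 20- controls ordering. Files without the .sh
# suffix are ignored, matching the "suffix is critical" note in the script.
include_supplemental() {
    dir="$FIREWALL_D/$1.d"
    [ -d "$dir" ] || return 0
    for script in "$dir"/*.sh; do
        [ -f "$script" ] || continue     # the pattern matched nothing
        . "$script"
        INCLUDED="$INCLUDED${INCLUDED:+ }$script"
    done
}

# count_words STRING: number of whitespace-separated items in STRING
count_words() {
    set -- $1
    echo $#
}

# demo_supplemental: build a throwaway firewall.d tree with two constructed
# supplemental scripts plus a stray non-.sh file, then run the hook with
# IPTABLES=echo so the rules are printed instead of loaded. Leaves the list
# of sourced scripts in INCLUDED and prints the would-be iptables commands.
demo_supplemental() {
    FIREWALL_D=$(mktemp -d)
    mkdir -p "$FIREWALL_D/pre-chain-split.d"
    cat > "$FIREWALL_D/pre-chain-split.d/10-portforward.sh" <<'EOF'
# constructed: forward inbound tcp/80 on eth0 to an internal web server
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
    -j DNAT --to 192.168.1.2:8000
EOF
    cat > "$FIREWALL_D/pre-chain-split.d/20-log-forward.sh" <<'EOF'
# constructed: log forwarded packets so the DNAT can be verified afterwards
$IPTABLES -A FORWARD -d 192.168.1.2 -p tcp --dport 8000 -j LOG --log-prefix "portfw: "
EOF
    echo 'echo "README must not be sourced"' > "$FIREWALL_D/pre-chain-split.d/README"
    IPTABLES="echo"
    INCLUDED=""
    include_supplemental pre-chain-split
    rm -rf "$FIREWALL_D"
}

demo_supplemental
echo "sourced in order: $INCLUDED"
```

Running it prints the two DNAT/LOG command lines in 10-, 20- order and then the list of sourced files; the README is never executed. Swapping IPTABLES back to the real binary is the only change between this dry run and a live ruleset load, which is a convenient way to review what a new supplemental script will do before dropping it into /etc/Bastille/firewall.d.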
FROM: Peter W
DATE: 01/05/2002 11:43:58
SUBJECT: RE: [Bastille-linux-discuss] Adding custom rules to bastille-netfilter
At 11:30am Jan 5, 2002, kishan at hackorama wrote:
> Looking through /sbin/bastille-netfilter I could not find the
> "include_supplemental" lines or keywords.
>
> Also I don't see /etc/Bastille/firewall.d directory, which
> matches my bastille-netfilter not having any keywords
>
> So I am wondering whether I am running the right version or not.
>
> I have installed Bastille-1.2.0-2mdk + Bastille-Tk-module-1.2.0-2mdk
Ah, OK, I added the supplemental hooks after 1.2.0. The easiest thing
to do is grab the latest bastille-firewall-scripts.tar.gz from
http://www.tux.org/~peterw/linux/ , unpack it, and run the script
named bastille-firewall-install.sh to upgrade to the latest version of
bastille-firewall. (It will back up your current files & migrate your
current bastille-firewall.cfg settings.)
You'll need to make /etc/Bastille/firewall.d (and pre-chain-split.d)
by hand, though. The normal bastille-firewall setup doesn't need the
firewall.d directory, so the install script doesn't create it.
-Peter