Hi, I have used iptables and Mandriva's Shorewall with huge success in setting up NAT/PAT in an Internet-sharing environment. Shorewall is disabled in Mandriva, and ISPConfig adds Bastille, or a version thereof. I do not yet understand Bastille. It seems to be using MASQ and literal IPs, therefore IP changes in the interfaces do not automatically set up the firewall at reboot like Shorewall would, where you only say e.g. NET = eth0 and LAN = eth1. I see that ISPConfig includes only parts of the Bastille software (the bastille executable seems to be removed / renamed). I ran updatedb and locate bastille came up empty, and I could not use the bastille utility as described on their website. My problem is now to change the Bastille config files to allow for a proper GW server without interfering with the ISPConfig control over this Bastille software. I have a DSL router with ETH 10.0.0.2, thus my default GW; my Fedora 5 box has eth1 10.0.0.1 and the inside network is 192.168.1.1 on eth0. In Shorewall I only need to define the internet interface and the LAN interface - is there such an easy way with Bastille config files that will not be modified by ISPConfig?
If you're happy with Shorewall then use it instead. If you turn off firewalling in ISP then there isn't any interference. That's what I do....
Well, I just set up an exit; in the Bastille firewall script so that ISPConfig's settings do not influence my iptables settings set up with firehol (firehol.sf.net, an abstraction shell script, easy to configure and very flexible). Maybe that can help you? Because I set up a NAT rule to forward a port served by our proxy to 81, which is messed up every time I restart any service with ISPConfig...
Elegant way
Yes, the point is NOT to use anything external (other than the pure ISPConfig set-up) here. A standard install on any platform for easy reproduction is the need. I have plenty of ways of doing it outside this environment, but all I need is the modification required inside /root/ispconfig/isp/conf/bastille-firewall.cfg.master to make this work. That will give me a nice PURE install, much more elegant than otherwise.
1) The Bastille firewall script is named "Bastille" and not "bastille", so locate "Bastille" will give you the locations of the scripts.
2) If you want to change the Bastille firewall script globally, edit the template file in /root/ispconfig/isp/conf/
3) If you don't like Bastille, you may use any other firewall with ISPConfig as well.
GW via SNAT and NOT MASQ
Hi, I did find it. It is a MOD and this should only be done if you know your stuff. I do not like this; although clearly the intended method by the author, it is messy and non-elegant. I would have liked to see a setting in the bastille-firewall.cfg file asking to SNAT or MASQ.

vi /sbin/bastille-netfilter (or edit /sbin/bastille-netfilter), and comment out the lines around line 390-391:

    # ${IPTABLES} -t nat -A POSTROUTING -s ${net} -o ${pub} -j MASQUERADE
    # ${IPTABLES} -A FORWARD -s ${net} -o ${pub} -j ACCEPT

Around line 397, remove the # (uncomment it):

    ${IPTABLES} -t nat -A POSTROUTING -o ${DEFAULT_GW_IFACE} -j SNAT --to ${DEFAULT_GW_IP}

What is great is that DEFAULT_GW_IFACE is self-detected and comes from your interface set-up.
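As an added example that is not part of this thread nor of the Bastille/ISPConfig scripts: a POSIX shell dry run of the two POSTROUTING variants the post above compares, for the topology from the first post (LAN 192.168.1.0/24 on eth0, public eth1 10.0.0.1 behind the DSL router 10.0.0.2). The helper names and the way the public interface and its address are derived (default route, then that interface's address) are my assumptions about what DEFAULT_GW_IFACE / DEFAULT_GW_IP hold; the one check worth keeping in mind is that the SNAT --to address must be the gateway box's own public address (10.0.0.1 here), not the router's.

```shell
#!/bin/sh
# Added example (not Bastille's or ISPConfig's code). IPTABLES defaults to
# "echo iptables" so the script only prints the rules; set
# IPTABLES=/sbin/iptables and run as root to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# Public interface = "dev" of the default route. $1 = output of "ip route"
# (passed as an argument so it can be exercised offline with a constructed sample).
default_gw_iface() {
    printf '%s\n' "$1" | awk '$1=="default" {for(i=1;i<=NF;i++) if($i=="dev") print $(i+1); exit}'
}

# Address of that interface. $1 = output of "ip -4 addr show dev <iface>"
iface_ip() {
    printf '%s\n' "$1" | awk '$1=="inet" {sub(/\/.*/, "", $2); print $2; exit}'
}

# Variant 1: MASQUERADE (what the script does by default, lines ~390-391).
# Source address is looked up per connection, so it survives WAN IP changes.
nat_masq() {   # $1 = LAN net, $2 = public iface
    ${IPTABLES} -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
    ${IPTABLES} -A FORWARD -s "$1" -o "$2" -j ACCEPT
}

# Variant 2: SNAT to a fixed address (line ~397). Correct only while the
# public address is static; $3 must be this box's own address on $2.
nat_snat() {   # $1 = LAN net, $2 = public iface, $3 = public IP
    ${IPTABLES} -t nat -A POSTROUTING -s "$1" -o "$2" -j SNAT --to "$3"
    ${IPTABLES} -A FORWARD -s "$1" -o "$2" -j ACCEPT
}

# Both variants still need the reply traffic allowed back in on the public side.
allow_return() {   # $1 = public iface
    ${IPTABLES} -A FORWARD -i "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Constructed samples standing in for "ip route" / "ip -4 addr show dev eth1".
SAMPLE_ROUTES="default via 10.0.0.2 dev eth1
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1"
SAMPLE_ADDR="2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1"

PUB=$(default_gw_iface "$SAMPLE_ROUTES")   # eth1
PUB_IP=$(iface_ip "$SAMPLE_ADDR")          # 10.0.0.1
nat_snat 192.168.1.0/24 "$PUB" "$PUB_IP"
allow_return "$PUB"
```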
My solution above didn't work for some reason; I missed another setting, although the in-script comments allow this. I had to use MASQ in the end. Ran out of time. Till/Falco, can't you guys look into this and give us a solution inside the ISPConfig system, as this is surely needed? Bastille is very badly documented!