Dear All, I have a firewall related question: I did install a passthrough kind of set up, as described in this other thread in this forum. It all worked well until I wanted to extend the facility to some more ports. I extended the script below, restarted the firewall, and now nothing works anymore. No access to any of the routers, even the ones that previously worked fine. VPN access works fine though, so my best guess is that there were some manual configurations outside of Bastille, which were wiped by the Bastille firewall restart. But which one?

Here is my problem: I do not know how to analyse the IPTables firewall (Bastille driven or otherwise). I can see with TCPdump that some packets reach my server; they have the correct IP address and port and are TCP type packets. All good. And then what? How can I analyse what is going wrong, and why the packets are being blocked from further processing and prevented from passing through to my external routers, which are connected to my server via a VPN connection? It is the analysis process I am struggling with. IPTables seems like a black box and I cannot find where the packets get dropped and why. Any hints as to how to analyse the IPTables firewall? Any hints welcome.

Cheers

PS: Attached are the config file /etc/Bastille/firewall.d/pre-chain-split.sh and the output of IPTables.
Code:
#!/bin/sh
# /etc/Bastille/firewall.d/pre-chain-split.sh
# Let forwarded traffic leave through the VPN tunnel interface(s)
/sbin/iptables -A FORWARD -o tun+ -j ACCEPT
# Start from an empty nat table so re-running the script does not duplicate rules
/sbin/iptables -t nat -F
# Requires one PREROUTING rule for every router you want to connect to
# (public port 80xx on 1.2.3.4 is rewritten to port 8080 on router 10.8.0.x)
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8004 -j DNAT --to-destination 10.8.0.4:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8005 -j DNAT --to-destination 10.8.0.5:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8006 -j DNAT --to-destination 10.8.0.6:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8008 -j DNAT --to-destination 10.8.0.8:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8009 -j DNAT --to-destination 10.8.0.9:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8010 -j DNAT --to-destination 10.8.0.10:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8011 -j DNAT --to-destination 10.8.0.11:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8012 -j DNAT --to-destination 10.8.0.12:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8013 -j DNAT --to-destination 10.8.0.13:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8014 -j DNAT --to-destination 10.8.0.14:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8015 -j DNAT --to-destination 10.8.0.15:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8016 -j DNAT --to-destination 10.8.0.16:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8017 -j DNAT --to-destination 10.8.0.17:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8018 -j DNAT --to-destination 10.8.0.18:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8019 -j DNAT --to-destination 10.8.0.19:8080
/sbin/iptables -A PREROUTING --table nat -d 1.2.3.4 -p tcp --dport 8020 -j DNAT --to-destination 10.8.0.20:8080
# Same mapping for connections originating on the server itself (locally generated
# packets go through nat/OUTPUT, not nat/PREROUTING)
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8004 -j DNAT --to-destination 10.8.0.4:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8005 -j DNAT --to-destination 10.8.0.5:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8006 -j DNAT --to-destination 10.8.0.6:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8007 -j DNAT --to-destination 10.8.0.7:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8008 -j DNAT --to-destination 10.8.0.8:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8009 -j DNAT --to-destination 10.8.0.9:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8010 -j DNAT --to-destination 10.8.0.10:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8011 -j DNAT --to-destination 10.8.0.11:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8012 -j DNAT --to-destination 10.8.0.12:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8013 -j DNAT --to-destination 10.8.0.13:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8014 -j DNAT --to-destination 10.8.0.14:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8015 -j DNAT --to-destination 10.8.0.15:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8016 -j DNAT --to-destination 10.8.0.16:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8017 -j DNAT --to-destination 10.8.0.17:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8018 -j DNAT --to-destination 10.8.0.18:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8019 -j DNAT --to-destination 10.8.0.19:8080
/sbin/iptables --table nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 8020 -j DNAT --to-destination 10.8.0.20:8080
# Source-NAT everything leaving through the tunnel so the routers reply via the server
/sbin/iptables -A POSTROUTING --table nat -o tun+ -j MASQUERADE

Code:
#iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 632K packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             server.chillifire.net     tcp dpt:8004 to:10.8.0.4:8080
    0     0 DNAT       tcp  --  any    any     anywhere             server.chillifire.net     tcp dpt:8005 to:10.8.0.5:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8006 to:10.8.0.6:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8007 to:10.8.0.7:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8008 to:10.8.0.8:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8009 to:10.8.0.9:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8010 to:10.8.0.10:8080
   12   576 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8011 to:10.8.0.11:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8012 to:10.8.0.12:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8013 to:10.8.0.13:8080
    6   288 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8014 to:10.8.0.14:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8015 to:10.8.0.15:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8016 to:10.8.0.16:8080
   12   576 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8017 to:10.8.0.17:8080
    6   288 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8018 to:10.8.0.18:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8019 to:10.8.0.19:8080
    3   144 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8020 to:10.8.0.20:8080

Chain POSTROUTING (policy ACCEPT 40397 packets, 2575K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   252 MASQUERADE all  --  any    tun+    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 40440 packets, 2578K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8004 to:10.8.0.4:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8005 to:10.8.0.5:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8006 to:10.8.0.6:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8007 to:10.8.0.7:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8008 to:10.8.0.8:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8009 to:10.8.0.9:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8010 to:10.8.0.10:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8011 to:10.8.0.11:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8012 to:10.8.0.12:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8013 to:10.8.0.13:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8014 to:10.8.0.14:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8015 to:10.8.0.15:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8016 to:10.8.0.16:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8017 to:10.8.0.17:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8018 to:10.8.0.18:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8019 to:10.8.0.19:8080
    0     0 DNAT       tcp  --  any    any     anywhere             blackbird.chillifire.net  tcp dpt:8020 to:10.8.0.20:8080

Code:
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source                             destination
   21  2560 DROP       all  --  any    any     189.51.255.168.static.nqt.com.br   anywhere
    0     0 DROP       tcp  --  !lo    any     anywhere                           127.0.0.0/8
 346K   46M ACCEPT     all  --  any    any     anywhere                           anywhere             state RELATED,ESTABLISHED
 7447  405K ACCEPT     all  --  lo     any     anywhere                           anywhere
    0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4           anywhere
    0     0 PUB_IN     all  --  tun+   any     anywhere                           anywhere
 8641  543K PUB_IN     all  --  eth+   any     anywhere                           anywhere
    0     0 PUB_IN     all  --  ppp+   any     anywhere                           anywhere
    0     0 PUB_IN     all  --  slip+  any     anywhere                           anywhere
    0     0 PUB_IN     all  --  venet+ any     anywhere                           anywhere
    0     0 DROP       all  --  any    any     anywhere                           anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source                             destination
    0     0 DROP       all  --  any    any     189.51.255.168.static.nqt.com.br   anywhere
    0     0 ACCEPT     all  --  any    any     anywhere                           anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    tun+    anywhere                           anywhere
    0     0 DROP       all  --  any    any     anywhere                           anywhere

Chain OUTPUT (policy ACCEPT 57197 packets, 5912K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   252 PUB_OUT    all  --  any    tun+    anywhere             anywhere
 418K   97M PUB_OUT    all  --  any    eth+    anywhere             anywhere
    0     0 PUB_OUT    all  --  any    ppp+    anywhere             anywhere
    0     0 PUB_OUT    all  --  any    slip+   anywhere             anywhere
    0     0 PUB_OUT    all  --  any    venet+  anywhere             anywhere

Chain INT_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain INT_OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain PAROLE (17 references)
 pkts bytes target     prot opt in     out     source               destination
 6111  320K ACCEPT     all  --  any    any     anywhere             anywhere

Chain PUB_IN (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded
   78  4758 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
   45  2724 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp
   46  3324 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    7   420 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:domain
 4717  246K PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:www
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:81
   66  3168 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:pop3
  838 41116 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:webmin
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:radius
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:radius-acct
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:mysql
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:openvpn
  392 23520 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:munin
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:2812
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpt:4960
    0     0 PAROLE     tcp  --  any    any     anywhere             anywhere             tcp dpts:8000:8199
  626 49136 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
 1068 83219 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:openvpn
  339 17628 DROP       icmp --  any    any     anywhere             anywhere
  419 68552 DROP       all  --  any    any     anywhere             anywhere

Chain PUB_OUT (5 references)
 pkts bytes target     prot opt in     out     source               destination
 418K   97M ACCEPT     all  --  any    any     anywhere             anywhere
I think you are going to need to explicitly log for each section you need to inspect. Pseudo example from our iptables:
-A droplist -s 1.0.0.0 -j LOG --log-prefix "DROP Block"
Mystery resolved: The reboot caused the loss of a fundamental setting in a LINUX configuration file. Entering the following command into the command line resolves the issue - until the next reboot, so better work it into your start-up scripts if you want to use port forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
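The two answers above (log just before the DROP, and check ip_forward) can be turned into a repeatable diagnostic. The script below is an added example written for this thread; it is not the poster's script, not part of Bastille, and the function names are my own. It parses the counter listing of `iptables -L -v -n` (the `-n` avoids the reverse-DNS lookups that turned 1.2.3.4 into two different hostnames in the listing above) and embeds a constructed sample listing, with the placeholder source address 198.51.100.7 standing in for the blocked host, shaped like the poster's filter table: DNAT counters climbing in nat/PREROUTING while every FORWARD counter stays at zero. It only prints the LOG command it derives; run it by hand once you have read it.

```shell
#!/bin/sh
# Added example, not from the thread or from Bastille: a small diagnostic
# helper for the "where do my forwarded packets go?" question above.
# Works on the counter output of 'iptables -L -v -n'.

# 1. Is the kernel forwarding at all?  The path is a parameter so the
#    function can be exercised against a constructed file; on a real host
#    call it with no argument.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    if [ "$(cat "$f")" = "1" ]; then
        echo "ip_forward=1: forwarding enabled"
        return 0
    fi
    echo "ip_forward=0: forwarding DISABLED, the FORWARD chain never sees DNATed packets"
    return 1
}

# 2. Report DROP rules whose packet counter is non-zero, with their chain.
#    Counters with a K/M suffix compare as their leading digits, which is
#    enough for a "greater than zero" test.
find_hot_drops() {
    awk '
        /^Chain /  { chain = $2; next }
        /^ *pkts/  { next }
        $3 == "DROP" && $1 + 0 > 0 { printf "%s: %s packets hit DROP rule:%s\n", chain, $1, $0 }
    '
}

# 3. Signature of ip_forward=0: nat/PREROUTING DNAT counters climb while
#    every counter in FORWARD (rules and the policy alike) stays at zero.
#    Returns 0 (true) when FORWARD has seen no packets at all.
forward_chain_idle() {
    awk '
        /^Chain FORWARD/ { in_fwd = 1; if ($5 + 0 > 0) seen = 1; next }
        /^Chain /        { in_fwd = 0; next }
        in_fwd && $1 ~ /^[0-9]/ && $1 + 0 > 0 { seen = 1 }
        END { if (seen) exit 1; exit 0 }
    '
}

# 4. Rule index (1-based, as 'iptables -I' expects) of the last DROP in
#    CHAIN, read from the same listing.  Prints nothing if there is none.
last_drop_index() {
    awk -v want="$1" '
        /^Chain /  { chain = $2; n = 0; next }
        /^ *pkts/  { next }
        chain == want && NF > 0 { n++; if ($3 == "DROP") last = n }
        END { if (last) print last }
    '
}

# 5. The LOG rule the reply above suggests, positioned right before that
#    final DROP so rejected packets are logged (kernel log: dmesg/syslog)
#    and then still dropped.  Only prints the command; review it, then run.
log_rule_before_drop() {
    chain="$1"; prefix="$2"
    idx=$(last_drop_index "$chain")
    [ -n "$idx" ] || { echo "no DROP rule in chain $chain" >&2; return 1; }
    echo "iptables -I $chain $idx -j LOG --log-prefix \"$prefix \""
}

# Constructed sample listing (placeholder source 198.51.100.7), shaped like
# the poster's filter table just after the firewall restart.
SAMPLE_IPTABLES='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  346K   46M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    21  2560 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0
   419 68552 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# Demo on the sample; on the box replace the printf with 'iptables -L -v -n'.
printf '%s' "$SAMPLE_IPTABLES" | find_hot_drops
if printf '%s' "$SAMPLE_IPTABLES" | forward_chain_idle; then
    echo "FORWARD has seen no packets at all: check ip_forward before blaming the rules"
fi
printf '%s' "$SAMPLE_IPTABLES" | log_rule_before_drop FORWARD "FWD-DROP"
check_ip_forward || true
```

Reading the counters is the whole method: a DROP rule with a climbing counter tells you which rule is eating the packets, and a FORWARD chain whose counters never move while nat/PREROUTING keeps matching (exactly the pattern in the listing above, where ports 8010 to 8020 show DNAT hits and FORWARD shows nothing) means the packets are discarded by the kernel before the filter rules are consulted, which is what ip_forward=0 does. The LOG rule from the reply is for the other case, where FORWARD or INPUT counters do move and you need to see which packets the final DROP is catching.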