iptables and port forwarding
wapcaplet
12-18-2002, 11:34 AM
Alright, I've been hacking away at this for a while now with no success.
Three boxes. Networked via a hub, which is working peachy. First box is on the cable modem (eth1), and has Bastille-Firewall running. Internet connection sharing works fine with the other two computers (via eth0).
Second box is behind the firewall, and is my primary machine. I wanna run gtk-gnutella, which uses port 6346, so the idea is that I want to forward that port from the firewall box. (gtk-gnutella will work without this, but it works a lot better if that port's open)
I've run InteractiveBastille a dozen times, tried various things to get it to work - listed 6346 among the public and internal interfaces. I ran the following two commands to set up a forwarding policy:
iptables -A FORWARD -i eth1 -d 192.168.0.0/24 -s 0.0.0.0/32 -p tcp --dport 6346 -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.0.0/24 -s 0.0.0.0/32 -p udp --dport 6346 -j ACCEPT
After all this, iptables -L shows:
Chain FORWARD
ACCEPT tcp -- 0.0.0.0 192.168.0.0/24 tcp dpt:gnutella-svc
ACCEPT udp -- 0.0.0.0 192.168.0.0/24 udp dpt:gnutella-svc
Chain INT_IN
ACCEPT tcp -- anywhere anywhere tcp dpt:gnutella-svc
ACCEPT udp -- anywhere anywhere udp dpt:gnutella-svc
Chain PUB_IN
ACCEPT tcp -- anywhere anywhere tcp dpt:gnutella-svc
ACCEPT udp -- anywhere anywhere udp dpt:gnutella-svc
Gtk-gnutella still thinks it's firewalled though. Is it wrong? Am I wrong?
Any help appreciated!
pcghost
01-10-2003, 12:41 PM
I am no expert on iptables, but I am doing some similar port forwarding. I was told that for this purpose you should use DNAT (destination NAT) in the Postrouting chain to forward the port you need. I may be wrong, but if so, hopefully someone will correct me.
neondog
01-10-2003, 01:37 PM
Might be SNAT instead. Here is the difference.
The SNAT target is used to do Source Network Address Translation, which means that this target will rewrite the Source IP address in the IP header of the packet. For example, this is good when we want several computers to share an internet connection. We could then turn on ip forwarding in the kernel, and then set an SNAT rule which would translate all packets from our local network to the source IP of our own internet connection. Without doing this, the outside world would not know where to send reply packets, since our local networks should use the IANA specified IP addresses which are allocated for LAN networks. If we forwarded these packets as is, no one on the internet would know that they were actually from us. The SNAT target does all the translation needed to do this kind of work, letting all packets leaving our LAN look as if they came from a single host, which would be our firewall.
The SNAT target is only valid within the nat table, within the POSTROUTING chain. This is in other words the only place that you may do SNAT in. If the first packet in a connection is mangled in this fashion, then all future packets in the same connection will also be SNAT'ed and, also, no further processing of rules in the POSTROUTING chain will be commenced on the packets in the same stream.
Here is DNAT...
The DNAT target is used to do Destination Network Address Translation, which means that it is used to rewrite the Destination IP address of a packet. If a packet is matched, and this is the target of the rule, the packet, and all subsequent packets in the same stream, will be translated and then routed on to the correct device, host or network. This target can be extremely useful, for example, when you have a host running your webserver inside a LAN, but no real IP to give it that will work on the internet. You could then tell the firewall to forward all packets going to its own HTTP port on to the real webserver within the LAN. We may also specify a whole range of destination IP addresses, and the DNAT mechanism will choose the destination IP address at random for each stream. Hence, we will be able to deal with a kind of load balancing by doing this.
Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table, and any of the chains called upon from any of those listed chains. Note that chains containing DNAT targets may not be used from any other chains, such as the POSTROUTING chain.
These are bogarted from some tutorial I found on iptables.
wapcaplet
01-10-2003, 01:56 PM
I'm pretty sure it's not the Source NAT that I am having trouble with... gtk-gnutella uses port 6346 to allow the outside world to connect to me. From what I can tell, my firewall is allowing all outbound traffic, but inbound stuff is restricted (which makes good sense).
When I posted about this problem, I had a firewall running on both machines (the real firewall, and the main computer I'm running gnutella on). I've since re-installed Mandrake on the main computer, without a firewall, and the problem still exists, so at least I know it's not an issue of the second firewall interfering. Just gotta get the real firewall configured right!
After some further reading, I'm understanding that the INT_IN list shows internal-interface stuff that's allowed in; PUB_IN is what allows public interfaces in. So it's probably the FORWARD section I need to be looking at - since it looks like port 6346 is allowed in, but it's not being forwarded to the right machine.
I will keep at it and hopefully figure it out... Thanks for the tips!
neondog
01-10-2003, 07:19 PM
I've run into problems using automatic firewall scripting tools in the past. Best to write your own scripts.
wapcaplet
01-10-2003, 08:15 PM
I would have to agree - I should definitely write my own, but since I'm pretty new at this, I figured I'd rely on the security of one written by someone that knows what they're doing, at least for now :)
jumpedintothefire
01-11-2003, 10:27 AM
It's been a while since I played with Bastille-Firewall....
What does iptables -t nat -L PREROUTING give you?
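For reference, the DNAT-based forward neondog describes, installed in the nat/PREROUTING chain jumpedintothefire asks about, as an added example script (not from any poster or from Bastille). It assumes eth1 is the cable-modem side, eth0 the LAN side, and 192.168.0.2 is the box running gtk-gnutella; it prints the rules by default and only applies them when run as root with IPTABLES=iptables.

```shell
#!/bin/sh
# Added example (not from the thread): forward TCP/UDP 6346 arriving on the
# public interface to one LAN host with DNAT in nat/PREROUTING, plus a narrow
# FORWARD accept.  IPTABLES defaults to "echo iptables" so the script just
# prints what it would run; set IPTABLES=iptables (as root) to apply it.
# Interface names, the LAN host and the port are assumptions from the thread.
IPTABLES="${IPTABLES:-echo iptables}"

port_forward_rules() {
    pub_if="$1"    # public interface (eth1 in the thread)
    lan_if="$2"    # internal interface (eth0)
    lan_host="$3"  # the single LAN box that should receive the port
    port="$4"

    for proto in tcp udp; do
        # 1) Rewrite the destination *before* routing, so the kernel routes the
        #    packet on to the LAN host instead of delivering it to the firewall.
        $IPTABLES -t nat -A PREROUTING -i "$pub_if" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$lan_host:$port"
        # 2) Let exactly that traffic through FORWARD: only from the public
        #    interface, only to this one host and port.  No -s filter; the
        #    thread's "-s 0.0.0.0/32" matches only a source of exactly 0.0.0.0.
        $IPTABLES -A FORWARD -i "$pub_if" -o "$lan_if" -d "$lan_host" \
            -p "$proto" --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    # 3) Replies from the LAN host back out; conntrack reverses the DNAT itself.
    $IPTABLES -A FORWARD -i "$lan_if" -o "$pub_if" -s "$lan_host" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of rules the setup above installs (2 DNAT + 2 FORWARD + 1 reply rule).
count_rules() { port_forward_rules "$@" | grep -c '^iptables'; }

port_forward_rules eth1 eth0 192.168.0.2 6346
```

Afterwards `iptables -t nat -L PREROUTING -n` should list the two DNAT rules, and `iptables -L FORWARD -n` the three accepts; if ip forwarding were not already on (it is here, since connection sharing works), nothing would pass FORWARD at all.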