From: Jeff Weber <jweber@amsuper.com>
To: netfilter@lists.netfilter.org
Subject: DNAT rule requires extra firewall pinhole
Date: Fri, 25 May 2007 17:17:27 -0500
Message-ID: <200705251717.27252.jweber@amsuper.com>
I've set up DNAT on the gateway such that external clients connecting to TCP port
$SCADA_PORT on the gateway are actually connected to the node $MCB_IP on a
private network. Here's my rule:
$IPTABLES -t nat -A PREROUTING -p tcp -d $DAS_SCADA_IP --dport $SCADA_PORT \
-i $DAS_SCADA_IF -j DNAT --to $MCB_IP:$SCADA_PORT
The gateway knows how to forward packets between the internal and external
interfaces. The above rule works fine.
I've added a firewall rule to block external requests to forward through the
gateway:
$IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF --syn -j DROP
The trouble is, I just found out that the above firewall rule is not
compatible with my DNAT rule. That is, DNAT rewrites the destination IP [as
it should] to the $MCB_IP, then forwards the packet, which then encounters
the new firewall rule, and is dropped.
So I preceded the above firewall rule with another rule:
$IPTABLES -A FORWARD -p tcp -i $DAS_SCADA_IF -s $SCADANET -d $MCB_IP \
--dport $SCADA_PORT -j ACCEPT
which enables the DNAT to work again. However, a side effect is that now
external nodes on $SCADANET can forward port=$SCADA_PORT to IP=$MCB_IP
directly through the firewall. Granted, this is a small pinhole, but I'd like
to plug it if possible. I would think that it should be possible to prevent
all external nodes from forwarding through the firewall, and to prevent
external hosts from directly "seeing" an internal node on the private net.
Any suggestions?
TIA,
Jeff
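An added example, not part of Jeff's post or any reply in the thread: the poster's rule set as written beside a tightened version whose FORWARD ACCEPT admits only connections that the PREROUTING rule actually translated. It keeps the post's variable names, uses constructed placeholder addresses, and assumes an iptables build with the conntrack match (xt_conntrack); IPTABLES defaults to a dry run that prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread). Variable names follow the post;
# the addresses below are constructed placeholders. Assumes iptables
# with the xt_conntrack match. IPTABLES defaults to a dry run that echoes
# the commands; set IPTABLES=iptables on the gateway to load them.
IPTABLES="${IPTABLES:-echo iptables}"
DAS_SCADA_IF="${DAS_SCADA_IF:-eth0}"
DAS_SCADA_IP="${DAS_SCADA_IP:-203.0.113.10}"   # gateway external address
SCADANET="${SCADANET:-203.0.113.0/24}"         # external SCADA network
MCB_IP="${MCB_IP:-192.168.10.5}"               # internal node
SCADA_PORT="${SCADA_PORT:-20000}"

# The pinhole variant from the post: a $SCADANET host that can route a
# packet straight to $MCB_IP is accepted just like a DNATed one.
pinhole_rules() {
    $IPTABLES -t nat -A PREROUTING -p tcp -i "$DAS_SCADA_IF" -d "$DAS_SCADA_IP" \
        --dport "$SCADA_PORT" -j DNAT --to-destination "$MCB_IP:$SCADA_PORT"
    $IPTABLES -A FORWARD -p tcp -i "$DAS_SCADA_IF" -s "$SCADANET" -d "$MCB_IP" \
        --dport "$SCADA_PORT" -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -i "$DAS_SCADA_IF" --syn -j DROP
}

# Tightened variant: the ACCEPT additionally requires conntrack state
# DNAT, which only connections rewritten by the PREROUTING rule carry,
# and checks that the pre-NAT destination was the gateway's own address.
# A SYN addressed directly to $MCB_IP never matches and hits the DROP.
strict_rules() {
    $IPTABLES -t nat -A PREROUTING -p tcp -i "$DAS_SCADA_IF" -d "$DAS_SCADA_IP" \
        --dport "$SCADA_PORT" -j DNAT --to-destination "$MCB_IP:$SCADA_PORT"
    $IPTABLES -A FORWARD -p tcp -i "$DAS_SCADA_IF" -s "$SCADANET" -d "$MCB_IP" \
        --dport "$SCADA_PORT" -m conntrack --ctstate DNAT \
        --ctorigdst "$DAS_SCADA_IP" -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -i "$DAS_SCADA_IF" --syn -j DROP
}

strict_rules
```

Run it without IPTABLES set to review the three generated commands before loading them on the gateway.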