LinuxQuestions.org

Thread: https://www.linuxquestions.org/questions/linux-newbie-8/iptables-config-to-allow-external-clients-to-connect-to-internal-ms-sql-server-944187/

Smuff 05-10-2012 03:56 AM

IPTables config to allow external clients to connect to internal MS SQL server
 
Firstly, thanks to everyone for having a look at this, my first post! I have read many forums and learnt a lot; I just haven't learnt enough yet, obviously, so I hope some Linux guns out there can help?

I have been stuck for too many days (yes, days), and being new to Linux and iptables I am having trouble allowing our external clients and our web server in the DMZ to connect to the internal MS SQL server. Basically, I only want to allow incoming access to MS SQL (port 1433) into my private network.

If I enable forwarding on the incoming eth0 it works (obvious to some, I guess), but this lets everything in.

I have read a number of threads about PREROUTING DNAT 1433 but I have tried a lot and still very stuck.

I have posted the iptables config below to assist, and I was also hoping that this would allow for comments and recommendations on fixing security holes, remembering that this iptables box is the firewall between the DMZ and the private network.

Can someone please tell me what do I need to put in iptables to allow DMZ traffic into the MS SQL Server (port 1433) on the private LAN?

Thanks in advance.


#eth0 DMZ
#eth1 Private

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 8080 -j ACCEPT
-A INPUT -p udp -m udp -m state -i eth1 --dport 123 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp -m state -s <PrivateNetworkIP>/24 -d <ProxyPrivateIP> --dport 53 --sport 1024:65535 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/sec -j LOG --log-prefix "iptables denied: " --log-level 7
-A FORWARD -s <DMZ WEB SERVER IP> -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -p udp -m udp -m state -o eth1 --sport 123 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -s <ProxyPrivateIP>/32 -o eth1 --dport 1024:65535 --sport 10000 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -s <ProxyPrivateIP>/32 -o eth1 --dport 1024:65535 --sport 22 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -o eth1 --dport 1024:65535 --sport 8080 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp -d <PrivateNetworkIP>/24 -o eth1 --dport 1024:65535 --sport 53 -j ACCEPT
-A FORWARD -s <PrivateNetworkIP>/24 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination <ProxyPrivateIP>:8080
-A POSTROUTING -o eth0 -j SNAT --to-source <Proxy DMZ IP>
# The DNAT rule above already matches eth1 port 80 and is terminating, so this REDIRECT is never reached
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 8080
# iptables-restore requires a COMMIT to close each table
COMMIT

tshikose 05-11-2012 03:33 AM

-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 1433 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT

Smuff 05-11-2012 07:41 AM

Thanks. I will give that a try, I thought I had tried that string before but might have had it wrong.

Smuff 05-14-2012 11:41 PM

SQL dynamic TCP ports were the problem...
 
Quote:

Originally Posted by tshikose (Post 4675751)
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 1433 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT

Thanks, Tshimanga. I tried what you said, which would work, but I did some more research and realised that MS SQL 2008 now uses dynamic ports for TCP connections (well, my SQL server was - DOH!). I changed this to static port 1433 and my forward rule now works! All's well that ends well.

Thanks again.

Cheers, Smuff

#eth0 DMZ
#eth1 Private

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 8080 -j ACCEPT
-A INPUT -p udp -m udp -m state -i eth1 --dport 123 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp -m state -s <PrivateNetworkIP>/24 -d <ProxyPrivateIP> --dport 53 --sport 1024:65535 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/sec -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -p udp -m udp -m state -o eth1 --sport 123 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -s <ProxyPrivateIP>/32 -o eth1 --dport 1024:65535 --sport 10000 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -s <ProxyPrivateIP>/32 -o eth1 --dport 1024:65535 --sport 22 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -o eth1 --dport 1024:65535 --sport 8080 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp -d <PrivateNetworkIP>/24 -o eth1 --dport 1024:65535 --sport 53 -j ACCEPT
# Now works after configuring SQL to use a static TCP port!!! (comment kept on its own line; iptables-restore does not accept trailing comments on a rule)
-A FORWARD -p tcp -m tcp -d <SQL_Internal_IP> --dport 1433 -j ACCEPT
-A FORWARD -s <PrivateNetworkIP>/24 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination <ProxyPrivateIP>:8080
-A POSTROUTING -o eth0 -j SNAT --to-source <Proxy DMZ IP>
# The DNAT rule above already matches eth1 port 80 and is terminating, so this REDIRECT is never reached
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 8080
# iptables-restore requires a COMMIT to close each table
COMMIT
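
The following is an added example, not code from this thread or from any of its posters. It is a small Python evaluator for the FORWARD chain of an iptables-save dump, written so that a ruleset like the ones above can be checked offline before it is loaded with iptables-restore. It covers both the original question (which FORWARD rule lets DMZ traffic reach the internal SQL server on 1433) and Smuff's finding that a dynamic SQL port never matches a rule written for 1433. The addresses 10.1.0.10, 192.168.1.20 and 192.168.1.0/24 are constructed stand-ins for the <DMZ WEB SERVER IP>, <SQL_Internal_IP> and <PrivateNetworkIP> placeholders, and TIGHT_RULES is a variant added here (source and interface restricted to the DMZ web server on eth0) that nobody in the thread posted. Only the match options the thread's rules actually use are understood.

```python
"""Offline evaluator for the FORWARD chain of an iptables-save dump; understands only
the match options used in the thread (-i, -o, -s, -d, -p, --dport, --sport, -m state)."""
import ipaddress
import shlex

# Constructed sample addresses standing in for the thread's <...> placeholders.
DMZ_WEB = "10.1.0.10"           # <DMZ WEB SERVER IP>
SQL_INTERNAL = "192.168.1.20"   # <SQL_Internal_IP>
PRIVATE_NET = "192.168.1.0/24"  # <PrivateNetworkIP>/24

# Smuff's final FORWARD chain (filter table only), trailing comment removed.
FINAL_RULES = f"""*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp -d {SQL_INTERNAL} --dport 1433 -j ACCEPT
-A FORWARD -s {PRIVATE_NET} -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

# Tighter variant (added here, not posted in the thread): only the DMZ web
# server, arriving on eth0, may open new connections to the SQL port.
TIGHT_RULES = f"""*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp -i eth0 -s {DMZ_WEB} -d {SQL_INTERNAL} --dport 1433 -m state --state NEW -j ACCEPT
-A FORWARD -s {PRIVATE_NET} -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

OPTS = ("-i", "-o", "-s", "-d", "-p", "--dport", "--sport", "--state", "-j")

def parse_forward(dump):
    """Return (default policy, list of rule dicts) for FORWARD in the *filter table."""
    policy, rules, in_filter = "ACCEPT", [], False
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or full-line comment
        if line.startswith("*"):
            in_filter = line == "*filter"  # table header
            continue
        if not in_filter:
            continue
        if line.startswith(":FORWARD"):
            policy = line.split()[1]       # chain default policy
            continue
        toks = shlex.split(line)
        if toks[:2] != ["-A", "FORWARD"]:
            continue
        rule, i = {}, 2
        while i < len(toks):
            if toks[i] == "-m":
                i += 2                     # module name carries no condition itself
            elif toks[i] in OPTS:
                rule[toks[i]] = toks[i + 1]
                i += 2
            else:
                raise ValueError(f"unsupported option {toks[i]!r} in: {line}")
        rules.append(rule)
    return policy, rules

def matches(rule, pkt):
    """True when every condition in the rule holds for the packet dict."""
    for opt, key in (("-i", "in"), ("-o", "out"), ("-p", "proto")):
        if opt in rule and rule[opt] != pkt[key]:
            return False
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[key]) not in \
                ipaddress.ip_network(rule[opt], strict=False):
            return False
    for opt, key in (("--dport", "dport"), ("--sport", "sport")):
        if opt in rule:
            lo, _, hi = rule[opt].partition(":")  # single port or lo:hi range
            if not int(lo) <= pkt[key] <= int(hi or lo):
                return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    return True

def forward_verdict(dump, pkt):
    """Walk the FORWARD chain in order; the first matching rule's target wins."""
    policy, rules = parse_forward(dump)
    for rule in rules:
        if matches(rule, pkt):
            return rule["-j"]
    return policy

def dmz_to_sql(src, dport, state="NEW"):
    """Constructed packet: a DMZ host talking to the internal SQL server, eth0 -> eth1."""
    return {"in": "eth0", "out": "eth1", "proto": "tcp", "src": src,
            "dst": SQL_INTERNAL, "sport": 50000, "dport": dport, "state": state}

if __name__ == "__main__":
    print(forward_verdict(FINAL_RULES, dmz_to_sql(DMZ_WEB, 1433)))      # ACCEPT
    print(forward_verdict(FINAL_RULES, dmz_to_sql(DMZ_WEB, 49152)))     # DROP (dynamic port)
    print(forward_verdict(FINAL_RULES, dmz_to_sql("10.1.0.99", 1433)))  # ACCEPT (any DMZ host)
```

Two things the walk-through makes visible: a connection to a dynamically assigned SQL port falls through to the final DROP, which is exactly the failure Smuff hit until the instance was pinned to 1433, and the posted rule accepts port 1433 from any source on any interface, so every DMZ host, not just the web server, can open a session to the database. The TIGHT_RULES variant drops the second case while still letting replies back through the RELATED,ESTABLISHED rule.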

tshikose 05-15-2012 04:21 AM

Hi Smuff,

I am glad to have been helpful.
Just tick on my reputation.

