LinuxQuestions.org
Old 04-18-2012, 03:12 PM   #1
v1sper
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Rep: Reputation: Disabled
SQL Communication over an iptables firewall


Hi guys.

I'm trying to forward ports on my network for an application that uses SQL to communicate with a server on the internet.
http://support.microsoft.com/kb/287932

So far I'm not having much success, I'd appreciate any help.

My rules so far:

Code:
fw="/sbin/iptables"

# Let the firewall forward TCP packets addressed to ports 1024-5000
$fw -A FORWARD -p tcp -m multiport --dports 1024:5000 -j ACCEPT

# Rewrite the destination of inbound TCP packets to ports 1024-5000 to the LAN client
$fw -t nat -A PREROUTING -p tcp -m multiport --dports 1024:5000 -j DNAT --to-destination 192.168.0.5
# Same, but matched on the SOURCE port 1024-5000: since remote hosts normally pick
# their source port from that range, this catches almost every inbound connection
$fw -t nat -A PREROUTING -p tcp -m multiport --sports 1024:5000 -j DNAT --to-destination 192.168.0.5
AFAIK this should allow forwarding for the specified ports, and also forward all traffic on those ports to 192.168.0.5 (which is my client machine inside the LAN that runs the application).
So far, it's not working. What am I doing wrong?
 
Old 04-18-2012, 04:02 PM   #2
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,629

Rep: Reputation: Disabled
To just clear my doubt, do you want to forward the SQL port from outside your network to the system inside your network? If that is so, can you just do a forwarding rule that will forward only the SQL port from outside to the system on specific SQL port? Check if this works.
 
Old 04-18-2012, 04:13 PM   #3
v1sper
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Yes, you're correct, but how would I do that exactly? Is that not what I'm doing in my rules above? I'm by no means an expert on iptables.
 
Old 04-18-2012, 04:46 PM   #4
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
Hi,

you have a lot of links and how-tos already at the LQ forum, posted here

also you can look here (a quick example how-to)
or maybe here
to get examples.

As I understand it, you have a server with a firewall which then distributes traffic to local network servers (web, mail...)?
 
Old 04-18-2012, 05:10 PM   #5
v1sper
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks for your links, I will go read them.

My scenario is as follows:
http://i.imgur.com/lFVm8.png

1. App on Client PC (inside my LAN) sends a request on port 1433 to an SQL server on the Internet.
2. SQL Server on the internet acknowledges the transmission and wants to establish a link, sends reply on random port 1024 - 5000.
3. Traffic on ports 1024 - 5000 gets as far as my firewall, and then gets discarded.

I want to forward that traffic (3.) to my client computer inside my LAN (192.168.0.5).

I'm running with the rule
Code:
# Accept forwarded packets that belong to (or are related to) a connection
# that connection tracking has already seen
$fw -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
but it doesn't seem to work in this case.

Last edited by v1sper; 04-18-2012 at 05:12 PM.
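The scenario in this post is the standard case for connection tracking: the client opens the connection to the server's port 1433, and the firewall only has to let the server's answers to that connection back through, whatever ports they use. The script below is an added example, not code from the thread or from any of its participants; it builds the rule set for exactly this with conntrack state doing the work, instead of forwarding TCP 1024-5000 from the Internet to the client. Names it assumes that the thread does not give: WAN interface eth0, LAN interface eth1, LAN 192.168.0.0/24 and the SQL server address 203.0.113.10 (a documentation placeholder). Only the client address 192.168.0.5 comes from the thread. By default the script only prints the rules; set IPT=/sbin/iptables to apply them (IP forwarding itself is enabled with sysctl -w net.ipv4.ip_forward=1).

```shell
#!/bin/sh
# Added example (not from the thread): stateful forwarding for one LAN client
# talking to one SQL Server on the Internet. Assumed, not given in the thread:
# WAN_IF, LAN_IF, LAN_NET and SQL_SERVER (placeholder address). Set
# IPT=/sbin/iptables to apply; by default the rules are only printed.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="192.168.0.0/24"
SQL_CLIENT="192.168.0.5"           # the only address taken from the thread
SQL_SERVER="203.0.113.10"          # placeholder (TEST-NET-3); replace it

sql_forward_rules() {
    # Default: nothing crosses the firewall unless a rule below allows it, so
    # unsolicited Internet packets to ports 1024-5000 never reach the client.
    $IPT -P FORWARD DROP

    # Replies (and related packets) of connections conntrack already knows are
    # accepted whatever ports they use: this is the rule that carries the
    # server's answers back to the client.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Only the one client may open new connections, and only to the SQL port
    # on the one server (least privilege applied to outbound traffic as well).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$SQL_CLIENT" -d "$SQL_SERVER" \
        -p tcp --dport 1433 -m state --state NEW -j ACCEPT

    # Source NAT for the LAN: the server sees the firewall's public address and
    # replies to it; conntrack rewrites the destination back to the client.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

sql_forward_rules
```

Note what is missing from the generated rules: there is no DNAT and no ACCEPT for ports 1024-5000 at all. The RELATED,ESTABLISHED rule only works if the outbound connection passed through the firewall and was source-NATed there, which is what the POSTROUTING rule provides; without that NAT, the server's replies are addressed to a private address and never arrive.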
 
Old 04-19-2012, 02:47 AM   #6
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
I'm sorry but I don't know how to do it either.

I hope someone here at LQ can help.
 
Old 04-19-2012, 03:37 AM   #7
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
If you can't stand up a VPN of some sort (which would be most elegant), the only way I see is to forward all incoming traffic from the internet-based SQL server to the client via firewall forwarding rules. Of course that won't work if you have more than one client NATed (the VPN would still work).

Last edited by Tinkster; 04-19-2012 at 03:39 AM.
 
Old 04-19-2012, 03:40 AM   #8
v1sper
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks for your replies so far. The posts you linked, Lithos, didn't help me too much.

Tinkster: I only have one client inside the LAN which uses the software that needs to communicate on those ports, but several other machines.
Is there really no way to make this work with port forwarding?
 
Old 04-19-2012, 03:44 AM   #9
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
I don't think so; you could examine the incoming packets (save them with tcpdump) and see whether they're an ACK or something else that could be used to flag them as related ....
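The check suggested above can be made mechanical. The script below is an added example, not part of the thread: it reads tcpdump's text output and labels each packet by its TCP flags, so that what arrives on the 1024-5000 ports can be sorted into replies to a connection the client opened (ACK bit set, the packets conntrack would class as ESTABLISHED) and bare SYNs, i.e. inbound connection attempts that a stateful FORWARD rule should drop. The capture lines it contains are constructed, and the addresses in them are documentation placeholders; on a real firewall run `tcpdump -n -i <wan-interface> tcp > capture.txt` and feed the file to classify_inbound.

```shell
#!/bin/sh
# Added example, not from the thread: classify captured TCP packets by their
# flags. Input is tcpdump's text output; the sample below is constructed.

sample_capture() {
    # Constructed lines in the format of: tcpdump -n -i eth0 tcp
    cat <<'EOF'
12:00:01.000100 IP 203.0.113.10.1433 > 198.51.100.7.3120: Flags [S.], seq 100, ack 1, win 8192, length 0
12:00:01.000250 IP 203.0.113.10.1433 > 198.51.100.7.3120: Flags [P.], seq 101:160, ack 60, win 8192, length 59
12:00:01.000300 IP 203.0.113.10.1433 > 198.51.100.7.3120: Flags [.], ack 120, win 8192, length 0
12:00:02.004000 IP 203.0.113.10.40001 > 198.51.100.7.3121: Flags [S], seq 5, win 65535, length 0
EOF
}

classify_inbound() {
    # stdin: tcpdump lines; stdout: "<verdict> <src> > <dst> flags=[<flags>]"
    # tcpdump prints the ACK bit as "." inside the Flags brackets.
    awk '
    match($0, /Flags \[[A-Za-z.]*]/) {
        flags = substr($0, RSTART + 7, RLENGTH - 8)
        src = $3; dst = $5; sub(/:$/, "", dst)
        if (index(flags, ".") > 0)      verdict = "ESTABLISHED"  # ACK set: answers a conversation already in progress
        else if (index(flags, "S") > 0) verdict = "NEW"          # bare SYN: a new inbound connection attempt
        else                            verdict = "OTHER"
        printf "%s %s > %s flags=[%s]\n", verdict, src, dst, flags
    }'
}

# Number of inbound connection attempts in a capture; anything above zero
# on the 1024-5000 range is traffic the client never asked for.
count_new_inbound() {
    classify_inbound | awk '/^NEW / { n++ } END { print n + 0 }'
}

sample_capture | classify_inbound
```

In the constructed sample, the three packets from port 1433 to the client's port 3120 all carry ACK and are the server's side of the connection the client opened; the fourth, a bare SYN from port 40001 to port 3121, is a connection attempt from outside and is the kind of packet a FORWARD policy of DROP is there to stop.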
 
Old 04-19-2012, 03:47 AM   #10
v1sper
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Single port forwarding works. What if I create a script that creates 4000 single port forwarding rules..?

Edit: Or what about redirecting any incoming traffic on port 1024:5000 to one port internally?

Last edited by v1sper; 04-19-2012 at 03:49 AM.
 
Old 04-19-2012, 01:22 PM   #11
v1sper
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Still haven't got this working; any advice or tips anyone can give are greatly appreciated!

Just tried this, but I'm stumbling in the dark right now..

Code:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0 DNAT       tcp  --  *      *       server-ip       my-internet-ip          tcp dpts:1024:5000 to:192.168.0.5:1024-5000
    0     0 DNAT       tcp  --  *      *       server-ip       my-internet-ip          tcp dpt:1433 to:192.168.0.5:1433
 
Old 04-19-2012, 02:46 PM   #12
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Quote:
Originally Posted by v1sper
Single port forwarding works. What if I create a script that creates 4000 single port forwarding rules..?

Edit: Or what about redirecting any incoming traffic on port 1024:5000 to one port internally?
That's what I suggested above ...
 