LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-26-2010, 07:21 AM   #1
sevillo
LQ Newbie
 
Registered: Nov 2007
Location: Valencia
Distribution: Slackware
Posts: 6

Rep: Reputation: 0
iptables requirement


Hi there.

I have a gateway with iptables running great, no problem at all.

iptables has every rule set correctly and the users in the subnet work great, but I have the following issue.

Every user connects to a MySQL server running on the internet through port 3306; the forward and masquerade rules do the job. Now I have a user on the outside, and he wants to connect to a MySQL server on a certain machine (not the gateway). PREROUTING rules solve my problem, but all the packets from the inside users now go to that certain machine.

I would like something like: if the packet passed through masquerade, it doesn't pass through the PREROUTING rule, and if it comes from the outside (not a packet that is a reply to a request from the inside), it passes through the PREROUTING rule.

Can anyone give me an idea?

Thanks anyway.
 
Old 11-26-2010, 11:31 AM   #2
JFNash
LQ Newbie
 
Registered: Nov 2010
Posts: 5

Rep: Reputation: 1
Did you specify the source of the packets (through the -i option) to port forward the requests sent to the internal MySQL database server (DMZ database server)? It would have helped a lot had you posted your current rules so we could look at them.

In your particular situation, you probably will need to do something along these lines:

Quote:
iptables -t nat -A PREROUTING -i <Public-Interface> -p tcp --source <DMZ-MYSQL-Server-User-IP> --dport 3306 -d <MYSQL-Server-Public-IP> -j DNAT --to-destination <DMZ-MYSQL-Server-IP>

iptables -A FORWARD -p tcp --dport 3306 -j ACCEPT
The key thing in your issue is the port forwarding. You'll need to port forward the requests coming from that particular user of the MySQL server that resides in the DMZ to the right destination. Then you'll need to allow the internal users to access the MySQL server (both the one that resides in the DMZ and the other one that is on the edge of the network) WITHOUT rerouting anything.

HTH

Last edited by JFNash; 11-26-2010 at 11:33 AM.
 
Old 11-27-2010, 12:28 PM   #3
sevillo
LQ Newbie
 
Registered: Nov 2007
Location: Valencia
Distribution: Slackware
Posts: 6

Original Poster
Rep: Reputation: 0
Hi JFNash

Thanks a lot for your quick answer.

OK, my summarized iptables rules are:

Code:
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3306 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.1.55:3306
-A POSTROUTING -o eth0 -j MASQUERADE

eth0 is my outside interface, and eth1 my inside interface.

That way I can connect from the outside but not from the inside,

so I read a little and I resolved the problem by adding the following:

Code:
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.1.55:3306
-A POSTROUTING -o eth0 -j MASQUERADE

The problem is solved.

Thanks anyway.
 
Old 11-27-2010, 11:51 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by sevillo
the problem is solved
Are you sure you're going about this the right way? I mean, you did say it was working fine for your LAN computers before, which implies that the rule for port 3306 was enough to keep them happy. Now you've added a rule which allows all packets from LAN to WAN. In other words, you've opened a giant (and completely unnecessary) hole in your firewall. Seems to me that all you were missing was a rule to match packets in state ESTABLISHED, so that the returning packets (for the WAN to LAN connection) wouldn't get filtered, while not having to poke any new holes in your firewall. Also, it wouldn't be a bad idea to make your rules a tad more specific, IMHO.
 
Old 12-01-2010, 08:00 AM   #5
sevillo
LQ Newbie
 
Registered: Nov 2007
Location: Valencia
Distribution: Slackware
Posts: 6

Original Poster
Rep: Reputation: 0
Hi win32sux

OK, I understand your point, thanks. What I wrote was a summary of my iptables rules regarding the gateway; now I'm pasting the full rules minus some other open ports that don't make any difference to the actual thread.

I think it is enough, but if you think it could be improved, please feel free to refute what I'm writing; my wish is to fix the holes.

Thanks anyway,


Code:
# Generated by iptables-save v1.4.2 on Fri Mar 5 19:07:45 2010
*filter
:INPUT DROP [37851:2928547]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [10375893:15440928821]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -s 127.0.0.1/32 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Mar 5 19:07:45 2010
# Generated by iptables-save v1.4.2 on Fri Mar 5 19:07:45 2010
*nat
:PREROUTING ACCEPT [176659:16820666]
:POSTROUTING ACCEPT [12526:4349599]
:OUTPUT ACCEPT [30625:2256645]
-A PREROUTING -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.1.59:3306
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
 
Old 12-01-2010, 08:39 AM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Well, based on what has been posted so far, something like this should do the trick:
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 3306 \
-s 192.168.1.0/24 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 3306 \
-d 192.168.1.59 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 3306 \
-j DNAT --to-destination 192.168.1.59

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This lets all hosts on the LAN connect to port 3306 on the WAN, and it forwards port 3306 on the gateway's WAN side to 192.168.1.59 on the LAN (without having to allow all outbound traffic from LAN to WAN as you're currently doing).
 
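The point win32sux makes in posts #4 and #6 (a blanket "-i eth1 -j ACCEPT" in FORWARD lets every LAN-to-WAN connection through, while a RELATED,ESTABLISHED rule plus two narrow NEW rules covers only the MySQL flows) can be checked offline with a small first-match model of the FORWARD chain. This is an added example, not code from the thread or from the iptables project: the evaluator is a simplified model (no conntrack and no PREROUTING table; packets are written as FORWARD sees them, after DNAT), the chain policy is DROP as in the poster's dump, and all addresses except 192.168.1.59 and 192.168.1.0/24 are constructed from the RFC 5737 documentation ranges.

```python
"""Replay the three FORWARD chains posted in this thread against sample packets.

Simplified model of filter/FORWARD evaluation: rules are tried in order, the
first match decides, and the chain policy (DROP in the poster's dump) applies
when nothing matches. Packets are given as FORWARD sees them, i.e. after
PREROUTING DNAT has already rewritten the destination address.
"""
import ipaddress

RELATED_ESTABLISHED = {"RELATED", "ESTABLISHED"}


def rule(target, **match):
    """One FORWARD rule: a target plus the matches it carries (all must hit)."""
    return {"target": target, "match": match}


def matches(match, pkt):
    """True when every match of the rule holds for the packet."""
    for key, want in match.items():
        if key in ("src", "dst"):          # -s / -d, host or CIDR
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif key == "state":               # -m state --state A,B
            if pkt["state"] not in want:
                return False
        elif pkt.get(key) != want:         # -p, -i, -o, --dport
            return False
    return True


def verdict(chain, pkt, policy="DROP"):
    """First-match evaluation of a chain, falling back to the chain policy."""
    for r in chain:
        if matches(r["match"], pkt):
            return r["target"]
    return policy


# Post #3, first listing: only port 3306 is let through FORWARD.
ORIGINAL = [
    rule("ACCEPT", proto="tcp", dport=3306),
]

# Post #3 second listing / post #5 dump: the blanket "-i eth1 -j ACCEPT" added.
BLANKET = [
    rule("ACCEPT", proto="tcp", dport=3306),
    rule("ACCEPT", in_iface="eth1"),
    rule("ACCEPT", proto="icmp"),
    rule("ACCEPT", src="127.0.0.1/32"),
    rule("ACCEPT", state=RELATED_ESTABLISHED),
]

# Post #6: state-based rules, no interface-only ACCEPT.
STATEFUL = [
    rule("ACCEPT", state=RELATED_ESTABLISHED),
    rule("ACCEPT", proto="tcp", in_iface="eth1", out_iface="eth0",
         dport=3306, src="192.168.1.0/24", state={"NEW"}),
    rule("ACCEPT", proto="tcp", in_iface="eth0", out_iface="eth1",
         dport=3306, dst="192.168.1.59", state={"NEW"}),
]


def packet(in_iface, out_iface, src, dst, dport, state, proto="tcp"):
    return {"in_iface": in_iface, "out_iface": out_iface, "proto": proto,
            "src": src, "dst": dst, "dport": dport, "state": state}


# Constructed sample flows (WAN hosts 203.0.113.10 and 198.51.100.7 are made up).
PACKETS = {
    "lan->wan mysql, NEW": packet("eth1", "eth0", "192.168.1.20", "203.0.113.10", 3306, "NEW"),
    "lan->wan ssh, NEW": packet("eth1", "eth0", "192.168.1.20", "203.0.113.10", 22, "NEW"),
    "wan->lan mysql, NEW (post-DNAT)": packet("eth0", "eth1", "198.51.100.7", "192.168.1.59", 3306, "NEW"),
    "lan->wan mysql reply, ESTABLISHED": packet("eth1", "eth0", "192.168.1.59", "198.51.100.7", 51000, "ESTABLISHED"),
}

INTENDED = ("lan->wan mysql, NEW", "wan->lan mysql, NEW (post-DNAT)",
            "lan->wan mysql reply, ESTABLISHED")


def evaluate(chain):
    """Verdict of one FORWARD chain for every sample packet."""
    return {name: verdict(chain, pkt) for name, pkt in PACKETS.items()}


def unintended_accepts(chain):
    """Sample packets the chain accepts although they are not an intended flow."""
    return sorted(n for n, v in evaluate(chain).items()
                  if v == "ACCEPT" and n not in INTENDED)


if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL), ("blanket", BLANKET), ("stateful", STATEFUL)):
        print(f"== {label} ==")
        for name, v in evaluate(chain).items():
            print(f"  {v:6} {name}")
        print("  unintended:", unintended_accepts(chain))
```

Running it shows the two halves of the diagnosis side by side: the first listing drops the ESTABLISHED reply of the forwarded MySQL session (the rule that was actually missing), the blanket listing fixes that but also accepts an unrelated LAN-to-WAN SSH connection, and the state-based chain accepts exactly the three intended flows and nothing else.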
Old 12-01-2010, 03:30 PM   #7
sevillo
LQ Newbie
 
Registered: Nov 2007
Location: Valencia
Distribution: Slackware
Posts: 6

Original Poster
Rep: Reputation: 0
Hey win32sux

Thanks, it did the trick, very nice.

I haven't tried JFNash's proposal, but I guess it is good too. Anyway, thanks both.
 
  

