Quote:
Originally Posted by tshikose
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 1433 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
Thanks, Tshimanga. I tried what you said, which would work, but I did some more research and realised that MS-SQL 2008 now uses Dynamic Ports for TCP connections (Well my SQL server was - DOH!). I changed this to static port 1433 and my forward rule now works! All's well that ends well.
Thanks again.
Cheers, Smuff
#eth0 DMZ
#eth1 Private
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 8080 -j ACCEPT
-A INPUT -p udp -m udp -m state -i eth1 --dport 123 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp -m state -s <PrivateNetworkIP>/24 -d <ProxyPrivateIP> --dport 53 --sport 1024:65535 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/sec -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -p udp -m udp -m state -o eth1 --sport 123 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -s <ProxyPrivateIP>/32 -o eth1 --dport 1024:65535 --sport 10000 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -s <ProxyPrivateIP>/32 -o eth1 --dport 1024:65535 --sport 22 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -o eth1 --dport 1024:65535 --sport 8080 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp -d <PrivateNetworkIP>/24 -o eth1 --dport 1024:65535 --sport 53 -j ACCEPT
# Now works after configuring SQL Server to use a static TCP port (1433) instead of a dynamic one.
# (Comment kept on its own line: iptables-restore does not accept a trailing "#..." on a rule line.)
-A FORWARD -p tcp -m tcp -d <SQL_Internal_IP> --dport 1433 -j ACCEPT
-A FORWARD -s <PrivateNetworkIP>/24 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination <ProxyPrivateIP>:8080
-A POSTROUTING -o eth0 -j SNAT --to-source <Proxy DMZ IP>
# This REDIRECT is never reached: the DNAT rule above already matches every TCP/80 packet arriving on eth1.
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 8080
COMMIT
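The root cause of the "forward rule does not work" problem above is worth seeing on the wire. A SQL Server named instance defaults to a dynamic TCP port, and clients discover it by asking the SQL Server Browser service over UDP 1434 (the SSRP protocol), so a firewall that only passes TCP 1433 never sees the real connection. The script below is an added example, not part of the original post: it builds the SSRP request, parses the reply into instances and ports, flags ports in the Windows dynamic range (49152 and up), and prints the FORWARD rule in the same form as the ruleset above. The wire format follows the MS-SSRP specification; the reply it parses is a constructed sample, not a capture, and `forward_rule`, `audit` and the `<SQL_Internal_IP>` placeholder are illustrative. `query_browser` needs network access to a real SQL Browser and is not exercised by the sample.

```python
"""Find the TCP port a SQL Server instance is really listening on (SSRP, UDP 1434).

Wire format per MS-SSRP:
  request  CLNT_UCAST_EX   = 0x03                      (list all instances)
  request  CLNT_UCAST_INST = 0x04 + instance name + 0x00 (one instance)
  response SVR_RESP = 0x05, 2-byte little-endian length, then ASCII
           "key;value;..." pairs; each instance record ends with ";;".
"""
import socket
import struct

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"
CLNT_UCAST_INST = b"\x04"
SVR_RESP = 0x05
# Windows Vista / Server 2008 and later allocate dynamic ports from 49152 upward.
DYNAMIC_PORT_START = 49152


def build_request(instance=None):
    """SSRP request: enumerate all instances, or ask about one by name."""
    if instance is None:
        return CLNT_UCAST_EX
    return CLNT_UCAST_INST + instance.encode("ascii") + b"\x00"


def parse_response(data):
    """Decode an SVR_RESP packet into a list of {key: value} dicts, one per instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):          # ";;" terminates each instance record
        if not record:
            continue
        fields = record.split(";")
        if len(fields) % 2:
            raise ValueError("odd number of fields in instance record")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_port(instance):
    """TCP port of an instance, or None if TCP is not enabled (e.g. named pipes only)."""
    port = instance.get("tcp")
    return int(port) if port else None


def is_dynamic_port(port):
    """True if the port lies in the Windows ephemeral range and may change on restart."""
    return port is not None and port >= DYNAMIC_PORT_START


def forward_rule(sql_ip, port):
    """Hypothetical helper: the FORWARD rule in the same form as the posted ruleset."""
    return f"-A FORWARD -p tcp -m tcp -d {sql_ip} --dport {port} -j ACCEPT"


def query_browser(host, instance=None, timeout=2.0):
    """Ask a live SQL Server Browser (needs network access; not used by the sample)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(instance), (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_response(data)


# Constructed sample reply (not captured from a real server): a default instance
# pinned to 1433 and a named instance still sitting on a dynamic port.
SAMPLE_BODY = (b"ServerName;SQLHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
               b"Version;10.0.1600.22;tcp;1433;;"
               b"ServerName;SQLHOST;InstanceName;SQLEXPRESS;IsClustered;No;"
               b"Version;10.0.1600.22;tcp;49153;;")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY


def audit(response=SAMPLE_RESPONSE, sql_ip="<SQL_Internal_IP>"):
    """(instance name, port, is_dynamic, needed rule) for every TCP-enabled instance."""
    findings = []
    for inst in parse_response(response):
        port = tcp_port(inst)
        if port is None:
            continue
        findings.append((inst["InstanceName"], port, is_dynamic_port(port),
                         forward_rule(sql_ip, port)))
    return findings


if __name__ == "__main__":
    for name, port, dynamic, rule in audit():
        note = ("DYNAMIC: changes on restart; pin it, or also allow UDP 1434 "
                "and the ephemeral range") if dynamic else "static"
        print(f"{name}: tcp/{port} ({note})\n    {rule}")
```

The point the sample makes: a rule for TCP 1433 covers the default instance only, while the SQLEXPRESS instance would need its current dynamic port plus UDP 1434 for discovery, and that port can move after a service restart. Pinning the instance to a static port, as the post describes, is the simpler and more auditable fix.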