LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-10-2012, 04:56 AM   #1
Smuff
LQ Newbie
 
Registered: May 2012
Posts: 3

Rep: Reputation: Disabled
Unhappy IPTables config to allow external clients to connect to internal MS SQL server


Firstly, thanks to everyone for having a look at this, my first post! I have read many forums and learnt a lot, I just haven't learnt enough yet obviously, so I hope some linux guns out there can help?

I have been stuck for too many days (yes, days) and being new to Linux and IPTables I am having trouble allowing our external clients and our web server in the DMZ to connect to the internal MS SQL server. Basically, I only want to allow incoming access to the MS SQL (Port 1433) in to my private network .

If I enable forwarding on the incoming eth0 it works (obvious to some, I guess), but this lets everything in.

I have read a number of threads about PREROUTING DNAT 1433 but I have tried a lot and still very stuck.

I have posted the iptable below to assist and I was also hoping that this would allow for comments and recommendations on fixing security holes, remembering that this iptables is the firewall between the DMZ and the private network.

Can someone please tell me what do I need to put in iptables to allow DMZ traffic into the MS SQL Server (port 1433) on the private LAN?

Thanks in advance.


#eth0 DMZ
#eth1 Private

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 8080 -j ACCEPT
-A INPUT -p udp -m udp -m state -i eth1 --dport 123 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp -m state -s <PrivateNetworkIP>/24 -d <ProxyPrivateIP> --dport 53 --sport 1024:65535 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/sec -j LOG --log-prefix "iptables denied: " --log-level 7
-A FORWARD -s <DMZ WEB SERVER IP> -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -p udp -m udp -m state -o eth1 --sport 123 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -s <ProxyPrivateIP>/32 -o eth1 --dport 1024:65535 --sport 10000 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -s <ProxyPrivateIP>/32 -o eth1 --dport 1024:65535 --sport 22 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -o eth1 --dport 1024:65535 --sport 8080 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp -d <PrivateNetworkIP>/24 -o eth1 --dport 1024:65535 --sport 53 -j ACCEPT
-A FORWARD -s <PrivateNetworkIP>/24 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination <ProxyPrivateIP>:8080
-A POSTROUTING -o eth0 -j SNAT --to-source <Proxy DMZ IP>
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 8080

Last edited by Smuff; 05-10-2012 at 05:01 AM.
 
Old 05-11-2012, 04:33 AM   #2
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 525

Rep: Reputation: 95
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 1433 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
 
1 members found this post helpful.
Old 05-11-2012, 08:41 AM   #3
Smuff
LQ Newbie
 
Registered: May 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thanks. I will give that a try, I thought I had tried that string before but might have had it wrong.
 
Old 05-15-2012, 12:41 AM   #4
Smuff
LQ Newbie
 
Registered: May 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thumbs up SQL Dynamic TCP ports was the problem...

Quote:
Originally Posted by tshikose View Post
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 1433 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
Thanks, Tshimanga. I tried what you said, which would work, but I did some more research and realised that MS-SQL 2008 now uses Dynamic Ports for TCP connections (Well my SQL server was - DOH!). I changed this to static port 1433 and my forward rule now works! All's well that ends well.

Thanks again.

Cheer, Smuff

#eth0 DMZ
#eth1 Private

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth1 --dport 8080 -j ACCEPT
-A INPUT -p udp -m udp -m state -i eth1 --dport 123 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp -m state -s <PrivateNetworkIP>/24 -d <ProxyPrivateIP> --dport 53 --sport 1024:65535 --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/sec -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -p udp -m udp -m state -o eth1 --sport 123 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -s <ProxyPrivateIP>/32 -o eth1 --dport 1024:65535 --sport 10000 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -s <ProxyPrivateIP>/32 -o eth1 --dport 1024:65535 --sport 22 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp -m state -o eth1 --dport 1024:65535 --sport 8080 --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp -d <PrivateNetworkIP>/24 -o eth1 --dport 1024:65535 --sport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp -d <SQL_Internal_IP> --dport 1433 -j ACCEPT #Now works after configuring SQL to use a TCP Static port!!!
-A FORWARD -s <PrivateNetworkIP>/24 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination <ProxyPrivateIP>:8080
-A POSTROUTING -o eth0 -j SNAT --to-source <Proxy DMZ IP>
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 8080
 
Old 05-15-2012, 05:21 AM   #5
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 525

Rep: Reputation: 95
Hi Smuff,

I am glad to had been helpful.
Just tick on my reputation.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
DNS resolution for internal and external clients bobbera Linux - Server 5 11-24-2010 09:46 AM
Can iptables control what internal LAN clients can configure it? paddyjoesoap Linux - Security 21 02-22-2010 11:11 AM
[SOLVED] How to connect Internal Sendmail Server for Roaming Outlook Clients mail4vijay Linux - General 10 11-12-2009 05:56 PM
Can bind 9 (DNS) resolve names based on who's asking?? (internal vs. external clients registering Linux - Networking 3 06-16-2004 08:25 AM
stopping ftp on certain internal clients with iptables dlm4444 Linux - Security 2 03-17-2004 03:33 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 08:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration