Linux - Security (LinuxQuestions.org forum)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a gateway with iptables running great, no problem at all.
The iptables rules are all set correctly and the users in the subnet work great, but I have the following issue.
Every user connects to a MySQL server running on the internet through port 3306; the forward and masquerade rules do the job. Now I have a user on the outside who wants to connect to a MySQL server on a certain machine (not the gateway). PREROUTING rules solve my problem, but now all the packets from the inside users go to that certain machine.
I would like something like: if the packet passed through masquerade, don't pass it through the PREROUTING rule, and if it comes from the outside (not a packet that comes from a request from the inside), pass it through the PREROUTING rule.
Did you specify the source of the packets (through the -i option) to port forward the requests sent to the internal MySQL database server (DMZ database server)? It would have helped a lot had you posted your current rules so we could look at them.
In your particular situation, you probably will need to do something along these lines:
The key thing in your issue is the port forwarding. You'll need to port forward the requests coming from that particular user of the MySQL server that resides in the DMZ to the right destination. Then you'll need to allow the internal users to access the MySQL servers (both the one that resides in the DMZ and the other one that is on the edge of the network) WITHOUT rerouting anything.
Are you sure you're going about this the right way? I mean, you did say it was working fine for your LAN computers before, which implies that the rule for port 3306 was enough to keep them happy. Now you've added a rule which allows all packets from LAN to WAN. In other words, you've opened a giant (and completely unnecessary) hole in your firewall. Seems to me that all you were missing was a rule to match packets in state ESTABLISHED, so that the returning packets (for the WAN to LAN connection) wouldn't get filtered, while not having to poke any new holes in your firewall. Also, it wouldn't be a bad idea to make your rules a tad more specific, IMHO.
OK, I understand your point, thanks. What I wrote was a summary of my iptables rules regarding the gateway; now I'm pasting the full rules minus some other open ports that don't make any difference to the actual thread.
I think it is enough, but if you think it could be more optimal, please feel free to refute what I'm writing; my wish is to fix the holes.
Thanks anyway,
Quote:
# Generated by iptables-save v1.4.2 on Fri Mar 5 19:07:45 2010
# eth1 = LAN side, eth0 = WAN side (masqueraded)
*filter
:INPUT DROP [37851:2928547]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [10375893:15440928821]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -s 127.0.0.1/32 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Mar 5 19:07:45 2010
# Generated by iptables-save v1.4.2 on Fri Mar 5 19:07:45 2010
*nat
:PREROUTING ACCEPT [176659:16820666]
:POSTROUTING ACCEPT [12526:4349599]
:OUTPUT ACCEPT [30625:2256645]
# No -i qualifier: matches 3306 arriving on eth1 (LAN) as well as eth0 (WAN)
-A PREROUTING -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.1.59:3306
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Well, based on what has been posted so far, something like this should do the trick:
Code:
# Return and related traffic for connections already allowed in either direction
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# LAN hosts may open new connections to MySQL servers on the WAN
iptables -A FORWARD -p tcp -i eth1 -o eth0 --dport 3306 \
    -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
# WAN hosts may open new connections only to the internal MySQL server (after DNAT)
iptables -A FORWARD -p tcp -i eth0 -o eth1 --dport 3306 \
    -d 192.168.1.59 -m state --state NEW -j ACCEPT
# Only redirect 3306 that arrives on the WAN interface; LAN-originated 3306 is left alone
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3306 \
    -j DNAT --to-destination 192.168.1.59
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This lets all hosts on the LAN connect to port 3306 on the WAN, and it forwards port 3306 on the gateway's WAN side to 192.168.1.59 on the LAN (without having to allow all outbound traffic from LAN to WAN as you're currently doing).
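To see why the -i eth0 qualifier on the DNAT rule is what fixes the poster's symptom, here is a small Python model of the gateway's decision path. It is an added illustration for this thread, not code posted by anyone in it. It models only the three decisions that matter here: whether nat PREROUTING rewrites the destination, the filter FORWARD verdict, and which interface the packet leaves by; conntrack is reduced to a state label. The interface names, the 192.168.1.0/24 prefix and 192.168.1.59 come from the posted rules; the public addresses 203.0.113.x and 198.51.100.x are assumed RFC 5737 documentation addresses, and the sample packets are constructed. forward_original is the poster's FORWARD chain, forward_hardened the one from the reply above.

```python
"""Trace tcp/3306 packets through the gateway under the original and the
corrected rule sets.  Simplified model: nat PREROUTING DNAT, filter FORWARD
verdict and outgoing interface only; everything else netfilter does is ignored."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

LAN_IF, WAN_IF = "eth1", "eth0"   # as in the posted rules
LAN_NET = "192.168.1."            # 192.168.1.0/24
DB_HOST = "192.168.1.59"          # internal MySQL server
MYSQL = 3306


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED


def out_iface(dst: str) -> str:
    """Routing decision: LAN prefix leaves via eth1, everything else via eth0."""
    return LAN_IF if dst.startswith(LAN_NET) else WAN_IF


def prerouting(pkt: Packet, dnat_in_iface: Optional[str]) -> Packet:
    """nat PREROUTING.  The nat table is consulted only for the first packet of a
    connection (state NEW); later packets reuse the conntrack mapping.
    dnat_in_iface=None models the original rule (no -i, so it also matches
    packets arriving from the LAN); "eth0" models the corrected rule."""
    if pkt.state != "NEW" or pkt.dport != MYSQL:
        return pkt
    if dnat_in_iface is not None and pkt.in_iface != dnat_in_iface:
        return pkt
    return replace(pkt, dst=DB_HOST)


def forward_original(pkt: Packet) -> str:
    """The poster's FORWARD chain (policy DROP), rules in the posted order."""
    if pkt.dport == MYSQL:                        # -p tcp --dport 3306 -j ACCEPT
        return "ACCEPT"
    if pkt.in_iface == LAN_IF:                    # -i eth1 -j ACCEPT  (any port)
        return "ACCEPT"
    if pkt.state in ("ESTABLISHED", "RELATED"):   # -m state ... -j ACCEPT
        return "ACCEPT"
    return "DROP"


def forward_hardened(pkt: Packet) -> str:
    """The FORWARD chain proposed in the last reply (policy DROP)."""
    if pkt.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    lan_to_wan = pkt.in_iface == LAN_IF and out_iface(pkt.dst) == WAN_IF
    wan_to_db = (pkt.in_iface == WAN_IF and out_iface(pkt.dst) == LAN_IF
                 and pkt.dst == DB_HOST)
    if pkt.state == "NEW" and pkt.dport == MYSQL:
        if lan_to_wan and pkt.src.startswith(LAN_NET):
            return "ACCEPT"
        if wan_to_db:
            return "ACCEPT"
    return "DROP"


def trace(pkt: Packet, dnat_in_iface: Optional[str], forward_chain) -> Tuple[str, str, str]:
    """Return (FORWARD verdict, destination after NAT, outgoing interface)."""
    p = prerouting(pkt, dnat_in_iface)
    return forward_chain(p), p.dst, out_iface(p.dst)


ORIGINAL = (None, forward_original)     # DNAT rule without -i
HARDENED = (WAN_IF, forward_hardened)   # DNAT rule with -i eth0

# Constructed sample traffic (public addresses are RFC 5737 documentation ranges)
LAN_TO_PUBLIC_DB = Packet(LAN_IF, "192.168.1.10", "203.0.113.5", MYSQL)
WAN_TO_GATEWAY_DB = Packet(WAN_IF, "198.51.100.7", "203.0.113.1", MYSQL)
LAN_TO_WEB = Packet(LAN_IF, "192.168.1.10", "203.0.113.5", 80)
# reply from the public DB, shown after conntrack has reversed the MASQUERADE
DB_REPLY = Packet(WAN_IF, "203.0.113.5", "192.168.1.10", 51234, "ESTABLISHED")

if __name__ == "__main__":
    samples = [("LAN->public 3306", LAN_TO_PUBLIC_DB), ("WAN->gateway 3306", WAN_TO_GATEWAY_DB),
               ("LAN->public 80", LAN_TO_WEB), ("public DB reply", DB_REPLY)]
    for name, pkt in samples:
        for label, (dnat_if, chain) in (("original", ORIGINAL), ("hardened", HARDENED)):
            print(f"{name:18} {label:9} {trace(pkt, dnat_if, chain)}")
```

Under the original rules the LAN client's connection to the public MySQL server is rewritten to 192.168.1.59 and sent back out eth1, which is exactly the hijacking the poster described; under the corrected rules it leaves eth0 untouched, the outside user still reaches 192.168.1.59, and LAN traffic on other ports is no longer forwarded wholesale.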