Georgia Mangiacapra wrote:
Hi everybody, I'm a Linux beginner and I've set up a Linux Red Hat 8
server to protect my LAN.
Here is my problem:
I've configured iptables and it's working properly concerning NAT and
filter.
Now I have to make a file server (MS SQL 2000 Server) inside my LAN
accessible from the web, through the firewall.
Is that really a good idea considering all the problems we've seen with leaving
MSSQL servers (or any DB server like that) exposed to the web? You should
probably do something like establish a secure tunnel (via ssh for example) to
the inside.
I thought that I had to do it by configuring the PREROUTING table. That's what
I wrote:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 1433 -j DNAT --to xxx.xxx.xxx.xxx
iptables -t nat -A PREROUTING -p udp -i eth0 -d xxx.xxx.xxx.xxx --dport 1433 -j DNAT --to xxx.xxx.xxx.xxx
(in both rules the first address is the public FW IP address, the second one
the private file server IP address)
Do you really need both TCP and UDP? Most servers use one or the other, but not
both.
and I wrote:
iptables -A FORWARD -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 1433 -j ACCEPT
iptables -A FORWARD -p udp -i eth0 -d xxx.xxx.xxx.xxx --dport 1433 -j ACCEPT
(here the address is the private file server IP address)
Make sure there are no other rules above these that would block.
On my web server I've inserted in the ASP file connection:
DB_Conn.Open "DRIVER={SQL Server};Server=xxx.xxx.xxx.xxx;UID=xxx;PWD=xxx;DATABASE=xxx"
(Server is the public FW IP address)
No clue whatsoever on how to configure IIS.
Well... it's not working; I mean I'm not able to connect from the web
server to the file server DB (port 1433 is open on the Win 2000 server).
Can somebody help me, please?
Thanks
Georgia
A common problem with port forwards is forgetting the outbound SNAT rule. You
DNAT on the inbound, but unless you change the source on the way back out, the
reply to the SYN (a SYN,ACK or a SYN and an ACK) will come from a different IP.
Needless to say this usually isn't a great way to establish a TCP connection
:) UDP has a similar problem, though since it's not connection based there's
even less of a chance of it working (not that it would work at all anyway,
just putting it in human terms).
The corresponding rule would be like (POSTROUTING only takes an output
interface, -o, not -i):
iptables -t nat -A POSTROUTING -s int.db.ip.addy -o ethX -j SNAT --to fw.pub.ip.addy
Add ports and protocols as needed.
Also, when asking for help, it's generally considered helpful to not censor the
first two or even three octets. This makes it easier for the person helping you
to get a feel for which IPs are "public" (as in routable all over the internet)
and which are "private" (site local by whatever that RFC is that reserves
192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12). Just an FYI.
--MonMotha
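An added example, not part of either poster's message: a small audit script that parses a DNAT port-forward rule set like the one quoted in this thread and flags the points raised above (a DNAT with no matching FORWARD ACCEPT, a forward reachable from any source rather than just the web server, and the -i mistake in a POSTROUTING rule). The addresses are documentation placeholders standing in for the censored ones, and the web server address 198.51.100.5 is an assumption.

```python
import shlex

# Constructed sample mirroring the thread's rule set, with documentation
# addresses standing in for the censored ones (203.0.113.1 = firewall public
# side, 192.168.1.10 = internal SQL server).
THREAD_RULES = [
    "iptables -t nat -A PREROUTING -p tcp -i eth0 -d 203.0.113.1 --dport 1433 -j DNAT --to 192.168.1.10",
    "iptables -t nat -A PREROUTING -p udp -i eth0 -d 203.0.113.1 --dport 1433 -j DNAT --to 192.168.1.10",
    "iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.10 --dport 1433 -j ACCEPT",
    "iptables -t nat -A POSTROUTING -s 192.168.1.10 -i eth1 -j SNAT --to 203.0.113.1",
]
# Same forward restricted to one hypothetical web server (198.51.100.5), TCP only.
HARDENED_RULES = [
    "iptables -t nat -A PREROUTING -p tcp -s 198.51.100.5 -i eth0 -d 203.0.113.1 --dport 1433 -j DNAT --to 192.168.1.10",
    "iptables -A FORWARD -p tcp -s 198.51.100.5 -i eth0 -d 192.168.1.10 --dport 1433 -j ACCEPT",
    "iptables -t nat -A POSTROUTING -s 192.168.1.10 -o eth1 -j SNAT --to 203.0.113.1",
]

VALUE_OPTS = {"-t", "-A", "-I", "-p", "-i", "-o", "-s", "-d", "--dport", "-j",
              "--to", "--to-destination", "--to-source"}

def parse_rule(cmd):
    """Reduce one iptables command to a dict of option -> value (table defaults to filter)."""
    toks = shlex.split(cmd)
    opts = {"t": "filter"}
    for pos, tok in enumerate(toks):
        if tok in VALUE_OPTS and pos + 1 < len(toks):
            key = "A" if tok == "-I" else tok.lstrip("-")   # -I and -A both name the chain
            opts[key] = toks[pos + 1]
    return opts

def audit_port_forward(cmds):
    """Return findings: DNAT without FORWARD ACCEPT, unrestricted source, POSTROUTING -i."""
    rules = [parse_rule(c) for c in cmds]
    accepts = [r for r in rules if r.get("A") == "FORWARD" and r.get("j") == "ACCEPT"]
    findings = []
    for d in (r for r in rules if r.get("j") == "DNAT"):
        target = d.get("to") or d.get("to-destination")
        matched = [a for a in accepts if (a.get("p"), a.get("dport"), a.get("d"))
                   == (d.get("p"), d.get("dport"), target)]
        if not matched:
            findings.append(f"DNAT {d.get('p')}/{d.get('dport')} to {target} has no matching FORWARD ACCEPT")
        if "s" not in d and not any("s" in a for a in matched):
            findings.append(f"{d.get('p')}/{d.get('dport')} forward is reachable from any source; add -s")
    for r in rules:
        if r.get("A") == "POSTROUTING" and "i" in r:
            findings.append("POSTROUTING rule uses -i; only -o is valid after routing")
    return findings
```

Running audit_port_forward over THREAD_RULES reports four findings, while HARDENED_RULES comes back clean.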