Peer Oliver Schmidt wrote:
> my MS SQL Server sits behind a Linux gateway. Using the following IPCHAINS I
> am trying to forward all requests for Port 1433 that arrive at the Linux
> gateway to be forwarded to the internal SQLIP. Problem is, it does not work.
> If I change the destination port (SQLPORT) to say port 80 the web server on
> the SQLIP-Machine does answer.
>
> Most of the code is extracted from TrinityOS and/or MASQ HOW To.
>
> Any help would be greatly appreciated.
>
> Best regards
>
> Peer Oliver Schmidt
>
> #!/bin/sh
>
> UNIVERSE="0.0.0.0/0"
> IP_LNET=10.1.1.1
> EXTIF="ippp0"
> SQLIP=10.1.1.5
> SQLPORT=1433
> EXTIP=`ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
>
> echo External IP: $EXTIP
>
> /sbin/ipchains -F
>
> /sbin/ipchains -v -P forward DENY # Disable anything coming in
> /sbin/ipchains -v -A forward -i ippp0 -j MASQ # Masquerade everything going out
i'd use "-s $IP_LNET" instead of "-i ippp0" because it's less ambiguous
(forwarded packets arrive on one interface and leave on another so
specifying an interface is more ambiguous than specifying the source
address mask). i thought you had to specify the entry interface (not
the exit interface since the packet hasn't exited yet) for such a masq rule?
if so, this rule could be masquerading everything that comes in, not out.
> echo "Accepting Port $SQLPORT from universe for INPUT and FORWARDING"
> /sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE $SQLPORT
> /sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE $SQLPORT -d $UNIVERSE
> /sbin/ipchains -A forward -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE $SQLPORT
> /sbin/ipchains -A forward -j ACCEPT -p tcp -s $UNIVERSE $SQLPORT -d $UNIVERSE
you use $UNIVERSE a lot when you could use $EXTIP and i think the 2nd
input should be output. i'd use:
ipchains -A input -i ippp0 -p tcp -d $EXTIP $SQLPORT -j ACCEPT
ipchains -A output -i ippp0 -p tcp -s $EXTIP $SQLPORT ! -y -j ACCEPT
scrap the above forward rules. if you are masquerading/portforwarding,
they will never be used. and if they were, masquerading wouldn't happen.
> /sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $UNIVERSE $SQLPORT
> /sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE $SQLPORT -d $UNIVERSE
> /sbin/ipchains -A forward -j ACCEPT -p udp -s $UNIVERSE -d $UNIVERSE $SQLPORT
> /sbin/ipchains -A forward -j ACCEPT -p udp -s $UNIVERSE $SQLPORT -d $UNIVERSE
again (if udp is really needed by mssql):
ipchains -A input -i ippp0 -p udp -d $EXTIP $SQLPORT -j ACCEPT
ipchains -A output -i ippp0 -p udp -s $EXTIP $SQLPORT -j ACCEPT
and scrap the forward rules.
> echo "Marking packets for port $SQLPORT to be forwarded"
> /sbin/ipchains -I input -p tcp -y -d $EXTIP $SQLPORT -m 1
> /sbin/ipchains -I input -p tcp -y -d $IP_LNET $SQLPORT -m 2
> echo "Forwarding marked packets"
> /usr/sbin/ipmasqadm mfw -F
> /usr/sbin/ipmasqadm mfw -A -m 1 -r $SQLIP $SQLPORT -p 10
> /usr/sbin/ipmasqadm mfw -A -m 2 -r $SQLIP $SQLPORT -p 10
the 2nd "ipchains -I" isn't necessary. if an internal host connects
to the sql port of an internal host, the firewall host will never
see the packet and hence won't have the chance of using this rule
(it marks packets destined for port 1433 on any host on the internal
network but such packets can only be coming from the internal network
and so won't be forwarded via this host). also, you forgot to mark the
udp packets? that could be why http works but mssql doesn't. http
doesn't use udp.
another method to try is:
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $EXTIP $SQLPORT -R $SQLIP $SQLPORT
ipmasqadm portfw -a -P udp -L $EXTIP $SQLPORT -R $SQLIP $SQLPORT
> echo "Loading FTP modules"
> /sbin/modprobe ip_masq_ftp
don't bother loading the ftp module if you aren't accepting ftp packets.
> echo 1 > /proc/sys/net/ipv4/ip_forward # Enable routing
raf
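As an added example (not code from the original post and not raf's own script), the suggestions above assembled into one 2.2-kernel ipchains/ipmasqadm rule set: masquerade by source network instead of by interface, accept the SQL port on input/output only on the external interface and only for the gateway's own address, port-forward with ipmasqadm portfw for tcp (and udp only when explicitly enabled), no forward-chain ACCEPT rules, and no ftp module. It assumes the internal LAN is 10.1.1.0/24 (the post only gives the gateway's own address IP_LNET=10.1.1.1) and the external interface ippp0 from the post; the DRY_RUN switch (on by default here) prints the commands instead of running them, and in that mode EXTIP is a literal placeholder rather than the address read from the interface.

```shell
#!/bin/sh
# Added example: ipchains + ipmasqadm port forwarding for MS SQL (port 1433)
# through a Linux 2.2 masquerading gateway. Not the original poster's script.
# DRY_RUN=1 (default) only prints the commands; set DRY_RUN= on the gateway to apply.

EXTIF="ippp0"
LNET="10.1.1.0/24"          # assumed internal network, used as the MASQ source mask
SQLIP="10.1.1.5"
SQLPORT="1433"
WITH_UDP="${WITH_UDP:-0}"   # MS SQL client connections are TCP; set to 1 only if udp is confirmed
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# External address: read it from the interface when applying; "EXTIP" is a
# placeholder in dry-run mode so the rule set can be reviewed offline.
ext_ip() {
    if [ -n "$DRY_RUN" ]; then
        echo "EXTIP"
    else
        ifconfig "$EXTIF" | awk '/inet addr/ { gsub(".*:", "", $2); print $2 }'
    fi
}

# Rules for one protocol: accept on input/output only on the external interface
# and only for the gateway's own address, then port-forward to the SQL host.
# No forward-chain rule: port-forwarded packets do not traverse the forward chain.
proto_rules() {
    proto="$1"; extip="$2"
    run ipchains -A input -i "$EXTIF" -p "$proto" -d "$extip" "$SQLPORT" -j ACCEPT
    if [ "$proto" = tcp ]; then
        # replies only: "! -y" refuses packets with SYN set, so no new connection
        # can be opened outwards from the SQL port
        run ipchains -A output -i "$EXTIF" -p tcp -s "$extip" "$SQLPORT" ! -y -j ACCEPT
    else
        run ipchains -A output -i "$EXTIF" -p udp -s "$extip" "$SQLPORT" -j ACCEPT
    fi
    run ipmasqadm portfw -a -P "$proto" -L "$extip" "$SQLPORT" -R "$SQLIP" "$SQLPORT"
}

# Whole rule set, in order. Default-deny forwarding, masquerade the LAN by
# source address, flush old port forwards, add the SQL forward(s), enable routing.
fw_rules() {
    extip=$(ext_ip)
    run ipchains -F
    run ipchains -P forward DENY
    run ipchains -A forward -s "$LNET" -j MASQ
    run ipmasqadm portfw -f
    proto_rules tcp "$extip"
    [ "$WITH_UDP" = 1 ] && proto_rules udp "$extip"
    if [ -n "$DRY_RUN" ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

fw_rules
```

Run it once in dry-run mode and read the printed rules before applying on the gateway; the printed list should contain exactly one `ipmasqadm portfw -a` line per enabled protocol and no `forward ... -j ACCEPT` rule at all.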
_______________________________________________
Masq maillist - [EMAIL PROTECTED]