/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */

Hi there

Just wondering if anyone could help me with a port forwarding problem.

I've got a private LAN with a MS SQL server on it. The LAN is masqued and firewalled by a Linux box. A webserver that needs to connect to the MS SQL server is on the outside of the firewall. The connection is via ODBC.

Port forwarding must be partly working because the ODBC "test" on the web server's ODBC connection to the SQL server works fine. When we start running queries etc. over the connection we get the following error on the web server:

"ODBC Distributed transaction error"

Has anyone got any idea what might be going on here?

Really appreciate any help

Henty

My firewall script is as follows:

#! /bin/sh
#
# Firewalling script using IP chains to link the Cargo Suite DMZ to the
# Idion LAN - does firewalling + IP masquerading (NAT)
# A single firewall solution could not be used because MSMQ cannot be
# NAT'd

# define a few variables
IPCHAINS=/sbin/ipchains
IPMASQADM=/usr/sbin/ipmasqadm
MODPROBE=/sbin/modprobe
LOCALNET="192.168.2.0/24"        # the cargo suite private network
ETHINSIDE="192.168.2.31"         # IP address of this firewall on the cargo suite LAN
ETHOUTSIDE="xxx.xxx.xxx.xxx"     # IP address of this firewall on the cargo suite DMZ
LOOPBACK="127.0.0.1/8"
ANYWHERE="0/0"
OUTSIDEIF=eth1                   # Ethernet card connecting to DMZ
DBSERVER="192.168.2.200"         # SQL server for the NEPTUNE system
FORWARD_PROCENTRY=/proc/sys/net/ipv4/ip_forward
DEFRAG_PROCENTRY=/proc/sys/net/ipv4/ip_always_defrag

#
# These two commands will return error codes if the rules
# already exist (which happens if you run the firewall
# script more than once). We put the commands before "set -e"
# so that the script doesn't abort in that case.
$IPCHAINS -N outside
$IPCHAINS -N portmap
$MODPROBE ip_masq_ftp
$MODPROBE ip_masq_irc

set -e                           # Abort immediately on error setting
                                 # up the rules.
#
# Turn off forwarding and clear the tables
echo "0" > ${FORWARD_PROCENTRY}
$IPCHAINS -F forward
$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F outside
$IPCHAINS -F portmap

#
# Masquerade packets from within our local network destined for the
# outside world. Don't masquerade packets which are local to local
$IPCHAINS -A forward -s $LOCALNET -d $LOCALNET -j ACCEPT > /dev/null 2>&1
$IPCHAINS -A forward -s $ETHOUTSIDE -d $ANYWHERE -j ACCEPT > /dev/null 2>&1
$IPCHAINS -A forward -s $LOCALNET -d $ANYWHERE -j MASQ > /dev/null 2>&1

#
# Set the priority flags. Minimum delay connections for www, telnet,
# ftp, dns, and ssh (outgoing packets only). Max throughput for ftp-data
# and email
#$IPCHAINS -A output -p tcp -d $ANYWHERE www -t 0x01 0x10
#$IPCHAINS -A output -p tcp -d $ANYWHERE https -t 0x01 0x10
#$IPCHAINS -A output -p udp -d $ANYWHERE https -t 0x01 0x10
#$IPCHAINS -A output -p tcp -d $ANYWHERE telnet -t 0x01 0x10
#$IPCHAINS -A output -p tcp -d $ANYWHERE ftp -t 0x01 0x10
#$IPCHAINS -A output -p tcp -d $ANYWHERE ssh -t 0x01 0x10
#$IPCHAINS -A output -p tcp -d $ANYWHERE domain -t 0x01 0x10
#$IPCHAINS -A output -p udp -d $ANYWHERE domain -t 0x01 0x10
#$IPCHAINS -A output -p tcp -d $ANYWHERE ftp-data -t 0x01 0x02
#$IPCHAINS -A output -p tcp -d $ANYWHERE smtp -t 0x01 0x08

#
# Anything from our local class C is to be accepted, as are
# packets from the loopback and the external IP.
$IPCHAINS -A input -s $LOCALNET -j ACCEPT
$IPCHAINS -A input -s $LOOPBACK -j ACCEPT
$IPCHAINS -A input -s $ETHOUTSIDE -j ACCEPT

# We'll create a set of rules for packets coming from the big, bad
# outside world, and then bind all external interfaces to it. This
# rule will be called "outside"
#
#
# Send packets from any outside interface to the "outside"
# rules chain. This includes the $OUTSIDEIF interface and any
# ppp interfaces we create for dialout (or dialin).
$IPCHAINS -A input -i ${OUTSIDEIF} -j outside
#$IPCHAINS -A input -i ppp+ -j outside

##################################################
#
# Set up the "outside" rules chain
#
#
##################################################
#
# Nobody from the outside should claim to be coming from our localnet
# or loopback
$IPCHAINS -A outside -s $LOCALNET -j DENY
$IPCHAINS -A outside -s $LOOPBACK -j DENY

#
# No packets routed to our local net should come in from outside
# because the outside isn't supposed to know about our private
# IP numbers.
$IPCHAINS -A outside -d $LOCALNET -j DENY

#
# Block incoming connections on the X port. Block 6000 to 6010.
$IPCHAINS -l -A outside -p TCP -s $ANYWHERE -d $ANYWHERE 6000:6010 -j DENY

#
# Block NFS ports 111 and 2049
$IPCHAINS -l -A outside -p TCP -s $ANYWHERE -d $ANYWHERE 111 -j DENY
$IPCHAINS -l -A outside -p TCP -s $ANYWHERE -d $ANYWHERE 2049 -j DENY
$IPCHAINS -l -A outside -p UDP -s $ANYWHERE -d $ANYWHERE 111 -j DENY
$IPCHAINS -l -A outside -p UDP -s $ANYWHERE -d $ANYWHERE 2049 -j DENY

#
# Block XDM packets from outside, port 177 UDP
$IPCHAINS -l -A outside -p UDP -s $ANYWHERE -d $ANYWHERE 177 -j DENY

#
# Block the YP/NIS port 653
$IPCHAINS -l -A outside -p TCP -s $ANYWHERE -d $ANYWHERE 653 -j DENY

#
# Accept FTP data and control connections.
#
$IPCHAINS -A outside -p TCP -s $ANYWHERE 20:21 -d $ANYWHERE 1024: -j ACCEPT

#
# Accept ssh packets
#$IPCHAINS -A outside -p TCP -s $ANYWHERE -d $ANYWHERE ssh -j ACCEPT

#
# Accept DNS packets from outside
#$IPCHAINS -A outside -p TCP -s $ANYWHERE -d $ANYWHERE 53 -j ACCEPT
#$IPCHAINS -A outside -p UDP -s $ANYWHERE -d $ANYWHERE 53 -j ACCEPT

#
# Accept HTTP (port 80) from the world and forward it to a server
# on our private network (currently disabled)
#$IPCHAINS -A outside -p TCP -s $ANYWHERE -d $ANYWHERE 80 -j ACCEPT
#$IPMASQADM portfw -a -P tcp -L $ETHOUTSIDE 80 -R $DBSERVER 80

# HERE's THE MS SQL CONFIG !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Accept MS SQL connections from DMZ and forward it to SQL server
# on our private network. 1433 std SQL, 1434 SQL monitor
$IPCHAINS -A outside -p TCP -s $ANYWHERE -d $DBSERVER 1433 -j ACCEPT
$IPCHAINS -A outside -p UDP -s $ANYWHERE -d $DBSERVER 1433 -j ACCEPT
$IPMASQADM portfw -a -P tcp -L $ETHOUTSIDE 1433 -R $DBSERVER 1433
$IPMASQADM portfw -a -P udp -L $ETHOUTSIDE 1433 -R $DBSERVER 1433
$IPCHAINS -A outside -p TCP -s $ANYWHERE -d $DBSERVER 1434 -j ACCEPT
$IPCHAINS -A outside -p UDP -s $ANYWHERE -d $DBSERVER 1434 -j ACCEPT
$IPMASQADM portfw -a -P tcp -L $ETHOUTSIDE 1434 -R $DBSERVER 1434
$IPMASQADM portfw -a -P udp -L $ETHOUTSIDE 1434 -R $DBSERVER 1434

#
# Accept no tap ident packets, we don't use them
$IPCHAINS -A outside -p TCP -s $ANYWHERE -d $ANYWHERE 113 -j DENY

#
# Turn off and log all other packets incoming, TCP or UDP, on privileged ports
$IPCHAINS -l -A outside -p UDP -s $ANYWHERE -d $ANYWHERE :1023 -j DENY

##############################################
#
# End of "outside" rules chain
#
#
##############################################

#
# Block outgoing rwho packets
$IPCHAINS -A output -p UDP -i $OUTSIDEIF -s $ANYWHERE 513 -d $ANYWHERE -j DENY

# Prevent netbios packets from leaving
$IPCHAINS -A output -p UDP -i $OUTSIDEIF -s $ANYWHERE 137 -d $ANYWHERE -j DENY

# Turn on forwarding
echo "1" > ${FORWARD_PROCENTRY}
echo "1" > ${DEFRAG_PROCENTRY}

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
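An added example (not part of Henty's post or of the script above): a small POSIX shell audit that reads an ipchains/ipmasqadm script and, for every local port that an `ipmasqadm portfw -a` line forwards to an inside host, reports what source address the matching ACCEPT rule on the `outside` chain admits. The comment in the post says the SQL ports are accepted "from DMZ", but the ACCEPT rules themselves use `-s $ANYWHERE`, so 1433 and 1434 are opened to every source the outside interface sees; the audit makes that gap between comment and rule visible. The sample rules are a constructed, trimmed copy of the post's SQL rules plus one hypothetical rule on port 8080 restricted to an assumed `$DMZNET` variable (not defined by the original script) to show what a restricted entry looks like.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an ipchains/ipmasqadm
# firewall script for port-forwarded services whose "outside" ACCEPT rule
# admits any source address.

# Constructed sample: a trimmed copy of the post's SQL rules plus a
# hypothetical $DMZNET-restricted rule (port 8080) for contrast.
SAMPLE_RULES='
$IPCHAINS -A outside -d $LOCALNET -j DENY
$IPCHAINS -A outside -p TCP -s $ANYWHERE -d $DBSERVER 1433 -j ACCEPT
$IPCHAINS -A outside -p UDP -s $ANYWHERE -d $DBSERVER 1433 -j ACCEPT
$IPMASQADM portfw -a -P tcp -L $ETHOUTSIDE 1433 -R $DBSERVER 1433
$IPMASQADM portfw -a -P udp -L $ETHOUTSIDE 1433 -R $DBSERVER 1433
$IPCHAINS -A outside -p TCP -s $ANYWHERE -d $DBSERVER 1434 -j ACCEPT
$IPMASQADM portfw -a -P tcp -L $ETHOUTSIDE 1434 -R $DBSERVER 1434
$IPCHAINS -A outside -p TCP -s $DMZNET -d $DBSERVER 8080 -j ACCEPT
$IPMASQADM portfw -a -P tcp -L $ETHOUTSIDE 8080 -R $DBSERVER 8080
$IPCHAINS -l -A outside -p UDP -s $ANYWHERE -d $ANYWHERE :1023 -j DENY
'

# Print every local port that an "ipmasqadm portfw -a" line forwards
# (the argument two fields after -L), one per line, duplicates removed.
forwarded_ports() {
  awk '$1 ~ /IPMASQADM$/ && $2 == "portfw" {
         for (i = 1; i <= NF; i++) if ($i == "-L") print $(i + 2)
       }' | sort -u
}

# Print the source of the first ACCEPT rule on the "outside" chain whose
# destination port equals $1: the value after -s, "ANY" when the rule has
# no -s at all, or NO-ACCEPT-RULE when no such rule exists.
accept_source_for_port() {
  awk -v port="$1" '
    $1 ~ /IPCHAINS$/ && index($0, "-A outside") && $NF == "ACCEPT" {
      src = ""; dport = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-d") dport = $(i + 2)
      }
      if (dport == port) { found = 1; print (src == "" ? "ANY" : src); exit }
    }
    END { if (!found) print "NO-ACCEPT-RULE" }'
}

# For each forwarded port print "<port> <source>", with UNRESTRICTED when
# the accepting rule admits any source (no -s, 0/0, or $ANYWHERE).
audit_portfw() {
  rules=$1
  printf '%s\n' "$rules" | forwarded_ports | while read -r port; do
    src=$(printf '%s\n' "$rules" | accept_source_for_port "$port")
    case "$src" in
      ANY|0/0|'$ANYWHERE') echo "$port UNRESTRICTED" ;;
      *)                   echo "$port $src" ;;
    esac
  done
}

# Stand-alone run: prints "1433 UNRESTRICTED", "1434 UNRESTRICTED", "8080 $DMZNET".
audit_portfw "$SAMPLE_RULES"
```

Run it with the real script's text (`audit_portfw "$(cat firewall.sh)"`) to get the same report for every forwarded port. The audit deliberately keys on the destination port and not on the destination address: under the 2.2 kernel's ipchains packet path the `input` chain (and therefore the `outside` chain it jumps to) is evaluated before demasquerading, so a forwarded packet is still addressed to `$ETHOUTSIDE`, not `$DBSERVER`, when the chain sees it. The post's `-d $DBSERVER 1433` ACCEPT rules therefore match nothing at that point, and the 1433 connections that work are the ones falling through to the end of the chain, which is worth knowing before tightening the source address on those rules.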
