[luau] Problems with port forwarding using iptables

MonMotha monmotha at indy.rr.com
Thu May 22 18:13:01 PDT 2003


Georgia Mangiacapra wrote:
> Hi everybody, I'm a Linux beginner and I've set up a Linux Redhat 8
> Server to protect my lan.
> Here is my problem:
> 
> I've configured iptables and it's working properly concerning nat and
> filter.
> Now, I have to make a file server (MS SQL 2000 Server) inside my
> lan accessible from the web, through the Firewall.

Is that really a good idea considering all the problems we've seen with leaving 
MSSQL servers (or any DB server like that) exposed to the web?  You should 
probably do something like establish a secure tunnel (via ssh for example) to 
the inside.

> I thought that I have to do it by configuring the PREROUTING table. That's what
> I've written:
> 
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx (public FW
> ip address) --dport 1433 -j DNAT --to xxx.xxx.xxx.xxx (private File Server
> ip address)
> 
> iptables -t nat -A PREROUTING -p udp -i eth0 -d xxx.xxx.xxx.xxx (public FW
> ip address) --dport 1433 -j DNAT --to xxx.xxx.xxx.xxx (private File Server
> ip address)
> 

Do you really need both TCP and UDP?  Most servers use one or the other, but not 
both.

> and I've written:
> 
> iptables -A FORWARD -p tcp -i eth0 -d xxx.xxx.xxx.xxx (private File Server
> ip address) --dport 1433 -j ACCEPT
> 
> iptables -A FORWARD -p udp -i eth0 -d xxx.xxx.xxx.xxx (private File Server
> ip address) --dport 1433 -j ACCEPT
> 

Make sure there are no other rules above these that would block.

> On my Web Server I've inserted in the ASP file connection:
> 
> DB_Conn.Open "DRIVER={SQL Server};Server=xxx.xxx.xxx.xxx (public FW ip
> address);UID=xxx;PWD=xxx;DATABASE=xxx

No clue whatsoever on how to configure IIS.

> 
> Well.... it's not working, I mean I'm not able to connect from the web
> server to the file server DB (the 1433 port is open on the win 2000 server).
> Can somebody help me, please?
> 
> Thanks
> Georgia
> 

A common problem with port forwards is forgetting the outbound SNAT rule.  You 
DNAT on the inbound, but unless you change the source on the way back out, the 
reply to the SYN (a SYN,ACK or a SYN and an ACK) will come from a different IP. 
Needless to say this usually isn't a great way to establish a TCP connection 
:)  UDP has a similar problem, though since it's not connection based 
there's even less of a chance of it working (not that it would work at all 
anyway, just putting it in human terms).

The corresponding rules would be like:

iptables -t nat -A POSTROUTING -s int.db.ip.addy -o ethX -j SNAT --to-source fw.pub.ip.addy

Add ports and protocols as needed.


Also, when asking for help, it's generally considered helpful not to censor the 
first two or even three octets.  This makes it easier for the person helping you 
to get a feel for which IPs are "public" (as in routable all over the internet) 
and which are "private" (site local by whatever that RFC is that reserves 
192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12).  Just an FYI.

--MonMotha
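The rule set this thread is circling around, as an added example that is not part of the original post or of either poster's configuration: a POSIX sh script that prints (DRY_RUN=1, the default) or, as root with DRY_RUN=0, applies the DNAT and stateful FORWARD rules for one forwarded port, restricted to a single client address rather than the whole Internet, plus the hairpin rules for the case where the client is itself on the LAN and connects to the firewall's public address. It defaults to TCP, since SQL Server's query listener is TCP/1433 (UDP/1434 is the browser/resolution service). The Linux connection tracker reverses the DNAT on reply packets by itself as long as those replies route back through the firewall; the explicit POSTROUTING SNAT is what guarantees that for a LAN client, which the DB server would otherwise answer directly with the private source address and the handshake would fail. Interface names, the addresses (documentation ranges) and the function names are placeholders of my own.

```shell
#!/bin/sh
# Added example, not code from the original post.  Prints (DRY_RUN=1, the
# default) or applies (DRY_RUN=0, as root) the iptables rules for forwarding
# one port through a Linux firewall to a LAN host.  All interface names and
# addresses used below are placeholders.

DRY_RUN=${DRY_RUN:-1}

# In dry-run mode print the rule; otherwise run it.
emit() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Accept only a decimal port in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_rules PUB_IF PUB_IP CLIENT_IP DB_IP PORT [PROTO]
# Forward PROTO/PORT arriving on PUB_IF for PUB_IP to DB_IP, but only from
# CLIENT_IP: a database port should never be reachable from the whole Internet.
forward_rules() {
    pub_if=$1 pub_ip=$2 client_ip=$3 db_ip=$4 port=$5 proto=${6:-tcp}
    for ip in "$pub_ip" "$client_ip" "$db_ip"; do
        valid_ipv4 "$ip" || { echo "forward_rules: bad IPv4 address '$ip'" >&2; return 1; }
    done
    valid_port "$port" || { echo "forward_rules: bad port '$port'" >&2; return 1; }
    # Rewrite the destination on the way in.  Conntrack undoes the DNAT on the
    # replies by itself, provided they route back through this firewall.
    emit iptables -t nat -A PREROUTING -i "$pub_if" -p "$proto" -s "$client_ip" \
        -d "$pub_ip" --dport "$port" -j DNAT --to-destination "$db_ip"
    # FORWARD sees the post-DNAT (private) address.  These must sit above any
    # catch-all DROP/REJECT in the FORWARD chain.
    emit iptables -A FORWARD -i "$pub_if" -p "$proto" -s "$client_ip" -d "$db_ip" \
        --dport "$port" -m state --state NEW -j ACCEPT
    emit iptables -A FORWARD -d "$client_ip" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# hairpin_rules LAN_IF LAN_NET FW_LAN_IP PUB_IP DB_IP PORT [PROTO]
# For a client on LAN_NET (CIDR) that connects to PUB_IP: DNAT on the LAN side
# too, and SNAT the flow to the firewall's LAN address so the DB server answers
# the firewall rather than the client directly.  This is the case where a
# missing POSTROUTING rule makes the SYN,ACK arrive from the wrong address.
hairpin_rules() {
    lan_if=$1 lan_net=$2 fw_lan_ip=$3 pub_ip=$4 db_ip=$5 port=$6 proto=${7:-tcp}
    for ip in "$fw_lan_ip" "$pub_ip" "$db_ip"; do
        valid_ipv4 "$ip" || { echo "hairpin_rules: bad IPv4 address '$ip'" >&2; return 1; }
    done
    valid_port "$port" || { echo "hairpin_rules: bad port '$port'" >&2; return 1; }
    emit iptables -t nat -A PREROUTING -i "$lan_if" -p "$proto" -s "$lan_net" \
        -d "$pub_ip" --dport "$port" -j DNAT --to-destination "$db_ip"
    emit iptables -t nat -A POSTROUTING -o "$lan_if" -p "$proto" -s "$lan_net" \
        -d "$db_ip" --dport "$port" -j SNAT --to-source "$fw_lan_ip"
    emit iptables -A FORWARD -i "$lan_if" -o "$lan_if" -p "$proto" -s "$lan_net" \
        -d "$db_ip" --dport "$port" -j ACCEPT
}

# Demo invocation (documentation addresses, not real hosts): a web server at
# 198.51.100.7 connecting to the firewall's public address 203.0.113.10, and
# the hairpin variant for a web server on the 192.168.1.0/24 LAN.
if [ "${1:-}" = demo ]; then
    forward_rules eth0 203.0.113.10 198.51.100.7 192.168.1.20 1433
    hairpin_rules eth1 192.168.1.0/24 192.168.1.1 203.0.113.10 192.168.1.20 1433
fi
```

Run it as `sh portforward.sh demo` to review the generated rules before applying anything; the source restriction (-s CLIENT_IP) is the part that matters most if the port has to be opened at all, and an SSH tunnel from the web server to the firewall remains the better option for a database port.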




More information about the LUAU mailing list