[Firehol-support] how to open the SQL Server port (1433) and to nat it to my server web

Costa Tsaousis costa at tsaousis.gr
Sat Sep 22 11:13:27 CEST 2007


Lotfi kecir wrote:
> Hi. I have installed a FireHOL firewall, and I run behind it two servers: one
> is a web server (SRV_WEB=192.168.10.55) and the other is a mail
> server (SRV_MAILB=192.168.10.53).
> I would like to forward all data coming from port 1433 (the SQL Server port)
> to my web server.
> I did this in my firehol.conf:
>
> iptables -t nat -I PREROUTING  -p tcp -d $PUBLIC_MYIP --dport 1433 -j DNAT
> --to-destination $SRV_WEB
> iptables -I FORWARD -p tcp -d $SRV_WEB --dport 1433 -j ACCEPT
>   
Lotfi,

FireHOL is stateful, meaning that you need to accept both directions of
the communication; otherwise FireHOL will allow the requests to go in
but will drop the replies it does not match.
I suggest doing this:

---

# at the top of firehol.conf, dnat the SQL port to the WEB server
# I suggest putting a 'src' here too, for better security.
dnat to "${SRV_WEB}" proto tcp dport 1433 src "${my_sql_clients}"

# then, create a router for this purpose
router sqlrouter src "${my_sql_clients}" dst "${SRV_WEB}"
server SQL accept

---

The last statement will allow both directions of communication.

Costa
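Costa's two lines shown in context, as an added example that is not part of the original thread: a minimal firehol.conf (FireHOL 1.x syntax, `version 5`) for a box with an assumed external interface eth0 and an assumed LAN interface eth1, where the variable `my_sql_clients` is set to a constructed example client network and a custom service `sqlsrv` is defined for tcp/1433 instead of relying on a built-in service name.

```firehol
version 5

# addresses from the original post
SRV_WEB="192.168.10.55"
SRV_MAILB="192.168.10.53"

# constructed example: only these clients may reach the SQL port;
# replace with the real client addresses, never 0.0.0.0/0
my_sql_clients="203.0.113.0/24"

# custom service for the SQL Server port, so the router can use
# "server sqlsrv" below (assumed name, defined here)
server_sqlsrv_ports="tcp/1433"
client_sqlsrv_ports="default"

# DNAT the SQL port to the web server, restricted to the allowed clients
dnat to "${SRV_WEB}" proto tcp dport 1433 src "${my_sql_clients}"

# NAT the LAN's outbound traffic behind the public interface (assumed eth0)
masquerade eth0

# public side (assumed interface name)
interface eth0 internet
    protection strong
    client all accept

# LAN side (assumed interface name)
interface eth1 lan
    server all accept
    client all accept

# stateful path for the forwarded SQL traffic: this accepts the
# request direction AND the replies, which the raw FORWARD rule
# in the question did not
router sqlrouter inface eth0 outface eth1 src "${my_sql_clients}" dst "${SRV_WEB}"
    server sqlsrv accept

# let the LAN reach the internet (replies handled statefully too)
router lan2internet inface eth1 outface eth0
    route all accept
```

After editing, `firehol try` applies the configuration and rolls it back unless you confirm it, which is the safe way to test a change like this on a remote box.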
