[Firehol-support] how to open the SQL Server port (1433) and to nat it to my server web
Lotfi kecir
kecirlotfi at gmail.com
Sat Sep 22 02:02:55 BST 2007
Hi. I have installed a FireHOL firewall, and behind it I run two servers: one
is a web server (SRV_WEB=192.168.10.55) and the other is a mail
server (SRV_MAILB=192.168.10.53).
I would like to forward all traffic arriving on port 1433 (the SQL Server port)
to my web server.
I added this to my firehol.conf:
iptables -t nat -I PREROUTING -p tcp -d $PUBLIC_MYIP --dport 1433 -j DNAT
--to-destination $SRV_WEB
iptables -I FORWARD -p tcp -d $SRV_WEB --dport 1433 -j ACCEPT
When I use NMAP to display all open ports, port 1433 is not among the
ports NMAP returns.
Can someone tell me what is wrong in my rules?
here is my firehol.conf
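# firehol.conf for a two-interface gateway: eth0 faces the internet, eth1 the
# home LAN. Selected public ports are DNATed to internal hosts. This file is
# sourced by FireHOL as a bash script, so shell functions are allowed here.

# Custom FireHOL service definitions (server_<NAME>_ports / client_<NAME>_ports).
server_MSN_ports="tcp/1863"
client_MSN_ports="default"
server_SQL_ports="tcp/1433"
client_SQL_ports="default 1433"
server_YAHOO_ports="tcp/5050"
client_YAHOO_ports="default"

# Home (LAN) side of the gateway.
HOME_MYIP="192.168.10.1"
HOME_MYIF="eth1"
HOME_BCAST="192.168.10.255"
HOME_LAN="192.168.10.0/24"
HOME_SERVICES="all"

# Public (internet) side of the gateway.
PUBLIC_MYIP="81.52.166.74"
PUBLIC_MYIF="eth0"
# NOTE(review): "mysql" in this list is offered to the whole internet; narrow it
# with a src restriction (see the TRUSTED_* block below) unless that is intended.
PUBLIC_SERVICES="mysql AH ESP isakmp icmp ssh webcache"

# Internal hosts that receive port-forwarded traffic.
SRV_WEB="192.168.10.55"
SRV_VNC="192.168.10.133"
SRV_MAIL="192.168.10.50"

#######################################
# Forward one public port to an internal host (DNAT in nat/PREROUTING plus an
# ACCEPT in FORWARD). Replaces the seven hand-copied rule pairs that used to
# repeat the public IP literally instead of PUBLIC_MYIP.
# Globals:   PUBLIC_MYIP (read)
# Arguments: $1 - protocol (tcp|udp)
#            $2 - destination port (number or /etc/services name)
#            $3 - internal host address
#            $4... - optional extra iptables match options for the FORWARD
#                    rule, e.g. -i/-o or "-s <allowed-source>"
# Outputs:   none (rules are handed to iptables)
#######################################
forward_port() {
  local proto="$1" port="$2" host="$3"
  shift 3
  # -I (insert) keeps these rules ahead of whatever FireHOL appends later,
  # exactly as the original per-rule commands did.
  iptables -t nat -I PREROUTING -p "${proto}" -d "${PUBLIC_MYIP}" \
    --dport "${port}" -j DNAT --to-destination "${host}"
  iptables -I FORWARD -p "${proto}" -d "${host}" --dport "${port}" "$@" -j ACCEPT
}

forward_port tcp http "${SRV_WEB}"
forward_port tcp 25   "${SRV_MAIL}"
forward_port udp 25   "${SRV_MAIL}"
forward_port tcp 110  "${SRV_MAIL}"
forward_port udp 110  "${SRV_MAIL}"
forward_port tcp 5900 "${SRV_VNC}"
forward_port tcp 9100 "${SRV_VNC}"

# SQL Server (tcp/1433) -> web server, public->home direction only.
# Without a -s match this makes 1433 reachable from any address; add
# "-s <allowed-client-range>" to the extra options once the client set is known.
forward_port tcp 1433 "${SRV_WEB}" -i "${PUBLIC_MYIF}" -o "${HOME_MYIF}"
# Reply direction for 1433. NOTE(review): presumably meant for return traffic;
# whether it is still needed next to FireHOL's own FORWARD rules cannot be
# seen from this file - confirm.
iptables -I FORWARD -p tcp -i "${HOME_MYIF}" -o "${PUBLIC_MYIF}" \
  -s "${SRV_WEB}" --sport 1433 -j ACCEPT

# Optional blacklist (space-separated addresses/networks); empty = disabled.
blacklist=""
if [ -n "${blacklist}" ]; then
  blacklist full "${blacklist}"
fi

# Transparently redirect LAN FTP control connections (tcp/21) to a local
# proxy listening on 2121.
iptables -t nat -A PREROUTING -p tcp -s "${HOME_LAN}" --dport 21 -j REDIRECT --to 2121

# Transparent proxy for the LAN when SQUID_PORT is set. SQUID_PORT and
# SQUID_USERS are not defined in this file; they must come from the environment.
if [ -n "${SQUID_PORT}" ]; then
  transparent_squid "${SQUID_PORT}" "${SQUID_USERS}" inface "${HOME_MYIF}"
  #src "${HOME_LAN}"
  #`test ! -z "${SQUID_EXCLUDE}" && echo "dst not '${SQUID_EXCLUDE}'"`
fi

# Source NAT for the LAN: static SNAT when the public IP is known, otherwise
# masquerade on the public interface.
if [ -n "${PUBLIC_MYIP}" ]; then
  snat to "${PUBLIC_MYIP}" outface "${PUBLIC_MYIF}" src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"
else
  masquerade "${PUBLIC_MYIF}"
fi

# LAN-facing interface: LAN hosts may reach this gateway (and its broadcast
# address) for every service, and the gateway may reach the LAN.
interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP} ${HOME_BCAST}"
  policy reject
  server "${HOME_SERVICES}" accept
  client all accept

# Internet-facing interface.
interface "${PUBLIC_MYIF}" internet
  protection strong
  policy drop
  # Extra services for trusted hosts only; both variables must be non-empty
  # (they are not defined in this file).
  if [ -n "${TRUSTED_PCS}" ] && [ -n "${TRUSTED_SERVICES}" ]; then
    server "${TRUSTED_SERVICES}" accept src "${TRUSTED_PCS}"
  fi
  server "${PUBLIC_SERVICES}" accept
  client all accept

# Traffic routed between the public and the LAN interface.
# NOTE(review): 192.168.20.0/24 below is not HOME_LAN (192.168.10.0/24);
# confirm that network is the intended one.
router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}"
  client "dns smtp pop3 imap http ssh icmp SQL" accept src 192.168.20.0/24
  server all accept src 192.168.20.0/24 dst 192.168.10.0/24
  client all accept src "192.168.10.0/24"
  server "MSN YAHOO" reject
  client "MSN YAHOO" reject
  client all accept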